Privacy Policy
Last updated: 11 May 2026
1. About This Policy
Phoenix Health Co (ABN 28 685 097 044) ("Phoenix Health", "we", "us", "our") is committed to protecting your personal and health information. We are bound by:
- The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- The Privacy and Other Legislation Amendment Act 2024 (Cth)
- The Health Records and Information Privacy Act 2002 (NSW) and the Health Privacy Principles (HPPs 1–15)
- The Spam Act 2003 (Cth)
- The Notifiable Data Breaches scheme under Part IIIC of the Privacy Act
This Privacy Policy explains how we collect, hold, use, disclose, and otherwise manage your personal information in accordance with these laws. As a health service provider, we are subject to these obligations regardless of our organisational size.
Our Collection Notice, which provides a summary of how we handle your health information at the point of collection, is available at /privacy/notice.
2. Types of Information We Collect
We may collect the following categories of information:
- Personal information: name, date of birth, sex, gender identity, email address, phone number, residential and mailing address, emergency contact details.
- Sensitive health information: medical history, current medications, allergies (medication, food, environmental), health metric and pathology results, imaging reports, health assessment data, biological age calculations, bespoke health plan data, mental health information, family medical history, and lifestyle information (smoking, alcohol, exercise, sleep, stress levels).
- Government identifiers: Medicare number and expiry, DVA card number, private health insurance details. These are collected solely for billing, claims, and referral purposes and are never used as our own identifiers (per APP 9 / HPP 4).
- Wearable device data: health metrics synced from connected devices (e.g. Apple Health, Oura, Garmin, Whoop, Fitbit) - collected only with your explicit, separate consent.
- Usage and technical data: login timestamps, IP addresses, browser type, device information, and platform interaction data for security and service improvement.
- Digital signatures and consent records: your typed name, consent selections, and timestamps of acceptance.
3. How We Collect Your Information
We collect personal and health information:
- Directly from you: via registration forms, health assessment forms, appointment bookings, profile updates, and communications with our team.
- From your healthcare providers: referring doctors, specialists, pathology labs, and imaging clinics involved in your care, with your consent.
- From connected devices: wearable health devices you have explicitly authorised to sync with our platform.
- Automatically: through essential cookies and server logs when you use our platform.
If you choose not to provide certain information, we may be unable to provide you with some or all of our health services, or the quality of service may be affected.
4. Purpose of Collection (Why We Collect)
We collect and use your information for the following primary purposes:
- Providing personalised health optimisation services, health metric analysis, and bespoke health plans.
- Facilitating appointments, health screenings, and referrals.
- Communicating with you about your care, appointments, results, and account status.
- Processing billing, Medicare claims, and insurance claims.
- Maintaining accurate clinical records as required by law.
We may also use your information for secondary purposes that are directly related to the primary purpose and which you would reasonably expect, including:
- Internal quality improvement and clinical audit.
- De-identified, aggregated data analysis to improve our services.
- Compliance with legal and regulatory obligations.
We will only use your health information for direct marketing purposes if you have provided explicit, separate consent (which you may withdraw at any time).
5. Disclosure of Your Information
We may disclose your information to:
- Healthcare providers: referring doctors, specialists, pathology laboratories, radiology clinics, and other practitioners involved in your care — with your consent or where directly related to the purpose of collection (per HPP 11).
- Technology service providers: see the sub-processor table in Section 5a below. All are bound by Data Processing Agreements (DPAs) and contractual data protection obligations.
- Professional advisors: our legal, accounting, and compliance advisors where necessary for our business operations.
- Government and regulatory bodies: where required by Australian law, court order, or to comply with mandatory reporting obligations.
- Emergency situations: where necessary to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.
We will never sell your personal or health information to third parties.
5a. Sub-Processors
The following third-party service providers process data on our behalf (APP 1.4(f), APP 8):
| Provider | Purpose | Data category | Country | DPA |
|---|---|---|---|---|
| Vercel (hosting) | Application hosting, blob storage | App traffic, encrypted health-information blobs | US (edge network) | Executed |
| Neon (database) | Serverless PostgreSQL | Structured health information | Australia (Sydney) | Executed |
| Microsoft Azure | Azure OpenAI (AI extraction), email (Graph API) | De-identified text (AI); inbound emails | Australia (AU East) | OST DPA |
| Cloudflare | DNS, Turnstile CAPTCHA | IP addresses, challenge tokens (no health data) | US (edge network) | Executed |
| Upstash | Rate-limiting (Redis) | Hashed counters only (no health data) | Australia (Sydney) | Requested |
APP 8 transfer impact assessments are maintained for each overseas sub-processor. No health information is disclosed to Cloudflare or Upstash.
6. Cross-Border Disclosure
Some of our technology service providers may store or process data on servers located outside Australia (including the United States). Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient handles your information in accordance with the APPs (per APP 8) and that equivalent protections apply.
Where health information is transferred outside NSW, we comply with HPP 14 of the Health Records and Information Privacy Act 2002 (NSW), ensuring that equivalent privacy protections are in place or that you have provided informed consent.
We will inform you if we become aware that an overseas recipient has breached the APPs in relation to your information.
7. AI-Assisted Health Data Processing
When your healthcare provider uploads health documents (such as pathology reports, lab results, or medical records) for metric extraction, we process this data using artificial intelligence as follows:
- De-identification: All personally identifiable information - including names, dates of birth, email addresses, phone numbers, Medicare numbers, and addresses - is automatically stripped from document content before any AI processing occurs. This de-identification is mandatory and cannot be bypassed.
- AI processing: Only de-identified health metric data (test names, values, units, and dates) is sent to our AI provider (Azure OpenAI, hosted in the Australia East region) for structured extraction and verification. No raw personal information is ever transmitted to AI services. AI processing uses a two-pass verification chain: an extractor pass identifies metrics, and a verifier pass independently checks the results for accuracy.
- Data Processing Agreement: Our use of Azure OpenAI is governed by Microsoft's Online Services Terms DPA. Under this agreement, data submitted via the API is not used to train AI models, Zero Data Retention is enabled, and all processing occurs in the Australia East region (APP 8 data sovereignty).
- Document retention: Uploaded source documents are purged from temporary storage immediately after processing is complete. A hard maximum retention period of 24 hours applies as a safety fallback. Only the extracted metric values (numbers, units, dates) are retained in your health record - never the source document itself.
- Mandatory clinician review: All AI-extracted data is presented to your healthcare provider for mandatory review and verification before being saved to your health record. AI output is never automatically committed without clinician approval. A prominent warning is displayed stating that AI output may contain errors.
- Audit trail: All import actions - including upload, processing, review, and submission - are logged in our immutable audit system for compliance and accountability. These logs record who performed each action, when, and what data was involved.
- No health information in logs: Application logs and error reports contain only de-identified text. Raw document content and personal health information are never written to logs or transmitted to error monitoring services.
If the AI service is unavailable or not configured, the system falls back to deterministic text parsing (pattern matching) that operates entirely within our own infrastructure, with no data sent to any third party.
8. Data Storage & Security
We take reasonable steps to protect your personal and health information from misuse, interference, loss, unauthorised access, modification, and disclosure (per APP 11 / HPP 4). Our security measures include:
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Role-based access controls - staff can only access information necessary for their role.
- Comprehensive audit logging of all access to personal and health information, with health-information and PII access flags.
- Two-factor authentication for client account activation.
- Google Workspace SSO with domain restrictions for staff access.
- SOC 2 compliant hosting infrastructure.
- Regular security reviews and access audits.
When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs/HPPs, and we are not required by law to retain it, we will take reasonable steps to destroy or permanently de-identify the information.
9. Data Retention
We retain your information in accordance with the following schedule:
- Health records (adults): minimum 7 years from the date of last service, in accordance with the Health Records and Information Privacy Act 2002 (NSW) and the Privacy Act 1988.
- Health records (minors): until the individual turns 25 years of age, or 7 years from the date of last service, whichever is later (HRIP Act, NSW).
- Medicare and insurance records: as required by Medicare Australia and relevant legislation.
- Consent records and digital signatures: retained for the duration of the clinical relationship plus the applicable retention period.
- Audit logs: retained for a minimum of 7 years for compliance and security purposes.
- AI import source documents: purged immediately after processing; hard maximum retention of 24 hours. Only extracted metric values are retained.
- Account and usage data: retained while your account is active and for a reasonable period thereafter, unless deletion is requested.
You may request deletion of your account data at any time, subject to our legal retention obligations. Where we are legally required to retain information, we will inform you of the applicable retention period.
10. Your Rights
Under the Privacy Act 1988 and the Health Records and Information Privacy Act 2002 (NSW), you have the right to:
- Access your personal and health information held by us (APP 12 / HPP 7). We will respond to access requests within 30 days.
- Correct inaccurate, incomplete, out-of-date, or misleading information (APP 13 / HPP 8).
- Request deletion of your personal information where it is no longer required and we are not legally obligated to retain it.
- Withdraw consent for non-essential data processing at any time. This will not affect the lawfulness of processing carried out before withdrawal.
- Request data portability — you may request that your health records be transferred to another health service provider (HPP 12).
- Export your data - you may request a copy of all personal and health information we hold about you in a portable format.
- Opt out of direct marketing at any time by using the unsubscribe link in any marketing communication or by contacting us directly.
- Anonymity — where lawful and practicable, you may deal with us without identifying yourself (APP 2). However, for clinical health services, identification is necessary for safe and effective care.
To exercise any of these rights, contact our Privacy Officer using the details in Section 17, or use the Privacy & Data settings in your client dashboard.
11. Notifiable Data Breaches
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- Take immediate steps to contain the breach and assess potential harm.
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
- Notify affected individuals, including details of the breach, the type of information involved, and recommended steps to mitigate harm.
Our Data Breach Response Plan is available at /legal/data-breach-policy.
12. Cookies & Analytics
Our platform uses essential cookies for authentication, session management, and security. These are strictly necessary for the platform to function and do not require separate consent.
We may use analytics cookies to understand usage patterns and improve the platform experience. Analytics data is anonymised and aggregated. You may manage your cookie preferences through the cookie consent banner displayed when you first visit the platform.
No third-party advertising or tracking cookies are used. We do not participate in cross-site tracking or behavioural advertising.
13. Children's Privacy
Our services are intended for individuals aged 18 and over. We do not knowingly collect personal information from individuals under 18 years of age. If we become aware that we have inadvertently collected personal information from a minor, we will take reasonable steps to delete that information promptly.
We will comply with the Australian Children's Privacy Code when it is finalised and comes into effect under the Privacy and Other Legislation Amendment Act 2024.
14. NSW Health Privacy Principles Compliance
As a health service provider operating in New South Wales, we comply with all 15 Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (NSW):
- HPP 1 (Lawful): We only collect health information by lawful means.
- HPP 2 (Relevant): We only collect health information that is relevant, not excessive, and necessary for our functions.
- HPP 3 (Direct collection): We collect health information directly from you where reasonable and practicable.
- HPP 4 (Collection — no ID): We do not adopt government identifiers (e.g. Medicare numbers) as our own client identifiers.
- HPP 5 (Notice): At or before collection, we inform you why we collect your information, who may receive it, and your access rights. See our Collection Notice.
- HPP 6 (Use & disclosure — direct purpose): We use and disclose health information only for the primary purpose of collection, or for directly related secondary purposes you would reasonably expect.
- HPP 7 (Access): You may request access to your health information. We will respond within 30 days.
- HPP 8 (Correction): You may request correction of inaccurate, incomplete, or misleading information.
- HPP 9 (Accuracy): We take reasonable steps to ensure your health information is accurate, complete, and up-to-date before use.
- HPP 10 (Security): We protect your health information with robust security measures (see Section 8).
- HPP 11 (Limits on disclosure): We do not disclose health information for a purpose other than that for which it was collected, except as permitted by law.
- HPP 12 (Identifiers): We do not adopt, use, or disclose identifiers assigned by other organisations.
- HPP 13 (Anonymity): Where lawful and practicable, you may access our services without identifying yourself.
- HPP 14 (Transborder data flows): We comply with restrictions on transferring health information outside NSW (see Section 6).
- HPP 15 (Linkage): We do not include health information in a generally available publication without consent.
15. How to Make a Complaint
If you believe we have breached the APPs, the HPPs, or otherwise interfered with your privacy, you may lodge a complaint with us. We take all complaints seriously and will respond within 30 days.
Step 1: Contact our Privacy Officer (see Section 17).
Step 2: If you are not satisfied with our response, you may escalate your complaint to:
- Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992
Web: www.oaic.gov.au
For complaints about breaches of the Australian Privacy Principles.
- NSW Information and Privacy Commission (IPC)
Phone: 1800 472 679
Web: www.ipc.nsw.gov.au
For complaints about breaches of the NSW Health Privacy Principles.
Full details of our complaint handling process are available at /legal/complaint.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. Material changes will be communicated via email and through a notification on the platform. The latest version will always be available at /legal/privacy-policy and within your account settings.
Continued use of our platform after notification of changes constitutes acceptance of the updated Privacy Policy, unless we are required to obtain your express consent.
17. Contact Our Privacy Officer
For privacy-related enquiries, data access requests, complaints, or to exercise any of your rights, contact:
- Privacy Officer, Phoenix Health Co
- Email: contact@phoenixhealthco.com.au
- Phone: 1300 PHOENIX (1300 743 649)
- Post: Privacy Officer, Phoenix Health Co, Sydney NSW 2000
This Privacy Policy is governed by the laws of New South Wales, Australia. Phoenix Health is committed to ongoing compliance with the Privacy Act 1988 (Cth), the Privacy and Other Legislation Amendment Act 2024 (Cth), and the Health Records and Information Privacy Act 2002 (NSW).