Privacy Policy

Last updated: 14 February 2026

1. About This Policy

Phoenix Health Pty Ltd (ABN XX XXX XXX XXX) ("Phoenix Health", "we", "us", "our") is committed to protecting your personal and health information. We are bound by:

  • The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
  • The Privacy and Other Legislation Amendment Act 2024 (Cth)
  • The Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs)
  • The Health Records Regulations 2023 (Vic)
  • The Spam Act 2003 (Cth)
  • The Notifiable Data Breaches scheme under Part IIIC of the Privacy Act

This Privacy Policy explains how we collect, hold, use, disclose, and otherwise manage your personal information in accordance with these laws. As a health service provider, we are subject to these obligations regardless of our organisational size.

2. Types of Information We Collect

We may collect the following categories of information:

  • Personal information: name, date of birth, sex, gender identity, email address, phone number, residential and mailing address, emergency contact details.
  • Sensitive health information: medical history, current medications, allergies (medication, food, environmental), health metric and pathology results, imaging reports, health assessment data, biological age calculations, bespoke health plan data, mental health information, family medical history, and lifestyle information (smoking, alcohol, exercise, sleep, stress levels).
  • Government identifiers: Medicare number and expiry, DVA card number, private health insurance details. These are collected solely for billing, claims, and referral purposes and are never used as our own identifiers (per APP 9 / HPP 7).
  • Wearable device data: health metrics synced from connected devices (e.g. Apple Health, Oura, Garmin, Whoop, Fitbit) — collected only with your explicit, separate consent.
  • Usage and technical data: login timestamps, IP addresses, browser type, device information, and platform interaction data for security and service improvement.
  • Digital signatures and consent records: your typed name, consent selections, and timestamps of acceptance.

3. How We Collect Your Information

We collect personal and health information:

  • Directly from you: via registration forms, health assessment forms, appointment bookings, profile updates, and communications with our team.
  • From your healthcare providers: referring doctors, specialists, pathology labs, and imaging clinics involved in your care, with your consent.
  • From connected devices: wearable health devices you have explicitly authorised to sync with our platform.
  • Automatically: through essential cookies and server logs when you use our platform.

If you choose not to provide certain information, we may be unable to provide you with some or all of our health services, or the quality of service may be affected.

4. Purpose of Collection (Why We Collect)

We collect and use your information for the following primary purposes:

  • Providing personalised health optimisation services, health metric analysis, and bespoke health plans.
  • Facilitating appointments, health screenings, and referrals.
  • Communicating with you about your care, appointments, results, and account status.
  • Processing billing, Medicare claims, and insurance claims.
  • Maintaining accurate clinical records as required by law.

We may also use your information for secondary purposes that are directly related to the primary purpose and which you would reasonably expect, including:

  • Internal quality improvement and clinical audit.
  • De-identified, aggregated data analysis to improve our services.
  • Compliance with legal and regulatory obligations.

We will only use your health information for direct marketing purposes if you have provided explicit, separate consent (which you may withdraw at any time).

5. Disclosure of Your Information

We may disclose your information to:

  • Healthcare providers: referring doctors, specialists, pathology laboratories, radiology clinics, and other practitioners involved in your care — with your consent or where directly related to the purpose of collection (per HPP 2).
  • Technology service providers: secure cloud hosting (Vercel/AWS, infrastructure located in Australia where available), email delivery (Nodemailer/SMTP), and SMS providers — all bound by contractual data protection obligations.
  • Professional advisors: our legal, accounting, and compliance advisors where necessary for our business operations.
  • Government and regulatory bodies: where required by Australian law, court order, or to comply with mandatory reporting obligations.
  • Emergency situations: where necessary to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.

We will never sell your personal or health information to third parties.

6. Cross-Border Disclosure

Some of our technology service providers may store or process data on servers located outside Australia (including the United States). Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient handles your information in accordance with the APPs (per APP 8) and that equivalent protections apply.

Where health information is transferred outside Victoria, we comply with HPP 9 of the Health Records Act 2001 (Vic), ensuring that equivalent privacy protections are in place or that you have provided informed consent.

We will inform you if we become aware that an overseas recipient has breached the APPs in relation to your information.

7. AI-Assisted Health Data Processing

When your healthcare provider uploads health documents (such as pathology reports, lab results, or medical records) for metric extraction, we process this data using artificial intelligence as follows:

  • De-identification: All personally identifiable information — including names, dates of birth, email addresses, phone numbers, Medicare numbers, and addresses — is automatically stripped from document content before any AI processing occurs. This de-identification is mandatory and cannot be bypassed.
  • AI processing: Only de-identified health metric data (test names, values, units, and dates) is sent to our AI provider (OpenAI) for structured extraction and verification. No raw personal information is ever transmitted to AI services. AI processing uses a two-pass verification chain: an extractor pass identifies metrics, and a verifier pass independently checks the results for accuracy.
  • Data Processing Agreement: Our use of OpenAI's API is governed by OpenAI's Data Processing Addendum (DPA). Under this agreement, data submitted via the API is not used to train AI models and is subject to enterprise-grade data protection commitments.
  • Document retention: Uploaded source documents are purged from temporary storage immediately after processing is complete. A hard maximum retention period of 24 hours applies as a safety fallback. Only the extracted metric values (numbers, units, dates) are retained in your health record — never the source document itself.
  • Mandatory clinician review: All AI-extracted data is presented to your healthcare provider for mandatory review and verification before being saved to your health record. AI output is never automatically committed without clinician approval. A prominent warning is displayed stating that AI output may contain errors.
  • Audit trail: All import actions — including upload, processing, review, and submission — are logged in our immutable audit system for compliance and accountability. These logs record who performed each action, when, and what data was involved.
  • No PHI in logs: Application logs and error reports contain only de-identified text. Raw document content and personal health information are never written to logs or transmitted to error monitoring services.

If the AI service is unavailable or not configured, the system falls back to deterministic text parsing (pattern matching) that operates entirely within our own infrastructure, with no data sent to any third party.

8. Data Storage & Security

We take reasonable steps to protect your personal and health information from misuse, interference, loss, unauthorised access, modification, and disclosure (per APP 11 / HPP 4). Our security measures include:

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Role-based access controls — staff can only access information necessary for their role.
  • Comprehensive audit logging of all access to personal and health information, including PHI and PII access flags.
  • Two-factor authentication for client account activation.
  • Google Workspace SSO with domain restrictions for staff access.
  • SOC 2 compliant hosting infrastructure.
  • Regular security reviews and access audits.

When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs/HPPs, and we are not required by law to retain it, we will take reasonable steps to destroy or permanently de-identify the information.

9. Data Retention

We retain your information in accordance with the following schedule:

  • Health records (adults): minimum 7 years from the date of last service, in accordance with the Health Records Act 2001 (Vic) and the Privacy Act 1988.
  • Health records (minors): until the individual turns 25 years of age, or 7 years from the date of last service, whichever is later.
  • Medicare and insurance records: as required by Medicare Australia and relevant legislation.
  • Consent records and digital signatures: retained for the duration of the clinical relationship plus the applicable retention period.
  • Audit logs: retained for a minimum of 7 years for compliance and security purposes.
  • AI import source documents: purged immediately after processing; hard maximum retention of 24 hours. Only extracted metric values are retained.
  • Account and usage data: retained while your account is active and for a reasonable period thereafter, unless deletion is requested.

You may request deletion of your account data at any time, subject to our legal retention obligations. Where we are legally required to retain information, we will inform you of the applicable retention period.

10. Your Rights

Under the Privacy Act 1988 and the Health Records Act 2001 (Vic), you have the right to:

  • Access your personal and health information held by us (APP 12 / HPP 6). We will respond to access requests within 30 days.
  • Correct inaccurate, incomplete, out-of-date, or misleading information (APP 13 / HPP 6).
  • Request deletion of your personal information where it is no longer required and we are not legally obligated to retain it.
  • Withdraw consent for non-essential data processing at any time. This will not affect the lawfulness of processing carried out before withdrawal.
  • Request data portability — you may request that your health records be transferred to another health service provider (HPP 11).
  • Export your data — you may request a copy of all personal and health information we hold about you in a portable format.
  • Opt out of direct marketing at any time by using the unsubscribe link in any marketing communication or by contacting us directly.
  • Anonymity — where lawful and practicable, you may deal with us without identifying yourself (APP 2 / HPP 8). However, for clinical health services, identification is necessary for safe and effective care.

To exercise any of these rights, contact our Privacy Officer using the details in Section 17, or use the Privacy & Data settings in your client dashboard.

11. Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

  • Take immediate steps to contain the breach and assess potential harm.
  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
  • Notify affected individuals, including details of the breach, the type of information involved, and recommended steps to mitigate harm.

Our Data Breach Response Plan is available at /legal/data-breach-policy.

12. Cookies & Analytics

Our platform uses essential cookies for authentication, session management, and security. These are strictly necessary for the platform to function and do not require separate consent.

We may use analytics cookies to understand usage patterns and improve the platform experience. Analytics data is anonymised and aggregated. You may manage your cookie preferences through the cookie consent banner displayed when you first visit the platform.

No third-party advertising or tracking cookies are used. We do not participate in cross-site tracking or behavioural advertising.

13. Children's Privacy

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal information from individuals under 18 years of age. If we become aware that we have inadvertently collected personal information from a minor, we will take reasonable steps to delete that information promptly.

We will comply with the Australian Children's Privacy Code when it is finalised and comes into effect under the Privacy and Other Legislation Amendment Act 2024.

14. Victorian Health Privacy Principles Compliance

As a health service provider operating in Victoria, we comply with all 11 Health Privacy Principles (HPPs) under the Health Records Act 2001 (Vic):

  • HPP 1 (Collection): We only collect health information that is necessary for providing our health services, with your consent.
  • HPP 2 (Use & Disclosure): We use and disclose health information only for the primary purpose of collection, or for directly related secondary purposes you would reasonably expect.
  • HPP 3 (Data Quality): We take reasonable steps to ensure your health information is accurate, complete, and up-to-date.
  • HPP 4 (Data Security): We protect your health information with robust security measures and destroy or de-identify information when no longer needed.
  • HPP 5 (Openness): This Privacy Policy documents our information management practices and is freely available.
  • HPP 6 (Access & Correction): You may request access to and correction of your health information.
  • HPP 7 (Unique Identifiers): We do not adopt government identifiers (e.g. Medicare numbers) as our own client identifiers.
  • HPP 8 (Anonymity): Where lawful and practicable, you may access our services without identifying yourself. Clinical services require identification for safe care.
  • HPP 9 (Transborder Data Flows): We comply with restrictions on transferring health information outside Victoria (see Section 6).
  • HPP 10 (Transfer/Closure): In the event of practice closure or transfer, we will handle your health records in accordance with the Statutory Guidelines on Transfer or Closure.
  • HPP 11 (Transfer to Another Provider): You may request that your health information be transferred to another health service provider.

15. How to Make a Complaint

If you believe we have breached the APPs, the HPPs, or otherwise interfered with your privacy, you may lodge a complaint with us. We take all complaints seriously and will respond within 30 days.

Step 1: Contact our Privacy Officer (see Section 17).

Step 2: If you are not satisfied with our response, you may escalate your complaint to:

  • Office of the Australian Information Commissioner (OAIC)
    Phone: 1300 363 992
    Web: www.oaic.gov.au
    For complaints about breaches of the Australian Privacy Principles.
  • Health Complaints Commissioner Victoria (HCC)
    Phone: 1300 582 113
    Web: www.hcc.vic.gov.au
    For complaints about breaches of the Victorian Health Privacy Principles.

Full details of our complaint handling process are available at /legal/complaint.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. Material changes will be communicated via email and through a notification on the platform. The latest version will always be available at /legal/privacy-policy and within your account settings.

Continued use of our platform after notification of changes constitutes acceptance of the updated Privacy Policy, unless we are required to obtain your express consent.

17. Contact Our Privacy Officer

For privacy-related enquiries, data access requests, complaints, or to exercise any of your rights, contact:

  • Privacy Officer, Phoenix Health Pty Ltd
  • Email: privacy@phoenixhealth.com.au
  • Phone: 1300 PHOENIX (1300 743 649)
  • Post: Privacy Officer, Phoenix Health Pty Ltd, Melbourne VIC 3000

This Privacy Policy is governed by the laws of the State of Victoria, Australia. Phoenix Health is committed to ongoing compliance with the Privacy Act 1988 (Cth), the Privacy and Other Legislation Amendment Act 2024 (Cth), and the Health Records Act 2001 (Vic).