# Phoenix Health — Privacy Policy

**Effective date:** _TO BE COMPLETED ON ADOPTION_

**Last updated:** _TO BE COMPLETED ON ADOPTION_

> This is the source-of-truth privacy policy. The same content is rendered publicly at `/privacy`. **Legal counsel must review prior to publication.** Placeholders below are intentional.

## 1. Who We Are

Phoenix Health Co (ABN 28 685 097 044) ("Phoenix Health", "we", "us") is a health service provider operating online and in-clinic in New South Wales, Australia. This policy explains how we handle personal information — including health information — in accordance with:

- **Privacy Act 1988 (Cth)** — Australian Privacy Principles (APPs 1–13)
- **Health Records and Information Privacy Act 2002 (NSW)** (HRIP Act) — Health Privacy Principles (HPPs 1–15)
- **Notifiable Data Breaches (NDB) scheme** — Part IIIC of the Privacy Act
- **EU GDPR** — where applicable to EU/EEA visitors

**Privacy Officer / Privacy Contact Officer:** privacy@phoenixhealthco.com

**Registered address:** _TBD_

## 2. Information We Collect

- **Identity & contact:** name, date of birth, email, phone, postal/residential address, emergency contact.
- **Health information:** medical history, medications, allergies, biomarker results, wearable device data (heart rate, sleep, activity), uploaded documents (e.g. pathology reports), lifestyle factors, family history.
- **Account & technical:** authentication credentials, session metadata, IP address, device identifiers, timestamps, audit log entries.
- **Communications:** messages between you and our clinicians, notifications you receive.
- **Consent records:** what you consented to, when, and via what mechanism.

## 3. How We Collect

- Directly from you (registration, intake forms, in-app entries, uploads).
- Automatically (your interactions with the app, device data you choose to sync).
- From our clinicians during your consultations.
- From third parties only with your consent (e.g. uploaded reports).

## 4. Why We Collect & Use

**Primary purposes:**

- Providing your healthcare services.
- Maintaining your clinical record.
- Communicating with you about appointments, plans, results.
- Legal/regulatory obligations.

**Secondary purposes** (only with your consent or where permitted by law):

- AI-assisted extraction of health metrics from uploaded documents (see §7).
- De-identified service improvement.

## 5. Disclosure / Sharing

We share personal information only with:

- Treating clinicians within Phoenix Health.
- Sub-processors providing infrastructure or services (see §8) under contractual obligations.
- Other healthcare providers when you direct us to.
- Where required by law (subpoena, court order, mandatory reporting).
- Emergency situations, where disclosure is necessary to lessen or prevent a serious threat to life, health or safety, as permitted by APP 6.2(c) (permitted general situation, s 16A of the Privacy Act) / HPP 11(1)(c).

We do **not** sell personal information.

## 6. Cross-Border Transfers (APP 8 / HPP 14)

Your information is primarily stored and processed in Australia (Sydney region). Some sub-processors may process data in the United States or at global edge locations (see the Region column in §8) under strict contractual controls. Where we disclose information to an overseas recipient, we take reasonable steps (APP 8.1) to ensure they handle your information in accordance with the APPs, primarily by entering into Data Processing Agreements (DPAs) and verifying that equivalent protections are in place.

## 7. AI Processing

We use Azure OpenAI (Microsoft, Australia East region) to extract structured health metrics from documents you upload. Documents are de-identified prior to transmission — no identifying information is sent to the AI service. Zero Data Retention is enabled, meaning your data is not stored by the service or used for model training.

You may opt out of AI processing at registration or in your privacy settings; manual clinician review will be used instead.

AI outputs are always reviewed by a qualified clinician before being added to your health record. AI does not make clinical decisions autonomously.

## 8. Sub-Processors

| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| Vercel | Application hosting | Sydney, AU | Signed |
| Neon | PostgreSQL database | Sydney, AU | Signed |
| Microsoft Azure | AI document processing (Azure OpenAI) | Australia East | OST DPA |
| Microsoft 365 | Email ingestion (Graph API) | AU/US | OST DPA |
| Cloudflare | DNS, CAPTCHA (Turnstile) | Global edge | Signed |
| Upstash | Rate limiting (Redis) | Sydney, AU | Signed |

No health information is shared with Cloudflare or Upstash.

A current list is maintained in our internal sub-processor register (`compliance/dpa-tracking.md`) and is available on request.

## 9. Security

- TLS 1.3 for data in transit.
- AES-256-GCM application-layer encryption for sensitive fields.
- AES-256 provider-level encryption at rest.
- Multi-factor authentication (TOTP) for staff.
- HMAC-signed session tokens.
- Comprehensive audit logging.
- Role-based access control.

Security details: `compliance/encryption-at-rest.md`.

## 10. Retention

- Active client records: retained for the duration of the engagement.
- Inactive client records (adults): retained for 7 years after last service.
- Inactive client records (minors): retained until the individual's 25th birthday, or 7 years from the last entry, whichever is later (per HRIP Act requirements).
- Audit logs: 7 years (aligned with health record retention).
- Authentication codes: deleted on use or after 5 minutes.

## 11. Your Rights (APP 12/13, HPP 7/8)

You may, at any time:

- **Access** your health information — `/client/{id}/privacy` → Download Data (APP 12, HPP 7).
- **Correct** inaccurate information — `/client/{id}/profile` (APP 13, HPP 8).
- **Delete** your account — `/client/{id}/privacy` → Delete Account (subject to the retention obligations in §10).
- **Manage consents** — `/client/{id}/privacy` → Manage Consents.
- **Object / restrict** processing — contact privacy@phoenixhealthco.com (GDPR, where applicable).
- **Portability** — JSON export available via Download Data.
- **Complain** — to us first; if unresolved:
  - **OAIC:** oaic.gov.au · 1300 363 992 (federal)
  - **NSW IPC:** ipc.nsw.gov.au · ipcinfo@ipc.nsw.gov.au (state)
  - EU supervisory authority (if applicable)

We respond to access and correction requests within 30 days.

## 12. Notifiable Data Breaches

If we experience an eligible data breach under the NDB scheme (Part IIIC of the Privacy Act), we will:

- Complete our assessment of a suspected eligible data breach within 30 days of becoming aware of it.
- Notify you and the OAIC as soon as practicable after confirming an eligible data breach.
- Notify the NSW IPC where NSW residents' health information is involved.
- Notify EU residents per GDPR Art 33/34 where applicable.

## 13. Children

The platform is not designed for children under 13. Users aged 13–17 require a parent/guardian co-consent and guardian contact details at registration. Children's health records are subject to extended retention (until age 25 per the HRIP Act; see §10).

## 14. Cookies & Tracking

We use strictly necessary cookies for authentication and session integrity. We do not use cross-site advertising trackers.

## 15. Changes

We will notify you of material changes via the app and email at least 14 days before they take effect.

## 16. Contact

- Privacy Officer / Privacy Contact Officer: privacy@phoenixhealthco.com
- Security concerns: security@phoenixhealthco.com
- Postal: _TBD_
- ABN: 28 685 097 044 (as stated in §1)

---

*This policy is reviewed at least annually and following any material change.*