
Privacy Policy

How we collect, use, protect and disclose your personal and health information.

Effective: 13 March 2026  ·  Version 1.0

Important: Enhanced Wellbeing is an Australian online telehealth and wellness clinic. We take your privacy seriously and are committed to complying with the Privacy Act 1988 (Cth), all 13 Australian Privacy Principles (APPs), the Health Records Act 2001 (Vic), the Health Records and Information Privacy Act 2002 (NSW), the My Health Records Act 2012 (Cth), the Notifiable Data Breaches (NDB) scheme, and all other applicable state and territory health privacy legislation. Because your health information is sensitive information, it receives the highest level of protection we can provide.

Contents

  1. About Us and This Policy
  2. What Information We Collect
  3. How We Collect Your Information
  4. Why We Collect Your Information (Purpose)
  5. Use and Disclosure of Your Information
  6. Disclosure to Third Parties
  7. Overseas Disclosure
  8. My Health Records
  9. Data Security and Storage
  10. Notifiable Data Breaches
  11. Retention of Your Information
  12. Your Rights — Access and Correction
  13. Cookies and Website Analytics
  14. Telehealth-Specific Privacy Matters
  15. Children's Privacy
  16. State-Specific Provisions
  17. Complaints
  18. Changes to This Policy
  19. Contact Us
Section 1

About Us and This Policy

Enhanced Wellbeing Pty Ltd (ABN: [INSERT ABN]) ("Enhanced Wellbeing", "we", "us", "our") operates an online telehealth clinic providing prescription health services, wellness assessments, and related products to patients across Australia via our website at enhancedwellbeing.com.au (the "Website").

This Privacy Policy explains how we manage personal information and health information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act"), the Australian Privacy Principles ("APPs"), and applicable state and territory legislation. This Policy applies to all personal information and health information collected by us in connection with our services, including information collected via our Website, telehealth consultations, and any correspondence.

By accessing our Website or using our services, you agree to the collection and use of your information as described in this Policy. If you do not agree, please do not use our services.

This Policy should be read in conjunction with our Terms of Service and our Telehealth and Patient Agreement.

Section 2

What Information We Collect

2.1 Personal Information

We collect personal information that is reasonably necessary to provide our services, including:

  • Full name, date of birth, gender, and residential address
  • Contact details including email address and phone number
  • State or territory of residence
  • Identity verification information
  • Payment information (processed securely by our third-party payment processor — we do not store full credit card numbers)
  • Communications you send us, including enquiries and feedback

2.2 Health Information (Sensitive Information)

Health information is "sensitive information" under the Privacy Act and receives the highest level of protection. We collect health information that is necessary to provide clinical and telehealth services, including:

  • Medical history, current and past diagnoses, and presenting symptoms
  • Current and past medications and supplements
  • Allergies and adverse drug reactions
  • Family medical history where clinically relevant
  • Height, weight, body measurements, and vital signs (where provided)
  • Reproductive health and sexual health information (where clinically relevant)
  • Lifestyle factors including diet, exercise, alcohol use, and smoking status
  • Mental health information (where clinically relevant)
  • Pathology results, imaging results, and other investigation outcomes
  • Prescriptions issued, medications dispensed, and treatment plans
  • Clinical notes from telehealth consultations
  • Information you provide in our online health assessment questionnaire

2.3 Government Identifiers

We may collect Medicare numbers and Individual Healthcare Identifiers (IHI) where necessary to process Medicare benefits or use e-prescribing systems. We will not use government identifiers for any purpose other than those permitted by the Privacy Act and applicable law.

2.4 Information from Third Parties

With your consent, we may receive health information from your treating practitioner(s), specialists, pharmacies, or pathology providers. We may also receive referral information from other healthcare providers.

Section 3

How We Collect Your Information

We collect your personal and health information in the following ways:

  • Online assessment form: When you complete our online health assessment or registration form on our Website
  • Telehealth consultations: During real-time video or telephone consultations with our practitioners
  • Account creation: When you create a patient account on our platform
  • Correspondence: When you contact us by email, phone, or through our Website
  • Payments: When you make payments for our services
  • From third parties: From other healthcare providers with your consent, from pathology laboratories, or from pharmacies involved in your care
  • Website technology: Automatically from your browser when you visit our Website (see Section 13 — Cookies)

Where practicable, we collect your information directly from you. We will only collect health information from third parties where you have consented, or in other circumstances permitted by law.

Unsolicited Information: If we receive personal or health information about you that we did not solicit and could not have reasonably collected, we will destroy or de-identify the information as soon as practicable, unless it would be unlawful or unreasonable to do so.

Section 4

Why We Collect Your Information (Purpose)

We collect personal and health information for the following primary purposes:

  • Providing telehealth consultations, clinical assessments, and prescribing services
  • Issuing prescriptions and coordinating dispensing through our pharmacy partners
  • Establishing and maintaining your ongoing patient health record
  • Communicating with you regarding your health, treatment plan, and appointments
  • Processing payments for services
  • Verifying your identity
  • Complying with our legal and regulatory obligations under the Privacy Act 1988, AHPRA requirements, TGA requirements, state health legislation, and other applicable law
  • Communicating with other healthcare providers involved in your care (with your consent)
  • Quality assurance and clinical governance activities (using de-identified information where possible)
  • Responding to your enquiries and complaints

We may also use your non-health personal information for the following secondary purposes where you would reasonably expect:

  • Sending appointment reminders, follow-up care information, and service updates (you may opt out at any time)
  • Improving our services and Website
  • Statistical and research purposes using de-identified information

We will not use your health information for any secondary purpose without your express consent unless otherwise required or permitted by law.

Section 5

Use and Disclosure of Your Information

We will only use or disclose your personal information and health information for the primary purpose for which it was collected, or for a directly related secondary purpose, or where you have consented, or where otherwise required or permitted by law.

Legal Bases for Use and Disclosure Without Consent — we may use or disclose your information without your consent in the following circumstances:

  • Mandatory reporting: Where we are required by law to report information to a government authority. This includes mandatory reporting of suspected child abuse or neglect to state child protection authorities (see Section 16 for state-specific obligations). This obligation overrides confidentiality.
  • Public interest: Where the use or disclosure is necessary to lessen or prevent a serious threat to an individual's life, health, safety, or to public health and safety, and where it is unreasonable or impracticable to obtain consent
  • Legal proceedings: Where required or authorised by law, a court order, or tribunal
  • Law enforcement: Where reasonably necessary for law enforcement activities
  • Audit and quality assurance: Limited de-identified use for clinical governance

Section 6

Disclosure to Third Parties

We may disclose your personal and health information to the following types of third parties, only to the extent necessary to provide our services or as required by law:

6.1 Healthcare Providers

  • Pharmacies and compounding pharmacies: To dispense prescriptions issued during your consultation. We will only share what is necessary for dispensing.
  • Pathology laboratories: If pathology testing is ordered as part of your care
  • Specialist practitioners and specialists: Where referral is clinically appropriate and with your consent
  • Your usual GP or treating practitioner: In accordance with AHPRA guidelines and good clinical practice, we may communicate your consultation summary, prescriptions, and treatment plan to your usual GP with your consent. We strongly encourage this. If you withhold consent, we will note this in your record, but our practitioners may still consider this clinically appropriate in certain circumstances.
  • Emergency services: If we believe you are at immediate risk of harm, we may contact emergency services or provide information to emergency responders without consent

6.2 Technology and Service Providers

  • Telehealth platform providers: The video/phone consultation platform we use to deliver consultations. These providers operate under data processing agreements requiring them to protect your information.
  • Electronic prescribing systems: Required for issuing valid electronic prescriptions in Australia
  • Cloud storage providers: For secure storage of health records. All data is stored in Australia (see Section 9).
  • Payment processors: For processing payments. Payment processors receive only the minimum information necessary and operate under PCI DSS compliance standards.
  • Practice management software: Used to manage appointments and clinical records

6.3 Regulatory Authorities

We may be required to disclose information to:

  • AHPRA (Australian Health Practitioner Regulation Agency)
  • The Therapeutic Goods Administration (TGA)
  • The Office of the Australian Information Commissioner (OAIC)
  • State and territory health regulators
  • Child protection authorities (where mandatory reporting obligations apply)
  • Law enforcement agencies (where legally required)

6.4 Coroner or Tribunal

We may be required to provide health information to a coroner or tribunal as required by law.

We do not sell your personal information or health information to any third party for any purpose, including advertising or marketing purposes.

Section 7

Overseas Disclosure

We store all personal information and health information in Australia. We do not currently transfer personal information or health information to recipients located overseas.

If circumstances change and overseas disclosure becomes necessary (for example, for a technology service with overseas operations), we will only disclose personal information to overseas recipients where:

  • We have taken reasonable steps to ensure the overseas recipient does not breach the APPs; or
  • You have expressly consented to the overseas disclosure after being informed that APP 8 will not apply; or
  • The disclosure is required or authorised by Australian law

In any case, health information contained in the My Health Records system will never be disclosed to overseas recipients, in compliance with the My Health Records Act 2012.

Section 8

My Health Records

If you are a registered My Health Record participant, we may, as a registered healthcare provider organisation, upload clinical information to your My Health Record, including consultation summaries, prescriptions, and pathology results. We will only do so where clinically appropriate and in accordance with the My Health Records Act 2012 (Cth).

All information uploaded to or accessed from the My Health Records system is:

  • Stored and processed solely in Australia
  • Subject to the privacy framework of the My Health Records Act, which operates alongside (and supplements) the Privacy Act
  • Only accessible to healthcare providers who are registered participants with a legitimate clinical need

You have the right to control access to your My Health Record, including restricting access to certain providers or documents. For more information, visit myhealthrecord.gov.au.

Any breach of My Health Records information will be reported to both the Australian Digital Health Agency (ADHA) and the OAIC, as required by law.

Section 9

Data Security and Storage

We take reasonable steps to protect your personal and health information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • Data storage in Australia: All health records and personal information are stored on servers located within Australia
  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest
  • Access controls: Only authorised personnel who require access to perform their duties can access patient information
  • Authentication: Multi-factor authentication for practitioner and staff access to clinical systems
  • Physical security: Our data centres maintain physical access controls
  • Staff training: All staff receive privacy and data security training
  • Third-party agreements: All service providers who access your data operate under data processing agreements requiring equivalent protection standards
  • Regular reviews: We regularly review and update our security practices

While we take all reasonable steps to protect your information, no internet transmission or storage system can be guaranteed as completely secure. We strongly recommend that you use a secure and private internet connection when accessing our telehealth services.

Section 10

Notifiable Data Breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach — being an unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to affected individuals — we will:

  • Contain the breach and assess its nature and extent as quickly as practicable
  • Notify affected individuals and the OAIC of the breach as soon as practicable after we become aware it is an eligible data breach, and in any event within the timeframes required by the Privacy Act
  • Provide affected individuals with recommendations about the steps they should take in response
  • For breaches involving My Health Records information, additionally notify the Australian Digital Health Agency in accordance with the My Health Records Act 2012

We maintain a written Data Breach Response Plan and conduct practice runs to ensure our response is timely and effective.

Section 11

Retention of Your Information

We retain your health information for the minimum period required by law and our professional obligations. As a general guide:

  • Adults: Health records are retained for a minimum of 7 years from the date of last entry, in accordance with applicable state and territory requirements
  • Children: Health records for patients who are under 18 at the time of treatment are retained until the patient turns 25, or for 7 years from the date of last entry, whichever is longer
  • State-specific requirements: We comply with any longer retention periods required under Victorian, NSW, or other applicable state legislation
  • Financial records: Retained for 7 years in accordance with tax law requirements

After the applicable retention period, health information will be securely destroyed or permanently de-identified in accordance with the APPs and applicable law.

Section 12

Your Rights — Access and Correction

12.1 Right of Access

You have the right to request access to the personal information and health information we hold about you. To make an access request, please contact our Privacy Officer (see Section 19). We will respond to access requests within 30 days. We may charge a reasonable administrative fee for providing access in certain circumstances, but we will inform you of any fee in advance.

We may refuse access in limited circumstances where the Privacy Act, state health privacy legislation, or other law permits us to do so. If we refuse access, we will give you reasons for the refusal and advise you of any available complaint mechanisms.

12.2 Right of Correction

You have the right to request correction of personal information or health information that you believe is inaccurate, incomplete, out of date, irrelevant, or misleading. We will take reasonable steps to correct information or, if we disagree that correction is required, will note your request for correction against the relevant record.

12.3 State-Specific Rights

Patients in Victoria and New South Wales have additional statutory rights of access and correction under the Health Records Act 2001 (Vic) and Health Records and Information Privacy Act 2002 (NSW) respectively. These rights are in addition to your rights under the Privacy Act.

Section 13

Cookies and Website Analytics

Our Website uses cookies and similar technologies to improve your browsing experience and to understand how visitors use our site. Cookies are small files stored on your device.

Types of Cookies We Use

  • Essential cookies: Necessary for the Website to function (session management, security). Cannot be disabled without preventing use of the site.
  • Analytics cookies: Used to understand how visitors interact with our Website (e.g., Google Analytics with IP anonymisation enabled). This information is aggregate and de-identified.
  • Functional cookies: Used to remember your preferences and improve your experience

You can control cookies through your browser settings. Disabling certain cookies may affect Website functionality. We do not use cookies to collect or process health information.

Our Website analytics services do not track your activity across third-party websites, and we do not engage in cross-site tracking for advertising purposes.

Section 14

Telehealth-Specific Privacy Matters

Telehealth consultations involve the transmission of personal and health information over the internet, which carries inherent privacy risks that do not exist in traditional in-person consultations. We take all reasonable steps to minimise these risks, but you should be aware of the following:

  • Platform security: We use encrypted, healthcare-grade telehealth platforms. However, no internet-based communication can be guaranteed completely secure.
  • Your connection: We strongly recommend you use a secure, private internet connection (not public Wi-Fi) for all telehealth consultations.
  • Recording: Consultations may only be recorded with the express consent of all parties. You will be informed in advance if a consultation is to be recorded, and you have the right to refuse. Any recordings are stored securely in Australia.
  • Third parties: You should ensure you are in a private location during consultations, as we cannot control who may overhear conversations at your end.
  • Technical issues: If a connection failure occurs during a consultation, we will take steps to reconnect or continue by an alternative means. Any technical issue will be documented in your clinical record.
  • Data minimisation: We only collect the minimum health information necessary for each consultation.

Section 15

Children's Privacy

Our services are not directed to persons under 18 years of age. We do not knowingly collect personal or health information from persons under 18 without the involvement and consent of a parent or guardian. If you are a parent or guardian and believe we have inadvertently collected information about a person under 18 without appropriate consent, please contact our Privacy Officer immediately and we will promptly address the matter.

Section 16

State-Specific Provisions

16.1 Victoria — Health Records Act 2001

Patients who are located in or primarily receive services in Victoria have additional rights under the Health Records Act 2001 (Vic), which applies a stricter Health Privacy Principles (HPPs) framework. Victorian patients may also access the Health Complaints Commissioner (HCC) in relation to privacy concerns about health services, in addition to the OAIC.

16.2 New South Wales — Health Records and Information Privacy Act 2002

Patients in NSW are protected by the Health Records and Information Privacy Act 2002 (NSW), which contains 15 Health Privacy Principles. NSW patients may access the NSW Privacy Commissioner in relation to health privacy complaints, in addition to the OAIC.

16.3 All States and Territories — Mandatory Reporting

Regardless of the state or territory in which you reside, our practitioners are subject to mandatory reporting obligations under applicable child protection legislation. This means that where a practitioner has reasonable grounds to suspect that a child (a person under 18) is at risk of, or is experiencing, abuse or neglect, they are required by law to report that information to the relevant child protection authority. This obligation overrides confidentiality.

The relevant authorities by state include:

  • NSW: Department of Communities and Justice — Child Protection Helpline: 132 111
  • VIC: Department of Families, Fairness and Housing — Child Protection: 13 12 78
  • QLD: Department of Children, Youth Justice and Multicultural Affairs: 1800 811 810
  • SA: Department for Child Protection: 13 14 78
  • WA: Department of Communities: 1800 273 889
  • TAS: Department for Education, Children and Young People: 1800 000 123
  • ACT: Child and Youth Protection Services: 1300 556 728
  • NT: Territory Families, Housing and Communities: 1800 700 250

16.4 Applicable State Poison and Medicines Legislation

Our practitioners comply with the relevant state and territory Poisons and Therapeutics Goods Acts in each jurisdiction. Where required, information about prescriptions issued may be provided to state regulatory authorities as part of mandatory prescription monitoring programs.

Section 17

Complaints

If you believe we have breached this Privacy Policy or the Australian Privacy Principles, you have the right to make a complaint. We take all privacy complaints seriously and will investigate and respond promptly.

Step 1 — Contact Us First

Please contact our Privacy Officer in the first instance (see Section 19). We aim to acknowledge your complaint within 5 business days and provide a substantive response within 30 days.

Step 2 — External Complaints

If you are not satisfied with our response, you may escalate your complaint to:

  • Office of the Australian Information Commissioner (OAIC): oaic.gov.au | 1300 363 992
  • Victorian patients — Health Complaints Commissioner: hcc.vic.gov.au | 1300 582 113
  • NSW patients — NSW Privacy Commissioner: ipc.nsw.gov.au | 1800 472 679
  • Health service quality complaints: Your state or territory Health Complaints Commissioner or Health Ombudsman

Section 18

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance. When we update this Policy, we will:

  • Update the "Effective" date at the top of this page
  • Post the updated Policy on our Website
  • Where changes are material, notify existing patients by email

We encourage you to review this Policy periodically. Continued use of our services after a change to this Policy constitutes acceptance of the revised Policy.

Section 19

Contact Us

For all privacy enquiries, access and correction requests, and complaints, please contact our Privacy Officer:

Privacy Officer — Enhanced Wellbeing

Enhanced Wellbeing Pty Ltd

ABN: [INSERT ABN]

Email: privacy@enhancedwellbeing.com.au

Postal Address: [INSERT POSTAL ADDRESS], Australia

Phone: [INSERT PHONE NUMBER]

Response time: We aim to acknowledge all privacy enquiries within 5 business days and provide a substantive response within 30 days.


© 2026 Enhanced Wellbeing Pty Ltd  ·  ABN: [INSERT ABN]
Australian online telehealth clinic. All consultations conducted by AHPRA-registered practitioners.
This website is not a substitute for professional medical advice. If you are experiencing a medical emergency, call 000 immediately.