Prime Medic Group Pty Ltd (“Prime Medic,” “we,” “our,” or “us”) is committed to protecting the privacy and security of your personal information.
We handle personal and health information in accordance with:
The Privacy Act 1988 (Cth)
The Australian Privacy Principles (APPs)
Any applicable state-based health records laws, including the Health Records and Information Privacy Act 2002 (NSW)
Other relevant privacy and health information laws
This Privacy Policy explains how we collect, use, disclose, store, and protect your information, and how you can access and correct your data.
Personal Information We Collect
We collect personal information directly from you during consultations, through our website and mobile applications, and from third parties where lawful and necessary.
Identifying Information
Name, date of birth, gender, and contact details (email, phone number, and address).
If you are under 18, we require consent from a parent or legal guardian before providing telehealth services, except where permitted by law.
Health Information
Medical history, medications, allergies, clinical notes, consultation records, Medicare number, private health insurance details, concession and health care card numbers, and Department of Veterans’ Affairs (DVA) details.
Technical Data
IP address, browser type, operating system, device identifiers, and general location data.
Payment Information
Credit/debit card details are processed via secure third-party payment gateways—we do not store complete card details.
Cookies & Tracking
Information collected via cookies and similar technologies (see Section 7).
Third-Party Data
Information from healthcare providers, insurers, laboratories, and analytics providers.
Sensitive Information
Information relating to sexual orientation or criminal history, where relevant and lawful to collect for service provision.
Legal Basis for Data Processing
We collect, hold, use, and disclose your personal information based on:
Consent: where you have given permission for a specific purpose.
Service provision: to deliver the healthcare services you request.
Legal obligations: to comply with Australian health, privacy, and record-keeping laws.
Legitimate interests: to improve our services and protect system security, provided
How We Use Your Information
We use your information to:
Provide telehealth consultations, health assessments, and related services.
Manage appointments, process payments, and administer your account.
Communicate with you about services, updates, and patient support.
Improve our website, applications, and service delivery.
Comply with legal, regulatory, and accreditation requirements.
Detect, investigate, and prevent fraud or security threats.
Conduct quality assurance, research, and analytics.
Personalise your experience, including providing relevant health education content.
Ensure licensed healthcare professionals review health-related information on our platform for accuracy.
Undertake policy development, program evaluation, and public health research, using de-identified data unless you have given specific consent.
Disclosure of Personal Information
We may share your personal information with:
Healthcare providers directly involved in your care.
Trusted third-party service providers (e.g., IT support, payment processors, secure hosting providers, analytics services, communication platforms). Some of these providers may be located outside Australia. Where information is transferred overseas, we take reasonable steps to ensure compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Regulatory and government agencies, as required by law.
Professional advisers (e.g., legal or insurance providers) for operational and compliance purposes.
Where possible, we de-identify information before disclosure unless it is necessary for clinical, legal, or regulatory purposes.
Data Security
We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Measures include:
Encryption of data in transit and at rest.
Secure servers with role-based access controls.
Two-factor authentication for staff access.
Data minimisation practices.
Regular security audits, penetration testing, and vulnerability assessments.
Employee training on privacy and data handling.
Breach response protocols in line with the Notifiable Data Breaches Scheme.
Cookies and Tracking Technologies
We use cookies and similar technologies to improve functionality, analyse usage, and personalise content.
Types of cookies:
Essential: Required for basic site functions.
Performance: Collect anonymised usage data.
Functional: Store user preferences.
Targeting/Advertising Cookies (only with your explicit consent): Used to provide general health-related information or service updates, never to track sensitive health conditions.
You can manage cookies via your browser settings. Disabling cookies may impact functionality.
Your Rights
Under the APPs and relevant health privacy laws, you have the right to:
Access your personal information.
Request correction of inaccurate or outdated information.
Request deletion of information when no longer required or legally retained.
Restrict certain processing activities.
Opt out of direct marketing.
Request data portability in applicable formats.
Remain anonymous or use a pseudonym where lawful and practicable.
Complain to the OAIC or the relevant state health privacy authority.
We generally respond to access and correction requests within 30 days.
Data Retention
We keep personal and health information for as long as needed for its intended purpose or as required by law.
Medical records are retained for at least 7 years from the last entry, or until the patient is 25 years old if they were under 18 at the time of the last entry.
When no longer needed, information is securely destroyed or permanently de-identified.
Notifiable Data Breaches
If a data breach is likely to result in serious harm, we will:
Promptly assess the breach.
Notify affected individuals as soon as practicable.
Notify the OAIC in line with the Notifiable Data Breaches Scheme.
We may also notify other relevant regulators where required.
Privacy Impact Assessments
For projects introducing new or significantly altered ways of handling personal information, we conduct Privacy Impact Assessments to:
Identify privacy risks.
Ensure compliance with the APPs and health privacy laws.
Implement measures to mitigate identified risks before launch.
Changes to This Policy
We may update this Privacy Policy to reflect changes in:
Legal or regulatory requirements.
Our services or technology.
Feedback from patients and stakeholders.
We will update the “Effective Date” and, for material changes, notify users via email or prominent notice on our website.
Complaints and Contact Us
If you believe your privacy rights have been breached, you may:
Contact us directly with details of your concern.
Please submit a written complaint to our Privacy Officer, who will investigate and respond within 30 days.
Escalate to the OAIC or the relevant state health privacy regulator if unsatisfied.