Privacy policy

Healthengine Limited (ACN 138 767 021) and its related bodies corporate (Healthengine, we or us) is committed to protecting the privacy of your personal information. We take our responsibility for handling sensitive personal information seriously and we have put measures in place to maintain the integrity of personal information and provide full transparency on conduct. We are bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth) (Privacy Act) about how we handle your personal information.

This Privacy Policy sets out how and why Healthengine collects, stores, uses and discloses your personal information, and how to contact us if you have any questions about how we handle your personal information or would like to access the personal information we hold about you.

Healthengine provides a range of services that are primarily offered through our website and associated bookings mobile applications (Healthengine Network) or through our customers’ websites and mobile applications (Health Professional Network) and include:

  • a booking system for appointments with health professionals, including but not limited to general practitioners, dentists, allied health professionals, telehealth providers and pharmacies (health professionals);
  • digital forms to assist with the registration of patients booking appointments with health professionals and/or provision of health-related services;
  • a secure video conferencing solution to facilitate telehealth consultations between you and health professionals;
  • a pre-vaccination screening service to facilitate the administration of vaccinations;
  • an online prescription service, to request repeat prescriptions from health professionals;
  • form based and form assisted digital medical consultations to request medical certificates and prescriptions from health professionals;
  • a prescription fulfilment and medication delivery service delivered in partnership with Medication Pty Ltd t/as Evermed Pty Ltd (Evermed);
  • a place for patients to store and access relevant health details, records, prescriptions and referrals;
  • a task manager whereby patients can store, access and manage to do list activity;
  • an online directory of health professionals and practices; and
  • referral services to assist you in connecting with providers of other products and services which may be of interest to you.

Healthengine also offers a range of services through related entities, including website design and online resources.

We are constantly evolving our services, and new services may be offered from time to time.

1. What information does Healthengine collect?

The personal information we collect depends on which of our services you use and the information you choose to provide.

When you use our services, you may choose to provide to Healthengine, and we may collect personal information such as:

  • your name;
  • your date of birth;
  • your contact details (e.g. address, email address, phone number);
  • your gender and/or birth sex;
  • your marital status;
  • occupation;
  • cultural background;
  • your emergency contact details;
  • your next of kin details;
  • advance health directive;
  • the type of appointment you are requesting;
  • the reason you are seeking that type of appointment;
  • health information as defined under the Privacy Act which includes but is not limited to information about your health, illness or disability, a health service you have had or will receive, your medical records and your medications;
  • billing information including MBS item numbers and rebates;
  • additional information requested by your Health Professional including information they consider necessary to facilitate the provision of health appointments or health-related services;
  • records of any interactions or communications you have with a Health Professional through the Healthengine Network;
  • prescription tokens;
  • notes, records and images you provide relating to your health appointments;
  • health interests;
  • to do list activity;
  • information about your private health insurance fund, including your membership number;
  • your Medicare, Pension, Health Care Card and Veteran Affairs number and details;
  • your photograph or image;
  • financial information;
  • transaction information;
  • information you provide to us when you contact us with questions or to assist you to troubleshoot, whether by phone, online, by email or using our AI chatbot, and the information you receive in response;
  • de-identified technical data such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Healthengine Network; and
  • web analytics data which we may collect directly or use third-party analytics tools, to help us measure traffic and usage trends for our products and services. These tools collect information sent by your browser or mobile device, including the pages you visit and other information that assists us in improving our products and services. We collect and use this analytics information in aggregate form such that it cannot reasonably be manipulated to identify any particular individual user.

2. How does Healthengine collect your personal information?

Usually, we collect personal information directly from you. However, in some cases, we will collect it from third parties. There are a range of ways that we collect your personal information, and technologies we use, including through online forms, our booking system, our mobile app, by telephone, email or when you engage with our AI chatbot. These are outlined below.

When you use the Healthengine Network

If you choose to use the Healthengine Network for obtaining health related services from telehealth providers, we may collect personal information including health information from you which is reasonably required to deliver this service. You should review the privacy policy for that telehealth provider for information on how the telehealth provider will collect, hold, use and disclose your personal information.

When you use our booking services

Where you book an appointment or complete a form based or form-assisted digital medical consultation with a health professional (including telehealth providers), we may collect information about your symptoms, prescriptions, relevant medical history, conditions and other health information you may provide when using the service. Your personal information will be disclosed to that health professional for the purpose of them providing you with health services.

If you choose to use our booking system for appointments with medical specialists, we may collect information from you as provided by your referring health professional regarding your treatment such as copies of referral letters which may include relevant medical history, symptoms, investigation results, medication and management, and other health information.

When you use our digital forms

If you choose to use our digital forms or online pre-vaccination screening service, we may collect information about your health, billing information (including MBS item numbers and rebates), and other information you may provide when using these services for the purposes of facilitating your health appointment or the administration of your health appointment or vaccination, as appropriate.

When you use our online prescription service

If you choose to use our online prescription service, we may collect information about your prescriptions, symptoms, treating health professional and other information you may provide when using the service.

If you request to access your prescription through the Healthengine mobile application, Healthengine will collect and disclose your prescription token to its mobile intermediary, Oexa Pty Ltd, for the purposes of enabling you to manage your prescription through the Healthengine mobile application.

Healthengine’s third party mobile intermediary, Oexa Pty Ltd, discloses the prescription token to the prescribing system and prescription exchanges operated by eRx Script Exchange Pty Ltd and Medication Knowledge Pty Ltd to enable you to access and manage your prescription medicines and repeats through the Healthengine mobile application.

If you request prescription fulfilment and medication delivery services through the Healthengine Network, we will collect and disclose your prescription token to our partner, Evermed, for the purposes of facilitating the prescription fulfilment and medication delivery service. Evermed will collect your personal and sensitive information for the purposes of connecting you with pharmacies for the purchase and delivery of your medication. You should review Evermed’s privacy policy for information on how Evermed will collect, hold, use and disclose your personal information.

When you request third party services

If you request the services of a third party service provider through the Healthengine Network, we may collect your personal information for the purpose of facilitating the provision of the third party services you have requested such as payment processing or referral services.

When you use our AI chatbot

If you choose to engage with us using our AI chatbot, we will collect your personal information in the form of your questions, comments and the information you receive in response through that system.

When you apply to work with us

If you are applying for employment with us, we will collect information about you for recruitment purposes (including possible future recruitment opportunities) and human resources activities. Information collected may include but not be limited to your occupation, qualifications, citizenship, information contained in your resume, medical or health related information, employee records and other human resources personal information. We may also conduct and collect psychometric, technical skills or behavioural analysis type assessments.

When you use our online directory

If you are a health professional using our online directory, we will collect information about you and your practice (for the online directory).

If you are a referring health practitioner, we may collect information about you and your practice such as name, contact details, provider number and information relevant to providing services to referred patients.

Collecting from third parties

We may also collect your personal information from third parties, such as:

  • family members, legal guardian/s and/or a person you have authorised to provide your personal information to us;
  • health professionals and their practices (often via their practice management software systems), in relation to the management of appointments you have made, your requested health services, and the associated fees (including MBS item numbers and rebates);
  • prescribing system and prescription exchanges operated by eRx Script Exchange Pty Ltd and Medication Knowledge Pty Ltd to access your prescription details or when fulfilling prescription medicines and repeats with your prescription though the Network; and
  • platforms such as Facebook, Google and Apple with your consent for the purposes of logging in or creating a Healthengine account, and to enable this, we will collect your name and e-mail from these services for this purpose.

Cookies and other technology

We use cookies and similar technologies (such as web beacons and proprietary measurement software) on the Healthengine Network to analyse trends, administer our services, diagnose problems, improve the quality of our products and services, track users’ movements around the Healthengine Network, and to gather demographic information about our user base as a whole.

A cookie is a small text file that the Healthengine Network may place on your device to store information. We may use persistent cookies (which remain on your computer even after you close your browser) to store information that may speed up your use of the Healthengine Network for any of your future visits to the Healthengine Network. We may also use session cookies (which no longer remain after you end your browsing session) to help manage the display and presentation of information on the Healthengine Network. You may refuse to use cookies, web beacons or some of the proprietary measurement software features by selecting the appropriate settings on your browser or the settings section of your mobile or tablet device. However, please note that if you do this, you may not be able to use the full functionality of the Healthengine Network.

Social network platforms

Healthengine uses social networking services such as Facebook, Twitter and Instagram to communicate with the public about its activities. Healthengine may collect your personal information when you communicate with us by using these social networking services, and the social networking services will also handle your personal information for their own activities. These social networking sites have their own privacy policies.

Data analytics

Healthengine uses both internally built survey software and third party vendors for the collection, aggregation and analysis of some survey data (such as Alchemer). The information you provide is stored in a secure data warehouse in either Australia or the United States and is accessed by Healthengine in accordance with a third party vendor’s privacy policy. If you do not want your personal information being stored offshore, you can decline to provide this information by not responding to these surveys.

Your choices

You do not have to use our services, and you may choose which of our services you wish to use. Some of our services, such as our online directory of health professionals and practices, do not require you to provide us with personal information. However, the majority of our services do, and when you use such services, we require you to provide accurate details and do not permit you to use a pseudonym or remain anonymous. For some services, certain information is designated as mandatory (which is required to use the service) and some is optional (which you may choose not to provide, but your failure to provide that information may limit your use of the service). If you do not provide personal information to Healthengine that is designated as mandatory, we will be unable to provide you with that service.

3. Why does Healthengine collect and use your personal information?

The primary reason Healthengine uses your personal information is to provide the services you have elected to receive.

Health Professional Networks: Healthengine may also collect and use your personal and sensitive information if you interact with Health Professional Networks that have incorporated Healthengine technology in the course of the health professional providing health services to you.

Where Healthengine has collected personal and sensitive information through the Health Professional Network that incorporate Healthengine’s technology, it will:

  • handle your personal and sensitive information in accordance with Healthengine’s privacy commitments as outlined in our agreements with such health professionals (Health Professional Agreement);
  • disclose your personal and sensitive information to the relevant health professional (or their affiliates and service providers), and will not otherwise have effective control or use your personal and sensitive information as detailed below unless permitted under the Health Professional Agreement;
  • seek assurances from health professionals that use our services that they will handle information in accordance with applicable laws, but we have no control over and are not responsible for any health professional’s use of information (including information used by their affiliates and service providers) for which it has effective control.

The protections that apply to such personal information will be described in the individual privacy policies of those health professionals, and not in this Privacy Policy. To learn more about the privacy and data security practices of those health professionals, you should read the respective health professional’s privacy policy carefully.

Subject to above in relation to Health Professional Networks that utilise Healthengine’s technology, Healthengine may use your personal information:

  • to contact you about your use of the Healthengine Network;
  • to facilitate communications between you and health professionals and their practices such as to remind you of an upcoming appointment, to confirm a booking, to request feedback, to complete a digital form, to facilitate online requests for health services (including but not limited to medical certificates, prescriptions and referrals) or participate in a survey or questionnaire;
  • to access your prescription from the prescribing system and prescription exchange or facilitate prescription fulfilment and medication delivery services using your prescription;
  • if you decide to create a personal profile on the Network, we will store that information securely on the Network for the purpose of making your future interactions with Healthengine more convenient and personalised;
  • on a de-identified basis for analysis, research and quality assurance purposes;
  • for referral services, to facilitate communications between you and certain service providers (e.g., for private health insurance comparison services, providers of audiology services, providers of prescription fulfilment and medication delivery services, and providers of cosmetic or major dental services);
  • to answer your questions and troubleshoot any issues relating to our products and services;
  • when you have provided prior agreement, for communicating with you about our products and services and those of third parties or about general or health information which you have indicated or we believe may be of interest to you. You will be able to stop receiving these communications at any time by:
  • to promote and drive engagement with our products and services, including the use of targeted online advertising;
  • to send push notifications to your mobile device. You can use the settings on your mobile device to enable or turn off mobile push notifications from Healthengine;
  • to pre-fill certain forms;
  • for human resources activities including but not limited to recruitment purposes and possible future recruitment opportunities;
  • to report to health professionals and their practices about the use and functionality of our services, including associated financial benefits;
  • for de-identified data analytics to help us improve our service and products, and our users’ experience, including by monitoring aggregate metrics such as total number of visitors, traffic, and demographic patterns;
  • for security measures to implement access controls, monitor activity that we think is suspicious or potentially fraudulent, and to identify violations of this Privacy Policy or our Terms of Use;
  • for payment processing; and
  • for other purposes that are notified to you at the time we collect your information, which you give your consent to, or which are authorised or required by law.

4. Who does Healthengine disclose personal information to?

Health professionals

When you use the Healthengine Network for booking appointments with health professionals, requesting form based or form assisted digital medical consultations, or completing digital forms which assist with the registration of patients and/or the provision of health-related services, we will disclose your personal information to the health professionals that you have selected and their practices for the purpose of arranging such appointments, facilitating the request for online provision of health services or provision of other health related services. Each health professional has to comply with applicable privacy laws with regards to their use of your personal information. However, we have no control over, and are not responsible for how the health professional uses your information. To learn more about how a health professional may use your information, you should review their privacy policy.

If you are a health professional using our online directory, we will make the information you provide publicly available including on the Healthengine Network. We may also make the information you provide available to Healthdirect for inclusion in the National Health Services Directory. Healthdirect will make the information publicly available on the Healthdirect website and mobile applications. Healthdirect’s privacy policy can be found athttps://www.healthdirect.gov.au/privacy-policy.

Service providers

Healthengine may disclose your personal information to service providers, including software service providers. Some of these software services allow us to advise you of certain services and benefits available to you, facilitate the provision of products and services to you or provide you with functionality associated with the Healthengine Network. We require our third party service providers to agree to appropriate privacy restrictions, and only permit them to access personal information to the extent needed to provide goods or services to us.

Our third party service providers include:

  • IT and software service providers such as First Focus IT;
  • practice management software vendors such as Best Practice Software Pty Ltd, Health Communication Network Pty Limited trading as MedicalDirector, Centaur Software Development Co Pty Ltd and Software of Excellence Australia;
  • our provider of AI chatbot software, Intercom Inc;
  • providers of research services;
  • payment processing service providers such as Stripe Australia Pty Ltd and Tyro Payments Ltd;
  • our professional advisers such as lawyers and auditors;
  • our mobile intermediary, Oexa Pty Ltd, for the purposes of enabling you to manage your prescription through the Healthengine app;
  • eRx Script Exchange Pty Ltd, Medication Knowledge Pty Ltd to access your prescription details or when fulfilling prescription medicines and repeats with your prescription though the Network;
  • MedAdvisor International, a provider of digital medication management solutions;
  • our provider of an AI Revenue Intelligence Platform, Gong.io Inc; and
  • Braze Inc to provide marketing of our products and services, but only for the purpose of providing goods or services to us.

We may also disclose de-identified information of our users to third parties that collect and process data for analysis, research and quality assurance purposes, such as:

  • third parties who provide data analytics (such as Google Analytics and Hotjar) to help us improve our service and products, and our users’ experience, including by monitoring aggregate metrics such as total number of visitors, traffic, and demographic patterns;
  • third party security entities to prevent various types of data processing abuse attempts and block suspicious behaviour (such as Google reCAPTCHA); and
  • third party service providers to manage our advertising on other websites.

Our ad network providers use cookies and web beacons to collect information about your activities on the Healthengine Network to serve you with advertisements regarding our products and services, and to help determine the effectiveness of our promotional or advertising campaigns. This type of online, targeted advertising — known as “retargeting” — is used to re-engage consumers who previously visited the Healthengine Network. The website www.youronlinechoices.com.au allows you to opt-out of some online behavioural advertising and provides further information about how online behavioural advertising works. Please note this does not opt you out of being served advertising. You will continue to receive generic ads.

Other third parties

Healthengine may also disclose your personal information to other persons, such as:

  • its related bodies corporate for business purposes, which will be required to to comply with the terms of this Privacy Policy regarding use of your information;
  • upon your request, to your representatives and/or providers of other services and products which may be of interest to you, such as private health insurance companies and comparison services, providers of finance credit for cosmetic, medical and dental procedures (including major dental and cosmetic dental service providers), providers of audiology services, and providers of prescription fulfilment and medication delivery services;
  • courts, tribunals, regulatory authorities and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights; and
  • other persons notified to you at the time we collect your personal information, who you give your consent to, or to whom we are authorised or required by law to make such disclosure.

Overseas disclosures

Some third party service providers used by Healthengine may store your personal information on servers located overseas, including the US. However, they must also meet our requirements for privacy and data security.

5. Data quality and security

Healthengine takes reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete, relevant and up-to-date.

Healthengine takes reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. Healthengine implements security measures including:

  • physical security such as security procedures for access to our business premises; and
  • IT security procedures including password protection, network firewalls, encryption, intrusion detection and site monitoring.

We store your personal information on secure servers located in Australia in an encrypted, electronic format.

Before disclosing personal information to an entity or person located overseas, Healthengine takes steps to ensure that the recipients of such information do not breach the APPs in relation to the information, by including relevant contractual provisions.

We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or for legal purposes.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

6. Access to, deletion of and correction of your personal information

You have a right to request:

  • access to your personal information;
  • that your personal information be deleted or de-identified; or
  • that we correct inaccuracies relating to your information.

In some circumstances, we may not be able to comply with a request that you make in respect of your personal information. For example, we may be required to retain certain information that you ask us to delete for various reasons, such as where there is a legal requirement to do so. Where these reasons to refuse a request in respect of your personal information exist, we will advise you of those reasons at the time you make your request.

If we do agree to your request for the deletion of your personal information, we will delete your data but will generally assume that you would prefer us to keep a note of your name on a register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

If you request that your personal information is changed, and if Healthengine does not agree to change your personal information, we will enclose your statement of the requested changes with your personal information.

If you would like to obtain access to, delete or request changes to your personal information you can ask our Privacy Officer (details below).

Healthengine can charge a reasonable fee for the time and cost of collating, preparing, and photocopying material for you if you request access to your personal information.

Where we have obtained your consent to handle your personal information, or consent to send you information, you may withdraw your consent at any time and we will cease to carry out the particular activity that you previously consented to, unless we consider that there is an alternative reason to justify our continued handling of your personal information for this purpose, in which case we will inform you of this condition.

Where Healthengine provides services directly to health professionals, this may involve Healthengine receiving and handling information separately on behalf of the health professional, for the purpose of providing those services. In these circumstances, Healthengine will return, retain or destroy any personal information that we have collected in delivering our services to a health professional in accordance with our end user terms and conditions that we agree with that health professional and/or the Health Professional Agreement.

7. Complaints

If you have questions about this Privacy Policy, if Healthengine does not agree to provide you with access to your personal information; or if you have a complaint about our information handling practices, you can contact our Privacy Officer on the details below.

In particular, if you wish to make a complaint about how we have handled your personal information, you should forward a written complaint to our Privacy Officer.

We will respond in writing within 30 days of receipt of a complaint. If you are not satisfied with our decision, you can contact us to discuss your concerns.

If the complaint remains unresolved, you have the option of notifying the Office of the Australian Information Commissioner (OAIC). Contact details can be found at OAIC's website:www.oaic.gov.au.

8. How to contact us