Privacy Policy
Last updated: 2026-04-23
This policy explains how eMedical Platform Pty Ltd (“eMedical Platform”, “we”, “our”) collects, uses and protects personal information. For data your clinic controls about patients (Protected Health Information), see also our Data Processing Addendum.
1. Who we are
eMedical Platform is a practice-management platform for independent clinics. We are headquartered in Australia and operated by eMedical Platform Pty Ltd (ABN [ABN — pending registration]). You can contact our privacy team at privacy@emedicalplatform.com.
When you use eMedical Platform as a clinic employee, your clinic is the “controller” of patient data. We act as the “processor”. When you visit our marketing website or enquire about eMedical Platform, we act as the controller of your data under this policy.
2. What we collect
2.1 From visitors to our website
- Email address and any details you enter into contact or waitlist forms.
- Minimal server logs: IP address, user agent, referrer, request path.
- Product-analytics events (page views, button clicks) with identifiers hashed.
2.2 From clinic staff using the product
- Account details: name, work email, role, hashed password, multi-factor authentication factors.
- Audit metadata: IP, user agent, and a record of actions taken in the product.
- Billing details for the clinic subscription (processed by Stripe).
2.3 Patient data (PHI) handled on behalf of your clinic
We process patient records, appointment details, clinical notes, invoices, payments and communications strictly on your clinic’s instructions. We do not sell, mine or train models on patient data. Handling of this data is governed by our Data Processing Addendum and, where applicable, a Business Associate Agreement.
3. Why we process it
- To provide, secure and improve the service.
- To bill clinics and comply with tax/accounting obligations.
- To respond to enquiries and support requests.
- To detect abuse, fraud and unauthorised access.
- To comply with legal obligations (court orders, regulatory requests).
Our legal bases (GDPR): contractual necessity, legitimate interests (security, service improvement), consent (marketing email), and legal obligation.
4. Subprocessors
We use a small set of vendors to operate the service. Each is bound by a written agreement that requires equivalent protections, and — where we process PHI — a Business Associate Agreement.
| Vendor | Purpose | Data region |
|---|---|---|
| AWS / Neon (Postgres) | Primary database | Region of your clinic |
| AWS S3 | File storage (encrypted) | Region of your clinic |
| Stripe | Subscription + patient billing | US / EU / AU |
| Postmark / Paubox | Transactional email | US |
| Twilio | SMS delivery (BAA) | US / EU |
| Plesk-managed servers | Application hosting | Region of your clinic |
| Sentry | Error monitoring (PII scrubbed) | US / EU |
We publish material changes to this list at least 30 days before they take effect. Email privacy@emedicalplatform.com to subscribe to subprocessor notifications.
5. Retention
- Marketing form submissions: deleted 24 months after last contact, or on request.
- Product audit logs: 6 years (or longer where required by your jurisdiction).
- Backups: 35 days, overwritten on rotation.
- On termination of a clinic subscription we retain data for 60 days to enable export, then permanently delete within a further 30 days unless legal hold applies.
6. Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Row-level tenant isolation is enforced in the database. We apply least-privilege access, mandatory MFA for staff, and annual training. See our Security overview for detail.
7. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, Australian Privacy Act) you have rights to access, correct, delete, restrict, port, and object to processing of your personal information. Email privacy@emedicalplatform.com and we will respond within 30 days.
Patients with questions about their health records should contact their clinic directly — the clinic, not eMedical Platform, is the controller of that data.
8. International transfers
We store data in the region you select (AU/NZ, EU, or US). Where data must leave that region (e.g., limited support access) we rely on Standard Contractual Clauses or equivalent safeguards.
9. Children
The eMedical Platform product is not offered to children directly. Clinics may lawfully store records about minors under parental or guardian consent in the ordinary course of care.
10. Changes
We will post any material changes to this policy on this page and, where we have your email, notify you at least 30 days before they take effect.
11. Contact
Privacy team: privacy@emedicalplatform.com
Data Protection Officer: dpo@emedicalplatform.com
Post: eMedical Platform Pty Ltd, [registered office address — pending], Australia