Privacy Policy (Australia)
Version 4.0 · Last updated: 5 December 2025
Introduction
This Privacy Policy outlines the commitment of Heron Health Limited (we, us, or our) to safeguarding Personal Information provided to us by our customers (you or your) and ensuring that all data processing activities are conducted in strict compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Scope
This Privacy Policy applies to all Personal Information collected, used and disclosed through Heron, our cloud-based patient booking and inquiry software system, and any related services, products, or other engagements that we have with you.
Where we process Personal Information on behalf of healthcare providers using Heron, those providers remain primarily responsible for ensuring appropriate notices and consents are obtained from their patients in accordance with applicable privacy laws.
Important Notice: Not a System of Record
Heron is a communication and booking interface, not a clinical System of Record (SoR). While Heron may capture and temporarily store health information (such as call transcripts or summaries), you are solely responsible for ensuring that any relevant health information is transferred to and maintained in your own System of Record (such as your Patient Management System) in accordance with your legal obligations. Heron does not accept responsibility for your regulatory compliance obligations, including but not limited to health record retention requirements.
Collection Notices (APP 5)
Healthcare providers using Heron are responsible for providing their patients with collection notices in accordance with APP 5, including informing patients about the identity of the collecting entity, the purposes of collection, and any third parties to whom information may be disclosed. Heron supports this obligation by making this Privacy Policy publicly available.
Information We Collect
We collect Personal Information about you and your customers when you sign up as a user of Heron and use Heron and our related services. The types of information we may collect include:
- Account Data: personal details reasonably necessary for system setup, user authentication, and service provision, including your name (for account identification and communication), email address (for account access, authentication, and service communications), phone number (for account security and support), physical address (for billing and regulatory compliance), and payment information (for subscription billing and transaction processing). Optional information includes profile picture and business information, which you may provide to enhance your user experience but are not required for basic service functionality.
- Customer Data: information reasonably necessary for appointment booking, patient identification, and service delivery through Heron. Mandatory information includes full name, date of birth, and phone number (required for all appointment bookings and patient identification). Additional information may include contact details, demographic information, medical identification numbers (where required by clinic systems), appointment histories (retained for 90 days for operational continuity), health insurance information (where requested by participating clinics), and information relating to health conditions or medical history (where required by clinics for appointment purposes). Health information is “sensitive information” under the Privacy Act 1988 and is collected on the basis of consent obtained by the healthcare provider from their patients. By using Heron, you warrant that you have obtained all necessary patient consents for us to collect and process health information on your behalf. Please note that conversation transcripts - a core product feature enabling front desk staff to review AI agent interactions - may capture additional personal or health information that patients voluntarily disclose during conversations, including details beyond what is specifically requested for appointments.
- Usage Data: information reasonably necessary for service delivery and operational continuity, retained for up to 90 days from each interaction. This includes call transcriptions and call summaries (automatically generated for all interactions to enable clinic staff to review and access information from patient-AI agent conversations - essential for basic service operation), web chat communications (between patients and AI agents or support teams for service delivery), and voluntary feedback or ratings provided by patients on their interactions. Real-time call audio for quality assurance is collected only where clinics opt in to voice recording features as described in section 4 below.
- Voice Recordings (optional): audio recordings of telephone calls placed through the Heron telephony module when your clinic chooses to enable call recording. Recordings may capture patient identifiers and clinical information. We record calls only where lawful consent is obtained in accordance with s 7 & s 7 B of the Telecommunications (Interception and Access) Act 1979 (Cth) and any applicable State/Territory Surveillance Devices Act.
- Technical Data: information automatically collected and retained for up to 9 months after the user becomes inactive that is reasonably necessary for service delivery, security, and technical support. Essential technical data includes device type and browser information (for compatibility and troubleshooting purposes), browser version (for technical support and compatibility assessment), operating system information (for technical support and system compatibility), screen resolution (for interface optimization and technical support), and IP address (for security protection, system integrations, and geographic routing). Application analytics data (for understanding user behavior and service improvement) is collected for enhancement purposes and may be disabled in your account settings if preferred.
- Cookies: Heron uses cookies and similar technologies as reasonably necessary for secure, functional services and improving user experience. Types of cookies we use include:
  - session cookies for managing user sessions;
  - persistent cookies for remembering user preferences; and
  - third-party cookies for tracking and analytics and other purposes.
Essential cookies collect minimal information necessary for service functionality, while analytics cookies collect additional data such as IP addresses, browser types, device information, and browsing activity. You have full control over cookie preferences through your account settings and browser settings, and can opt out of non-essential cookies at any time without affecting core service functionality.
Use of Information
We process, use, collect, and retain your data in a manner that complies with applicable laws and regulatory requirements:
- Provision of Services: We collect and use your data, including data inputted into Heron relating to your customers, to operate Heron and deliver our services, and support your account. This collection and use is reasonably necessary for us to provide our services under the Terms of Service (APP 6.1) and to support healthcare provider obligations under applicable health records legislation.
- Quality assurance: we may review voice recordings for quality assurance purposes only and do not use the audio to train any AI models or for any other secondary purposes.
- Service Improvement: We collect and use your data to identify bugs, improve features, and enhance the overall user experience of Heron. This use is reasonably necessary for our functions and activities, specifically the ongoing improvement and maintenance of our services (APP 6.1). Information relating to your customers is only used for service improvement in aggregate or de-identified form to protect patient privacy.
- Communication: We may use your contact information to send service updates, gather feedback, and inform you about changes or new features. Service communications are reasonably necessary for service delivery, while marketing communications require your consent (which you can withdraw by opting out at any time).
- Security: Technical data is processed to maintain the security and integrity of our systems. This use is reasonably necessary for our functions and activities, specifically protecting our services, users, and your data from security threats, fraud, and unauthorised access (APP 6.1).
- Artificial Intelligence (AI): Heron leverages AI to enrich your experience, boost operational efficiency and to offer advanced functionalities. We do not currently collect or use any data from you or your customers for the purposes of training any AI models. Should we consider any changes to this approach in the future to align with evolving industry standards or technological developments, we will provide you with reasonable advance notice and an opportunity to provide feedback before implementing any such changes. Any future modifications to our AI data use practices would be subject to updated privacy disclosures and, where required by law, your explicit consent. For the avoidance of doubt, Heron’s AI functions as a communication and booking tool and does not make clinical decisions or automated decisions that could significantly affect the rights or interests of individuals.
Data Protection
We take data security seriously and have implemented appropriate technical and organisational measures to protect data from misuse, interference, loss, unauthorised access, modification, or disclosure, and to ensure the destruction or de-identification of personal information that is no longer needed, in accordance with APPs 11.1, 11.2, and 11.3. This includes:
- Encryption: All personal and usage data is encrypted to industry standards both in transit and at rest. Any third-party integration keys and secrets will be encrypted before being sent and stored.
- Access Control: Access to data is restricted to authorised personnel involved in the maintenance, development and improvement of Heron. We enforce strict access controls and regularly review permissions.
- Anonymisation: Where possible, we anonymise data to further protect your and your customers' privacy.
- Notifiable Data Breaches: If we experience an eligible data breach under Part IIIC of the Privacy Act 1988 (Cth), we will promptly notify the Office of the Australian Information Commissioner (OAIC) and affected individuals, outlining the steps we have taken to remediate the breach.
Collection Authority
The collection of Personal Information through Heron and our related services is conducted in accordance with the Australian Privacy Principles:
- Account Data: collected because it is reasonably necessary for us to provide our services and manage your account (APP 3.2).
- Customer Data (health information): collected on the basis of consent obtained by the healthcare provider from their patients. Healthcare providers using Heron are responsible for ensuring appropriate patient consents and collection notices are in place.
- Usage Data: collected because it is reasonably necessary for service delivery (APP 3.2), including essential service features such as transcriptions and summaries.
- Technical Data: collected because it is reasonably necessary for system security, technical support, and fraud prevention (APP 3.2).
- Voice Recordings: collected only with consent in accordance with section 7 of the Telecommunications (Interception and Access) Act 1979 (Cth) and applicable State/Territory surveillance legislation.
Where applicable, we will inform you whether the provision of Personal Information is voluntary or mandatory, as well as the possible consequences of failing to provide such data.
Data Retention
- Account Data: We retain invoices, payment records and other corporate financial records only for as long as reasonably necessary for business and operational purposes, which may include account management, financial reporting, and customer support. We regularly review retention needs and will delete or irreversibly de-identify financial data once it is no longer required for these purposes, provided no tax, audit, dispute or other legal hold remains. In any case, we will not retain such records beyond seven (7) years from the end of the financial year in which the transaction occurred, as required by s 286(2) of the Corporations Act 2001 (Cth). You may request earlier deletion at any time, and we will action it as soon as operationally feasible and legally permissible.
- Personal Information: We keep personal information only while it is reasonably necessary for the specific purpose for which it was collected or to meet a legal obligation. We conduct regular reviews of retained data and proactively delete or de-identify personal information when the original collection purpose no longer exists and no legal duty prevents deletion. When that purpose (and any legal hold) ends, we securely delete or de-identify the data as required by APP 11.2; if no legal duty prevents it, we will process your deletion request within a reasonable period, taking into account the complexity of the request and any operational requirements. To the extent that the Personal Information is also Customer Data, paragraph (c) also applies.
- Customer Data (health information): We retain health-related data - such as bookings, clinical notes, transcripts and chat logs, voice recordings - only for as long as reasonably necessary for the provision of our services and to meet your operational needs as a healthcare provider. We conduct regular reviews and will delete or irreversibly de-identify health data when it is no longer required for these purposes. However, we will not retain health information beyond seven (7) years after the last service for adult patients, or until the patient turns twenty-five (25) if they were a minor, reflecting the maximum statutory periods for private-sector providers in NSW, Victoria and the ACT. Once data is no longer needed for operational purposes (and any legal hold ends), we delete or irreversibly de-identify the data unless you instruct us to return it and no statutory obligation prevents us.
Third-Party Services
We do not share Personal Information with third parties except as reasonably necessary to provide our services (such as cloud hosting providers, payment processors, telephony infrastructure, and AI processing tools).
When engaging market-leading technology vendors, we take reasonable steps to ensure your data remains protected. Rather than bespoke contracts, these providers are typically engaged under standard industry Data Processing Agreements (DPAs) or Terms of Service. We conduct due diligence to ensure these standard agreements offer privacy, security, and confidentiality protections that are substantially similar to those required under the APPs.
Our vendor agreements generally include:
- commitments to implement appropriate technical and organisational security measures to protect Personal Information from unauthorised access or loss;
- restrictions on the use of Personal Information for purposes other than providing their specific services to us (for example, our AI and telephony vendors are restricted from using your health data or transcripts to train their own foundational AI models); and
- obligations to notify us in the event of a data breach affecting our systems.
All third-party providers are vetted for security and privacy compliance before engagement and are subject to periodic review to ensure their standard protections remain adequate.
Data Transfers
Where we disclose Personal Information to recipients outside Australia, we ensure compliance with APP 8 through:
- Reasonable steps (APP 8.1): We conduct due diligence on our vendors' standard Data Processing Agreements to ensure they implement robust security safeguards and provide privacy protections that are substantially similar to the Australian Privacy Principles.
- Applicable exceptions (APP 8.2): For routine operational transfers with established global cloud and infrastructure providers, we rely on exceptions such as where we reasonably believe the recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information.
- Risk assessment: We assess each transfer type to determine the most appropriate compliance mechanism based on data sensitivity, purpose, and the recipient's jurisdiction.
For the avoidance of doubt, our primary database and core data storage reside securely within Australia. However, current likely overseas recipients include vendors located in the United States, which we utilise for specific critical infrastructure components. This includes providers for API hosting, telephony services, AI processing (such as real-time speech-to-text and text-to-speech), and payment processing. A complete, current list of our overseas recipients and their locations is available upon request.
Your rights under the Privacy Act 1988 (Cth)
- Access: You have the right under APP 12 to request access to the Personal Information we hold about you and/or your customers. We will provide this information within a reasonable period, taking into account the complexity of your request and any operational requirements, subject to verification of your identity and any applicable legal restrictions. Access may be provided in the format requested where technically feasible.
- Correction: Under APP 13, you can request corrections to any inaccurate, out-of-date, incomplete, irrelevant or misleading information we hold about you or your customers. We will respond to correction requests within a reasonable period and update our records promptly upon verification of the correct information, including notifying relevant third parties where required.
- Deletion: You can request the deletion of your, and your customers', personal data at any time. We will process deletion requests within a reasonable period unless we are legally required or permitted to retain the information, including where: (a) retention is required by law (such as financial records under the Corporations Act 2001 (Cth) or health records under applicable state legislation); (b) the information is subject to a legal hold, court order, or ongoing legal proceedings; (c) deletion would compromise the rights and freedoms of others; or (d) retention is necessary for the establishment, exercise or defence of legal claims. Where we refuse your deletion request, we will provide written reasons specifying the legal basis and information on how to complain to the Office of the Australian Information Commissioner (APP 12.9).
- Complaints: If you believe we have breached your privacy rights, you may lodge a complaint with our Privacy Officer using the contact details below. We will investigate all complaints within a reasonable period and provide a written response outlining our findings and any remedial action taken. If you are not satisfied with our response, you have the right to complain to the Office of the Australian Information Commissioner.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. When we make changes, we will post an updated version on our website www.heyheron.ai. We may also provide additional notice of significant changes through available communication channels where reasonably practicable. Significant changes include alterations to how we collect, use, or share Personal Information. We encourage you to review this Privacy Policy periodically to stay informed of any updates.
Contact Us
The agency collecting and holding your information is:
Heron Health Limited
9 Huron Street, Takapuna, Auckland, 0622, New Zealand
If you have any questions or concerns about this Privacy Policy or your data, please contact our Privacy Officer:
Email: hello@heyheron.ai
Attention: Heron Privacy
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) by calling 1300 363 992 or visiting www.oaic.gov.au.
You may also have additional remedies available under the Privacy Act 1988, including under the statutory tort for serious invasions of privacy.
Last Updated
This Privacy Notice was last updated on 5 December 2025.
Definitions
For the purposes of this Privacy Policy:
"Australian Privacy Principles (APPs)" means the principles set out in Schedule 1 to the Privacy Act 1988 (Cth).
"Customer Data" means any data provided by you or your customers that is entered into, stored in, or processed by Heron, and any data that is based on or derived from this data and provided to you via Heron.
"Internal Privacy Policies" means our internal data policies including in relation to information security, information retention, incident response and recovery.
"Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not, as defined in section 6 of the Privacy Act 1988 (Cth).