Last Updated: 12 November 2025
1. Introduction
HealthTech.Systems ("we", "us", or "our") is committed to protecting the privacy of our clients, users, and partners. This Privacy Policy explains how we collect, use, store, and disclose personal information in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), and, where applicable, state and territory health records legislation including the Health Records Act 2001 (Vic), Health Records and Information Privacy Act 2002 (NSW), and Health Records (Privacy and Access) Act 1997 (ACT).
We operate an online software platform and related services designed for health and wellness professionals. Protecting your information and maintaining trust are central to our business.
IMPORTANT: This Privacy Policy contains critical information about overseas data storage that affects how your information (and your clients' information) is handled. Please read it carefully.
2. Our Commitment to Privacy
We handle personal and, in some cases, health information responsibly and transparently. HealthTech.Systems has internal policies and data-protection practices to ensure compliance with the APPs and applicable state and territory privacy obligations.
However, as explained in detail below, our platform operates on third-party infrastructure that stores data overseas. This creates important considerations for health practitioners using our services.
3. What Information We Collect
3.1 We may collect the following categories of information:
- Personal information: name, business name, contact details (email, phone, address), and demographic data.
- Business and payment information: billing details, subscription preferences, and transaction history.
- Technical data: login credentials, IP address, device identifiers, browser type, and platform usage analytics.
- Client data (uploaded by users): information about your clients that you enter into the HealthTech.Systems platform (e.g. contact details, appointment history, notes, forms, or communications).
- Sensitive information: when users manage health-related data through our platform, this constitutes "health information" and "sensitive information" under Australian privacy law.
3.2 Health Information - Important Notice for Health Practitioners
If you are a health practitioner or wellness professional using our platform to provide health services, you will be collecting and storing health information about your clients.
Under Australian privacy law, health information is classified as "sensitive information" and receives the highest level of privacy protection.
Health information includes:
- Information about a person's physical or mental health or disability
- Health assessments, treatment plans, and clinical notes
- Information about health services provided to a person
- Genetic information about an individual
- Body samples that could be linked to an identifiable person
- Any other personal information collected in providing a health service, including:
  - Names, contact details, dates of birth
  - Appointment dates and times
  - Billing information and Medicare numbers
  - Email or other correspondence about a client's health
  - Health questionnaires and intake forms
  - Dietary information, lifestyle assessments, wellness plans
Under the Privacy Act 1988 (Cth), you (as the health practitioner) are the data controller responsible for your clients' health information. HealthTech.Systems acts as a data processor, providing the platform infrastructure.
Because data is stored overseas (see Section 6 below), you must:
✓ Obtain express consent from your clients to collect their health information
✓ Inform your clients that their health information will be stored overseas (including in the United States)
✓ Obtain specific consent for overseas storage and processing of their health information
✓ Maintain your own privacy policy and provide privacy collection notices to your clients
✓ Ensure you comply with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles
✓ Comply with any applicable state or territory health privacy legislation (Health Records Act 2001 (Vic), Health Records and Information Privacy Act 2002 (NSW), Health Records (Privacy and Access) Act 1997 (ACT))
✓ Comply with any professional body codes of conduct or practice standards
You remain legally responsible for compliance with all applicable privacy and health information laws, regardless of the platform you use.
HealthTech.Systems provides technology infrastructure only and does not provide legal or compliance advice. You should seek independent legal advice about your specific obligations.
4. How We Collect Information
We collect information when you:
- Register or subscribe to our platform
- Participate in training, support sessions, or marketing activities
- Communicate with us by email, phone, chat, or social media
- Visit our website or use our applications (cookies and analytics may be used)
- Upload or enter client information into the platform
We may also collect information indirectly from integrated systems (e.g. Stripe, Google Workspace, Mailgun, Twilio, or other connected tools) when you authorise those connections.
5. Purpose of Collection
We collect, hold, and use personal information to:
- Provide, operate, and improve the HealthTech.Systems platform and services
- Communicate with you about your account, support, and product updates
- Process payments, subscriptions, and contracts
- Ensure security and integrity of our systems
- Meet legal and regulatory obligations
- (With consent) send marketing communications about new features, training, or events
- Conduct aggregated, de-identified analytics to improve performance and user experience
We will only collect and use sensitive or health information for the primary purpose for which it was provided or a directly related secondary purpose that you would reasonably expect, or as otherwise permitted by law.
6. Information Security and Storage
HealthTech.Systems operates on the GoHighLevel (GHL) platform, which is provided by a United States-based company. GHL stores data on cloud infrastructure (primarily Amazon Web Services) in geographically dispersed locations globally, including in the United States and potentially other countries.
We cannot guarantee that your data, or data about your clients that you upload to the platform, will be stored exclusively within Australia. Data is likely to be stored, processed, and backed up on servers located overseas, including in the United States.
This means that, when personal information (including health information) is disclosed to overseas recipients, it may not receive the same level of protection as it would under Australian privacy law.
Specific risks include:
- Data stored overseas may be subject to foreign laws, including government access provisions
- Overseas providers are not directly subject to Australian privacy law
- Enforcement of Australian privacy rights may be more difficult
- We may have limited practical ability to control how overseas providers handle data day-to-day
- In the event of a data breach by an overseas provider, notification and remediation may be more complex
Our Security Measures
We implement and require the following security measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for user accounts
- Restricted access controls and role-based permissions
- Regular security reviews and monitoring
- Audit logging of system access
- Secure backup procedures
- Regular security updates and patches
These measures are implemented by GHL and monitored by our team. However, no online service can guarantee absolute security, and the overseas storage of data creates additional risks beyond our direct control.
BY USING THE PLATFORM, YOU ACKNOWLEDGE AND CONSENT TO YOUR INFORMATION (AND YOUR CLIENTS' INFORMATION) BEING STORED AND PROCESSED OVERSEAS, INCLUDING IN THE UNITED STATES.
If you are a health practitioner, you must also obtain this consent from your clients before uploading their information to our platform.
7. Disclosure of Information
We may disclose personal information to:
- Service providers who support our operations, including:
  - GoHighLevel (GHL) - platform infrastructure (United States)
  - Amazon Web Services (AWS) - cloud hosting (global infrastructure)
  - Stripe - payment processing
  - Mailgun - email delivery services
  - Twilio/LeadConnector - SMS and voice services
  - Google Workspace - business operations
  - Analytics and support tools
- Professional advisers (e.g. accountants, lawyers) under confidentiality agreements
- As required by law, regulation, court order, or government authority
- With your consent, to third-party integrations you enable (e.g. email marketing tools, calendar apps, social media platforms)
7.1 Cross-Border Disclosure and Your Rights (APP 8 Compliance)
Under Australian Privacy Principle 8 (APP 8), when we disclose personal information to overseas recipients (such as our platform provider GHL), we remain accountable for any breach of the Australian Privacy Principles by those recipients.
Reasonable steps we take include:
✓ Executing data processing agreements with overseas providers
✓ Requiring contractual commitments to security standards
✓ Regular review of provider security and compliance practices
✓ Encryption and access controls
✓ Maintaining records of overseas disclosures
✓ Monitoring for security incidents and breaches
However, you should understand that:
⚠ Once information is stored overseas, it may be subject to foreign laws, including government access provisions
⚠ The overseas provider may not be directly subject to Australian privacy law in practice
⚠ Enforcement of Australian privacy rights against overseas entities may be difficult
⚠ We have limited practical ability to monitor or control the day-to-day handling of data by overseas infrastructure providers
Your Legal Rights:
If GHL or another overseas provider breaches the Australian Privacy Principles in handling your information, we may be held accountable under Australian law.
You retain all rights to:
- Make a complaint to the Office of the Australian Information Commissioner (OAIC)
- Seek access to and correction of your information
- Pursue other remedies available under Australian law
8. Marketing Communications
With your consent, we may use your contact details to send information about new features, events, or special offers.
You may opt out at any time by:
- Using the unsubscribe link in our emails
- Contacting us directly at [email protected]
- Updating your preferences in your account settings
We do not sell or rent your personal information to third parties for their marketing purposes.
9. Access and Correction
You have the right to request access to, or correction of, the personal information we hold about you.
To make a request:
- Email us at [email protected]
- Provide sufficient detail to identify the information you're requesting
- We will respond within 30 days
We will provide access or make corrections unless:
- Providing access would be unlawful or unreasonably impact another person's privacy
- The request is frivolous or vexatious
- Denying access is required or authorized by law
- Legal proceedings are underway
If we refuse access or correction, we will provide you with written reasons and information about how to make a complaint.
Your clients may request access to or correction of their information. As the data controller, it is your responsibility to respond to these requests. We can assist you in retrieving data from the platform but you must handle the client relationship and legal response.
10. Website Usage and Cookies
Our website uses cookies and analytics tools (such as Google Analytics) to improve functionality and measure engagement.
Cookies are used for:
- Essential site functionality (login, session management)
- Analytics and performance monitoring
- Understanding user preferences and behavior
Cookies can be disabled in your browser settings, though this may affect site functionality. We do not use cookies to collect sensitive health information directly.
11. Data Retention
11.1 We retain personal information only as long as necessary for business, legal, or regulatory purposes.
Retention periods:
- Active accounts: Data retained while your subscription is active plus 30 days after cancellation
- Financial records: 7 years (Australian tax law requirements)
- Legal matters: Until resolution plus any required retention period
- Marketing data: Until you unsubscribe or request deletion
When information is no longer required, it is securely destroyed or de-identified in accordance with our data retention policy and applicable legal requirements.
Note: Deleted data may persist in backups for up to 90 days before being permanently purged.
11.2 Notifiable Data Breaches
Under the Privacy Act 1988 (Cth), we are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if we experience an "eligible data breach" - that is, a breach that is likely to result in serious harm to individuals.
If we become aware of a data breach affecting your information, we will:
- Assess the breach within 30 days to determine if it is an eligible data breach
- Notify the OAIC within 72 hours if the breach is eligible
- Notify affected individuals as soon as practicable, providing a description of the breach, the type of information involved, recommendations for steps you can take to protect yourself, and our contact details for further information
- Take remedial action to contain and mitigate the breach
- Conduct a post-incident review to prevent recurrence
If you become aware of any of the following, you must notify us immediately at [email protected]:
- Unauthorized access to your account
- Suspected compromise of your login credentials
- Potential data breach or security incident
IMPORTANT: If you experience a data breach involving your clients' information stored on our platform, YOU may have independent obligations to notify the OAIC and your affected clients under the Notifiable Data Breaches scheme.
As the data controller, you are responsible for:
- Assessing whether the breach is eligible
- Making required notifications to the OAIC
- Notifying your affected clients
- Taking remedial action
We can assist with investigating the breach and retrieving relevant information, but you remain responsible for your own notification obligations under the Privacy Act.
If you believe there has been a breach of your clients' data, contact us immediately and also seek independent legal advice about your notification obligations.
12. Managing Client Data
As a HealthTech.Systems subscriber, you remain the data controller of any client records you store within our platform. We act as a data processor, managing that data on your behalf under our Terms of Service.
You are responsible for ensuring that your own collection and use of client information complies with:
✓ The Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles
✓ Applicable state and territory health records legislation
✓ Professional body codes of conduct and practice standards
✓ Any other applicable laws and regulations
Your Specific Obligations Include:
CONSENT:
- Obtaining express consent to collect health information
- Explaining overseas data storage to clients
- Obtaining consent for overseas disclosure of health information
- Documenting all consents appropriately
TRANSPARENCY:
- Maintaining your own privacy policy
- Providing privacy collection notices at point of collection
- Explaining how you use and store client information
DATA QUALITY:
- Ensuring information is accurate and up-to-date
- Correcting information when requested
- Only collecting information reasonably necessary
SECURITY:
- Using strong passwords and multi-factor authentication
- Not sharing login credentials
- Monitoring for unauthorized access
- Reporting security concerns immediately
ACCESS & CORRECTION:
- Responding to client requests for access to their information
- Making corrections when requested
- Maintaining records of requests and responses
DATA BREACH NOTIFICATION:
- Understanding your obligations under the Notifiable Data Breaches scheme
- Having procedures to detect and respond to breaches
- Notifying the OAIC and affected clients when required
HealthTech.Systems provides technology infrastructure to help you manage your practice efficiently. We do not provide legal or compliance advice.
If you are unsure about your privacy obligations, you should:
- Consult the OAIC website: www.oaic.gov.au
- Seek independent legal advice
- Contact your professional association or regulatory body
- Consider engaging a privacy consultant
13. Complaints and Feedback
If you have concerns about how your personal information has been handled, please contact us first:
Email: [email protected]
Address: PO Box 495, Port Melbourne VIC 3207
Website: www.healthtech.systems
We take privacy complaints seriously and will:
- Acknowledge your complaint within 7 days
- Investigate the matter thoroughly
- Respond with our findings and proposed resolution within 30 days
- Take corrective action if warranted
If You're Not Satisfied
If you are unsatisfied with our response, you may contact:
Office of the Australian Information Commissioner (OAIC)
Address: GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Email: [email protected]
Website: www.oaic.gov.au
The OAIC can investigate privacy complaints and has various powers including making determinations and ordering corrective action.
You may also have rights under Australian Consumer Law or other applicable legislation.
14. Children's Privacy
The HealthTech.Systems platform is designed for business use by adults (18 years and over). We do not knowingly collect personal information from children under 18 without appropriate parental consent.
If you are a health practitioner treating minors, you are responsible for obtaining appropriate consent from parents or guardians before collecting and storing information about minors on our platform.
15. Policy Updates
We may update this Privacy Policy from time to time to reflect:
- Changes in law or regulation
- Changes to our operations or platform
- Changes to third-party services we use
- Improvements to our privacy practices
The latest version will always be available at www.healthtech.systems/privacy-policy
Material changes will be notified by:
- Email to your registered email address
- In-platform notification upon login
- Notice period of at least 30 days before changes take effect (where practicable)
Your continued use of the platform after changes take effect constitutes acceptance of the updated Privacy Policy.
We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your information.
16. International Users
HealthTech.Systems is designed for and directed at users within Australia. Our Privacy Policy and practices are designed to comply with Australian privacy law.
If you access our platform from outside Australia, you acknowledge that:
- Your information will be transferred to and processed in Australia and overseas (including the United States)
- Australian privacy law will govern our handling of your information
- You may have rights under your local privacy laws that differ from Australian law
17. Definitions
Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Health Information: Information or an opinion about the health or a disability of an individual; information about health services provided or to be provided to an individual; or other personal information collected in connection with providing a health service.
Sensitive Information: Includes health information, genetic information, and other special categories defined in the Privacy Act 1988 (Cth).
Data Controller: The entity that determines the purposes and means of processing personal information (typically, you as the health practitioner for your client data).
Data Processor: The entity that processes personal information on behalf of the data controller (HealthTech.Systems in relation to client data you store on our platform).
18. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
Email: [email protected]
Postal Address: PO Box 495, Port Melbourne VIC 3207
Website: www.healthtech.systems
For data breach notifications or urgent security matters: Email [email protected] with "URGENT - SECURITY" in the subject line.
For OAIC enquiries: If the OAIC contacts you regarding our privacy practices, please forward any correspondence to us immediately.