Privacy Policy
HealthMate Co Pty Ltd (ACN 691 309 663)
Last updated: June 2026
1. About this Policy
This Privacy Policy of HEALTHMATE CO PTY LTD ACN 691 309 663 (us, we, our) sets out how we treat the Personal Information that we collect, use and disclose and our procedures regarding the handling of Personal Information, including the collection, use, disclosure and storage of information, as well as the right of individuals to access and correct that information. We operate the application and website called Health Mate, which includes the website with domain name https://healthmate.co (Platform/Application).
From time to time, we may revise or update this Privacy Policy or our information handling practices. If we do so, the revised Privacy Policy will be published on the Platform at www.healthmate.co/privacy.
We may collect Personal Information in order to conduct our business, to provide and market our services and to meet our legal obligations. By using the Platform or our services, or by providing any Personal Information to us, you consent to the collection, use and disclosure of your Personal Information as set out in this Privacy Policy.
2. Responsibility
The Platform/Application is responsible for the secure operation of the digital health marketplace, including the platform, AI tools, payment systems, practitioner verification, baseline clinical governance, and compliance with the Privacy Act.
Practitioners (being health practitioners or other practitioners who use the Platform to provide health services) remain independently responsible for all clinical decision-making, clinical records (including AI-assisted content they approve), compliance with AHPRA and applicable health records laws, prescribing obligations, professional indemnity insurance, mandatory reporting obligations, and the security of devices used to access the Platform.
Clinic partners are responsible for ensuring that their personnel comply with all applicable privacy and health records laws. Clinic partners must also manage and remove user access as required.
3. The types of information
The Privacy Act 1988 (Cth) (Privacy Act) defines types of information, including Personal Information and Sensitive Information.
(a) Personal Information
Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. If the information does not disclose your identity or enable your identity to be ascertained, it will in most cases not be classified as Personal Information and will not be subject to this Privacy Policy.
(b) Sensitive Information
Sensitive Information is defined in the Privacy Act as including information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.
Sensitive Information will be used by us only for the primary purpose for which it was obtained, for a secondary purpose that is directly related to the primary purpose, and with your explicit consent or where its collection, use or disclosure is required or authorised by law.
4. Personal and Sensitive Information we collect and hold
The types of Personal Information we may collect and hold includes (but is not limited to):
- your name, address, contact telephone number and other contact details such as your email address;
- government and funder identifiers, clinical and consultation records, AI-generated clinical documentation, wearable device data;
- payment information (such as credit card or bank details);
- professional, compliance, billing and platform usage information from practitioners, including AHPRA registration details, qualifications, provider numbers, insurance information and clinical governance data;
- other personal information required to provide our services in specific cases; and
- details of your use of our products or services.
The types of Sensitive Information we may collect and hold includes (but is not limited to) your health and medical information, including but not limited to health and wellbeing information, medical diagnoses, medical conditions and any additional information related to health and wellbeing.
You are not obliged to provide Personal Information or Sensitive Information to us. However, in many cases, if you do not provide us with the necessary information, we may not be able to supply the relevant functionality of the Platform or our services effectively.
In some circumstances, you may provide to us, and we may collect from you, Personal Information or Sensitive Information about a third party. Where you provide such information of a third party, you must ensure that the third party is aware of this Privacy Policy, understands it and agrees to accept it.
If you are providing us with Personal or Sensitive Information on behalf of a person who is under the age of 18 (Dependent) that you are the parent, guardian or authorised healthcare decision-maker/health attorney (Substitute Decision Maker) of, you understand that you are consenting to this Privacy Policy on their behalf as their legal guardian and will need to create an account for the Dependent that is linked to your account. Practitioners must assess the decision making capacity of a Dependent, in compliance with all relevant laws and professional standards. The medical decision making rights of a Dependent held by their Substitute Decision Maker will automatically transition to the Dependent at 9:00 AM on the day that they turn 18 years old, unless the Practitioner reasonably believes that the Dependent lacks the required decision making capacity.
If it is necessary to provide specific services to you, we may collect Sensitive Information about you. However, we will only collect Sensitive Information from you if you agree to provide it to us, you authorise us to obtain it from a third party or where the collection of the information is required or authorised by or under an Australian law or a Court/Tribunal order or otherwise where the collection is not prohibited under Australian law.
5. How we collect and hold information
We collect Personal Information and Sensitive Information in the following ways:
- when you fill in and submit to us a signed interest form;
- when you submit information through the Platform (such as when you send us a message or fill out an online form) or provide it to us in any other way;
- in person, for example, when you engage with our employees, contractors, facilitators, agents, or customer service representatives; and
- in the course of providing services to you.
While we limit the collection of Sensitive Information to what is necessary for our services, we do collect Sensitive Information as outlined above, particularly concerning your health and medical conditions. When we collect Sensitive Information, we will always comply strictly with the Privacy Act and obtain your explicit consent unless otherwise permitted or required by law.
6. Automated systems and Artificial Intelligence (AI) tools
We use automated systems and AI tools to support functions such as practitioner matching, search result ranking, content recommendations, reminders, initial triage prompts, fraud detection and the preparation of draft clinical documentation. These systems use the categories of Personal Information described in this Privacy Policy (excluding tokenised payment card information) and may assist with recommendations, content ranking, and transaction monitoring, but do not make clinical diagnoses, prescribe treatment, or replace the professional judgment of a Practitioner.
We do not rely solely on automated systems or AI tools to make decisions that could reasonably be expected to significantly affect an individual's rights or interests. All clinically significant decisions are made by a registered Practitioner, not by an AI tool. AI-generated content provided to a Practitioner is identified as such and must be reviewed and approved by the Practitioner before it is included in a clinical record or shared with a client or third party. Any significant operational decision, including account suspension or booking refusal, also involves human review.
Our AI Scribe is an AI-assisted clinical documentation tool that records and transcribes consultations and generates draft clinical notes for Practitioner review and approval. AI Scribe is used only with your express or standing consent, includes clear recording indicators and the ability to stop recording at any time, and does not replace the Practitioner's professional responsibility for the clinical record. Audio recordings are deleted after transcription and any applicable retention period, unless retention is required by law, and de-identified AI Scribe data may be used to train foundation models.
Where consent is required, we seek it separately through an affirmative action and you may withdraw consent at any time, subject to our ability to continue providing services. You may also provide ongoing or standing consent for recurring activities such as AI-assisted clinical documentation, funded care claims processing and secure information sharing between Practitioners involved in your care. Standing consent may be reviewed, varied or withdrawn at any time and operates prospectively only.
If you require further information about an automated decision or wish to request human review where you consider your rights or interests have been significantly affected, you may contact our Privacy Officer.
7. Collection of Personal Information through activity (Cookies)
Information that may identify you as a user may be gathered during your access to the Platform. The Platform may include pages that use cookies. A cookie is a unique identification number that allows the server to identify and interact more effectively with your computer or device. The cookie assists us in identifying what our users find interesting on the Platform.
A cookie may be allocated each time you use the Platform. The cookie does not identify you as an individual in our data collection process; however, it does identify your internet service provider. You can configure your access to the Platform to refuse cookies. If you do so, you may not be able to use all or part of the Platform.
8. Purposes for which we collect, hold, use and disclose information
We collect, hold, use and disclose Personal Information and Sensitive Information for a variety of business purposes including:
- to provide the products or services you have requested from us;
- to provide health services or as otherwise permitted by law;
- to share your Sensitive Information with activity providers solely for health or safety purposes, under confidentiality obligations;
- to improve our business, products and services;
- to promote and market our business and services to you;
- to handle and respond to your enquiries, complaints or concerns; and
- to provide information to third parties as set out in this Privacy Policy, only where necessary, with appropriate safeguards and your consent where required by law.
We use your information only for the purpose for which it was collected, or a related purpose you would reasonably expect. Otherwise, we will ask for consent or rely on another APP exception.
Where services delivered through the Platform are funded or claimed under a government, compensation or insurance programme, we may collect, use and disclose Personal Information as required to verify eligibility, process claims, coordinate care and comply with applicable legal, regulatory and programme requirements. This may include disclosures to government agencies, insurers, plan managers, support coordinators, employers, case managers and treating teams where authorised or required by law.
Additional rules apply to programmes including the NDIS, aged care, Medicare, DVA, workers compensation and transport accident schemes, private health insurance and employer assistance programmes. We will only disclose clinical information to an employer in connection with an employer assistance programme where permitted by programme rules and with your express consent.
9. Direct marketing
We also collect, hold, use and disclose your Personal Information to:
- notify you about the details of new services and products offered by us;
- send you our newsletters and other marketing publications;
- administer our databases for client or patient service, marketing and financial accounting purposes; and
- comply with our legal requirements regarding the collection and retention of information concerning the products and services that we provide.
All marketing emails and SMS messages include an unsubscribe facility. By using the Platform, you consent to the receipt of direct marketing material. If you do not wish to disclose your Personal Information for the purpose of direct marketing or you would like to opt-out of receiving direct marketing communications, you can do so by contacting us using the contact details set out below, or by following the instructions to unsubscribe which are contained in a communication that you receive from us.
We may use your Personal Information (but never Sensitive Information) to contact you about our services, updates, and promotions.
10. Third party service providers
We may disclose your Personal Information, and where reasonably necessary for the provision of health services or as required by law, Sensitive Information to third parties who work with us in our business to promote, market or improve the services that we provide, including:
- specialists for expert assistance with diagnosing or treating your health issue;
- providers of customer relations management database services and marketing database services;
- marketing consultants, promotion companies and website hosts;
- partnered businesses;
- linked service providers; and
- consultants and professional advisers.
We use third-party payment service providers to process transactions securely. These providers may collect and store your payment details in accordance with their own privacy policies.
We may also combine your Personal Information with information available from other sources, including the entities mentioned above, to help us provide better services to you.
Where we do share information with third parties, we require that there are contracts in place that only allow use and disclosure of Personal Information to provide the service and that protect your Personal Information and Sensitive Information in accordance with Australian law. Otherwise, we will disclose information to others if you have given us permission, or if the disclosure relates to the main purpose for which we collected the information, and you would reasonably expect us to do so.
11. How we store, hold and protect your information
We store Personal Information and Sensitive Information in computer storage facilities and paper-based files in Australia on secure AWS infrastructure, with backups and disaster recovery systems also maintained there. We implement reasonable technical and organisational measures in accordance with APP 11 to protect Personal Information from misuse, interference and loss, and from unauthorised access, modification or disclosure, including encryption, access controls, multi-factor authentication, network security monitoring, incident response procedures, vendor oversight, staff training and data minimisation practices.
We have implemented internal processes, security controls and Practitioner conduct standards to reduce the risk of any conduct that may amount to a serious invasion of privacy. All Practitioners, clinic partners and our personnel must comply with legal requirements when collecting, using, disclosing or handling Personal Information or Sensitive Information via the Platform.
Examples of the steps we take to protect your information include:
- ensuring there are suitable password protection measures and access privileges in place to monitor and control access to our IT systems;
- imposing restrictions on physical access to paper files;
- requiring any third parties engaged by us to provide appropriate assurances to handle your information in a manner consistent with Australian law; and
- taking reasonable steps to destroy or de-identify information after we no longer need it for our business or to comply with the law.
We store, process, and retain your information only for as long as we need it for the purposes described in this Privacy Policy. We retain Personal Information for the periods required by applicable law, including health, taxation, funded care and workers compensation obligations.
The Australian Privacy Principles (APP) permit you to obtain access to the Personal Information or Sensitive Information we hold about you in certain circumstances (APP 12) and allow you to correct inaccurate information subject to certain exceptions (APP 13). Where you would like to obtain such access, please contact us in writing on the contact details set out below.
12. Data breach response
We maintain a written data breach response plan that complies with the Privacy Act and applicable health information laws. Where we have reasonable grounds to suspect that an eligible data breach may have occurred, we will promptly contain and investigate the incident, take reasonable steps to mitigate harm and preserve evidence, and carry out an assessment in a reasonable and expeditious manner and, where required by law, within 30 days.
If we become aware of reasonable grounds to believe an eligible data breach has occurred, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, in line with the Privacy Act. If direct notification is not practicable, we will publish a notification. We will keep records of the incident, our assessment, and our response, and take reasonable steps to prevent a recurrence.
If a breach involves health information, healthcare identifiers, or My Health Record information, we will comply with all notification, reporting, and other obligations required by relevant federal and state or territory health records legislation.
13. Cross-border disclosure
We generally store Personal Information in Australia but may disclose it to overseas service providers or Practitioners providing telehealth services from outside Australia. Before disclosing Personal Information to an overseas recipient, we will comply with APP 8 by taking reasonable steps in the circumstances to ensure the recipient does not breach the APPs in relation to the information, unless an exception under APP 8.2 applies, including where you have provided informed consent to the disclosure or the disclosure is required or authorised by law.
Where we rely on your consent to an overseas disclosure, you acknowledge and agree that APP 8.1 will not apply and that we will not be accountable under section 16C of the Privacy Act for the overseas recipient's handling of the Personal Information.
14. Access and correction requests
You may request access to your Personal Information or Sensitive Information under the Privacy Act, or request deletion of your Personal Information or Sensitive Information in accordance with our data retention policies. You can make such a request by contacting us using the contact details set out in this Privacy Policy.
We will respond to any such request for access as soon as reasonably practicable. Where access is to be given, we will provide you with a copy or details of your information in the manner requested by you where it is reasonable and practicable to do so.
We will not charge you a fee for making a request to access your information. However, we may charge you a reasonable fee for giving you access to your information. We may refuse access to your requested information, or provide only partial access, where required by law, including where information must be retained for clinical, legal or regulatory reasons. If access is refused, we will provide a written statement of reasons unless it is unreasonable to do so.
We will take such steps (if any) as are reasonable in the circumstances to make sure that the information we collect, use or disclose is accurate, complete, up to date and relevant for the purpose of its use or disclosure. If you believe the information we hold about you is inaccurate, irrelevant, out of date or incomplete, you can ask us to update or correct it.
15. How to contact us or make a complaint
If you have any questions about this Privacy Policy, if you wish to correct or update information we hold about you or if you wish to request access or correction of your Personal Information or make a complaint about a breach by us of our privacy obligations, please contact:
- Attention: Privacy Officer, HealthMate Co Pty Ltd
- Suite 309, Level 4, 54 Wellington Street, Collingwood VIC 3066
- Email: privacy@healthmate.co
- Telephone: 0435 362 282
We will acknowledge and investigate any complaint about the way we manage information as soon as practicable. We will take reasonable steps to remedy any failure to comply with our privacy obligations. If we agree that your complaint is well founded, we will, in consultation with you, take appropriate steps to rectify the problem.
If you remain dissatisfied with the outcome, you may refer the matter to the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au.
Complaints relating to the conduct of a Practitioner may be made to the relevant state or territory health complaints entity. Complaints concerning the professional conduct of a registered health practitioner may also be made to the Australian Health Practitioner Regulation Agency (AHPRA).
Questions or complaints
HealthMate Co Pty Ltd
ACN 691 309 663
Suite 309, Level 4, 54 Wellington Street
Collingwood VIC 3066
