Privacy Policy

Wellifiy Privacy Policy

Wellifiy is an integrated health management platform that allows clinicians, health care organisations and patients to manage their care (“Platform”). The Platform is comprised of a patient-facing Patient App and a clinician-facing Clinical Portal.

Wellifiy Pty Ltd (ACN 644 326 125) (“we”, “us” or “our”) and our operation of the Platform is committed to respecting your privacy. This privacy policy sets outs out how we collect, use, process, store, share and disclose your Personal Information on our Platform (“Privacy Policy”). You can view our terms and conditions [www.wellifiy.com/terms-of-use] and contact us at support@wellifiy.com.

In this Privacy Policy, “User”, “you” or “your” means:

  • A clinician who uses the Platform to manage patients (“Clinician”)
  • A health organisation that purchases our Services for Clinicians it engages or employs (“Health Organisation”); and/or
  • A patient who uses the Platform (“Patient”)

We are committed to protecting your privacy and upholding your rights under all relevant privacy laws and regulations. This includes the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth), the General Data Protection Regulation (EU 2016/679) (GDPR), and, where applicable, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States.

We act as a data controller under the GDPR and a Business Associate under HIPAA when handling Protected Health Information (PHI) on behalf of U.S.-based Covered Entities. We take all necessary and reasonable steps to ensure compliance with these Privacy Laws, including implementing administrative, technical, and physical safeguards to protect personal and health information. We operate secure cloud infrastructure with data hosting options in the United States, United Kingdom, and Australia, and we also have procedures in place to address inquiries or complaints relating to our compliance with these Privacy Laws.

By accessing and using our Platform, products and services, you freely and expressly consent to the collection, use, processing, storage and disclosure of Personal Information by us as set out in this Privacy Policy.

1.   Your Information

We will collect Personal Information only by lawful and fair means and not in an unreasonably intrusive way. Generally, we will collect Personal Information directly from you, and only to the extent necessary to provide the Platform and our services to you and to carry out our administrative functions or as required by a relevant Privacy Law.

We will not collect sensitive personal information (as defined under the relevant Privacy Laws) from you. We ask that you do not send us, or do not disclose, any sensitive personally identifiable information (such as information related to racial or ethnic origin, religion or other beliefs, health, criminal background or trade union membership) on or through the Platform or otherwise. If, contrary to this request, you do provide any sensitive personal information, in doing so you consent to us collecting and handling that information in accordance with this Privacy Policy.

If you use a pseudonym when dealing with us or you do not provide identifiable information to us, we may not be able to provide you with any or all of our services as requested. If you wish to remain anonymous when you use our Platform, do not sign into it or provide any information that might identify you.

We require individuals to provide accurate, up to date and complete Personal Information at the time it is collected.

2.   Personal information

We collect personal information from Clinician and Health Organisations who use the Platform.

“Personal information” is information or an opinion about an individual whose identity is apparent, or can be reasonably ascertained, from that information or opinion (whether true or not, and whether recorded in a material form or not).

  • Full name
  • Work email address
  • Telephone number
  • Work address
  • Registration number
  • Provider number
  • Any additional information relating to you that you provide to us directly through our website or indirectly through your use of our website or online presence or through other websites or accounts from which you permit us to collect information
  • Details of the products and services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and services and respond to your enquiries
  • Information you provide to us through customer surveys
  • Billing information
  • Details of any specialist practice, qualifications and industry body memberships relevant to the Clinician or Health Organisation
  • Any other personal information may be required in order to facilitate your dealings with us

3.   Health Information

We collect the health information of Patients who use the Platform.

“Health information” means:

  • Information or an opinion about:
  • The health, including an illness, disability or injury, (at any time) of an individual
  • An individual’s expressed wishes about the future provision of health services to him or her
  • A health service provided, or to be provided, to an individual;
  • Other personal information collected to provide, or in providing a health service to an individual. This includes personal details such as a patient’s name, address, admission and discharge dates, billing information and Medicare number, as well as information entered by Patients via the Patient App including that Patient’s mood ratings, sleep records, daily journals, psychological assessment responses and results; and
  • Genetic information about an individual in a form that is, or could be, predictive of the health of that individual or a genetic relative of the individual.

The types of health information we may seek to collect in relation to Patients are:

  • Full name
  • Date of birth
  • Medicare number
  • Health fund details
  • Medical history and details of any current illness, injury or condition of the Patient
  • Health services to be provided
  • Primary and secondary diagnoses
  • Details of any consultations or referrals
  • Social and background history
  • List of current medications
  • Patient-provided information
  • Other information that the Clinician, Health Organisation or Patient deems relevant.

4.   Collection

Personal Information

We will collect personal information only by full and fair means and not in an unreasonably intrusive way.  Generally, we collect personal information directly from Clinicians and Health Organisations, and only to the extent necessary to provide our products and services, to carry out our administrative functions, and as required by law.

We may also collect personal information from you when you fill in an application form, communicate with us, visit our website, provide us with feedback, complete online surveys or participate in competitions.

Health information

We will collect health information on the registration of a new Patient via the Platform.

5.   What is our legal basis?

Under the GDPR, we must have a legal basis to process Personal Information collected from individuals residing in the European Union. We rely on several legal bases to process your Personal Information, including:

  • Where it is necessary to provide you with access to, and use of, products, services and websites;
  • For our legitimate interests to provide, operate and improve our products, services or Platform;
  • Where you have freely and expressly consented to the processing of your Personal Information by us, which you may withdraw at any time; or
  • Where we are under a legal obligation to process your Personal Information.

6.   How your information is used

Clinician and Health Organisations

We use and disclose the personal information of Clinician and Health Organisations for the purposes for which the information is collected, or for a directly related purpose, including (but not limited to):

  • Providing our Platform, products and services to you;
  • Verifying your identity and place of work
  • Administering, protecting, improving or optimising our website, products and services law (including performing data analytics, conducting research and for advertising and marketing purposes);
  • Billing users for our products and services;
  • Informing you  about our website, products, services, rewards, surveys, contests, or other promotional activities or events sponsored or managed by us or our business partners;
  • Responding to any inquiries or comments that you submit to us;
  • Any other purpose you have consented to; and
  • Any use which is required or authorised by law.

We may disclose the personal information of Clinicians and Health Organisations to:

  • Other Clinicians or Health Organisations who are providing or receiving a referral in respect of a Patient;
  • Third-parties we ordinarily engage from time to time to perform functions on our behalf for the above purposes;
  • Any person or entity to whom you have consented to us disclosing your personal information to;
  • Our external business advisors, auditors, lawyers, insurers and financiers where necessary; and

Any person or entity to whom we are required or authorised to disclose your personal information to in accordance with the law.
We do not sell or share personal information with third party marketers.

Patients

We will disclose the health information of a Patient only as directed by the Clinician or Health Organisation providing health services to that Patient, in accordance with the express consent of that Patient, or as required to do so in accordance with the law.

7.   Direct Marketing

Clinicians and Health Organisations

Where we:

  • Have your express consent (which you may withdraw at any time by contacting us in writing at support@wellifiy.com);
  • Have a legal basis; or
  • Are otherwise permitted by relevant Privacy Laws,

We may use and process your Personal Information to send you information about products and services we believe are suited to you and your interests or we may invite you to attend special events.

At any time, you may opt out of receiving direct marketing communications from us. Unless you opt out, your consent to receive direct marketing communications from us and to the handling of your Personal Information as detailed above will continue. You can opt out by following the unsubscribe instructions included in the relevant marketing communication, or by contacting us in writing at support@wellifiy.com.

Patients

No health information will be used to market directly to Patients. As discussed below, all health information is stored securely in an anonymised format, and Wellifiy staff and service providers will not have access to such information except in very limited, exceptional circumstances.

8.   Cookies

We use cookies, web beacons and similar technologies (collectively “Cookies”) on our Website. By accessing or using this Website, you agree that we can store and access Cookies in accordance with this Privacy Policy.

Cookies are small files that can be stored on and accessed from a user’s device when the user accesses a website. They enable authorised web servers to recognise you across different websites, services, devices and browsing sessions.

We may use Cookies to enable users to access and use our Website and Services, including to:

  • Identify users of our Website and Services;
  • Process user requests;
  • Improve user experience;
  • Remember user preferences on our Site;
  • Monitor the use of our Site and for analysis of our user base;
  • Facilitate communication with users;
  • Control access to certain content on our Site; and
  • Protect our Site.

The data collected through Cookies will not be kept for longer than is necessary to fulfil the purposes mentioned above.

We will handle any Personal Information collected by Cookies in the same way that we handle all other Personal Information.

You can delete and refuse to accept browser Cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of the Website.

Unless you have adjusted your browser setting so that it will refuse Cookies, our system will issue Cookies when you direct your browser to our Website.

9.   Our Platform

When transmitting Personal Information via the Platform, you must keep in mind that the transmission of information over the internet is not always completely secure or error-free. Other than liability that cannot lawfully be excluded, we will not be liable in any way in relation to any breach of security or any unintended loss or disclosure of that information.

10.  Data Storage

We may hold your personal or health information in either electronic or (in rare circumstances) hard copy. We take reasonable steps to protect all personal and health information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

We have implemented best practice processes to protect personal information and health information from unintended disclosure, misuse and loss. This includes a number of physical, administrative, personnel and technical measures, including by:

  • Storing all our cloud information in APP, GDPR, and HIPAA complaint servers;
  • Storing all health information in an anonymised and encrypted format;
  • Restricting the external transmission of personal and health information;
  • Adopting measures to protect our computer systems and networks for storing, processing and transmitting personal and health information;
  • Adopting procedural and personnel measures for limiting access to personal information by our staff and contractors;
  • Restricting our staff and service providers from accessing health information, except in exceptional circumstances and with the oversight of senior management;
  • Regularly reviewing and updating our information collection, storage and usage practices;
  • Using password protection, multi-factor authentication procedures and physical access restrictions to limit unauthorised access;
  • Complying with laws applicable to the collection, use, transmission and storage of personal and health information; and
  • Regularly testing our systems and networks and assessing security risks.

Further, in accordance with our obligations under the Health Records and Information Privacy Act 2002 (NSW), Health Practitioner Regulation (NSW), Health Records Act 2001 (Vic), Health Records (Privacy and Access) Act 1997 (ACT), and the Privacy Act 1988 (Cth), we are obliged to retain health information in Australia for a period of:

• For adults: Seven (7) years from the date of last entry
• For children: Until they reach the age of twenty-five (25) years

In addition, where we operate under the U.S. Health Insurance Portability and Accountability Act (HIPAA) as a Business Associate, we retain records containing Protected Health Information (PHI) for a minimum of six (6) years from the date of creation or last effective use, whichever is later, or longer if required under applicable U.S. state laws.

For individuals whose data is governed by the General Data Protection Regulation (GDPR), we retain personal and health data only for as long as necessary to fulfil the purposes for which it was collected, or as required under applicable laws. We ensure that such data is securely disposed of once it is no longer required.

    However, we cannot guarantee the security of any personal or health information transmitted over the internet and therefore you disclose information to us at your own risk. To the maximum extent permitted under law, we are not liable for any unauthorised access, modification or disclosure, or misuse of personal or health information.

    11.  Access to information

    Under the GDPR, an individual residing in the European Union has enhanced privacy rights, including the right to:

    • require us to correct any Personal Information held about you that is inaccurate or incomplete;
    • require the deletion of Personal Information concerning you in certain situations;
    • data portability for Personal Information you provide to us;
    • object or withdraw your consent at any time to the processing of your Personal Information;
    • object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you; or
    • otherwise restrict our processing of your Personal Information in certain circumstances.

    Subject to some exceptions provided by the relevant Privacy Laws,in accordance with Article 27 of the UK and EU General Data Protection Regulation (GDPR), we have appointed Data Protection Representative Limited (trading as "DataRep") as our Data Protection Representative in the United Kingdom for data subjects in the UK and the European Economic Area (EEA).

    If you are a data subject in the UK or EEA and wish to make an inquiry regarding your personal data, or exercise your rights under the GDPR, you may contact DataRep at:

    DataRep
    107–111 Fleet Street,
    London, EC4A 2AB,
    United Kingdom

    Please ensure your request is addressed to “Wellifiy” and clearly references our company so that it can be directed appropriately.

    If you believe that we hold Personal Information about you that is not accurate, complete or up-to-date then you may request that your Personal Information be amended.  We will respond to your request to correct your Personal Information within a reasonable timeframe and you will not be charged a fee for correcting your Personal Information.

    If we no longer need your Personal Information for any of the purposes set out in this Privacy Policy, or as otherwise required by the relevant Privacy Laws, we will take such steps as are reasonable in the circumstances to destroy your Personal Information or to de-identify it.

    12.  Clinician and Health Organisations obligations

    This clause applies to Clinician and Health Organisations who use our services.

    In providing or receiving the health information of a Patient via the Platform, you warrant that you have sought all required consents from the Patient to do so and that you have otherwise fully complied with the Privacy Act and all other relevant legislation and regulations pertaining to the collection, storage, use and disclosure of health information.

    You agree to indemnify us for any liability, costs and expenses (including our reasonable legal costs) which we incur as a result of a breach by you of your privacy obligations.

    We disclaim any liability whatsoever for information collected or shared outside the Platform.

    13.  Mandatory data breach notifications

    In the circumstances where Wellifiy suffers a data breach that contains personal or health information, we will take all necessary steps to comply with the Notifiable Data Breach Scheme outlined under the Privacy Act and any other laws that apply to the type of information the subject of the data breach.

    This means we will immediately make an objective assessment of whether a breach of personal information is likely to result in serious harm to individuals, and if this is the case, endeavour to notify the affected individual(s) and the Australian Information Commissioner.

    You will be notified of any data breach affecting your health information.

    14.  Contact information

    If you require further information regarding our Privacy Policy or wish to make a privacy complaint, please contact us in writing at support@wellifiy.com.

    15.  Notices and Revisions

    We reserve the right to modify this Privacy Policy in whole or in part from time to time without notice. Non-material changes and clarifications will take immediate effect, and material changes will take effect immediately after the posting of the amended Privacy Policy on the Platform.

    16.  Enforcement

    We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personally identifiable information that cannot be resolved between us and the individual.

    Dated: 07/01/2025