Privacy Policy

1. Introduction

Medly Pty Ltd (ABN 81684799353) respects your right to privacy and is committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), State and Territory health privacy laws, and where applicable, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (US). We also adhere to the expectations and obligations imposed by the Australian Health Practitioner Regulation Agency (AHPRA) on healthcare providers and platforms.

This Privacy Policy explains how Medly collects, uses, discloses, and protects your personal and health information, and your rights in relation to that information.

By accessing or using Medly’s services, applications, platforms, or websites (collectively, the “Platform”), you agree to the collection, use and disclosure of your information in accordance with this Policy.

Contact Information:
Privacy Officer: support@medly.com.au
Postal Address: PO Box 876, Mooloolaba, QLD 4557

2. Information We Collect

We collect personal information when it is reasonably necessary for delivering healthcare or fulfilling our legal and regulatory obligations. This may include:

Identifying Information

• Full name, date of birth, address, contact numbers, email
• Government identifiers such as Medicare number, IHI (Individual Healthcare Identifier)

Health and Clinical Information

• Medical history, symptoms, medications, allergies, mental health status
• Consultation notes, prescription records, referrals, pathology and imaging results
• Uploaded documents or photos relevant to your care

Practitioner and Contractor Information

• AHPRA registration, qualifications, provider/prescriber numbers, compliance documents

Technical and Analytics Information

• Device and browser information, IP address, usage data, session logs
• Cookies and usage tracking (see Section 8)

We may also collect information about:

• Your next of kin or authorised representative (with your consent)
• Communication history with our support team
• Any consent or authorisation you provide to share your health data with third parties

3. Use of De-Identified Data

Medly will only use de-identified data for research or study purposes if you have explicitly consented during the booking process. Without your consent, your data is not included in the Medly Study or related analysis.

This data is analysed to enhance the accuracy of our intake process, improve triage efficiency, and refine our pricing model for patients with similar conditions in the future.

No information that could reasonably identify you is used in this analysis, and your personal health data is never sold, shared, or disclosed to third parties for commercial purposes.

You may withdraw consent at any time by contacting support@medly.com.au. This data is never used to make decisions about your care or to identify you. Our systems comply with OAIC and APP guidance regarding de-identification and ethical secondary data use.

4. How We Use Your Information

Your personal and health information is used for the following purposes:

• To deliver virtual care, including consultations, prescriptions, certificates, and referrals
• To enable clinical triage and structured intake
• To ensure safety in emergencies (e.g. risk of self-harm)
• To meet legal and professional obligations (AHPRA, OAIC, Medicare)
• For auditing, training, and system improvements
• To send health-related reminders or follow-ups

We will not use your health information for secondary marketing purposes unless you provide explicit, informed consent.

We do not use identifiable or de-identified data to train or develop AI tools without explicit patient consent.

5. Information Sharing

We only share your information when necessary for your care or as required by law. This may include:

• Treating doctors and clinical staff within Medly may have access to your health information if they become involved in your care. This includes any allergies, medical history (conditions), medications, and any outcomes from your consultations, including test results, prescriptions, and correspondence.
• Accreditation bodies assessing our clinical governance (as required by law or regulation)
• Regulatory or legal authorities, where legally required or authorised (e.g. subpoenas, notifiable conditions)

Medly does not share your personal or health information with unrelated external healthcare providers or advertisers without your explicit consent.

Third-party service providers will not receive any health information, but may (as required by their service) require your basic information to process their service. This includes, but is not limited to, payment processors such as Stripe.

In the event of a corporate acquisition, merger or change in control, your personal information may be transferred as part of that transaction, subject to this policy.

6. Overseas Disclosure

All personal information is stored securely in Australia. Where overseas transfer is required (e.g. for limited third-party processing or analytics), it will be:

• De-identified unless strictly necessary
• Governed by binding contractual obligations that meet or exceed APP 8 requirements
• Subject to HIPAA safeguards if health data is accessed in the United States

You will be notified if future changes involve regular overseas disclosure.

7. Data Security

We take data security seriously and implement technical and organisational measures to safeguard your information:

• All clinical data is encrypted in transit (TLS) and at rest
• Secure role-based access controls (zero-trust model)
• Audit trails and access logs for all data access
• Two-factor authentication (2FA) for staff and clinicians
• Regular penetration testing, backup protocols, and system monitoring
• AI-generated summaries and triage tools are hosted on secure infrastructure

Access to health records is restricted to Medly-authorised staff who require it to perform their duties.

8. Retention and Deletion

Patient health records are retained for a minimum of 7 years (or longer for minors), in line with State, Territory and Commonwealth health legislation.

Practitioner compliance documents (e.g. AHPRA, indemnity insurance) are retained according to professional requirements and Medly’s internal governance standards.

Where deletion is legally permitted, we will comply with your request, otherwise your data may be securely archived.

We destroy or de-identify information when it is no longer required, unless legal obligations require us to retain it.

9. Cookies and Analytics

Medly uses cookies and similar technologies for:

• Platform functionality and security
• Improving user experience
• Measuring site traffic and engagement

We do not use cookies to collect sensitive health information. Where third-party analytics (e.g. Google Analytics, Hotjar) are used, data is anonymised unless you consent otherwise.

You can disable cookies in your browser settings, but this may limit your access to some Platform features.

10. Marketing and Direct Communications

Medly may send you:

• Transactional updates (e.g. appointment confirmations, prescription reminders)
• Health nudges or educational content
• Optional marketing updates (with opt-out)

You can manage your communication preferences at any time by:

• Clicking “unsubscribe” in emails
• Adjusting your settings in the Medly app or platform
• Contacting privacy@medly.com.au

We do not sell your data to third parties. No third-party marketing will be sent unless you explicitly opt in.

11. Your Rights

You have the right to:

• Request access to your personal or health information
• Correct inaccurate, outdated, or incomplete information
• Withdraw consent to non-essential data uses
• Request deletion or de-identification of your data (subject to legal limits)
• Lodge a privacy complaint
• You may request a machine-readable copy of your personal health data for transfer to another provider, where technically feasible and legally permitted.

To make a request, contact our Privacy Officer. We will respond within 14 days and resolve all valid concerns in a timely and respectful manner.

If you are not satisfied with our response, you may escalate your concern to:

12. Clinical Governance and AHPRA Compliance

Medly ensures that:

• All doctors are AHPRA-registered and actively monitored for status and compliance
• Sensitive health decisions comply with clinical guidelines and professional codes
• Clinical documentation, prescriptions, and referrals are traceable and securely stored
• Consults and prescribing are auditable and defensible under healthcare law

The platform is governed by internal clinical protocols overseen by Medly’s Medical Director.