Privacy Policy

Last updated: 6 March 2024

1. About this policy
  1. HotDoc Online Pty Ltd ABN 84 159 662 558 (HotDoc) provides the ‘HotDoc’ online platform and website for booking and managing health appointments, patient communications, and associated technologies and services (Platform).
  2. In terms of who is who, all references to ‘us,’ ‘we’ and ‘our’ in this Privacy Policy are references to HotDoc. All references to ‘you’ and ‘your’ in this Privacy Policy are references to:
    1. the individual practitioners, employees and contractors of the health or medical clinics, hospitals or other healthcare provider organisations (Practices) who are customers, or potential customers, of our products and services (Practice Representatives);
    2. the patients or other individuals who use our Platform (such as to make an online booking or communicate with a Practice), or who otherwise receive communications from their Practice via our Platform (Patients); and
    3. our individual contractors and suppliers, potential employees, other website users and any other individuals we might deal with in running our business or providing our services.
  3. We know that your privacy is important to you – it’s important to us as well. We publish this Privacy Policy to make it easier for you to understand the types of personal information we might collect, why and how we might use, disclose or otherwise handle it, and the rights you have to access or correct it.
  4. When this Privacy Policy refers to ‘personal information,’ this term has the meaning given to it by the Privacy Act 1988 (Cth) (Privacy Act) and includes information or an opinion about an individual which is reasonably capable of identifying that individual (and might include their health or other sensitive information) (Personal Information). We’re committed to protecting and dealing with your Personal Information in ways that comply with the Privacy Act and any other applicable health records or privacy laws.
  5. If you have any questions, concerns or feedback about this Privacy Policy, please contact us using our contact details contained in section 9 below.
2. A bit of information about our Platform…
  1. To properly understand our Personal Information-handling, you need to understand a bit about our Platform and what it does.  At its core, our Platform provides a means of connecting Patients and Practices and supporting their interactions and engagements.
  2. Some of the functionalities of our Platform (which will be relevant to the types of personal information we deal with) include enabling:
    1. Practices and Patients to create and manage an online profile;
    2. Practices and Patients to manage and hold health appointments (such as by booking, cancelling and rescheduling appointments, or holding those appointments via our video platform);
    3. Practices to communicate with Patients about their appointment or other important matters (such as reminders, recalls, and other Practice notifications), and to simplify their practice management;
    4. digital forms to be completed by Patients ahead of their appointment, and in some instances, payment for that appointment to be processed;
    5. Patients to request repeat prescriptions (by electronic or other means) from their Practice, or to arrange home-delivered prescription fulfilment and dispensation from our fulfilment partners (partner prescription fulfilment functionality) or by us directly (direct prescription fulfilment functionality);
    6. key integrations, such as those which enable Practices to conduct online patient verification (OPV) of Patients’ Medicare and Department of Veterans’ Affairs (DVA) details prior to an appointment (OPV functionality) or upload their Patients’ immunisation information to the Australian Immunisation Register (AIR) following an immunisation appointment (AIR integration functionality); and
    7. support for public healthcare initiatives, such as enabling bookings for the Australian Government temporary respiratory clinic that has been set up as part of the COVID-19 pandemic response (Respiratory Clinic).
3. The types of Personal Information we collect
  1. To provide our services and run our business, we need to collect Personal Information.  We may collect and hold your Personal Information for a range of reasons, such as to allow us to identify who an individual is before they access or use the Platform, to facilitate bookings or communications between Patients and their Practice, or other Platform functionalities, or to generally work and deal with individuals in the ordinary course of business.  You can click through the policy below to read more about the types of Personal Information we collect for different categories of individuals we deal with.
3.2. If you are a Patient:
  1. If you are a Patient:
    1. we will generally collect Personal Information about you in one of two ways:
      1. directly from you or from a person who is authorised to act on your behalf (such as a legal guardian or representative) when you or they access or use the Platform; or
      2. from a Practice that you are a patient of, or have made a booking with, to enable the Platform’s functionality or our provision of services to that Practice (and only as necessary to support those functionalities or services and not to commercialise the information). Any Practice that uses HotDoc must agree to  collect your consent to send us your data in our Terms of Service;
    2. the types of Personal Information we may collect, depending on the circumstances, include:
      1. general information such as your name, location, date of birth, gender, Medicare details, family details including marital status, contact information (including your email address, telephone and fax number, residential, business and postal addresses), your registration details for the Platform, and details of your use of, or access to, the Platform;
      2. health information such as information about your health, the health services which have been or are to be provided to you, or other information which falls within the scope of ‘health information’ as that term is defined in the Privacy Act. Some common examples of the types of health information we might collect include: details of your appointments booked, confirmed or cancelled; the content of other communications or interactions you and your Practice have via the Platform; information contained in a digital form you complete via our Platform; information about any prescriptions you seek to fulfil;
      3. other ‘sensitive information’ as that term is defined in the Privacy Act (excluding health information, which is addressed above), such as information which might relate to, among other things, your racial or ethnic origin, sexual orientation or practices, criminal record or religious or philosophical beliefs. We will only collect this type of information if you provide it to us directly;
      4. if you use our location-based appointment search functionality, the approximate location information you submit to the Platform or share from your device;
      5. if you use our ‘check-in’ functionality, your location information at the time you check in to the relevant Practice (though this will only be captured if you allow it on your device’s settings);
      6. if you process a payment or other financial transaction with your Practice via the Platform, general details of that transaction (including a record), however credit card information will be held by a secure payment provider to ensure it is kept safe. We don’t see your full credit card number, nor do we store it, though we do have the ability to transact on your behalf to enable payment processing only;
      7. if you are a Patient of a Practice that is using AIR integration functionality and you attend an immunisation appointment made via our Platform, your Medicare number and specific immunisation. Note that if this is relevant, this information is collected from third parties such as Services Australia and claiming.com.au via software integrations with their services;
      8. if you are a Patient of a Practice that is using OPV functionality, your Medicare, DVA or pension/healthcare card details (including number, cardholder name, reference number and expiry date) and OPV results (i.e. ‘valid’ or ‘not valid’), if and as applicable. Note that if this is relevant, this information is also collected from third parties such as Services Australia, the DVA, and claiming.com.au via software integrations with their services;
      9. if you use our partner prescription functionality (which will only occur at your election), details of your request and confirmation of your order being fulfilled by our fulfillment partner, but not the details of your prescription or order content;
      10. if you use our direct prescription functionality (again, this will only occur at your election), a copy of your relevant prescription from your referring practitioner or their Practice, your delivery information such as your contact number and address, information about the dispensation and fulfilment of that prescription (including transaction details), any government identifiers that are relevant to the prescription fulfilment (such as your Medicare, DVA, pensioner, concession, Commonwealth seniors health or heath care card details), information obtained to verify your identity, and any other relevant information to support that service;
      11. if you use or access our Platform (including the website), aggregated statistical information such as information about your online preferences and movements, and other information which is typically obtained from cookies (although you can adjust your browser’s settings to accept or reject cookies). If you are an unregistered user, this statistical information will be collected on an anonymised basis only. If you are a registered user, this statistical information may in some circumstances be collected on an identifiable basis; and
      12. any other Personal Information you send or disclose to us, including our records of any communications or interactions we have with you.
3.3. If you are a Practice Representative:
  1. If you are a Practice Representative:
    1. most Personal Information we collect about you will be received from you directly, your patients or potential patients, or the Practice that employs or otherwise engages you. However, and depending on the nature of your relationship (or potential relationship) with us, we may also collect your Personal Information from other sources such as advertising, public records, mailing lists, contractors, our staff and our business partners. We may also display online reviews of Practices on the Platform, which may refer to you personally (although we do not host or store this information); and
    2. the types of Personal Information we may collect about you include:
      1. general information such as your name, location, date of birth, contact information (including your email address, telephone and fax number, residential, business and postal addresses), your log-in details for the Platform, and details of your use of, or access to, the Platform;
      2. financial information such as any of your bank or credit card details used to transact with us, or other financial information that allows us to transact with you or provide you with our services;
      3. details of any communications or interactions you have with a patient using the Platform – for example, details of an appointment with you that is managed using the Platform (and any related communications);
      4. as relevant to your relationship with us, information about your online preferences and movements, location information, trends, decisions and other information which is typically obtained from cookies (although you can adjust your browser’s settings to accept or reject cookies), and other information about your preferences and purchases in relation to our products;
      5. information about your professional registration, credentials and experience, associations or memberships, or any other information that you or your Practice provide about you to be published on your profile or listing;
      6. if you are a Practice Representative at a Practice that is using AIR integration functionality and you administer an immunisation to a Patient, your practitioner provider number and Healthcare Provider Identifiers – Individual (HPI-I); and
      7. any other Personal Information you send or disclose to us, including our records of any communications or interactions we have with you.
3.4. If you are a contractor or supplier, potential employee, other website user, or any other individual we deal with in running our business:
  1. If you are a contractor or supplier, potential employee, other website user, or any other individual we deal with in running our business:
    1. most Personal Information we collect will be received from you directly, however depending on the circumstances it might also be collected from third parties such as recruitment agencies, reference check providers, or our business partners; and
    2. the types of Personal Information we might collect about you will ultimately differ based on the circumstances, but might include:
      1. your name and contact details;
      2. your professional qualifications or skills;
      3. details of your employment history (including details of any personal or professional references provided to us by third parties);
      4. financial information such as any of your bank or credit card details used to transact with us;
      5. if you use or access our Platform or website, or receive subscription email communications from us, we may collect statistical information using cookies or analytical services (although you can adjust your browser’s setting to accept or reject cookies), or by using pixel tags, which enable us to send email messages in a format customers can read and they tell us whether mail has been opened. If you are an unregistered user, this statistical information will be collected on an anonymised basis only. If you are a registered user, this statistical information may in some circumstances be collected on an identifiable basis; and
      6. any other Personal Information you send or disclose to us, including our records of any communications or interactions we have with you.
4. How Personal Information is used and disclosed
  1. The primary purposes for which we collect Personal Information are to enable the functionality of the Platform (you can read more about those functionalities in section 2 above), provide you with our services, and to support the operation of our business.  How we use or disclose your Personal Information will generally be tied to these primary purposes – but please click through below to read more about our uses and disclosures for the different categories of individuals we deal with.
4.2. If you are a Patient:
    1. we are not interested in making money out of trading your Personal Information, and will never sell or exploit it;
    2. we will use your Personal Information (including your health and other sensitive information) for the primary purpose for which we collected it (for example, to register your account for the Platform, or communicate with you about an appointment you have booked with a Practice, or offer and provide you other Platform functionalities that assist you or the Practice to manage your healthcare services);
    3. we will only use your Personal Information for secondary purposes if you have provided your consent for us to do so, or if you might reasonably expect us to do so (for example, to investigate or respond to a complaint that you have raised with us, or to verify your identity if you have forgotten your user details for the Platform);
    4. we maintain all Personal Information (especially health information) in strict confidence, and will only disclose it to third parties:
      1. to enable us to provide you with your use of the Platform or our services;
      2. to enable your Practice to keep up to date records, communicate with you, verify your identity, or
      3. provide certain services to you or facilitate payment for an appointment via the Platform; or
    5. if we are otherwise authorised or required to do so under relevant laws, such as if you have given your express consent, or particular circumstances exist to authorise the disclosure – for example if it’s reasonably necessary due to law enforcement activities, or to lessen a serious threat to the life, health or safety of any individual.
      1. the types of third parties that we might generally disclose your Personal Information to for the above purposes include:
        1. the Practice that you have previously had, or intend to book, an appointment with or otherwise communicate or interact with via the Platform; and
        2. our service providers who support and enable us to provide our services and run our business, such as:
          1. our information technology, network, software and cloud storage providers, including support service and messaging, email or push notification services providers;
          2. any practice management software providers which your Practice uses, to enable the Practice to communicate or interact via the Platform;
          3. our payment providers to ensure that your financial information is kept safe; and
          4. our external professional advisers (such as legal advisors).
4.3. If you are a Practice Representative:
    1. we will use your Personal Information (including your financial information) for the primary purposes of providing you with our services or enabling your use of the Platform, such as to:
      1. communicate with you, including about an appointment or patient communication;
      2. monitor your use of the Platform or our services;
      3. publish your profile or listing online;
      4. enable patients to book appointments or communicate with you via the Platform;
      5. verify your identity; and
      6. perform billing and payment activities; and
    2. we may also use your Personal Information (including your financial information) for some secondary purposes, such as:
      1. communicating with you about:
        1. your relationship with us;
        2. our goods and services;
        3. our own marketing and promotions; or
        4. competitions, surveys and questionnaires;
      2. investigating any issues or complaints about, or made by, you or another individual, or if we have reason to suspect that you or another individual are in breach of any of our terms and conditions or have been otherwise engaged in any unlawful activity; or
      3. any other purposes which are required or authorised by any laws (including the Privacy Act);
    3. we will only disclose your Personal Information to third parties where this is reasonably necessary to enable us to operate our business or provide you with our services and the use of the Platform, or as is otherwise required or authorised by any laws (including the Privacy Act);
    4. the types of third parties we may generally disclose your Personal Information to for the above purposes include:
      1. your Patients or potential patients;
      2. any individuals or entities, including members of the general public, who access your details published on the Platform;
      3. the Practice that employs or engages you;
      4. our service providers such as those which provide us with:
        1. our information technology, network, software and cloud storage providers;
        2. the practice management software provider used by the Practice that employs or engages you;
        3. subscription and mailing operations;
        4. billing and related financial functions; and
        5. our external professional advisers, such as legal advisors or accountants; and
    5. other third parties that we might disclose your Personal Information for the purposes of a specific Platform functionality (in addition to the disclosures described above). For example, if you are a Practice Representative at a Practice that is using AIR integration functionality and you administer an immunisation to a Patient, we may, for the purposes of enabling the Practice to upload Patient immunisation information to the AIR using the Platform, disclose details of the immunisation appointment, your provider number and HPI-I in relation to an immunisation you administered.
4.4. If you are a contractor or supplier, potential employee, other website user, or any other individual we deal with in running our business:
    1. we will only use or disclose any Personal Information that we collect for the purpose for which it was collected, or for any secondary purposes which you might reasonably expect and which are related to the primary purpose; and
    2. the primary purpose of our collection can generally be determined by the circumstances in which the information was collected or submitted. For example, if you are a potential employee and provide us with your CV, we will use it for the purposes of assessing your application for employment and may disclose your details, as necessary, to our staff and anyone that we contact for the purposes of a reference check.
5. Overseas recipients
  1. While all Personal Information is hosted and stored on our Australian servers, the types of disclosures described in section 4 might also involve your Personal Information being sent to some overseas recipients.
  2. Currently, this might include:
    1. Our software and other service providers in the United States of America (however, these service providers are required to comply with confidentiality restrictions and only have access to limited identifiable information); and
    2. members of our staff who might be working remotely from overseas locations;
    though this may change from time to time.
6. Opting out
  1. An individual may opt not to have us collect their Personal Information, or for us to de-identify any Personal Information we hold about them. Of course, this may mean that we can’t provide them with some or all of our services, and need to terminate their access to the Platform.
  2. To opt out, please contact us using our contact details contained in section 9 below.
  3. If an individual believes that they have received information from us that they did not wish to receive, they should also contact us on the details above to unsubscribe from that sort of communication.
7. Keeping your Personal Information secure
  1. We will take all reasonable precautions to protect your Personal Information from unauthorised access or disclosure, or misuse or loss.
  2. Some of these precautions include:
    1. appropriately securing our physical facilities, systems and electronic networks with at least standard industry protections;
    2. undergoing external security assessments and auditing, such as through SOC2 certification and bug bounty testing;
    3. using standard industry encryption methods when storing and transferring Personal Information;
      implementing monitoring and access controls that regulate who can access particular information;
      requiring our team and service providers to comply with confidentiality obligations before they access Personal Information;
    4. conducting background checks on our staff before they commence work for us;
    5. reviewing changes to our Platform to ensure these meet our privacy and security commitments; and
      ensuring all our staff use multi-factor authentication when accessing our systems.
  3. Your Personal Information will be stored in secure, encrypted electronic format and will be stored in Australia.
  4. We will only retain Personal Information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
8. How to access, correct or update your Personal Information
  1. Under the Privacy Act, you have the right to request access to, or correction of, the Personal Information that we hold about you.
  2. If you would like to make such a request, you can:
    1. if you are a user of the Platform, update some of your Personal Information or delete some of your Personal Information from within your Patient account or Practitioner profile; or
    2. otherwise contact us using the details in section 9 to request access or correction.
  3. If you contact us directly to make the request, we will take reasonable steps to:
    1. correct any errors within 7 days of receipt of a written notice of those errors; or
    2. provide you with access within 28 days of receipt of a written request.
  4. We may charge you a reasonable fee for our costs in providing you with access to your Personal Information, but we’ll let you know about this once we’ve processed the initial request.
  5. If we deny you access to or we refuse your request to correct your Personal Information, we’ll give you our reasons for this in writing.
9. Contacting us and complaints
  1. All questions, comments, requests or complaints regarding this Privacy Policy or the way in which we handle your Personal Information can be addressed in writing to:
    1. by email: [email protected]; or
    2. by post:
      The Privacy Officer
      HotDoc Online Pty Ltd
      Level 7, 276 Flinders Street
      Melbourne VIC 3000
  2. We will aim to resolve any issue raised with you directly and promptly.
  3. If you are not satisfied with our response to any complaint, you can also lodge a complaint with the Office of the Australian Information Commissioner:
    1. by phone: 1300 363 992; or
    2. online at: www.oaic.gov.au.
10. Changes to this policy
  1. From time to time, we may need to change this Privacy Policy, without notice. If we do, we will post the updated Privacy Policy on our website.
  2. You should review this Privacy Policy from time to time to review any changes. Any revised Privacy Policy, once published on our website, will apply to all Personal Information that is handled by us.