Privacy Policy
How we collect, use, and protect your personal information.
Effective Date: 13 March 2026
Chillin Labs Pty Ltd ("Chillin Labs", "we", "us", "our") is committed to protecting the privacy of your personal information. This Privacy Policy ("Policy") outlines how we collect, use, store, disclose, and protect your personal information, including sensitive and health information, in accordance with:
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs)
- My Health Records Act 2012 (Cth)
- Applicable State and Territory health privacy laws
1. Scope
This Policy applies to all individuals who interact with us, including patients, website visitors, service users, contractors, and employees, and covers all methods of personal information collection, whether electronic, verbal, or written.
2. Definitions
- Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in a material form, including names, contact details, or other details from which a person's identity can reasonably be ascertained.
- Sensitive Information: A subset of personal information that includes racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal records, membership of a professional or trade association or trade union, and Health Information (defined below).
- Health Information: Information about your health, disabilities, or use of health services.
3. What Information We Collect
We may collect the following types of personal information:
For Patients
- Full name, date of birth, gender
- Contact details: phone number, email, residential address
- Medicare number, private health insurance details
- Medical history, current health status, referrals, pathology results, prescriptions
- Payment and billing details
- Telehealth session records and usage data
For Website Visitors
- Technical Data: IP address, browser type, operating system, device information, and website usage data.
- Personal Data: Any personal information you choose to provide through contact forms, newsletter sign-ups, or online queries.
4. How We Collect Information
We collect personal information through various methods, including:
- Direct interactions with patients during consultations, via telehealth platforms, phone calls, or emails.
- Online forms, such as appointment booking or contact forms on our website.
- Automatic collection through cookies and similar technologies when you visit our website.
- Third-party referrals from other healthcare providers, insurers, or authorised representatives.
We collect personal information with your consent, when necessary for the performance of healthcare services, to comply with legal obligations, and where otherwise permitted under the Privacy Act 1988 (Cth) and applicable health privacy legislation.
Express and Informed Consent for Health Information
We collect Health Information and other sensitive information only with your express and informed consent, except where otherwise permitted or required by law (for example, where collection is required or authorised by or under Australian law, where it is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual, or for the purpose of mandatory reporting). Before you provide Health Information to us, we will make reasonably clear:
- what information is being collected and why;
- how the information will be used and who it may be shared with;
- the consequences (if any) of not providing the information; and
- your right to withdraw consent at any time.
Consent may be obtained through a checkbox or acknowledgement on our online forms, verbal confirmation during a telehealth consultation, or by your acceptance of our Terms & Conditions when you engage our Services. Certain activities (for example, the recording of a telehealth consultation, or the secondary use of Health Information for service improvement or research) require a separate, specific consent beyond general consent to treatment. Where practical, that consent will be documented at the point of collection.
You may withdraw your consent at any time by contacting us using the details in Section 14. Withdrawal of consent does not affect the lawfulness of any collection, use, or disclosure carried out before the withdrawal. Where withdrawing consent affects our ability to continue providing Services safely (for example, if you withdraw consent for pharmacy disclosure), we will explain the consequences before the withdrawal takes effect.
5. How We Use Your Information
For Patients
We use your personal information to:
- Provide healthcare services, including telehealth consultations, clinical assessment, treatment, and follow-up care.
- Communicate with you regarding appointments, treatment plans, and health-related information.
- Process payments, including Medicare and private health insurance claims.
- Comply with legal and regulatory obligations.
- Improve our services, telehealth platforms, and website functionality.
- Provide you with service updates and appointment reminders. You can opt out at any time by following the "unsubscribe" instructions or contacting us directly.
Direct Marketing
We do not use your Health Information for direct marketing. We may use non-health personal information (such as your name, email address, or phone number) to send you service updates, educational content, or information about our protocols, where:
- you have given us consent to do so (for example, by opting in when you submit a contact form, create an account, or subscribe to our newsletter); or
- it is reasonable to expect you would receive the communication in connection with the Services you have engaged us for, and we have provided a simple way for you to opt out.
Every direct marketing email includes an unsubscribe link, and you can stop marketing SMS by replying "STOP" to any marketing message. You may also opt out at any time by emailing us at [email protected] or, if you have an account, by updating your preferences. Opt-out requests are actioned within a reasonable time, and in any event within the timeframes required by the Spam Act 2003 (Cth) and the Privacy Act 1988 (Cth). You may also ask us to tell you the source of the personal information we used to contact you.
For Website Visitors
We use your information to:
- Respond to your inquiries or requests made through our website.
- Analyse website usage and improve user experience.
- Manage our website's functionality and security.
6. Disclosure of Information
We do not sell or rent your personal information to third parties. We may share your personal information in the following circumstances:
- Healthcare Providers: With your consent, we may share your health information with other healthcare providers involved in your care.
- Third-Party Service Providers: We may share your information with providers who assist us in delivering our services (e.g. IT providers, payment processors) under strict confidentiality agreements.
- Legal Requirements: We may disclose your information where required or authorised by law.
- Regulatory Authorities: We may disclose your information to regulatory authorities as required for compliance with health regulations.
Overseas Disclosure (APP 8)
Some of the service providers we rely on to operate our Platform and deliver our Services store or process personal information on servers located outside Australia. These currently include:
- Cloud hosting and infrastructure (for example, Amazon Web Services and Cloudflare), which may process data in the United States or other jurisdictions;
- Payment processing (for example, Stripe), processed in Australia with certain data held in the United States;
- Telehealth video platforms and communication tools, which may route session metadata through servers outside Australia;
- Analytics, email delivery, and customer support tooling, some of which is operated from overseas.
Where we disclose personal information to an overseas recipient, we remain accountable under Australian Privacy Principle 8 (APP 8). Before disclosing, we will either:
- take reasonable steps to ensure that the overseas recipient does not breach the APPs (APP 8.1) — this is generally achieved through written contracts and data processing agreements that bind the recipient to handle your information in a manner consistent with the APPs; the recipient's own compliance with a comparable privacy framework (such as the EU GDPR, or HIPAA for health-data processors in the United States) is taken into account but does not on its own replace those contractual protections; or
- rely on an exception under APP 8.2, including your informed consent to the disclosure after we have told you that APP 8.1's reasonable steps will not apply.
Where we rely on APP 8.1, we remain accountable for any act or practice of the overseas recipient in relation to your information that would breach the APPs. Where we rely on APP 8.2 consent, that accountability does not apply and your information may be handled under overseas laws that differ from Australian privacy law. We will tell you which basis applies before collecting your consent where consent is relied on.
Telehealth Risks and Limitations
Telehealth consultations involve risks and limitations that you should be aware of before participating:
- Data transmission: While video and messaging are encrypted in transit, no internet transmission is completely secure. There is a residual risk of interception, interruption, or technical failure.
- Third-party platforms: Telehealth is delivered using third-party video, messaging, and scheduling platforms. These providers have their own privacy and security practices, which we assess but do not directly control.
- Identity verification: Patient identity is verified remotely using the information you provide and photo identification where appropriate. Remote verification is less robust than in-person verification, and you are responsible for the accuracy of the information you supply.
- Clinical limitations: A telehealth consultation cannot substitute for a hands-on physical examination. Certain conditions, signs, and symptoms can only be assessed in person, and our practitioners may refer you for face-to-face care where clinically appropriate.
- Recording: Consultations are not recorded unless you have given separate, express consent. Clinical notes are kept in accordance with professional record-keeping obligations.
7. Data Security Measures
We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. The measures we use include:
- Encryption in transit: Personal information is encrypted while in transit between your device and our systems using TLS (Transport Layer Security).
- Access Controls: Access to your personal information is restricted to authorised personnel who need it to perform their duties.
- Secure Storage: Digital data is stored on servers protected by firewalls and security software.
- Regular Audits: We conduct periodic security reviews to identify and address potential vulnerabilities.
- Multi-Factor Authentication (MFA): Employees are required to use MFA to access systems containing sensitive information.
No method of electronic transmission or storage is completely secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website to improve your browsing experience, analyse traffic, and support the functionality and security of our online services.
Types of Cookies We Use
- Strictly Necessary Cookies: Essential for the operation of our website, enabling basic features such as page navigation, secure access, and session management.
- Performance and Analytics Cookies: Collect anonymised information about how visitors use our website to help us improve performance and user experience.
- Functionality Cookies: Remember your preferences and settings to provide enhanced, more personalised features.
- Third-Party Cookies: In some cases, third-party services (such as embedded videos or social media plug-ins) may place cookies on your device.
Managing Your Cookie Preferences
You can choose to accept, decline, or customise your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality or performance of our website.
Where required by law, we will seek your consent before placing non-essential cookies on your device. By continuing to use our website after seeing a cookie notice, you are deemed to consent to the use of cookies as described in this Policy.
9. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal and regulatory obligations, and for legitimate operational requirements.
Retention of Health Records
Health records are retained in accordance with applicable State and Territory health records legislation and relevant professional standards, including the requirements of AHPRA-registered practitioners. Minimum retention periods are:
- Adult Patients: At least 7 years from the date of the last consultation or entry in the record.
- Child Patients: Until the patient turns 25 years of age, or for 7 years from the date of the last entry, whichever is longer.
- Deceased Patients: Retained in accordance with the above timelines unless a longer period is required for legal or clinical reasons.
Retention of Website and Technical Data
Data collected from website visitors, such as cookies, IP addresses, and analytics, is retained for up to 2 years, or longer if required for legal, technical, or business continuity purposes.
Other Records
Administrative, financial, or communication records are retained in line with legal retention obligations, typically 5 to 7 years depending on the nature of the document.
Once personal information is no longer required, we securely dispose of or de-identify it in accordance with industry standards and applicable law.
10. Your Rights
Under the Privacy Act 1988 (Cth) and relevant health privacy laws, you have the right to:
- Request access to your personal information
- Request correction or updating of your information
- Request deletion of your data where no longer required
- Object to processing for marketing purposes
- Make a privacy complaint to us directly, and escalate to the OAIC if not resolved
- Withdraw consent (where consent is the basis for processing)
To exercise any of these rights, please contact us in writing using the details provided below. We may request verification of your identity. We aim to respond to all valid requests within 30 days. If you are not satisfied with our response, you may escalate your concern to the Office of the Australian Information Commissioner (OAIC).
11. Data Breach Notification
We comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). If we become aware of reasonable grounds to suspect that personal information we hold has been subject to unauthorised access, unauthorised disclosure, or loss, we will:
- Contain the breach where possible and take steps to prevent further unauthorised access or disclosure;
- Promptly assess the breach to determine its nature, scope, and potential impact, including whether it is likely to result in serious harm to any affected individual, taking reasonable steps to complete that assessment within 30 days as the scheme requires;
- Document the breach and all steps taken in response;
- Review our policies and security safeguards to prevent recurrence.
If we have reasonable grounds to believe that the breach is likely to result in serious harm to one or more individuals (an "eligible data breach"), we will also:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable by submitting a Notifiable Data Breach Statement;
- Notify affected individuals as soon as practicable, including a description of the breach, the kinds of information involved, and recommended steps they can take in response.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be published on our website and will take effect from the Effective Date listed at the beginning of this Policy. We encourage you to review this Policy periodically. Where material changes are made, we will take reasonable steps to bring these to your attention.
13. Privacy Complaints and Enquiries
If you have any questions, concerns, or complaints regarding this Privacy Policy or how your personal information is handled, please contact us directly. We take all privacy-related enquiries seriously and are committed to resolving complaints in a timely and respectful manner.
If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Mail: GPO Box 5218, Sydney NSW 2001
14. Contact Us
If you have questions about this Privacy Policy, wish to access or correct your information, or want to make a complaint, please contact us. As a telehealth service, we do not maintain a public-facing physical address. Written privacy enquiries should be directed to us by email.
- Email: [email protected]
- Phone: 0466 011 083