PrivacyPolicy

InstantMed ("we", "our", or "us") is committed to protecting your privacy and complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, use, disclose, and protect your personal and health information.

We collect the following types of information:

• Identity Information: Full name, date of birth, email address, phone number
• Medicare Information: Medicare number, IRN, and expiry date (for eligible services)
• Address Information: Residential address for delivery of prescriptions
• Health Information: Medical history, current medications, symptoms, allergies, and other health-related information you provide
• Usage Information: How you interact with our platform, including pages visited and features used

We use your information to:

• Provide telehealth consultations and medical services
• Process prescriptions, medical certificates, and referrals
• Communicate with you about your care
• Comply with legal and regulatory requirements
• Improve our services and user experience
• Prevent fraud and ensure platform security

InstantMed uses Anthropic (Claude) to assist with certain administrative tasks, including summarizing intake information for doctor review and drafting documents such as medical certificates. All AI-generated content is reviewed and approved by a registered Australian doctor before being sent to you.

AI assistance does not extend to clinical decision-making. Doctors make all medical decisions independently. Health information shared during intake may be processed by Anthropic's systems in accordance with their data processing agreements with us.

We share your information with trusted third parties only where necessary to deliver our services:

• Supabase: Database hosting and storage
• Clerk: Authentication and identity management
• Stripe: Payment processing (no card data stored by InstantMed)
• Resend: Transactional email delivery
• Anthropic (Claude): AI-assisted documentation drafting
• Parchment: Electronic prescription generation
• PostHog: Product analytics (anonymised usage data)
• Sentry: Error monitoring (no PHI in error reports)

All providers are contractually bound to use your data only for the purposes we specify and to maintain appropriate security standards.

Health information is sensitive personal information under the Privacy Act 1988 (Cth). We handle your health information with the highest level of care and in accordance with the Australian Privacy Principles. Your health information is:

• Encrypted at rest using AES-256-GCM field-level encryption
• Transmitted over TLS-encrypted connections only
• Accessible only to treating clinicians and authorised staff
• Never sold or shared for marketing purposes
• Retained for a minimum of 7 years as required by law

We implement industry-standard technical and organisational measures to protect your information against unauthorised access, disclosure, alteration, or destruction. These measures include:

• AES-256-GCM field-level encryption for all health (PHI) data
• TLS encryption for all data in transit
• Role-based access controls — data is only accessible to authorised personnel
• Row-level security enforced at the database layer
• Regular security assessments and internal audits

Under the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete information
• Request deletion of your account (subject to legal retention requirements)
• Opt out of non-essential communications
• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise any of these rights, contact us at privacy@instantmed.com.au. We will respond within 30 days.

We use cookies and similar tracking technologies to improve your experience and understand how our platform is used. This includes:

• Essential cookies: Required for authentication and platform functionality
• Analytics: PostHog collects anonymised usage data to help us improve our services
• Error monitoring: Sentry captures technical error information (no health data included)

You can control cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

• Health records: minimum 7 years from last consultation (as required by law)
• Account data: until you request deletion (subject to health record retention)
• Payment records: 7 years (as required by Australian tax law)
• Analytics data: anonymised and retained indefinitely for service improvement

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal information from individuals under 18 without verified parental or guardian consent. If you believe a minor has provided us with personal information without appropriate consent, please contact us immediately.

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme within 30 days of becoming aware of the breach.

For questions, requests, or complaints about this Privacy Policy or how we handle your information, please contact our Privacy Officer:

• Email: privacy@instantmed.com.au
• Phone: 0450 722 549
• Address: Level 1/457-459 Elizabeth Street, Surry Hills NSW 2010

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.