Last Updated: 28 December 2025
APP Compliant

Privacy Policy

Your privacy is fundamental to how we operate. This policy explains how AudZone collects, uses, and protects your personal and health information.

Australian Hosted
PHI Protection
HIPAA Compliant


1. Introduction

AudZone Pty Ltd ("AudZone", "we", "our", or "us") provides AI-powered clinical documentation services for audiologists and hearing care professionals. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

By using our services, you acknowledge that you have read and understood this Privacy Policy. This policy applies to all users of our platform, including hearing care professionals (clinicians), their patients, and administrative staff.

Effective Date: 1 October 2025
Last Updated: 28 December 2025

2. Information We Collect

2.1 Patient Information

We collect the following patient information as part of clinical documentation:

  • Identification Details: Names, date of birth, external patient identifiers
  • Health Information: Audio recordings of clinical sessions, transcripts, hearing assessments, treatment history, medical conditions
  • Clinical Documentation: AI-generated clinical notes, treatment plans, compliance assessments
  • Consent Records: Documentation of patient consent for recording and data processing

2.2 Clinician Information

For hearing care professionals using our platform:

  • Account Details: Name, email address, professional credentials, role
  • Performance Insights: Clinical effectiveness metrics, patient engagement scores (for self-improvement only)
  • Usage Data: Session logs, feature usage patterns, system interactions

2.3 Company/Clinic Information

  • Business Details: Clinic name, address, phone, specialties, logo
  • Integration Data: ERM system connections, appointment information

2.4 Uploaded Documents and Images

When you upload documents or images to enhance clinical documentation:

  • Clinical Documents: PDFs, forms, referral letters, and reports you upload for processing
  • Audiogram Images: Hearing test results uploaded for data extraction
  • Appointment Data: Calendar screenshots for streamlined patient check-in creation
  • Questionnaires: Patient intake forms and questionnaire responses

Note: We only collect information necessary for providing our clinical documentation services. We do not collect information for marketing purposes.

3. How We Use Information

3.1 Primary Purposes

We use collected information for:

  • Clinical Documentation: Generate accurate, AI-powered clinical notes from patient sessions
  • Quality Improvement: Provide clinicians with performance insights for professional development
  • Patient Care: Maintain comprehensive patient records and treatment histories
  • Compliance Monitoring: Ensure documentation meets clinical standards and regulatory requirements

3.2 AI Processing

We use artificial intelligence to enhance clinical documentation:

  • Audio Transcription: Convert clinical session recordings into accurate text transcripts with speaker identification
  • Clinical Note Generation: Create comprehensive clinical notes from session transcripts using AI
  • Document Processing: Extract data from uploaded documents, forms, audiograms, and clinical images to streamline data entry
  • Form Assistance: Help complete clinical forms and templates using session context
  • Metrics Extraction: Analyze sessions to provide quality metrics and improvement recommendations
  • History Extraction: Automatically identify medical history, symptoms, and treatments from conversations

PHI Protection: Patient identifiable information is automatically sanitized using our comprehensive protection system covering 60+ sensitive data types before external AI processing.

4. Information Disclosure

4.1 Service Providers

We engage trusted service providers to deliver our services. These providers do not store your data and only process it temporarily:

Deepgram (Audio Transcription)

United States
  • Processes audio recordings in real-time
  • No data retention - processing only
  • SOC 2 Type II certified

OpenAI (Clinical Documentation)

United States
  • Generates clinical notes from de-identified transcripts
  • Assists with form completion and document processing
  • No data retention via API settings
  • Data processing only, not stored

Google Cloud AI (Document Processing)

United States
  • Extracts data from clinical documents and images
  • Processes uploaded forms and audiograms
  • No data retention - processing only
  • Data processed transiently, not stored

Supabase (Infrastructure)

Sydney, Australia
  • All data stored in Sydney, Australia
  • SOC 2 compliant infrastructure
  • Encryption at rest and in transit

Vercel (Application Hosting)

Australia
  • Application hosted in Australia
  • Industry-standard security
  • No patient data storage

Resend (Email Delivery)

United States
  • Delivers emails when you choose to send documents
  • Only used when you explicitly initiate sending
  • SOC 2 Type II certified

4.2 Cross-Border Data Transfers

Some services are located in the United States (Deepgram, OpenAI, Google Cloud, Resend). When we transfer data internationally for processing, we ensure compliance with APP Principle 8:

  • Personal identifiers are removed or replaced with pseudonyms before transfer
  • Service providers are selected for their security practices and no-retention policies
  • Service providers are contractually prohibited from data retention
  • Processing occurs under strict security protocols
  • Data is immediately deleted after processing

4.3 Other Disclosures

We may also disclose information:

  • When required by law or court order
  • To prevent serious threats to health or safety
  • With your explicit consent
  • To defend legal claims or enforce our rights

We never: Sell your data, use it for marketing, or share it with third parties for their commercial purposes.

4.4 Your Responsibilities

As a healthcare professional using AudZone, you acknowledge and accept responsibility for:

  • Obtaining appropriate patient consent before recording sessions and processing their information
  • Reviewing AI-generated content for accuracy before use in clinical documentation
  • Ensuring any documents or information you send via email are appropriate to share
  • Complying with your professional obligations under applicable privacy laws and regulations
  • The accuracy and appropriateness of information you upload, including calendar data and clinical documents

Important: AudZone is a tool to assist clinical documentation. You remain responsible for all clinical decisions, the accuracy of final documentation, and compliance with your professional and legal obligations.

5. Data Security

We implement comprehensive security measures to protect your information:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based permissions with multi-tenant isolation
  • PHI Protection: Automatic sanitization of 15+ identifier types
  • Infrastructure: Australian-hosted with industry-standard security

5.1 Security Features

  • Row-level security on all database tables
  • Automatic session timeout for inactive users
  • Comprehensive audit logging (without PHI)
  • Regular security assessments and updates
  • Secure API endpoints with PHI protection

5.2 Data Breach Response

In the unlikely event of a data breach, we will:

  1. Immediately contain and assess the breach
  2. Notify affected individuals within 72 hours if required
  3. Report to the OAIC as per the Notifiable Data Breaches scheme
  4. Take remedial action to prevent future incidents

6. Your Rights

Under the Australian Privacy Principles, you have the following rights:

Access Your Information

You can request access to the personal information we hold about you.

  • Download recordings
  • Export transcripts
  • Copy clinical notes

Correct Your Information

You can request correction of inaccurate or outdated information.

  • Edit patient details
  • Update session information
  • Modify clinical notes

Delete Your Information

You can request deletion of your personal information.

  • Delete sessions
  • Remove recordings
  • Request full deletion

Data Portability

You can export your data in common formats.

  • WAV audio
  • PDF documents
  • Text transcripts

6.1 How to Exercise Your Rights

To exercise any of these rights:

  1. Use the self-service features in your account dashboard
  2. Contact our Privacy Officer at privacy@audzone.com.au
  3. Submit a written request to our office address

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

7. Data Retention

We provide flexible, configurable data retention policies that allow your organization to manage data lifecycle according to your compliance requirements and preferences.

7.1 Configurable Retention Policies

Organization administrators can configure retention settings in Settings → Privacy:

Audio Recordings

Session recordings can be configured to delete:

  • Immediately after transcription completes
  • After a set period (30, 90, 180, 365 days, or custom)
  • Never (keep forever)
Configurable

Transcriptions

Text transcripts can be retained for:

  • 90 days to 7+ years (AU standard: 7 years)
  • Custom retention periods
  • Forever (no automatic deletion)
Configurable

7.2 Jurisdiction-Based Defaults

Retention defaults are pre-configured based on your selected jurisdiction:

Australia

Recordings: 90 days
Transcriptions: 7 years

United States (HIPAA)

Recordings: 90 days
Transcriptions: 6 years

European Union (GDPR)

Recordings: 30 days
Transcriptions: 10 years

7.3 Record Protection

Individual records can be flagged to prevent automatic deletion:

  • Legal Holds: Protect records for ongoing legal matters
  • Active Cases: Retain records for ongoing patient care
  • Quality Reviews: Keep records for audit or training purposes
  • Expiring Holds: Set expiration dates for temporary protection

7.4 Default Retention Periods

  • Clinical Notes & Sessions: 7 years. Core clinical documentation (not configurable)
  • Account Information: While active + 90 days. User profiles and access logs
  • Database Metadata: 30 days. Audit trail retention after audio deletion
  • Backup Data: 90 days. For disaster recovery purposes

Note: Retention periods may be extended if required by law, legal proceedings, or professional standards. Automated cleanup runs daily and respects all record protection flags.

8. Consent

8.1 Patient Consent

We require explicit consent before:

  • Recording clinical sessions
  • Processing recordings with AI
  • Generating clinical documentation
  • Extracting performance metrics

Consent is tracked per session and patients may withdraw consent at any time.

8.2 Clinician Consent

By using our service, clinicians consent to:

  • AI processing of de-identified session data
  • Generation of performance metrics for quality improvement
  • Cross-border processing with PHI protection
  • Storage of clinical documentation

You can manage consent preferences in your account settings at any time.

9. Children's Privacy

Our service processes health information of patients of all ages as part of clinical care. For patients under 18 years of age:

  • Parental or guardian consent is required
  • Information is handled with additional care
  • Access is restricted to authorized clinicians
  • Deletion requests must come from parent/guardian

10. Cookies and Tracking

We use minimal cookies necessary for platform functionality:

Essential Cookies

Authentication, security, and user preferences

What We Don't Use

  • No marketing or advertising cookies
  • No third-party analytics (Google Analytics, Facebook Pixel)
  • No cross-site tracking
  • No behavioral profiling

11. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

  • We will notify you via email
  • An in-app notification will be displayed
  • We may require acknowledgment for significant changes
  • The "Last Updated" date will be revised

Continued use of our services after changes indicates acceptance of the updated policy.

12. Contact Us

Privacy Officer

Christo Fourie

Privacy Officer

privacy@audzone.com.au

For privacy inquiries and data requests

Suite 9-10 / 60 Cecil Avenue
Lawton House, Castle Hill
NSW 2154, Australia

Complaint Process

  1. Contact our Privacy Officer
  2. We acknowledge within 48 hours
  3. Investigation and response within 30 days
  4. If unsatisfied, contact the OAIC

Office of the Australian Information Commissioner

1300 363 992
enquiries@oaic.gov.au
www.oaic.gov.au

We are committed to protecting your privacy and handling your information responsibly. If you have any questions or concerns, please don't hesitate to contact us.

Australian Privacy Principles Compliant

AudZone is committed to protecting your privacy in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). We regularly review and update our practices to ensure ongoing compliance.


© 2025 AudZone Pty Ltd. All rights reserved.

ABN: 97 683 093 969
