Privacy Policy

Your privacy and the security of your health information is our priority.

Last updated: 2 January 2026 | Version: 1.1

Slay Pty Ltd (ABN 59 686 642 366) trading as PreConsult ("PreConsult", "we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our clinical decision support platform.

1. Scope of This Policy

This Privacy Policy applies to:

  • Patients who use PreConsult to provide health information before medical appointments
  • Healthcare practitioners who use PreConsult to receive and review patient information
  • Healthcare organisations that subscribe to PreConsult services
  • Visitors to our website and marketing materials

PreConsult operates as a data processor on behalf of healthcare organisations (data controllers) for patient health information, and as a data controller for practitioner account information and website visitor data.

2. Information We Collect

2.1 Patient Health Information

When patients use our pre-consultation interview service, we collect:

  • Identifying information: Name, date of birth, contact details, appointment information
  • Health information: Symptoms, presenting complaints, medical history, current medications, allergies, family history, social history
  • Demographic information: Age, gender, language preferences
  • Communication records: Chat transcripts, voice recordings (if voice interview feature is used)

2.2 Practitioner and Organisation Information

For healthcare practitioners and organisations, we collect:

  • Account information: Name, email address, professional credentials, organisation affiliation
  • Authentication data: Login credentials, multi-factor authentication details
  • Usage data: Session activity, features used, time spent reviewing patient information
  • Preferences: Notification settings, clinical workflow preferences

2.3 Technical and Device Information

We automatically collect:

  • Device information: Device type, operating system, browser type
  • Connection information: IP address, referring URLs, pages visited
  • Usage analytics: Feature usage, session duration, interaction patterns

3. How We Use Your Information

3.1 Primary Purposes

We use your information to:

  • Facilitate pre-consultation health history collection through AI-guided interviews
  • Provide structured clinical summaries to healthcare practitioners
  • Generate clinical decision support suggestions (differential diagnoses, treatment considerations, billing codes)
  • Enable secure communication between patients and healthcare providers
  • Maintain and improve our clinical decision support platform

3.2 Secondary Purposes

With appropriate safeguards, we may also use information to:

  • Improve and develop our AI models and services
  • Conduct quality assurance and clinical safety monitoring
  • Generate anonymised analytics and insights
  • Comply with legal and regulatory requirements
  • Respond to medical emergencies or safety concerns

3.3 What We Do NOT Do

  • We do not sell, rent, or trade your personal or health information
  • We do not share your information for advertising or marketing by third parties
  • We do not use your identifiable health information to train AI models without explicit consent
  • We do not make automated decisions that produce legal or similarly significant effects without human oversight

5. Use of AI-Powered Services

5.1 How AI Is Used

PreConsult uses artificial intelligence, including large language models (LLMs), to:

  • Conduct conversational health history interviews with patients
  • Extract and structure clinical findings from patient responses
  • Generate clinical summaries for practitioner review
  • Suggest potential differential diagnoses and treatment considerations
  • Recommend appropriate billing codes

5.2 AI Processing Location

We use enterprise-grade AI language model services from leading providers. Depending on your location and the services you use:

  • Australian users: AI processing primarily occurs in Australian data centres where available
  • Other regions: AI processing may occur in the United States or other jurisdictions with appropriate safeguards
  • Clinical Terminology: SNOMED coding via regional terminology servers

Where AI processing occurs outside your country of residence, you will be informed and asked for consent before proceeding. We only use AI providers that offer enterprise data protection agreements and do not use customer data for model training.

5.3 AI Data Use Commitments

  • Your identifiable health information is not used to train AI models
  • Our AI providers are contractually prohibited from retaining or using your data for their own purposes
  • All AI outputs are suggestions only and require practitioner review before clinical use
  • We maintain human-in-the-loop oversight for all clinical decision support

5.4 De-identified Data for Service Improvement

We may use de-identified and aggregated data — information that cannot reasonably be used to identify you — to improve our services. This includes:

  • Improving AI model accuracy and clinical relevance
  • Enhancing interview question flows
  • Generating population-level health insights

De-identification is performed in accordance with applicable privacy guidelines (OAIC in Australia, ICO in UK, HIPAA Safe Harbor in US) before any such use. Once de-identified, this information is no longer considered personal information.

6. Information Sharing and Disclosure

6.1 Healthcare Providers

Patient health information is shared with:

  • The healthcare practitioner conducting the appointment
  • Authorised staff at the healthcare organisation
  • Other healthcare providers involved in your care (with appropriate consent or as required for treatment)

6.2 Service Providers (Sub-processors)

We use carefully selected service providers who process data on our behalf. These include:

| Service Category | Purpose | Processing Location |
|---|---|---|
| Cloud Infrastructure | Hosting, data storage, and application services | Your designated data region (see Data Residency below) |
| AI Language Models | Conversational interviews and clinical decision support | Your designated data region or USA (with consent where required) |
| SMS Delivery | Interview invitation messages | USA (minimal data: phone number, patient first name, clinic name, and interview link) |
| Voice Processing | Voice-based interview services (optional feature) | USA (with explicit consent) |
| Email Delivery | Transactional emails and notifications | Your designated data region or USA |

All sub-processors are bound by data processing agreements that require them to protect your information to the same standards we maintain. A detailed list of current sub-processors is available upon request to healthcare organisations under data processing agreements.

6.3 Legal and Regulatory Disclosure

We may disclose information when required by law, including:

  • Court orders or legal process
  • Regulatory investigations or audits
  • Mandatory reporting obligations (e.g., notifiable diseases)
  • To protect the rights, safety, or property of PreConsult, our users, or the public

7. International Data Transfers and Data Residency

7.1 Regional Data Residency

PreConsult operates a multi-region architecture to ensure your data is stored and processed in the appropriate jurisdiction. Your healthcare organisation's data region determines where your primary data is hosted:

| Data Region | Countries Served | Primary Hosting Location |
|---|---|---|
| Australia/Pacific | Australia, New Zealand | Sydney, Australia |
| United States | United States, Canada | Virginia, USA |
| United Kingdom | United Kingdom | London, UK |
| European Union | Ireland, EU member states | Dublin, Ireland |

Within each region, the following data is stored locally:

  • Patient health information and clinical records
  • AI-powered interview transcripts
  • Clinical summaries and suggestions
  • Audit logs and compliance records

7.2 Centralised Services

Some services are managed centrally for operational efficiency:

  • User authentication: Account credentials and login sessions are managed from our primary region (Australia) but shared securely across regions via encrypted cookies
  • Organisation settings: Administrative configuration is stored centrally

This centralised authentication allows practitioners to access multiple organisations across regions with a single login, while patient health data remains in the designated regional jurisdiction.

7.3 Cross-Border Processing

Some services may involve processing outside your designated data region:

  • AI Language Models: Where regional AI services are not available, processing may occur in the United States with appropriate safeguards. You will be informed and asked for consent where required.
  • Voice interviews: Audio processing may occur in the United States. You will be informed and asked for explicit consent before using this feature.
  • SMS notifications: Delivery services may involve US-based processing. SMS messages contain minimal data: patient first name, clinic name, and interview link.

7.4 Transfer Safeguards

For any data transfers outside your designated region, we ensure appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by relevant authorities
  • UK International Data Transfer Agreement (IDTA) for UK data
  • Data Processing Agreements with all service providers
  • Adequacy decisions where available (e.g., UK adequacy for EU transfers)
  • Supplementary technical and organisational measures

7.5 Data Processing Agreements

Healthcare organisations using PreConsult enter into region-specific Data Processing Agreements that document our data handling obligations. Templates are available for review:

To request a customised agreement, contact legal@preconsult.ai.

8. Data Security

We implement comprehensive security measures to protect your information:

8.1 Technical Safeguards

  • Encryption: TLS 1.3 for data in transit; AES-256 encryption for data at rest
  • Access controls: Role-based access, multi-factor authentication for practitioners
  • Network security: Firewalls, intrusion detection, DDoS protection
  • Secure development: Regular security audits, penetration testing, code reviews

8.2 Organisational Safeguards

  • Staff training: Regular privacy and security awareness training
  • Access logging: Comprehensive audit trails for all data access
  • Incident response: Documented breach response procedures
  • Vendor management: Security assessments for all service providers

8.3 Data Breach Response

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within required timeframes (72 hours for GDPR, "as soon as practicable" for Australian Privacy Act)
  • Notify affected individuals where required
  • Take immediate steps to contain and remediate the breach
  • Document the breach and our response

9. Data Retention

9.1 Patient Identifying Information (PII)

PreConsult implements configurable PII retention to minimise data exposure while preserving clinical value:

  • Retention period: Healthcare organisations can configure PII retention from 2 hours to 90 days after appointments (default: 7 days)
  • Automatic anonymization: After the configured period, patient identifying information (name, email, phone, date of birth) is automatically and irreversibly anonymized
  • Clinical data preserved: Symptoms, findings, clinical summaries, and AI-generated suggestions are retained for quality improvement and analytics
  • Manual anonymization: Administrators can manually anonymize patient data at any time upon request

What is anonymized: Patient name, email address, phone number, and date of birth are replaced with non-identifying placeholders. The patient's age at the time of the interview is preserved for clinical relevance.

9.2 Clinical Records

Anonymized clinical data may be retained longer in accordance with healthcare record-keeping requirements:

  • Australia: Minimum 7 years from last service (longer for minors)
  • UK: As per NHS Records Management Code of Practice
  • Other jurisdictions: As per applicable healthcare record retention laws

Your healthcare provider is the primary custodian of your health records. PreConsult retains anonymized clinical information to support quality improvement and analytics after PII has been removed.

9.3 Account Information

Practitioner and organisation account information is retained:

  • While the account is active
  • For a reasonable period after account closure for audit and legal purposes
  • As required to comply with legal obligations

9.4 Technical Logs

Security and access logs are retained for 12-24 months for security monitoring and incident investigation.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

10.1 Access and Portability

  • Request a copy of the personal information we hold about you
  • Receive your data in a structured, commonly used format (data portability)

10.2 Correction and Erasure

  • Request correction of inaccurate or incomplete information
  • Request deletion of your information (subject to legal retention requirements)

10.3 Restriction and Objection

  • Request restriction of processing in certain circumstances
  • Object to processing based on legitimate interests
  • Withdraw consent at any time (where processing is based on consent)

10.4 Exercising Your Rights

For patients: Contact your healthcare provider directly, as they are the controller of your health information.

For practitioners: Contact us at privacy@preconsult.ai.

We will respond to requests within the timeframes required by applicable law (generally 30 days, or 45 days for complex requests).

11. Cookies and Tracking

11.1 Essential Cookies

We use essential cookies that are necessary for the platform to function, including:

  • Session management cookies
  • Authentication cookies
  • Security cookies (CSRF protection)

11.2 Analytics Cookies

We use analytics to understand how our service is used and to improve it. We use:

  • Ahoy: Self-hosted analytics (data stays on our servers)

We do not use third-party advertising cookies or trackers.

11.3 Cookie Preferences

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of our platform.

12. Children's Privacy

PreConsult may be used to collect health information about minors when arranged by their healthcare provider or parent/guardian. In such cases:

  • Parental or guardian consent is required for minors under the applicable age of consent
  • We implement additional safeguards for information about minors
  • Health records for minors are retained for longer periods as required by law

12.1 Age Thresholds by Region

The minimum age for independent consent to data processing varies by jurisdiction:

| Jurisdiction | Minimum Age | Notes |
|---|---|---|
| Australia | No statutory minimum | Capacity-based assessment; typically 14+ can consent if they understand |
| New Zealand | 16 years | Under Privacy Act 2020 |
| United Kingdom | 13 years | Under UK GDPR and Data Protection Act 2018 |
| Ireland / EU | 16 years (Ireland); 13-16 years (varies by EU member state) | Ireland has set 16; other EU states may differ |
| United States | 13 years | Under COPPA; state laws may vary |
| Canada | No federal minimum | Meaningful consent required; provincial laws may apply |

For users below these age thresholds, parental or guardian consent is required. Healthcare providers are responsible for obtaining appropriate consent for minors using their services.

Our marketing website is not directed at children, and we do not knowingly collect information from children for marketing purposes.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

  • Minor changes: Posted on this page with an updated "Last updated" date
  • Material changes: We will notify healthcare organisations and provide prominent notice on our platform

We encourage you to review this policy periodically to stay informed about how we protect your information.

14. Contact Information

Privacy Officer

Slay Pty Ltd (trading as PreConsult)
ABN 59 686 642 366
Email: privacy@preconsult.ai
Address: Melbourne, Australia

Complaints

If you believe your privacy has been breached or you are dissatisfied with how we have handled your information, you may:

  1. Contact us at privacy@preconsult.ai and we will investigate and respond
  2. Lodge a complaint with the relevant supervisory authority (see Jurisdiction-Specific Information below)

15. Jurisdiction-Specific Information

This policy complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Supervisory Authority: Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992

Health Records: State and territory health records legislation may also apply (e.g., Health Records Act 2001 (Vic)).

For UK users, we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Supervisory Authority: Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

International Transfer Mechanism: UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU SCCs.

See our UK GDPR Compliance Policy for detailed information.

For EU users (including Ireland), we comply with the General Data Protection Regulation (GDPR).

Ireland Supervisory Authority: Data Protection Commission
Website: www.dataprotection.ie

International Transfer Mechanism: Standard Contractual Clauses (SCCs) as approved by the European Commission.

For US users, we comply with applicable federal and state privacy laws.

HIPAA: When PreConsult is used by HIPAA-covered entities, we act as a Business Associate and will enter into a Business Associate Agreement (BAA). We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule.

State Laws: We comply with applicable state privacy laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) where applicable.

California Residents: You have the right to know what personal information we collect, request deletion, opt-out of sales (we do not sell personal information), and non-discrimination for exercising your rights.

For Canadian users, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial health privacy legislation.

Supervisory Authority: Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376

Provincial Laws: Provincial health information legislation may also apply (e.g., PHIPA in Ontario, HIA in Alberta).

For New Zealand users, we comply with the Privacy Act 2020 and the Health Information Privacy Code 2020.

Supervisory Authority: Office of the Privacy Commissioner
Website: www.privacy.org.nz
Phone: 0800 803 909

This Privacy Policy is governed by the laws of Victoria, Australia. By using PreConsult, you acknowledge that you have read and understood this Privacy Policy.