YOU'RE IN AU (click to change)
Privacy and security at halaxy

Privacy and Security

Collection statement

Halaxy Pty Ltd ACN 633 220 612 ('we', 'us' or 'our') collect personal information about you in order to provide you with services relating to health records of you or your patients and for purposes otherwise set out in our Privacy Policy.

The information you provide will be collected by or on behalf of us and may be disclosed to third parties, including those that help us deliver our services (including information technology suppliers, communication suppliers and our business partners) or as required by law. If you do not provide this information, we may not be able to provide all our services to you. Your data is stored in Australia, and we may disclose your personal information to recipients that are located outside of Australia, for example, to Xero (which stores data in the USA) if Halaxy practitioner accounts are integrated to Xero.

Our Privacy Policy explains: (i) how we store and use, and how you may access and correct your personal information; (ii) how you can lodge a complaint regarding the handling of your personal information; and (iii) how we will handle any complaint. If you would like any further information about our privacy policies or practices, please contact us at privacy@halaxy.com. By providing your personal information to us, you consent to the collection, use, storage and disclosure of that information as described in the Privacy Policy and this Collection Notice.

About this policy

In this Privacy Policy, 'us' 'we' or 'our' means Halaxy Pty Ltd ACN 633 220 612and our related bodies corporate. We are committed to respecting your privacy. Our Privacy Policy sets outs out how we collect, use, store and disclose your personal information. We are bound by the Australian Privacy Principles contained in the Privacy Act.

This policy applies to practitioners and consumers alike, and practitioners’ patients are required to get their patients’ consent to their data being stored in Halaxy and covered by this Privacy Policy and the Terms.

By providing personal information to us, you consent to our collection, use and disclosure of your personal information in accordance with this Privacy Policy and any other arrangements that apply between us. We may change our Privacy Policy from time to time by publishing changes to it on our website. We encourage you to check our website periodically to ensure that you are aware of our current Privacy Policy.

Personal Information includes information or an opinion about an individual that is reasonably identifiable. For example, this may include your name, age, gender, postcode and contact details. It may also include financial information, including your credit/debit card and/or bank account information.

In addition to this Privacy Policy, we comply with various privacy legislation, including:

  • the Privacy Act 1988 (Cth) (“Privacy Act”) (including the Australian Privacy Principles under that Act);
  • health records legislation, including the Health Records Act 2001 (Vic), Health Records and Information Privacy Act 2002 (NSW), Health Records (Privacy and Access) Act 1997 (ACT); and
  • marketing legislation, including the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).

What, how and why

This section covers our collection, use and disclosure of different types of data and personal information.

If you do (or your practitioner) does any of these thingsWe might obtain these types of information from youAnd we might do these things with that information

register on our website

communicate with us in person, by phone, via mail, through correspondence, chats, email, online, or when you or your practitioner shares information with us from other social applications, services or websites, or when we contact you or your practitioner through any means

interact with our sites, services, content and advertising or when you or your practitioner register, log in for and use services offered by us

invest in our business or enquire as to a potential purchase in our business

your name, address, telephone and email contact details

if you are a practitioner, your areas of focus and contact details

to enable you or your practitioner to access and use our website and our services

to operate, protect, improve and optimise our website and our services, business and our users’ experience, such as to perform analytics, and conduct research

for practitioners - to provide your contact details and areas of focus to patients and the public and to other practitioners so that they can contact you via the website.

For practitioners – for advertising and marketing (which you can opt out of)

when you or your practitioner use our services to bill you, or to process a payment or to obtain a rebate or equivalent from a funding body

your billing details, your bank account or credit/debit card information

Government related identifiers, including your Medicare number

to process payments or to facilitate a practitioner’s billing system or to process payments to us by practitioners, including that information going to third parties such as Medicare or Xero accounting software

upload information relating to your health into our system

health information recorded in our system including the treatment you have received, including date, service type, description of the service, which practitioner treated you, test results, current and past medical history, data uploaded by any of your connected health devices, your gender, date of birth or age and marital status

your name, address, telephone and email contact details

to enable you or your practitioner to access and use our website and our services;

to share information between practitioner users, between practitioner users and patients and practitioner to public communications, with your permission;

to conduct research or compile or analyse statistics using reasonable steps to not personally identify you, and only on an aggregated and de-identified basis:

to access and aggregate data we have collected from you using reasonable steps to use your personal information in a way it does not personally identify you. We may access and aggregate this data for our own use or for use by third parties:

  • to audit, research, measure and analyse the information in order to maintain, administer, enhance and protect our products and services, including analysing usage trends and patterns and measuring the effectiveness of content, advertising, features or services;
  • for contextual and cookie-based automated content delivery, such as tailored ads or search results;
  • to conduct research or compile or analyse statistics relevant to health or safety; and
  • to prepare aggregate reports for current or future advertisers, sponsors or other partners to show trends about the general use of our services. Such reports may include age, gender, geographic, demographic or other general user information, but do not include personal information that personally identifies you.

We will never sell patients’ or consumers’ identifiable personal information to third parties. We have never done so and will never do so.

if you are a practitioner user

details of the products and services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and services and respond to your enquiries

to send you marketing and promotional messages and other information that may be of interest to you, including information sent by, or on behalf of, our business partners that we think you may find interesting

to send you service, support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you

to administer rewards, surveys, contests, or other promotional activities or events sponsored or managed by us or our business partners

We and/or our carefully selected business partners may send you direct marketing communications and information about our services. This may take the form of emails, SMS, mail or other forms of communication, in accordance with the Spam Act and the Privacy Act. You may opt-out of receiving marketing materials from us by contacting us using the details set out below or by using the opt-out facilities provided (eg an unsubscribe link).

if you browse our website and use our services but without signing up to Halaxy

your device ID, device type, geo-location information, computer and connection information, statistics on page views, traffic to and from the sites, ad data, IP address and standard web log information;

to enable you or your practitioner to access and use our website and our services

to operate, protect, improve and optimise our website and our services, business and our users’ experience, such as to perform analytics, conduct research and for advertising and marketing (e.g. through automatic remarketing)

if you take a survey

information that you provide to us in a survey

to access and aggregate data we have collected from you using reasonable steps to use your personal information in a way it does not personally identify you. We may access and aggregate this data for our own use or for use by third parties:

  • to audit, research, measure and analyse the information in order to maintain, administer, enhance and protect our products and services, including analysing usage trends and patterns and measuring the effectiveness of content, advertising, features or services;
  • for contextual and cookie-based automated content delivery, such as tailored ads or search results;
  • to conduct research or compile or analyse statistics relevant to health or safety; and
  • to prepare aggregate reports for current or future advertisers, sponsors or other partners to show trends about the general use of our services. Such reports may include age, gender, geographic, demographic or other general user information, but do not include personal information that personally identifies you.

apply for a job with us

when you apply for a job or position with us we may collect certain information from you (including your name, contact details, working history and relevant records checks) from any recruitment consultant, your previous employers and others who may be able to provide information to us to assist in our decision on whether or not to make you an offer of employment or engage you under a contract.

to consider your employment application

(Note: This Privacy Policy does not apply to acts and practices in relation to employee records of our current and former employees, which are exempt from the Privacy Act.)

Our data commitment

We will never sell patients’ or consumers’ identifiable personal information to third parties. We have never done so and will never do so.

Disclosure of personal information outside Australia

If we send your information outside of Australia, we will require that the recipient of the information complies with local privacy laws and contractual obligations to maintain the security of the data.

Information of another individual

Through your use of our services or website, we may also collect information from you about someone else (ie if you are a practitioner). If you provide us with personal information about someone else (ie your patients), you must ensure that you are authorised to disclose that information to us and that, without us taking any further steps required by applicable data protection or privacy laws, we may collect, use and disclose such information for the purposes described in this Privacy Policy. This means that you must take reasonable steps to ensure the individual concerned is aware of and/or consents to the various matters detailed in this Privacy Policy, including the fact that their personal information is being collected, the purposes for which that information is being collected, the intended recipients of that information, the individual’s right to obtain access to that information, our identity, and how to contact us. Where requested to do so by us, you must also assist us with any requests by the individual to access or update the personal information you have collected from them and entered into our website.

Anonymisation and pseudonymisation

For practitioners: It is impracticable for us to permit practitioners to use our services without identifying themselves and so anonymisation and pseudonymisation is not available for practitioner users.

For consumers: You may register to use our services under a pseudonym, however, if you are sharing information with a practitioner of your choosing, that practitioner might have their own requirements about identification. You should discuss this with your practitioners.

Using our website and cookies

We may collect personal information about you when you use and access our website.

While we do not use browsing information to identify you personally, we may record certain information about your use of our website, such as which pages you visit, the time and date of your visit and the internet protocol address assigned to your computer.

We may also use 'cookies' or other similar tracking technologies on our website that help us track your website usage and remember your preferences. Cookies are small files that store information on your computer, TV, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices and/or browsing sessions.

You can disable cookies through your internet browser but our websites may not work as intended for you if you do so.

We may also use cookies to enable us to collect data that may include personal information. For example, where a cookie is linked to your account, it will be considered personal information under the Privacy Act. We will handle any personal information collected by cookies in the same way that we handle all other personal information as described in this Privacy Policy.

You are responsible for transfer of your data to third-party applications

Our services may allow you, or others within the relevant subscription to our services to transfer Data, including your personal information, electronically to and from third-party applications and services. We have no control over, and take no responsibility for, the privacy practices or content of these applications or for their data storage processes. You are responsible for checking the privacy policy of any such applications so that you can be informed of how they will handle personal information.

Security

We may hold your personal information in either electronic or hard copy form. We take reasonable steps to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your personal information. However, we cannot guarantee the security of your personal information.

Links

Our website may contain links to websites operated by third parties. Those links are provided for convenience and may not remain current or be maintained. Unless expressly stated otherwise, we are not responsible for the privacy practices of, or any content on, those linked websites, and have no control over or rights in those linked websites. The privacy policies that apply to those other websites may differ substantially from our Privacy Policy, so we encourage individuals to read them before using those websites.

Sub-processor list

To be able to deliver our services, we use third-parties (known as sub-processors in the context of the GDPR). A list of these third-parties is set out below and we maintain this list regularly:

Sub processors

EntityCorporate Location Activities
Amazon Web Services,Inc (AWS)United States Web hosting
TwilioUnited States SMS messages, video telehealth, phone telehealth
Google LLCUnited States Analytics
BraintreeUnited States Processing user payments
PayPalUnited States Processing user payments
MailchimpUnited States Email sending

Logging and monitoring

Entity Corporate Location Activities
SentryUnited States Application performance monitoring
NewRelicUnited States Application performance monitoring
Logz.ioUnited States Application performance monitoring
HotJarUnited States Application performance monitoring and user experience insight
UserPilotUnited States Application performance monitoring and user experience insight

Independent audit monitoring

EntityCorporate Location Activities
Security MetricsUnited States Independent audit monitoring
Rapid7United States Independent audit monitoring

Integration sub-processors

We manage a range of optional integrations you can choose to enable from your Halaxy account. We provide only the data providers require to perform their services. The list of these sub-processors is below:

Accounting software

Entity Corporate Location Activities
XeroNew Zealand Accounting integration
ReckonUnited States Accounting integration
QuickbooksUnited States Accounting integration


Clinical modules

EntityCorporate Location Activities
PhysitrackUnited Kingdom Client exercise prescriptions
ValidicUnited States Health device tracking

Communication tools

Entity Corporate Location Activities
TwilioUnited States Phone and SMS integration
CronofyUnited States Integrated Calendar syncing
MailChimpUnited States Emails
CoviuAustraliaOnline consultations
ReferralNetAustraliaSecure Messaging
ArgusAustraliaSecure Messaging
GoLogicAustraliaFax Integration

Payment / Insurance Integrations

EntityCorporate Location Activities
Medicare Australia and Department of Veteran AffairsAustraliaClaims and payments submitted under Medicare and DVA
StripeUnited States Client payments
BraintreeUnited States Client and debit card payments
PayPalUnited States Client PayPal payments
MedipassAustralia Client Private Health payments
TyroAustralia Client Private Health and EFT payments
WorkSafe QueenslandAustralia Client insurance payments
HICAPSAustralia Client insurance payments
HyperWalletEU Client payments


Accessing or correcting your personal information

As required under the Australian Privacy Principles, you can access the personal information we hold about you by contacting us at privacy@halaxy.com. Sometimes, we may not be able to provide you with access to all of your personal information and, where this is the case, we will tell you why.

We may also need to verify your identity when you request your personal information.

If you think that any personal information we hold about you is inaccurate, please contact us and we will take reasonable steps to ensure that it is corrected.

Making a complaint

If you think we have breached the Privacy Act, or you wish to make a complaint about the way we have handled your personal information, you can contact us at privacy@halaxy.com. Please include your name, email address and/or telephone number and clearly describe your complaint. We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time. If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take.

Contact us

For further information about our Privacy Policy or practices, or to access or correct your personal information, or make a complaint, please contact us using the details set out below: privacy@halaxy.com.