Privacy Policy - Clexa Health

1. Introduction

This Privacy Policy describes how Clexa ("we", "our", or "us") collects, uses, stores, and protects personal information in connection with our clinical inbox management platform. This policy applies to all users of Clexa services, including healthcare providers, clinicians, and healthcare organizations.

Clexa is committed to protecting the privacy of individuals whose information is processed through our platform. We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1.1 Our Commitment to Privacy

Data Minimization: We collect and store only the minimum data necessary for our services
Australian Data Sovereignty: All data remains within Australia
Transparency: We are clear about how we use your information
Security First: We implement robust technical and organizational security measures
Your Rights: We respect and facilitate your privacy rights under Australian law

1.2 Implementation Status

Current Status: Pre-deployment documentation and planning phase

This Privacy Policy represents Clexa's firm commitments regarding data handling, security, and privacy practices. While vendor selection is in progress, all provisions in this policy will be fully implemented before processing any patient data. We are documenting our privacy approach early to ensure:

Privacy-by-design principles guide all technical decisions
Vendor selection criteria align with our privacy commitments
Healthcare providers can evaluate our privacy practices before deployment
Transparency about our development stage and privacy roadmap

Key Pre-deployment Activities:

Finalizing cloud infrastructure vendor (AWS, Google Cloud, or Microsoft Azure)
Selecting Australian-hosted LLM provider with contractual data protection guarantees
Establishing Data Processing Agreements with all subprocessors
Completing security audits and penetration testing
Privacy policy and breach response procedures documented
Technical architecture designed with privacy-by-design principles

Timeline: We anticipate completing vendor selection and security implementations by Q1 2026, with full operational readiness for patient data processing by Q2 2026.

2. Scope and Application

2.1 Who This Policy Applies To

This Privacy Policy applies to:

Healthcare Providers: General practitioners, specialists, and other clinicians using Clexa
Healthcare Organizations: Medical practices, hospitals, and healthcare facilities
Patients: Individuals whose clinical information is processed through Clexa
Administrative Users: Practice managers and administrative staff

2.2 What This Policy Covers

This policy covers all personal information and health information processed through Clexa's clinical inbox management platform, including:

Clinical documents (laboratory results, specialist letters, diagnostic reports)
AI-generated clinical suggestions
Audit logs and system access records
User account information

3. Information We Collect

3.1 Clinical Information (Minimal Collection)

Clexa is designed with data minimization principles. We collect and store only:

What We Collect:

Document Identifiers: Unique document ID referencing the original clinical document
Patient Identifiers: Pseudonymized patient ID (not full patient demographics)
AI-Generated Suggestions: Clinical action recommendations (e.g., "Start atorvastatin 20mg daily")
Evidence Excerpts: Short text snippets from clinical documents supporting each suggestion
Audit Information: User actions (approve/reject decisions), timestamps, user identifiers

What We Do NOT Collect or Store:

Complete clinical documents (processed but not stored)
Full patient demographics (name, address, date of birth)
Complete medical histories (processed but not stored)
Sensitive personal information beyond what's required for clinical workflow
Financial or billing information

3.2 User Information

For healthcare providers and staff accessing Clexa:

Name and professional credentials
Email address and contact information
Professional registration numbers (e.g., AHPRA registration)
Employment organization
Role and access permissions
Login credentials (securely hashed)
User activity logs

3.3 Technical Information

IP addresses and device information
Browser type and version
Access times and session duration
System logs for security and troubleshooting
Performance and diagnostic data

3.4 De-identified Information Processing

Before AI analysis, clinical documents undergo de-identification:

Personally Identifiable Information (PII) is removed or redacted using automated tools (e.g., Microsoft Presidio)
Medical histories and medications are processed but not stored in order to produce relevant suggestions
Clinical content of documents is preserved for AI processing
De-identified documents are processed by our Australian-hosted LLM
Original documents are not stored by Clexa

4. How We Use Your Information

4.1 Primary Purpose: Clinical Decision Support

We use collected information to:

Generate AI-powered clinical suggestions for healthcare providers
Validate suggestions against medical terminology databases
Present actionable recommendations to clinicians
Facilitate clinician approval/rejection of suggestions
Update patient management systems with approved actions

4.2 Secondary Purposes

We may use information for:

System Security: Detecting and preventing unauthorized access
Quality Improvement: Improving system performance, user interface, and workflow optimization
Audit and Compliance: Maintaining clinical governance and regulatory compliance
Technical Support: Troubleshooting and resolving system issues
Analytics: Analyzing system usage patterns and performance metrics (using aggregated, de-identified data only)

Important - No LLM Training on Patient Data: We do NOT use patient data, clinical documents, or any identifiable health information to train, fine-tune, or improve AI/LLM models. Any improvements to AI algorithms are based solely on:

Aggregated, fully de-identified performance metrics
Clinical validation studies with synthetic or publicly available medical literature
Expert clinical feedback on suggestion quality (without patient-specific data)

4.3 Human-in-the-Loop Principle

Critical: All AI-generated suggestions require explicit clinician approval. No automated changes are made to patient records. Clinicians maintain full control over all clinical decisions.

5. How We Share Your Information

5.1 Sharing with Healthcare Providers

Suggestions and evidence are shared with authorized clinicians within the patient's care team
Approved suggestions are communicated back to the source patient management system
Access is controlled based on role-based permissions

5.2 Subprocessors

We engage trusted subprocessors to assist in delivering our services. All subprocessors will be bound by data processing agreements and must comply with Australian privacy laws and our security requirements.

Subprocessor Categories and Requirements:

Prior to commercial deployment, we will finalize vendor selection across the following categories. All vendors will meet our strict security and privacy requirements:

Subprocessor Category	Purpose	Data Processed	Location Requirement	Security Requirements
Cloud Infrastructure	Platform hosting, data storage, compute resources	All operational data	Australia (Sydney/Melbourne)	Data Processing Agreement, ISO 27001, SOC 2 Type II, encryption at rest and in transit
De-identification Service	PII removal and data anonymization	Clinical documents (temporary processing only)	Australia	Data Processing Agreement, zero data retention, encryption in transit
Medical Terminology Service	Medical terminology validation (Ontoserver or equivalent)	AI suggestions, terminology codes	Australia	Data Processing Agreement, access via secure API, minimal data transfer
LLM Provider	AI-powered clinical analysis	De-identified clinical content only	Australia	Data Processing Agreement, zero data retention, no model training clause, encryption in transit
Security Monitoring	Security monitoring and threat detection	System logs, access logs	Australia	Data Processing Agreement, SOC 2, limited data retention

Pre-deployment Commitments:

Vendor selection is in progress, with priority on Australian data sovereignty
All vendors will be required to maintain Australian operations exclusively
Data Processing Agreements will be finalized before any patient data processing begins
Complete subprocessor list will be made available to customers upon commercial deployment
We will notify customers of final vendor selections at least 30 days before deployment

Subprocessor Commitments (Post-deployment):

All subprocessors will operate exclusively in Australian data centers
Data Processing Agreements in place with all subprocessors
Subprocessors prohibited from using data for their own purposes
LLM providers contractually prohibited from training on our data
Regular security audits and compliance reviews
Right to audit subprocessor security controls

Subprocessor Changes: We will notify customers of any new subprocessors or changes to existing subprocessors via email at least 30 days in advance, allowing customers to object if they have legitimate concerns.

5.3 Required Disclosures

We may disclose information when required by law:

In response to valid court orders, subpoenas, or legal processes
To comply with regulatory requirements
To report notifiable data breaches under the Privacy Act
To protect the rights, property, or safety of Clexa, users, or the public

5.4 No Overseas Disclosure

Important: All data remains within Australia. We do not transfer personal information or health information to overseas recipients. All processing, including AI analysis, occurs on Australian-hosted infrastructure.

6. Data Storage and Security

6.1 Australian Data Residency

All data stored in Australian data centers (Sydney or Melbourne regions)
All processing occurs within Australia
No data transmitted to overseas servers
Compliance with Australian data sovereignty requirements

6.2 Infrastructure Security

Encryption:

Data encrypted at rest using AES-256 encryption
Data encrypted in transit using TLS 1.3
Encryption key management following industry best practices
Regular key rotation

Access Controls:

Role-Based Access Control (RBAC)
Principle of least privilege
Multi-factor authentication (MFA) for all users
Regular access reviews and deprovisioning
Detailed audit logging of all access

Network Security:

Virtual Private Cloud (VPC) isolation
Network segmentation and firewall rules
Intrusion detection and prevention systems (IDS/IPS)
DDoS protection
Regular vulnerability scanning

Application Security:

Secure software development lifecycle
Regular security testing and penetration testing
Input validation and output encoding
Protection against OWASP Top 10 vulnerabilities
Security patch management

6.3 De-identification Process

Clinical documents undergo automated de-identification before AI processing:

PII Removal: Names, addresses, dates of birth, contact details
Clinical Preservation: Medical content preserved for analysis
Validation: Regular audits of de-identification effectiveness
Fallback: Manual review for complex cases

6.4 Data Retention

Operational Data:

Document identifiers: Retained for 7 years (aligned with medical record retention)
AI suggestions and evidence: Retained for 7 years for clinical governance
Audit logs: Retained for 7 years for compliance

User Account Data:

Active user accounts: Retained while account is active
Deactivated accounts: Retained for 12 months, then deleted
Audit trails: Retained for 7 years

System Logs:

Security logs: Retained for 2 years
Performance logs: Retained for 1 year
Diagnostic logs: Retained for 90 days

6.5 Data Deletion

Upon request or at end of retention period:

Secure deletion using industry-standard methods
Multiple-pass overwriting or cryptographic erasure
Deletion from backups within standard backup retention cycle
Certificate of destruction available upon request

7. Your Privacy Rights

Under the Australian Privacy Act 1988 and Australian Privacy Principles, you have the following rights:

7.1 Right to Access

For Healthcare Providers:

Healthcare providers can request access to their own account information
Requests processed within 30 days
Access provided in commonly used format

For Patients: Due to our data minimization design, we store only pseudonymized patient identifiers and do not maintain complete patient records. Patients seeking access to their clinical information should contact their healthcare provider, who maintains the complete medical record. We can provide information about:

Whether AI suggestions were generated for documents associated with a pseudonymized patient ID (if the healthcare provider can supply this ID)
The nature of suggestions generated and whether they were approved or rejected
Access requests must be coordinated through the patient's healthcare provider

7.2 Right to Correction

You can request correction of inaccurate or incomplete information:

Submit correction requests in writing
We will take reasonable steps to correct information
If we refuse correction, we will provide written reasons
You may request a statement of disagreement be attached

Note for Patients: Due to data minimization, corrections to clinical information should be made through your healthcare provider's patient management system, which maintains your complete medical record.

7.3 Right to Complain

You have the right to complain about our privacy practices:

Submit complaints to our Privacy Officer
We will investigate and respond within 30 days
If not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC)

7.4 Right to Restrict Processing

In certain circumstances, you may request restriction of processing:

While we investigate accuracy of information
If you believe processing is unlawful
For establishment, exercise, or defense of legal claims

Note: Restriction requests from patients should be coordinated through their healthcare provider, who can control whether clinical documents are sent to Clexa for processing.

7.5 Data Portability

For Healthcare Providers: Where technically feasible, healthcare provider organizations can request export of:

User account information
Audit logs for their organization
System usage analytics
Data provided in structured, commonly used format (e.g., JSON, CSV)

For Patients: Due to our data minimization approach, we do not store complete patient records or sufficient identifying information to facilitate direct patient data portability requests. Patients seeking portability of their complete medical records should contact their healthcare provider. We can provide (via the healthcare provider):

AI suggestions generated for the patient
Evidence excerpts used to support suggestions
Approval/rejection history

Data portability may be subject to technical limitations and must be coordinated through the healthcare provider for patient requests.

8. Data Breach Notification

8.1 Our Commitment

We are committed to protecting your information and have implemented comprehensive security measures. However, in the event of a data breach, we will act swiftly and transparently.

8.2 Detection and Response

Immediate Detection: 24/7 security monitoring for potential breaches
Rapid Assessment: Evaluate scope, severity, and impact within 24 hours
Containment: Immediate steps to contain and remediate the breach
Investigation: Root cause analysis and corrective actions

8.3 Notification Process

To Affected Individuals:

Target notification within 72 hours of becoming aware of eligible data breach (in accordance with NDB scheme requirements, with commitment to notify as rapidly as circumstances permit)
Clear description of the breach and information involved
Steps we have taken to mitigate harm
Recommendations for individuals to protect themselves
Contact information and dedicated support resources

Our Commitment: While the NDB scheme requires notification within 72 hours where practicable, we are committed to notifying affected parties as rapidly as possible once we have verified the breach and assessed its scope, even if this occurs sooner than the statutory requirement.

To OAIC (Office of the Australian Information Commissioner):

Notification of eligible data breaches as required by law
Within 72 hours of becoming aware
Detailed breach report including remediation

To Healthcare Organizations:

Immediate notification to affected healthcare providers
Support for patient communication if required

8.4 Eligible Data Breaches

Under the Notifiable Data Breaches (NDB) scheme, we will notify if:

Unauthorized access or disclosure of personal information occurs
Personal information is lost in circumstances likely to result in unauthorized access or disclosure
The breach is likely to result in serious harm to affected individuals

8.5 Post-Breach Actions

Implement additional security measures to prevent recurrence
Conduct thorough post-incident review
Update security procedures and policies
Provide ongoing support to affected individuals

9. Clinical Governance and Quality Assurance

9.1 AI Model Oversight

Regular validation of AI suggestion accuracy
Clinical review of AI model outputs
Continuous monitoring for bias and safety
Updates to models based on clinical evidence and medical literature
No training or fine-tuning on patient data

9.2 Terminology Validation

All AI suggestions validated against authoritative medical terminology databases via Ontoserver:

SNOMED CT Australia (clinical terminology)
Australian Medicines Terminology (AMT)
Pharmaceutical Benefits Scheme (PBS)
Prevents hallucinated or invalid medical terms

9.3 Audit Trail

Complete audit trail maintained for:

All AI-generated suggestions
Clinician decisions (approve/reject)
Evidence supporting each suggestion
User access and actions
System changes and updates

9.4 Clinical Safety

Multi-layer validation before presentation to clinicians
Human-in-the-loop requirement for all actions
No automated changes to patient records
Clinician can modify or reject any suggestion

10. Consent and Lawful Basis

10.1 Healthcare Provider Consent

By using Clexa, healthcare providers consent to:

Collection and use of information as described in this policy
Processing of de-identified clinical documents by AI
Storage of suggestions and evidence for clinical governance
Audit logging of system access and actions

10.2 Patient Consent

Patient consent for Clexa processing is typically obtained by the healthcare provider as part of:

General consent for healthcare treatment
Consent for electronic health records
Information about how the practice uses technology

Healthcare providers are responsible for ensuring appropriate patient consent.

10.3 Lawful Basis for Processing

We process health information under the following legal bases:

Primary Purpose (APP 6.1):

Clinical decision support and healthcare provision
With consent of the individual
Necessary for provision of healthcare services

Secondary Purpose (APP 6.2):

Quality improvement and system security (directly related)
System analytics with aggregated, de-identified data
Legal compliance and regulatory requirements

11. Children's Privacy

Clexa is a healthcare professional tool, not directed at children. Clinical information about patients of all ages, including paediatric patients, may be processed through our platform.

Our Approach:

We apply the same rigorous privacy protections and data minimization principles to all patient data, regardless of age
Consent for processing paediatric patient information is obtained by the healthcare provider as part of standard clinical consent processes
Parents or legal guardians provide consent on behalf of minors as per standard healthcare practice
No additional data collection or special processing for paediatric patients

Healthcare providers remain responsible for obtaining appropriate consent from parents or legal guardians for the treatment of minors.

12. Changes to This Privacy Policy

12.1 Updates

We may update this Privacy Policy from time to time:

Material changes will be notified to users via email
Updated policy posted on our website with effective date
Continued use of Clexa constitutes acceptance of updated policy
Users may contact us with questions about changes

12.2 Version History

Version 1.2 (2025-10-24): Added implementation status section (1.2), revised subprocessor table to reflect pre-deployment stage, strengthened breach notification commitment, updated effective date, added vendor selection criteria appendix (Appendix B)
Version 1.1 (2025-10-23): Updated data portability section to reflect data minimization approach; simplified children's privacy section
Version 1.0 (2025-10-23): Initial privacy policy

13. Contact Information

13.1 Privacy Officer

For privacy-related questions, requests, or complaints:

Privacy Officer
Email: privacy@clexa.health

13.2 General Inquiries

For general questions about Clexa:

Email: support@clexa.health

13.3 Regulatory Complaints

If you are not satisfied with our response to your privacy complaint, you may contact:

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Email: enquiries@oaic.gov.au
Phone: 1300 363 992

14. Definitions

AI Suggestion: A clinical recommendation generated by Clexa's artificial intelligence system based on analysis of de-identified clinical documents.

De-identification: The process of removing personally identifiable information from clinical documents while preserving clinical content for analysis.

Evidence Excerpt: A short text snippet from a clinical document that supports an AI-generated suggestion.

Health Information: Information or opinion about the health or disability of an individual, as defined in the Privacy Act 1988.

Personal Information: Information or opinion about an identified individual, or an individual who is reasonably identifiable, as defined in the Privacy Act 1988.

Pseudonymization: Replacement of identifying information with pseudonyms (e.g., patient ID instead of patient name).

Subprocessor: A third-party service provider engaged by Clexa to process personal information on our behalf, subject to data processing agreements and security requirements.

Terminology Validation: The process of verifying that AI suggestions refer to valid medical terms in authoritative databases such as SNOMED CT, AMT, or PBS.

Appendix A: Australian Privacy Principles Compliance

This section demonstrates Clexa's compliance with the Australian Privacy Principles (APPs):

APP 1 - Open and Transparent Management:

This Privacy Policy clearly describes our practices
Contact information for Privacy Officer provided
Policy publicly available
Subprocessor list maintained and disclosed

APP 2 - Anonymity and Pseudonymity:

De-identification applied before AI processing
Pseudonymized patient identifiers used
Minimal data collection principles

APP 3 - Collection of Solicited Personal Information:

Only health information necessary for clinical decision support
Collection reasonably necessary for our functions
Sensitive information collected with consent

APP 5 - Notification of Collection:

Users notified through this Privacy Policy
Healthcare providers inform patients about Clexa use
Purposes of collection clearly stated

APP 6 - Use or Disclosure:

Primary purpose: Clinical decision support
Secondary purposes directly related or with consent
No overseas disclosure
No use of patient data for LLM training
Subprocessors bound by data processing agreements

APP 7 - Direct Marketing:

Not applicable - Clexa does not engage in direct marketing

APP 8 - Cross-border Disclosure:

All data remains in Australia
No cross-border disclosure
All subprocessors operate in Australia only

APP 9 - Adoption, Use or Disclosure of Government Related Identifiers:

We do not adopt government identifiers as our own identifiers

APP 10 - Quality of Personal Information:

Reasonable steps to ensure accuracy
Correction mechanisms available
Regular data quality reviews

APP 11 - Security:

Comprehensive technical and organizational security measures
Encryption, access controls, audit logging
Secure deletion at end of retention period
Subprocessor security requirements

APP 12 - Access to Personal Information:

Access requests processed within 30 days
Reasonable access provided based on data minimization constraints
Patient access requests coordinated through healthcare providers
Refusal only in specific circumstances with reasons

APP 13 - Correction:

Correction mechanisms available
Reasonable steps to correct information
Statement of disagreement if correction refused
Patient corrections coordinated through healthcare providers

Appendix B: Vendor Selection Criteria

To ensure our privacy commitments are met, all vendors must satisfy these requirements before selection:

Mandatory Requirements

Australian Data Sovereignty:

Australian data centre operations
No cross-border data transfers under any circumstances
All processing infrastructure located in Australia
Australian-based support and operations team

Security Certifications:

ISO 27001 certification (Information Security Management)
SOC 2 Type II compliance (Security, Availability, Confidentiality)
Regular third-party security audits (at least annually)
Penetration testing program with documented remediation

Contractual Commitments:

Willingness to sign comprehensive Data Processing Agreement
Zero data retention clause (for LLM and de-identification services)
Contractual prohibition on using customer data for AI training or model improvement
Right to audit subprocessor security controls
Breach notification within 24 hours

Healthcare Industry Experience:

Demonstrated experience with healthcare data
Understanding of Australian Privacy Act and healthcare compliance
HIPAA or equivalent healthcare privacy framework experience

Technical Capabilities:

AES-256 encryption at rest
TLS 1.3 encryption in transit
Multi-factor authentication support
Comprehensive audit logging capabilities
Role-based access control (RBAC)

Business Continuity:

Documented disaster recovery plan with RPO/RTO commitments
Regular backup and restoration testing
Business continuity insurance

Privacy PolicyPre-deployment