PRIVACY POLICY

NewDoc Pty Ltd ABN 95 686 031 318 | Last updated: 29 May 2026

1. INTRODUCTION

This document sets out the privacy policy of NewDoc Pty Ltd ABN 95 686 031 318 (referred to as 'we', 'us', or 'our'). We take our privacy obligations seriously. By providing personal information to us, you consent to our handling of that information in accordance with this policy.

This policy should be read together with our Terms & Conditions.

We may change this privacy policy from time to time by posting an updated copy on our website. We encourage you to check our website regularly to ensure that you are aware of our most current privacy policy.

2. TYPES OF PERSONAL INFORMATION WE COLLECT

The personal information we collect may include name; mailing or street address; email address; social media information; telephone number and other contact details; age; date of birth; credit card or other payment information; sensitive information (such as health information) as set out in section 7; information about your business or personal circumstances; information in connection with surveys, questionnaires and promotions; device identity and type, IP address, geo-location, page view statistics, advertising data and standard web log information; information about third parties; and any other information provided by you to us via our website or platforms.

3. HOW PERSONAL INFORMATION IS COLLECTED

We collect personal information in a lawful and fair way, only with your consent or otherwise in accordance with the law. We may collect from you directly (when you sign up, contact us, receive services, communicate with us, interact with our platforms), from third parties (medical practitioners entering details, parents or guardians of minors, referrals from other health care providers, our analytics providers), and from cookies and tracking technologies on our website.

If you provide personal information about someone else, you must have their consent. If you provide information about a minor, you must be the parent or legal guardian and must consent on their behalf.

4. USE OF YOUR PERSONAL INFORMATION

We collect and use personal information for the following primary purposes: identity confirmation; providing services and processing payments; making appointments and reminders; administrative messages; facilitating third-party communications (for example, by GPs or health service providers on the platform); record keeping; provision to AHPRA-registered practitioners providing your clinical care, our employees and contractors performing their roles, third-party technology service providers who process data on our behalf and are bound by confidentiality obligations, and other healthcare providers where a referral or clinical handover is required; service improvement; legal compliance; administrative messages; and considering employment applications.

We may also use personal information for closely-related secondary purposes, to lessen or prevent serious threats to life or safety, with your consent, or as permitted by law.

NewDoc may also use automated systems and AI-assisted tools to support care delivery, administrative workflows, appointment management, clinical documentation, and the presentation of relevant healthcare services, care pathways, preventative health measures or follow-up recommendations within the Platform based on information you provide during consultations, intake forms, questionnaires, clinical documents or your use of the Services. These systems are assistive only and do not replace clinical judgment.

5. HOW WE DISCLOSE YOUR PERSONAL INFORMATION

We respect your privacy and protect your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. We may disclose your personal information to: relevant staff to deliver services; general or specialist practitioners and health care providers on the platform; our professional advisors (lawyers, accountants, auditors); our related entities; or any third parties you have consented personal information to be disclosed to.

We use third-party software providers and platforms for data storage, communications, analytics, practice management, and related business functions. We require third parties to use information only for activities we have asked them to perform on our behalf, in accordance with this policy and the Australian Privacy Principles.

We will not otherwise disclose personal information unless: you have consented; in an emergency or investigation of suspected criminal activity; under subpoena or court order; to lessen or prevent a serious threat; for legal claim establishment, exercise or defence; or as otherwise authorised or required by law.

6. STORAGE OF YOUR PERSONAL INFORMATION

We use a range of third-party providers to operate our business and provide our services. These include providers for cloud database hosting, website hosting and content delivery, practice management, patient booking, video consultation infrastructure, AI-assisted clinical note generation, and analytics. Where these providers handle personal or health information, they do so on our behalf and are bound by confidentiality obligations and our requirement that they comply with applicable privacy laws.

The infrastructure that handles personal and health information is configured to keep processing within Australia, except for our video consultation provider, which is based in the United States. While the audio and video stream of your consultation is not stored, some routing or connection information may transit international networks. We obtain your consent for this data flow as part of the consent process at the start of each video consultation.

We do not use overseas providers to handle Sensitive Information (as defined under the Privacy Act) in providing you with our services, unless you provide your explicit consent or we are otherwise permitted or required by law.

We may use third-party analytics tools that store information across multiple countries. You can opt out of analytics tracking through your browser settings or via the analytics provider's opt-out mechanisms.

When you communicate with us through a social media service, the social media provider and its partners may collect and hold your personal information overseas.

6A. DATA RETENTION

We retain your personal and health information for the minimum periods required by applicable laws. For adult patients, clinical records are retained for a minimum of 7 years from the date of last entry. For patients under 18 at the time of treatment, records are retained until the patient turns 25, or for 7 years from the date of last entry, whichever is later.

7. SENSITIVE INFORMATION

We may collect sensitive information about you during the course of providing you with goods and services, only with your consent. The types of sensitive information we collect include health and medical information, history and reports; referring health care provider details; private health fund details; Medicare number, healthcare identifiers or concession card details; and any other sensitive information you or a third party provide to us.

Sensitive information will only be used for: providing services; complying with legal obligations or enforcing agreements; sending messages, reminders or notices; recording or transcription of appointments with your consent; or any other purpose permitted or required under privacy laws.

Sensitive information will only be disclosed to third parties for: providing services (and related purposes such as liaising with other healthcare providers); providing referrals to another health care provider; or any other purpose permitted or required under privacy laws.

If you wish to withdraw your consent to our collection, use or disclosure of your sensitive information, please contact us using the contact details below.

8. MARKETING

We may send marketing communications in accordance with the Spam Act 2003 (Cth). Where consent is needed we will ask before sending, except where you have explicitly opted in or were given the option to opt out at sign-up. You can opt out at any time using the unsubscribe link in our emails or by contacting us.

9. DE-IDENTIFIED INFORMATION

The information we collect may have analytical, educational, or commercial value to us. Where we have de-identified the information we have collected, we reserve the right to process and discuss such information. We will seek your consent to release any de-identified written documentation.

9A. PARTNER ORGANISATIONS AND REFERRALS

Some patients access NewDoc via a partnership we have with another organisation, for example a digital health platform that refers patients to us, or an employer that makes our service available to its employees.

Where you have been referred by a partner organisation, that partner is a separate organisation with its own privacy obligations. We share information with referring partners only where you have given consent at the point of referral, and only the categories of information set out in the partnership agreement between us and the partner (which may include your referral details, your progress through the NewDoc service such as appointment status, and clinical outputs such as care plans and pathology or imaging results).

Where an employer or similar organisation makes our service available to its workforce, that organisation only ever sees aggregate, de-identified usage information. They do not see your individual personal or health information. Your consultations and clinical information remain confidential between you and your NewDoc practitioner.

You should also review the privacy policy of any partner organisation that referred you, which describes how that partner handles your information.

9B. TELEHEALTH VIDEO AND AI SCRIBE

This section provides additional information about how we handle your information when you use NewDoc's video and telephone consultations and AI scribe service.

Video consultations

We deliver video consultations through a third-party video infrastructure provider based in the United States. The audio and video stream during your consultation is routed through that provider's network in real time. NewDoc does not record or retain the audio or video of your consultation, and the video provider does not retain the stream once the call ends.

While the audio and video stream itself is not stored, some routing or connection information may transit international networks. Before each video consultation, we obtain your consent to this data flow as part of the consent screen displayed when you join the call.

If a video consultation is recorded for any reason, for example where required for clinical review or by law, this will be done only with your knowledge and, where required, with your explicit consent. We do not record consultations by default.

Telephone consultations

Where your consultation is delivered by telephone, the audio is not recorded or retained by NewDoc or by our telephony provider, except where you consent to the use of our AI scribe (see below).

AI Scribe

Where you consent during a consultation, NewDoc uses an AI scribe service to transcribe the audio of your consultation and produce a draft clinical note for your treating practitioner. The AI scribe is a tool to assist the practitioner, who reviews and finalises the note. We will only use the AI scribe with your consent, and you may decline without affecting your access to care.

(a) What is collected and processed: the AI scribe processes the audio of your consultation in real time. From that audio it generates a transcript, and from the transcript it generates a draft clinical note.

(b) Where the data is processed: all processing occurs within Australia. Speech-to-text transcription and AI note generation are performed by cloud-based AI services configured to keep processing within Australian regions. Specific providers and configurations may be updated from time to time, and we will only use providers and configurations that keep processing within Australia.

(c) What is and isn't kept: the audio of your consultation is briefly held in memory while the AI scribe is running, but is not stored to disk. The cloud-based AI services do not retain your audio, transcript or note. The transcript and draft clinical note are stored in NewDoc's systems and are retained for the same period as the underlying clinical record (see Section 6A).

(d) No training of AI models: your audio, transcript and draft note are not used to train any AI or machine learning model.

(e) Consent: the AI scribe is opt-in. Your treating practitioner will ask for your consent before turning it on, and you may decline without affecting your care. You may withdraw your consent at any time during the consultation by telling your practitioner.

(f) Practitioner responsibility: the AI scribe is an assistive tool. Your treating practitioner is responsible for reviewing the draft note and for the clinical content of your medical record.

9C. AI ASSISTANCE WITH CLINICAL DOCUMENTS

We use AI tools to help our practitioners read and structure information from clinical documents, including pathology results.

(a) Where the data is processed: processing occurs on infrastructure we operate within Australia, using cloud-based AI services configured to keep processing within Australian regions. Our cloud AI providers operate under contracts that prohibit them from retaining your data or using it to train their models.

(b) No external AI training: your data is not used to train any AI or machine learning model, whether ours or any third party's. We do not share your data with any external or open-source AI service.

(c) Practitioner review: the AI is a tool to assist your treating practitioner. The practitioner is responsible for clinical judgment and the content of your medical record.

(d) Improving our AI tools: to improve how accurately our AI tools extract information from clinical documents, our authorised personnel may use real documents we have received to refine the instructions we send to our AI services. This work is done entirely on infrastructure we operate within Australia, by a small number of authorised NewDoc personnel, and is handled with the same confidentiality and security protections as the rest of your clinical record.

(e) Care recommendations and workflow assistance: NewDoc may use AI-assisted systems and automated workflows to help identify relevant clinical services, follow-up actions, care pathways or administrative next steps that may be appropriate for a patient based on information contained in clinical records, consultation information, intake responses or uploaded documents. These systems are designed to support care navigation and practitioner workflows and are not used to make autonomous clinical decisions.

10. SECURITY

We take reasonable steps to ensure your personal information is secure and protected from misuse or unauthorised access. Our information technology systems are password protected, and we use a range of administrative and technical measures to protect these systems. However, we cannot guarantee the security of your personal information.

11. LINKS

Our website may contain links to other websites. Those links are provided for convenience and may not remain current or be maintained. We are not responsible for the privacy practices of those linked websites.

12. REQUESTING ACCESS OR CORRECTING YOUR PERSONAL INFORMATION

You may request access to or correction of your personal information by contacting us using the details below. We may need to verify your identity. In some cases we may be unable to provide access; we will explain why if so. You may also request that we stop processing your data or delete data we hold about you. We reserve the right to refuse access in certain circumstances under the Privacy Act 1988 (Cth).

13. COMPLAINTS

If you wish to complain about how we handle your personal information, please contact us using the details below. If you are still concerned, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au or 1300 336 002.

14. CONTACT US

For further information about our privacy policy or practices, or to access or correct your personal information, or make a complaint, please contact us:

  • Name: Shavin Wijeyaratne

  • Email: hello@newdoc.com.au

14A. PARTNER PORTAL USERS

This section applies to Authorised Users of the NewDoc Partner Portal at partner.newdoc.com.au, individuals nominated by partner organisations to access the Portal in a business capacity on behalf of their organisation. It does not apply to NewDoc patients, whose information is handled in accordance with the rest of this Privacy Policy.

Information we collect

In connection with operating the Partner Portal, we collect: name, work email address and role within the partner organisation; login credentials and authentication data including multi-factor authentication codes and tokens; IP address, device and browser information, and audit logs of Portal activity (including login events, configuration changes, API key issuance and revocation, and webhook configuration changes); communications with our support team; and information provided when an Authorised User is nominated, re-attested or removed.

How we use this information

We use this information to provision and manage Portal access; authenticate Authorised Users and protect Portal security; maintain audit logs and meet our compliance obligations; investigate security incidents and suspected misuse; and communicate with Authorised Users about Portal access, updates and changes.

What partners can and cannot see

(a) Aggregate Analytics Partners (such as workplace partners) only see aggregate, de-identified usage data. They do not see any individual patient or employee personal information, sensitive information or clinical content.

(b) Patient Data Access Partners (such as health platform partners that have referred patients to NewDoc) see information only about the patients they referred, and only the categories of information that the patient has consented to share with NewDoc and the partner under the relevant partnership agreement.

Authorised Users' obligations

Authorised Users access the Portal subject to the Partner Portal Terms of Use and the relevant partnership agreement, which include obligations to handle data securely, keep credentials confidential, and (for partners who only see aggregate data) not to attempt to re-identify any individual.

Retention of Portal records

Audit logs of Portal activity are retained for a minimum of twelve (12) months. Authorised User account records are retained for the duration of the partner organisation's relationship with NewDoc and for a reasonable period afterwards for record-keeping and audit purposes.

Subprocessors and overseas storage

Information collected through the Partner Portal is stored on the same Australian-located infrastructure described in Section 6 of this Privacy Policy. We do not disclose Authorised User personal information overseas without consent, except as required by law.