Privacy Policy

Ember Clinic (emberclinic.com.au) is operated by Monsef Holdings Pty Ltd (ABN: 58 694 849 735), with its registered office at 81-83 Campbell Street, Surry Hills, NSW 2010.

Ember Clinic is a consumer telehealth platform. We connect patients with AHPRA-registered doctors through our clinical partner, Doccy (doccy.com.au). We are responsible for the personal information we collect through our website and intake process.

In this policy, "we", "us", and "our" refer to Monsef Holdings Pty Ltd trading as Ember Clinic.

We collect the following types of personal information:

• Identity information: full name, date of birth, gender
• Contact information: email address, phone number, residential address
• Health information: answers to screening questions, medical history, current medications, allergies, symptoms, and treatment goals
• Payment information: processed securely through Stripe. We do not store credit card numbers on our servers.
• Usage information: pages visited, time on site, device and browser type, collected through analytics tools

We collect personal information in the following ways:

• Directly from you when you complete a screening questionnaire on our website
• When you create an account or book a consultation
• When you contact us by email, phone, or through the website
• From our clinical partner (Doccy) regarding the outcome of your consultation
• Automatically through cookies and analytics when you use our website

We collect and use your personal information for the following purposes:

• To screen your eligibility for treatment and prepare your intake for the consulting doctor
• To book and manage your consultation with a Doccy doctor
• To process payment for your consultation
• To communicate with you about your appointment, results, or follow-up care
• To comply with our legal obligations, including record-keeping
• To improve our service and your experience on the platform

We will not use your health information for marketing purposes. We will not sell your personal information to third parties.

We share your personal information only where necessary to deliver the service you have requested:

• Doccy (doccy.com.au): We share your screening information with the AHPRA-registered doctor who will conduct your consultation. Doccy maintains its own clinical records as required by law.
• Stripe: Payment processing. Stripe is PCI DSS compliant. We do not store your full card details.
• Supabase: Our database provider. Data is hosted in the Sydney, Australia region (ap-southeast-2).
• Pharmacies: If your doctor issues a prescription, your name and prescription details are shared with the dispensing pharmacy.
• Pathology providers: If your doctor orders blood work, a referral is sent to a pathology provider.

We do not sell, rent, or share your personal information with any third party for their own marketing purposes.

Your personal data is primarily stored in Australia (Supabase Sydney region). However, some of our service providers operate infrastructure in other countries:

• Vercel (United States): Our website hosting provider. Website content is served through a global CDN. Server-side functions that process data may execute in US-based data centres.
• Stripe (United States): Payment data is processed under Stripe's global infrastructure with PCI DSS Level 1 compliance.

Where personal information is transferred outside Australia, we take reasonable steps to ensure the overseas recipient handles the information in accordance with Australian Privacy Principles.

Health information is classified as "sensitive information" under the Privacy Act 1988. We only collect health information with your explicit consent, which you provide when you complete a screening questionnaire or book a consultation.

Your health information receives a higher level of protection. We will not use or disclose it for any purpose other than providing the service you have requested, unless required by law.

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure:

• All data transmission is encrypted using TLS/SSL
• Database access is restricted to authenticated, authorised requests only
• Payment information is handled by Stripe and never stored on our servers
• Access to patient data is limited to authorised personnel

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

• Screening and intake data: Retained for 7 years from the date of your last consultation, in line with health record retention requirements under Victorian law
• Payment records: Retained for 7 years for tax and accounting obligations
• Account data: Retained until you request deletion, subject to the retention periods above
• Usage and analytics data: Retained in de-identified or aggregated form and not linked to your personal identity

When personal information is no longer needed, we destroy or de-identify it in a secure manner. Clinical records held by Doccy are retained and destroyed in accordance with Doccy's own obligations as the health service provider.

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

• Take immediate steps to contain the breach and reduce any harm
• Assess the breach within 30 days to determine whether it is an eligible data breach
• Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable
• Provide a statement describing the breach, the information involved, and recommended steps for affected individuals

We may send you emails related to your consultation, follow-up care, or account. These are service communications, not marketing.

If we send marketing communications (such as information about new treatment categories or services), we will only do so with your consent. You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, or by contacting us at privacy@emberclinic.com.au.

Opting out of marketing will not affect service communications about your existing consultations or account.

Under the Australian Privacy Principles, you have the right to:

• Access: Request access to the personal information we hold about you
• Correction: Request that we correct any inaccurate or out-of-date information
• Deletion: Request deletion of your personal information, subject to our legal retention obligations
• Complaint: Complain if you believe we have breached the Australian Privacy Principles

To exercise any of these rights, contact us at privacy@emberclinic.com.au. We will respond within 30 days.

Clinical records held by Doccy are managed under Doccy's privacy obligations as the health service provider. Contact Doccy directly for access to clinical consultation records.

We use cookies and similar technologies to improve your experience on our website. This includes:

• Essential cookies: Required for the website to function, including session management and authentication
• Analytics cookies: Help us understand how visitors use the website so we can improve it

You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of the website.

If you believe we have breached the Australian Privacy Principles, you can:

• Contact us at privacy@emberclinic.com.au and we will investigate and respond within 30 days
• If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

We may update this privacy policy from time to time. The "last updated" date at the top of this page reflects the most recent revision. If we make material changes, we will notify you by email or through a notice on our website.