Privacy Policy
Last updated: 5 April 2026
1. Introduction
MedRail Pty Ltd (ABN to be confirmed) (“MedRail”, “we”, “us”, “our”) provides clinical infrastructure services to direct-to-consumer health brands operating in Australia. This Privacy Policy explains how we collect, hold, use, and disclose personal information and health information in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”).
This policy applies to all individuals whose personal information we handle, including representatives of our brand partners (“Brand Partners”), end consumers who access clinical services through Brand Partner platforms (“Consumers”), our employees, contractors, and visitors to our website at medrail.com.au.
By engaging with MedRail — whether as a Brand Partner, a Consumer accessing clinical services through a Brand Partner platform, or a visitor to our website — you acknowledge and consent to the collection, use, and disclosure of your personal information as described in this policy.
2. Kinds of personal information we collect
The types of personal information we may collect depend on the nature of your interaction with us:
2.1 Brand Partner representatives
- Full name, job title, and business contact details
- Business name, ABN, and registered address
- Billing and payment information
- Communications, correspondence, and meeting records
2.2 Consumers (end users of Brand Partner platforms)
- Full name, date of birth, and contact details
- Residential address and delivery address
- Health information including medical history, current medications, allergies, clinical screening responses, consultation notes, prescriptions, and dispensing records
- Medicare number and Individual Healthcare Identifier (IHI) where required for prescribing or dispensing
- Identity verification information as required by law
2.3 Website visitors
- Name, email address, phone number, and company name provided through contact forms
- Technical data including IP address, browser type, operating system, referring URL, and pages visited
- Cookie and analytics data (see section 11 below)
2.4 Employees and contractors
- Employment records, AHPRA registration details, professional qualifications, tax file numbers, superannuation details, and working with children checks where applicable
3. How we collect personal information
We collect personal information primarily from the individual to whom the information relates. This includes information provided:
- Through clinical intake and screening forms on Brand Partner platforms
- During telehealth consultations with our AHPRA-registered prescribers
- Via our website contact form or email correspondence
- Through contractual and commercial dealings with Brand Partners
- Through pharmacy dispensing and fulfilment processes
We may also collect personal information from third parties including:
- Brand Partners who provide consumer information for the purpose of facilitating clinical consultations
- Other healthcare providers involved in a Consumer's care
- AHPRA and other regulatory bodies for the purpose of verifying practitioner registrations
- The Australian Immunisation Register, My Health Record, or the Pharmaceutical Benefits Scheme where clinically necessary and authorised
Where we collect health information, we do so only with the individual's consent or as otherwise permitted or required by law, including under the Health Records Act of the relevant state or territory.
4. Purposes for which we collect, hold, use, and disclose personal information
We collect, hold, use, and disclose personal information for the following purposes:
4.1 Clinical service delivery
- Facilitating clinical screening, eligibility assessments, and prescriber consultations
- Generating and transmitting electronic prescriptions via eRx Script Exchange
- Dispensing, packaging, and delivering prescribed medications through our pharmacy or nominated pharmacy partners
- Maintaining clinical records as required by law and professional obligations
- Clinical governance, audit, quality assurance, and incident management
4.2 Business operations
- Establishing, managing, and administering Brand Partner relationships
- Invoicing, payment processing, and accounting
- Responding to enquiries submitted through our website or by email
- Internal reporting, analytics, and service improvement
4.3 Legal and regulatory compliance
- Complying with obligations under the Privacy Act, the Therapeutic Goods Act 1989 (Cth), AHPRA codes and guidelines, state and territory health records legislation, and any other applicable law
- Cooperating with regulatory authorities, law enforcement, and courts as required
- Enforcing our contractual rights and protecting our legitimate interests
5. Disclosure of personal information
We may disclose personal information to the following categories of recipients:
- Brand Partners — limited operational information necessary for order fulfilment and customer service. We do not disclose clinical consultation notes, prescriber assessments, or clinical reasoning to Brand Partners.
- Pharmacy partners — prescription and dispensing information required to fulfil prescriptions where a Brand Partner's nominated pharmacy is used instead of our own
- Logistics and courier providers — name and delivery address for medication fulfilment
- Payment processors — billing and payment information for transaction processing
- Professional advisers — legal, accounting, and insurance advisers in the course of obtaining professional advice
- Regulatory authorities — AHPRA, the TGA, state and territory health complaints bodies, and other regulators as required or permitted by law
- Technology service providers — hosting, clinical software, e-prescribing, and communication platforms, subject to appropriate contractual protections
We do not sell personal information. We do not use personal information for direct marketing unless you have provided explicit consent, and you may withdraw that consent at any time.
6. Health information
Health information is a subset of sensitive information under the Privacy Act and is subject to additional protections. We handle health information in accordance with APP 3.3 and applicable state and territory health records legislation.
We collect health information only where:
- The individual has consented to the collection, and the information is reasonably necessary for one or more of our functions or activities; or
- The collection is required or authorised by or under an Australian law or a court/tribunal order; or
- A permitted health situation exists under section 16B of the Privacy Act
Clinical records are maintained by our prescribers in accordance with AHPRA and Medical Board of Australia guidelines on record-keeping. These records are retained for the minimum periods prescribed by applicable law (generally a minimum of seven years from the date of last consultation, or until the patient turns 25 if they were a minor at the time of treatment, whichever is longer).
Our prescribers maintain full clinical independence. Clinical decisions, consultation notes, and prescribing rationale are not accessible to Brand Partners.
7. Storage and security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions limiting access to personal information on a need-to-know basis
- Multi-factor authentication for all systems containing personal or health information
- Regular security assessments and penetration testing
- Staff training on privacy obligations and information security
- Incident response and data breach notification procedures in accordance with the Notifiable Data Breaches (NDB) scheme
Personal information is stored on servers located in Australia. Where any personal information is processed by a service provider located overseas, we ensure that appropriate contractual protections are in place in accordance with APP 8.1.
8. Cross-border disclosure
We use technology service providers that may store or process data outside of Australia (for example, cloud infrastructure providers). Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs, including by entering into contractual arrangements that require the recipient to handle personal information in accordance with the Privacy Act.
We will update this section if the countries in which our overseas recipients are located change materially.
9. Access and correction
Under APP 12 and APP 13, you have the right to:
- Request access to the personal information we hold about you
- Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading
To make an access or correction request, please contact our Privacy Officer using the details in section 14 below. We will respond to your request within 30 days. We may charge a reasonable fee for providing access to personal information where permitted by the Privacy Act.
In some circumstances, we may refuse access or correction — for example, where providing access would pose a serious threat to the life, health, or safety of any individual, or where the request is frivolous or vexatious. If we refuse a request, we will provide written reasons and advise you of available complaint mechanisms.
If you are a Consumer and wish to access your clinical records, you may also make a request directly to the prescriber who conducted your consultation, as they maintain independent clinical records in accordance with their professional obligations.
10. Retention and destruction
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods include:
- Clinical records: minimum 7 years from date of last consultation (or until the patient turns 25 if a minor at the time of treatment, whichever is longer), in accordance with applicable state and territory health records legislation
- Prescription records: minimum 2 years in accordance with state and territory pharmacy legislation
- Commercial records: 7 years in accordance with taxation and corporations law
- Website enquiries: 2 years, unless a commercial relationship is established
When personal information is no longer required, we will take reasonable steps to destroy it or ensure that it is de-identified, in accordance with APP 11.2.
11. Cookies and analytics
Our website uses cookies and similar technologies for the following purposes:
- Essential cookies: necessary for the website to function correctly (e.g., session management)
- Analytics cookies: to understand how visitors interact with our website and to improve its performance. We use privacy-focused analytics that do not track individuals across websites.
You can control cookies through your browser settings. Blocking essential cookies may affect the functionality of our website.
Our website does not use advertising cookies or tracking pixels and does not engage in behavioural advertising.
12. Notifiable Data Breaches
In the event of a data breach that is likely to result in serious harm to any individual, we will comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. This includes:
- Taking reasonable steps to contain the breach and assess the risk of serious harm
- Notifying the Office of the Australian Information Commissioner (OAIC) as soon as practicable
- Notifying affected individuals as soon as practicable with details of the breach and recommended steps
13. Complaints
If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint with our Privacy Officer using the contact details below. We will acknowledge your complaint within 5 business days and investigate and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Online: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
For complaints relating to clinical care, you may also contact the health complaints body in your state or territory (e.g., the Health Care Complaints Commission in NSW, or the Health Complaints Commissioner in Victoria).
14. Contact our Privacy Officer
If you have any questions about this Privacy Policy, wish to make an access or correction request, or wish to lodge a complaint, please contact:
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will publish any updated policy on our website with a revised “Last updated” date. Where changes are material, we will take reasonable steps to notify affected individuals.
We encourage you to review this policy periodically.