Privacy Policy
How we collect, use, store, and protect your personal information under Australian privacy law.
1. About this Privacy Policy
This Privacy Policy explains how New Era Medical Pty Ltd (ABN 89 682 028 708) ("we", "us", "our") collects, holds, uses, and discloses personal information in connection with the GPguide service ("Service").
We are bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and any applicable registered APP code. This policy is provided in compliance with APP 1 (open and transparent management of personal information).
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. What personal information we collect
We collect only the personal information reasonably necessary to provide and support the Service (APP 3). The categories of personal information we may collect include:
- Name, email address, and professional role (e.g. general practitioner, registrar)
- Authentication credentials (stored in hashed form)
- Practice or organisation name (if provided)
- Subscription plan, billing cycle, and payment history
- We use Stripe as our payment processor — we do not store full credit card numbers on our systems
- Messages you send to support@gpguide.com.au
- Feedback, feature requests, and bug reports
- IP address, browser type, device type, and operating system
- Pages visited, features used, session duration, and referral source
- Error logs and performance data needed to maintain reliability and security
What we do NOT collect
GPguide is designed for non-identifying clinical inputs. We do not collect patient health information, and we do not store the text you enter into GPguide drafting fields or the draft outputs generated. Do not enter patient identifying information into GPguide.
3. How we collect personal information
We collect personal information:
- Directly from you — when you create an account, subscribe, contact support, or interact with the Service
- Automatically — through cookies, analytics tools, and server logs when you use the Service
- From third-party service providers — for example, payment confirmation from Stripe, or authentication data from identity providers
Where practicable, we collect personal information directly from you (APP 3.5). If we receive unsolicited personal information, we will assess whether we could have collected it under APP 3 and, if not, destroy or de-identify it as soon as practicable (APP 4).
4. Why we collect, hold, use and disclose personal information
We collect, hold, use and disclose your personal information only for purposes that are reasonably necessary for, or directly related to, our functions and activities (APP 6). These purposes include:
- Providing, maintaining, and improving the Service
- Processing payments and managing subscriptions
- Responding to support enquiries and communications
- Sending service-related notifications (e.g. billing confirmations, service updates)
- Analysing usage patterns to improve performance and user experience
- Detecting, preventing, and addressing security incidents, fraud, or technical issues
- Complying with legal obligations (including the Notifiable Data Breaches scheme)
We will not use or disclose your personal information for direct marketing unless you have consented, or it is within your reasonable expectation and we provide a simple opt-out mechanism (APP 7).
5. Disclosure of personal information
We may disclose personal information to the following categories of recipients, solely for the purposes described in Section 4:
- Infrastructure and hosting providers — e.g. Supabase (for database and authentication), Vercel or similar (for hosting)
- Payment processors — Stripe, for processing subscription payments
- Analytics providers — to understand usage patterns (data is aggregated/anonymised where possible)
- Professional advisers — accountants, lawyers, or auditors, where necessary
- Government or regulatory bodies — where required by law or a court/tribunal order
We require all third-party service providers to handle personal information in accordance with applicable privacy laws. We do not sell personal information to any third party.
6. Related companies
GPguide is operated by New Era Medical Pty Ltd (ABN 89 682 028 708). At the date of this Privacy Policy, we do not have related companies to which we regularly disclose personal information.
If this changes (for example, through an acquisition, restructure, or establishment of related entities), we will update this section and notify affected users. Any disclosure to a related company will be made in accordance with the APPs and this Privacy Policy.
7. Overseas disclosure
GPguide is hosted in Australia. Some of our third-party service providers (e.g. Stripe, analytics tools) may store or process data in overseas locations, including the United States (APP 8).
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. Where we cannot ensure compliance, we will either:
- Obtain your consent to the overseas disclosure, or
- Ensure that a prescribed exception under APP 8.2 applies
8. Data hosting and storage location
The GPguide service and your account data are hosted in Australia. We rely on infrastructure providers (including Supabase) that describe encryption in transit (TLS) and at rest (AES-256) as part of their security posture. We implement application-level controls appropriate to the nature of our service.
9. Data security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11). Our security measures include:
- Encryption in transit (TLS) and at rest (AES-256) via our infrastructure providers
- Role-based access controls and least-privilege administrative access
- Multi-factor authentication available for user accounts
- Rate limiting and monitoring to mitigate brute-force and abuse patterns
- Regular review of security configurations and access permissions
No security measure can guarantee absolute security. We take reasonable steps consistent with Australian privacy expectations and the nature of the information we hold.
10. Data retention and destruction
We retain personal information only for as long as it is needed to fulfil the purposes for which it was collected, or as required by law (APP 11.2). Specifically:
- Drafting inputs/outputs: We do not store the text you enter or the drafts generated
- Account information: Retained while your account is active, and for a reasonable period after closure to handle billing enquiries or legal obligations
- Billing records: Retained as required by Australian tax law (generally up to 5 years)
- Technical/security logs: Retained for a limited period to maintain service reliability, then destroyed or de-identified
When personal information is no longer needed, we take reasonable steps to destroy or de-identify it.
11. Your rights — access, correction and complaints
Under the Australian Privacy Principles, you have rights of access, correction, and complaint:
You may request access to the personal information we hold about you. We will respond within a reasonable period (generally within 30 days). We may refuse access in limited circumstances permitted by law, and we will provide reasons if we do so.
If you believe personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant, or misleading, you may request that we correct it. We will take reasonable steps to correct the information and notify any third parties to whom we have previously disclosed it.
If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint by emailing support@gpguide.com.au. We will:
- Acknowledge your complaint within 5 business days
- Investigate and respond within 30 days
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
12. Notifiable Data Breaches
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- Take immediate steps to contain the breach and assess the risk of serious harm
- Notify affected individuals as soon as practicable, and in any event within 30 days of becoming aware of the breach (or sooner where required)
- Notify the OAIC as required by law
- Take reasonable steps to reduce the risk of harm
- Maintain a record of the breach and our response in accordance with our data breach response plan
We maintain an internal data breach response plan that is reviewed periodically to ensure compliance with the NDB scheme.
13. Cookies and analytics
We may use cookies and similar technologies (e.g. local storage, analytics scripts) to:
- Remember your authentication session
- Understand how the Service is used (e.g. pages visited, features accessed)
- Improve performance and user experience
You can control cookie preferences through your browser settings. Disabling cookies may affect certain features of the Service (e.g. staying logged in).
14. De-identified and aggregated data
We may de-identify and/or aggregate personal information (excluding health information, which we do not collect) for purposes including:
- Analysing usage patterns to improve the Service
- Developing new features or service offerings
- Identifying business trends
- Compiling aggregated statistics (e.g. number of users, feature popularity)
Once de-identified, this data is no longer personal information and we may use it for our own purposes. We will not publish aggregated data compiled using a sample size small enough to make underlying portions identifiable.
"De-identified" means information that has undergone a process of removing all personal identifiers so that there is no reasonable likelihood of re-identification.
15. Third-party links
The Service may contain links to third-party websites or services (e.g. MBS Online, RACGP resources, eTG). We are not responsible for the privacy practices or content of those third-party sites. We encourage you to review their privacy policies before providing any personal information.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. The "Last updated" date at the top of this page indicates when the latest changes were made.
Where changes are material, we will take reasonable steps to notify you (for example, by email or a notice within the Service). Continued use of the Service after changes are published constitutes acceptance of the updated Privacy Policy.
For questions about this Privacy Policy, please contact us at support@gpguide.com.au.