SleepSpan Privacy Policy

1. Introduction and Purpose

This Privacy Policy ("Policy") outlines how SleepSpan (ABN [INSERT YOUR ABN], "we," "us," "our," or "SleepSpan") collects, uses, discloses, stores, protects, and manages personal information, including health information ("Personal Information" or "Health Information").

SleepSpan is a sleep diagnostics and longevity-focused healthcare service provider operating in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs)[1].

This Policy applies to all individuals who interact with SleepSpan, including patients, clients, website visitors, and any person whose information we collect, use, or disclose in the course of providing our services.

2. Collection of Personal Information

2.1 Types of Information We Collect

We collect the following categories of Personal Information:

Personal Identifiers:

· Full name, date of birth, contact details (phone, email, address)

· Government-issued identification numbers

Health Information:

· Sleep diagnostic data and test results

· Medical history relevant to sleep disorders

· Medications and supplements

· Current health conditions and diagnoses

· Sleep and lifestyle questionnaires

· Appointment history and clinical notes

Contact and Appointment Information:

· Communication preferences

· Appointment scheduling details

· Payment and billing information

Device and Technical Information:

· Internet Protocol (IP) address

· Browser type and device information

· Cookies and tracking technology usage

2.2 How We Collect Information

We collect Personal Information through:

· Direct provision by patients (registration forms, questionnaires, consultations)

· Online booking and appointment systems

· Sleep diagnostic equipment and wearable devices

· Direct communication (email, phone, video consultations)

· Automatically through our website and digital platforms

2.3 Collection Consent

We will only collect Personal Information with your consent, except where:

· Collection is required by law

· Collection is reasonably necessary for our functions or activities

· An exception applies under the Privacy Act 1988 (Cth)

3. Use and Disclosure of Information

3.1 Primary Purposes

We use your Personal Information for:

· Providing sleep diagnostic services and clinical assessments

· Creating and maintaining clinical records

· Scheduling and managing appointments

· Communicating with you regarding your care and services

· Processing payments and managing your account

· Responding to your inquiries and requests

· Ensuring quality assurance and improving our services

· Complying with legal and regulatory obligations

3.2 Secondary Uses

We may also use your information for:

· De-identified research and analysis (with your consent)

· Training and educational purposes for our clinical staff

· System administration and security purposes

· Direct marketing communications (with your consent)

3.3 Disclosure to Third Parties

Your Personal Information may be disclosed to:

Cliniko:

· Our practice management and patient record system provider

· Cliniko processes your information as a Data Processor under our instructions

· For full details, refer to Cliniko's Privacy Policy: www.cliniko.com/policies/privacy/ [2]

Nox Cloud:

· Our secure cloud platform for storing diagnostic test data

· Nox Cloud is HITRUST, ISO 27001, SOC 1 Type 2, and SOC 2 Type 2 certified[3]

· Sleep diagnostic equipment data is transmitted to and stored securely in Nox Cloud

Other Healthcare Providers:

· With your explicit consent, we may disclose information to your referring practitioners or other healthcare providers involved in your care

· You will be informed of any disclosures to third parties

Legal and Regulatory Authorities:

· To comply with legal obligations, court orders, or regulatory requirements (AHPRA, health complaints bodies, etc.)

· For health and safety emergencies where disclosure is necessary

Payment Processors:

· Payment information is processed securely by our payment processor, Stripe, through Cliniko's integrated Stripe payment facility

We do not sell, rent, or trade your Personal Information to third parties for marketing purposes.

4. Data Security and Protection

4.1 Security Measures

SleepSpan implements comprehensive security measures to protect your Personal Information:

Cliniko Security:

· All patient data is encrypted using the AES-256 encryption algorithm

· Access to patient records is restricted through role-based access control

· Cliniko maintains strict internal policies regarding data handling and security

· Cliniko is HIPAA and GDPR compliant[4]

Nox Cloud Security:

· Holds ISO 27001, SOC 1 Type 2, and SOC 2 Type 2 certifications[3]

· Advanced encryption for data transmission and storage

· Secure authentication protocols

· Regular security audits and penetration testing

SleepSpan Practices:

· Limited access to patient records on a need-to-know basis

· Staff training on privacy obligations and data security

· Secure storage of physical records (if applicable)

· Regular security reviews and updates

4.2 Data Breach Notification

In the event of unauthorized access to your Personal Information, we will:

· Conduct a prompt assessment of the breach

· Notify you within 30 days if the breach is likely to cause serious harm to your privacy[5]

· Notify the Office of the Australian Information Commissioner (OAIC) as required

· Take immediate remedial action

5. Data Storage, Retention, and Deletion

5.1 Data Storage Location

Your information is stored in:

· Cliniko servers: Cliniko stores data across multiple secure server locations internationally. Patient data associated with Australian practices is managed in accordance with Australian privacy requirements[2]

· Nox Cloud: Sleep diagnostic data is stored in Nox Cloud infrastructure, which maintains ISO 27001 and SOC compliance certifications

5.2 Retention Periods

We retain your Personal Information for:

· Clinical records: Minimum 7 years from date of last attendance or as required by professional standards and regulatory bodies (AHPRA guidelines recommend 7 years)

· Payment records: 7 years for taxation and financial audit purposes

· Marketing information: Until you opt out or request deletion

· Website analytics: De-identified data retained for 12 months

5.3 Data Deletion

Upon request, we will:

· De-identify your records where possible while maintaining clinical continuity

· Permanently delete data in accordance with APP 11 requirements and regulatory obligations

· Note that some data may be retained where required by law or for legal claims

6. Your Privacy Rights

6.1 Access to Your Information

You have the right to:

· Request access to the Personal Information we hold about you

· Request access in a format that is portable and easy to use

· Receive confirmation of whether we hold your information

To request access, contact us at [INSERT YOUR EMAIL/CONTACT DETAILS]. We will respond within 30 days.

6.2 Correction of Information

You have the right to:

· Request correction of any inaccurate or incomplete information

· Ask us to add statements of correction to your records

· Contact us to update your information at any time

6.3 Opt-Out Rights

You may:

· Opt out of direct marketing communications at any time

· Withdraw consent for secondary uses of your information

· Request limitation on use of your data for specific purposes

Note: Opting out of essential communications may affect your ability to receive clinical care or important health information.

6.4 Right to Complain

If you believe we have breached the Australian Privacy Principles or this Policy, you may:

· Contact us directly to lodge a complaint (details below)

· Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au

· Contact AHPRA if you have concerns about professional conduct: www.ahpra.gov.au

7. Use of Cookies and Tracking Technology

7.1 Cookies

Our website may use cookies to:

· Enhance your user experience

· Remember your preferences

· Track website usage patterns

· Improve service delivery

You can disable cookies through your browser settings. However, some functionality may be limited.

7.2 Analytics

We use de-identified analytics to understand how our website is used and to improve our services. This information does not identify you personally.

8. Third-Party Links and External Services

Our website may contain links to third-party websites. This Privacy Policy does not apply to external websites. We encourage you to review the privacy policies of any external services before providing your information.

9. Children's Privacy

SleepSpan does not knowingly collect information from individuals under 18 years of age without parental or guardian consent. If we become aware that we have collected information from a minor without appropriate consent, we will delete it promptly.

10. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

· Changes in our practices

· Changes in privacy legislation

· Updated technological security measures

· Changes to our service offerings

We will notify you of material changes by updating this page and noting the revision date. Your continued use of our services constitutes acceptance of updates.

Last Updated: [INSERT DATE]
Current Version: 1.0

11. Contact Us

For questions about this Privacy Policy, to request access to your information, to lodge a complaint, or to discuss your privacy concerns, please contact:

SleepSpan
Email: admin@sleepspan.com.au
Phone: 03 9988 5027

Address: PO Box 97, Vermont, VIC 3133

We aim to respond to all inquiries within 5 business days.

References

[1] Australian Government Attorney-General's Department. (2024). Privacy Act 1988 (Cth) and Australian Privacy Principles. https://www.oaic.gov.au/privacy/privacy-principles

[2] Cliniko. (2025). Privacy Policy. https://www.cliniko.com/policies/privacy/

[3] Nox Medical. (2024). Nox Cloud Security and Compliance. NoxConnect demonstrates ISO 27001, SOC 1 Type 2, and SOC 2 Type 2 certifications. https://noxmedical.com/noxconnect/

[4] Cliniko. (2024). How Cliniko helps you comply with the Australian Privacy Principles. https://help.cliniko.com/en/articles/4274054-how-cliniko-helps-you-comply-with-the-australian-privacy-principles

[5] Office of the Australian Information Commissioner (OAIC). (2024). Notifiable Data Breaches. https://www.oaic.gov.au/privacy/notifiable-data-breaches-scheme