Privacy Policy
Last updated on 19th February 2025
At Tell Claire, we value your privacy and are committed to protecting your personal information. This Privacy Policy outlines how we collect, use, and safeguard your data when you use our platform. By using Tell Claire, you consent to the practices described in this Privacy Policy. If you do not agree with any part of this policy, please refrain from using Tell Claire.
1. Introduction
Welcome to the Privacy Policy of Tell Claire Limited (“Tell Claire,” “we,” “us,” or “our”).
- We are a company registered in the United Kingdom (Company No. 16206182), with our registered business address at 18 Albert Road, Bournemouth, BH1 1BZ, United Kingdom.
- Our platform and services (“Platform”) are designed to assist Australian healthcare providers in recording, transcribing, and managing patient consultations for pre-employment medicals and occupational health assessments.
- All data storage and processing for this Platform occurs on Australian servers, with minimal exceptions described in Section 9 (Intra-Group Data Transfer & Access Agreement).
We are committed to respecting your privacy and handling personal information in compliance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs). Where applicable, we may also consider relevant UK data protection requirements, but our primary focus is on Australian compliance.
By using Tell Claire, you consent to the practices described in this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of our Platform.
2. Scope & Key Definitions
- “Healthcare Providers” refers to organisations, clinics, or medical professionals who use our Platform to record patient consultations, transcribe audio, and generate occupational health documentation.
- “Patients” refers to individuals who are the subjects of these medical consultations.
- “Personal Information” includes any information or opinion about an identified individual (or an individual who is reasonably identifiable). This can include sensitive information, such as health data.
- “Sensitive Information” (as defined under the Privacy Act) includes health information (e.g. medical histories, recordings of patient-doctor consultations).
- Recorded Medical Consultations: Audio, video, or text data relating to pre-employment medicals or occupational health assessments.
- Personal Details: Name, date of birth, contact details, or other identifiers collected during the consultation process.
- Medical/Health Information: Symptoms, medical history, test results, or notes relevant to the assessment.
Note: These categories of information are collected and processed on behalf of Healthcare Providers, who are primarily responsible for obtaining patient consent.
3.2 Healthcare Provider Data
- Account Information: Name of clinic or healthcare professional, contact details, billing and payment information.
- User Credentials: Login information for accessing our Platform.
3.3 Usage Data
- Technical & Analytics Data: IP address, browser type, usage patterns, and cookie data when using our Platform or public website.
- Cookies: We use essential, analytical, and (where applicable) marketing cookies to improve the user experience and analyse usage trends. See Section 10 (Cookies) for more details.
4. How We Collect & Process Data
4.1 Direct Collection
- Platform Interactions: When Healthcare Providers record or transcribe patient consultations, the audio/video or text is processed on Australian servers.
- Consent Logged: Our system requires the Healthcare Provider to confirm that patient consent has been obtained. This consent confirmation is recorded in the system logs.
4.2 AI Processing
- Transcription Models: We utilise AI-driven transcription models that operate entirely within Australia (e.g., AWS Sydney).
- No Sharing with Public AI Models: We do not send recorded or transcribed data to external or public AI models for training.
4.3 APIs & Integrations
- In-house Integrations: We may integrate with a Healthcare Provider’s internal systems (e.g., patient management software) via secure APIs. These integrations occur within Australia, and no personal data is shared with third parties for secondary purposes.
5. Legal Basis & Role Definitions
5.1 Data Controller vs. Data Processor
- Healthcare Providers: In most cases, the Healthcare Provider acts as the “Data Controller,” determining what patient information to collect and how it will be used.
- Tell Claire: We act as a “Data Processor,” processing patient data on behalf of the Healthcare Provider according to their instructions.
- Mixed Role: For certain data (e.g., billing or account information), Tell Claire may act as a Data Controller. We will clarify these roles in our contracts and comply accordingly.
5.2 Consent & Other Lawful Grounds
- Patient Consent: Where sensitive health information is involved, the Healthcare Provider must obtain valid patient consent before using our Platform.
- Compliance with Legal Obligations: We may process personal information to comply with relevant Australian laws, such as reporting requirements under healthcare regulations.
6. Retention & Deletion of Data
6.1 Retention Period
- Default Guideline: Australian regulations generally require medical records be retained for at least seven (7) years from the date of last entry (longer in some cases, e.g., for minors).
- Compliance with Provider Policy: We adhere to the Healthcare Provider’s retention instructions. If a Provider directs us to retain data longer or shorter (within legal limits), we will follow those instructions.
6.2 Deletion Requests
- Healthcare Provider or Patient-Requested: If a patient or Healthcare Provider wishes to delete personal data, we will comply unless legal obligations require continued retention.
- Process: Requests must be made in writing; once approved, data is securely and permanently deleted from our systems, including backups and logs (where feasible).
7. Security Measures
7.1 Technical & Organisational Safeguards
- Encryption: Data is encrypted both in transit (TLS 1.2+) and at rest (e.g., AES-256).
- Access Controls: Strict role-based access, multi-factor authentication for administrative accounts, and detailed audit logs.
- Infrastructure: Hosted on AWS in Sydney, leveraging secure VPC configurations, IAM policies, and continuous monitoring.
7.2 Data Breach Response
- Notifiable Data Breaches (NDB) Scheme: We understand our obligation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if an “eligible data breach” is likely to result in serious harm.
- Incident Response Plan: We maintain an internal Data Breach Response Plan outlining containment, assessment, notification steps, and remediation actions in the event of a security incident.
8. International Data Transfers
All patient data is processed and stored in Australia. However, certain employees or executives of Tell Claire may need to access the Platform from outside Australia for legitimate business or support purposes. This access is governed by our Intra-Group Data Transfer & Access Agreement (see below).
9. Intra-Group Data Transfer & Access Agreement
Because Tell Claire is headquartered in the UK, and certain staff may work remotely outside Australia, we have established an Intra-Group Agreement ensuring that any cross-border access to Australian data complies with the Australian Privacy Principles:
- Limited Purpose
  - Staff outside Australia may only access personal information for essential business functions (e.g., system administration, troubleshooting, compliance oversight).
- APP-Equivalent Protections
  - All Tell Claire personnel, regardless of location, are bound by confidentiality obligations and must adhere to internal policies that meet or exceed the standards of the Australian Privacy Principles.
- Security Controls
  - Remote access requires multi-factor authentication (MFA), secure VPN connections, and strict role-based permissions.
  - Data is never stored or duplicated outside Australia; staff only view or process data in real time through secure sessions.
- Accountability
  - We remain accountable under Australian law for any misuse of personal information by overseas personnel. We will take all reasonable steps to ensure no breach of the APPs occurs.
  - If an incident occurs, we will notify the relevant Healthcare Provider(s), affected individuals (if necessary), and the OAIC in accordance with Australian law.
- No Onward Transfers
  - We do not disclose personal information to third parties outside Australia unless explicitly authorised by the Healthcare Provider or required by law.
  - Any such authorised transfer would require a separate written agreement ensuring APP-equivalent protection.
10. Cookies & Tracking
10.1 Types of Cookies
- Essential Cookies: Required for the Platform to function properly (e.g., session management).
- Analytical Cookies: Help us analyse usage trends and improve user experience.
- Marketing Cookies: If applicable, used to gauge ad performance or deliver relevant content. However, we do not use patient consultation data for marketing.
10.2 Cookie Banner
- Consent to Cookies: When you visit our public website, a banner or pop-up will inform you about our cookie usage. By continuing to browse, you consent to their use as described here.
- Managing Cookies: You can typically adjust browser settings to refuse or remove cookies, though some site features may not function optimally.
11. Access, Correction & Complaints
11.1 Access Requests
- Patient Requests: Patients may request access to their personal information by contacting their Healthcare Provider, who can retrieve records from our system.
- Healthcare Provider Requests: Providers can access stored records and transcripts at any time through our secure admin portal.
- Accuracy: If any personal information is inaccurate or outdated, the Healthcare Provider may correct it via our Platform or by contacting us directly.
- Patient Disputes: Patients wishing to correct their data should direct their request to the Healthcare Provider, who can update records accordingly.
11.3 Complaint Handling
- Complaints to Us: If you believe we have breached the APPs, please contact us at legal@tellclaire.com. We will investigate and respond promptly.
- Escalation: If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au for further guidance or to lodge a complaint.
12. Direct Marketing
We do not use patient information for direct marketing. From time to time, we may send updates or service-related messages to registered Healthcare Provider accounts. These messages relate only to platform updates, security notices, or administrative matters—not marketing of third-party services.
We do not adopt or use government-issued identifiers (e.g., Medicare numbers) as our own identifiers. If we process such identifiers, it is solely to facilitate or match data within the Healthcare Provider’s system in compliance with Australian law, and not for any other purpose.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or due to regulatory requirements. Any significant modifications will be posted on our website, and we encourage you to review it regularly.
If you have any questions or concerns about this Privacy Policy, your personal information, or wish to exercise any privacy rights, please contact us at:
Email: legal@tellclaire.com
Summary of Key Privacy Commitments
- All patient data is stored and processed in Australia.
- Cross-border access by UK-based or other overseas staff is tightly controlled and governed by an Intra-Group Agreement ensuring APP-equivalent protection.
- Strict Consent & Transparency: Healthcare Providers confirm patient consent before using Tell Claire’s AI-driven recording or transcription services.
- Security & Compliance: We maintain encryption, access controls, and an incident response plan under Australian privacy law.
- Right to Access & Correction: Individuals (through their Healthcare Provider) can request access or correction of personal information.
By adhering to these standards, we demonstrate our commitment to upholding the Australian Privacy Principles and providing a secure environment for handling sensitive health data.
Disclaimer
This Privacy Policy is designed to meet our obligations under Australian privacy law and, where relevant, UK data protection law. It is not a substitute for legal advice. For specific questions about how the Privacy Act 1988 (Cth) or the Australian Privacy Principles apply to your circumstances, please consult a qualified legal advisor.