Privacy policy

1. About this policy

This policy explains how Riya Jose handles your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), applicable State and Territory health records legislation, and the APS Code of Ethics. It applies to our website, online bookings, consent records and the psychological services we provide.

2. Information we collect

Most of the information we hold is "sensitive information" (health information), which receives a higher level of protection under the Privacy Act. We collect information you provide when you book a session, sign in, complete the consent form, or contact us. This may include:

• Identity and contact details — name, date of birth, address, phone and email;
• Emergency contact and your GP or referrer's details;
• Health information — presenting concerns, relevant history, and the notes we make to provide your care;
• Medicare and/or private health fund details where you choose to claim a rebate; and
• Appointment, billing and communication history.

For telehealth sessions we also process limited technical data (audio, video and connection metadata) for the duration of the call.

3. How we collect it and consent

Wherever practical we collect information directly from you. With your consent we may also receive information from your GP, referrer or another treating practitioner where it is relevant to your care. Because health information is "sensitive information", we collect it with your consent and only for purposes directly related to providing psychological services.

4. How we use your information

We use your information to provide psychological services; schedule and conduct sessions; issue invoices and process Medicare or rebate claims you have consented to; meet professional and legal record-keeping obligations under AHPRA; and communicate with you about your care. We will not use your information for any unrelated purpose without your consent.

5. Clinical session notes

Clinical notes are kept in a separate, secure clinical record system that meets AHPRA requirements. They are not stored in this website's database and are not stored by our video provider.

6. Telehealth and third-party processors

Video and audio sessions are delivered using Daily.co (Daily Co., based in the United States), which acts as a data processor for the real-time call. Audio and video are transmitted over encrypted (TLS/SRTP) connections.

• Sessions are not recorded by default. Recording only occurs with a clear clinical reason and your explicit, written consent.
• Daily.co processes limited connection metadata (e.g. IP address, device type, session duration) on servers that may be located in the United States.
• We also use Lovable Cloud (powered by Supabase) for website hosting, account sign-in, bookings and consent records.

7. Website, cookies and analytics

Our website uses only the cookies and local storage necessary to keep you signed in and to operate bookings and the consent form. We do not use your browsing for advertising, and we do not sell website data.

8. Disclosure of your information

We do not sell your information. We may disclose limited information: to your GP or referrer where clinically appropriate and with your consent; to Medicare or your health fund for claims you've consented to; to our supervisor as part of the Clinical Registrar program (de-identified wherever possible); or where required or authorised by law — for example, a serious and imminent risk to your safety or another person's, a court subpoena, or mandatory reporting obligations.

9. Overseas disclosure

As noted above, our telehealth provider processes limited call metadata on servers that may be located in the United States. By consenting to telehealth you consent to this overseas transfer for the purpose of delivering your session. We take reasonable steps to ensure overseas providers handle your information consistently with the APPs.

10. Direct marketing

We do not use your personal or health information for direct marketing. Any messages you receive from us relate to your appointments and care.

11. Storage, security and data breaches

Records are stored with reputable cloud providers using encryption in transit and at rest, access controls and row-level security. If a data breach is likely to result in serious harm, we will respond in line with the Notifiable Data Breaches scheme under the Privacy Act, including notifying you and the OAIC where required.

12. Retention

In line with APS guidelines and applicable health records legislation, clinical records are generally retained for at least 7 years after your last session, or — for clients who were under 18 — until you turn 25, whichever is later. After that period records are securely destroyed or de-identified.

13. Complaints

If you have a concern about how your information has been handled, please contact Riya first at riya.jose981@gmail.com so we can try to resolve it.

14. Changes to this policy

This policy may be updated from time to time. The current version will always be available on this page, with the "last updated" date shown above.