رازداری کی پالیسی | Potentialz Unlimited

Potentialz Unlimited Pty Ltd (ABN 34 629 683 432) · Last updated: 5 June 2026

1. Introduction

Potentialz Unlimited Pty Ltd (ABN 34 629 683 432) ("we", "our", "us") operates the Potentialz Unlimited mobile application (the "App") and the website www.potentialz.com.au (the "Website"), together the "Services".

We are committed to protecting your privacy and the confidentiality of your personal and health information. This Privacy Policy explains how we collect, use, store, disclose, and protect your information across both the App and the Website, in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), applicable State health-records legislation (including the Health Records and Information Privacy Act 2002 (NSW)), and the Notifiable Data Breaches (NDB) scheme.

As AHPRA-registered psychologists, we are also bound by professional codes of ethics, including the Psychology Board of Australia / Australian Psychological Society (APS) Code of Ethics and AHPRA regulations on client confidentiality. The same confidentiality protections that apply to in-person care apply to your use of the App and Website.

2. Information We Collect

2.1 Information You Provide

Clinical & Personal Information: Name, date of birth, gender, contact details, emergency contact information, Medicare/healthcare card numbers, medical and mental health history, current symptoms, medications, GP details, and referral information.
Clinical Records: Session notes, assessment results, treatment plans, psychological test results, and correspondence with other healthcare providers.
Financial Information: Payment details, Medicare claims, NDIS plan information, and insurance details.
Account Information: Email address and authentication credentials used to access the App.
Questions & Feedback: Messages, enquiries, or feedback you send through the App, the Website contact form, or by email.

2.2 Information Collected Automatically

Device & Browser Information: Device model, operating system and version, app version, browser type, and language settings.
Usage Information: Features used, pages or screens viewed, and interactions within the Services.
Log & IP Data: IP address, access times, and standard request logs used for security and abuse prevention.
Analytics & Diagnostics: Aggregated usage analytics and crash/diagnostic data used to keep the Services reliable.

2.3 Cookies & Tracking (Website)

Cookies: Our Website uses cookies and similar technologies to operate the site and improve your experience.
Essential Cookies: Some cookies are strictly necessary for the Website to function. You can disable non-essential cookies in your browser settings.
We do not sell your personal data, and we do not use third-party advertising identifiers for marketing.

2.4 Mobile App Permissions

The App only requests device permissions necessary for the features you use. We do not access your mobile device's contacts, camera, microphone, or location without your explicit permission. You can review and revoke these permissions at any time in your device settings.

2.5 Local On-Device Data

Certain App content — such as journal entries and personal notes — is stored locally on your device and is not transmitted to our servers unless you choose to sync or back it up. Local data is removed when you delete the App, subject to your device's own backup settings.

3. How We Use Your Information

Provide Clinical Treatment: Deliver psychological assessment and treatment, and maintain accurate clinical records as required by AHPRA.
Provide & Operate the Services: Authenticate your account, deliver App features, and respond to your enquiries.
Billing & Claims: Process Medicare rebates, NDIS claims, and insurance payments.
Communication: Send appointment reminders, treatment updates, service messages, and push notifications. You can opt out of marketing and notifications (see Section 7).
Improve the Services: Diagnose issues and improve reliability and usability.
Research: We may use de-identified data for research and service improvement, only with appropriate consent and where individuals cannot reasonably be re-identified.
Legal Obligations: Comply with mandatory reporting, court orders, and subpoenas.

4. Clinical Confidentiality & Disclosure

All information disclosed during psychological services is confidential and will not be shared without your consent, except in specific circumstances:

With Your Consent / Prior Approval: When you provide written consent to share information with GPs, psychiatrists, schools, employers, insurers, or other providers.
Risk of Harm: When there is a serious and imminent risk of harm to you or another person.
Mandatory Reporting: Child protection concerns, elder abuse, or domestic violence, as required by NSW law.
Legal Obligation: When legally compelled by court order or subpoena.
Funding Bodies: Medicare, NDIS, or insurers, for the limited purpose of claims and reporting where you have consented.
Professional Supervision: De-identified case discussion with clinical supervisors, as required by our professional obligations.

5. Data Storage & Security

5.1 Where Your Information Is Stored

Clinical Records: Held in your secure patient file within our practice management system, and physical records (where they exist) in locked cabinets on secure premises.
App & Web Data: Stored on secure servers, including Supabase (PostgreSQL), with encryption at rest and in transit.
Authentication: Managed via Firebase Authentication.
Local App Data: Journal entries and notes are stored locally on your device and are not transmitted unless you sync them (see Section 2.5).

5.2 Security Measures

TLS/SSL encryption for data in transit.
Encryption of stored data at rest.
Role-based access controls limiting access to authorised clinical and technical staff.
Secure destruction of records after the applicable retention period.

If a data breach likely to result in serious harm occurs, we will respond in accordance with the Notifiable Data Breaches scheme.

6. Third-Party Services

We use the following third-party service providers and SDKs to operate the Services. Each handles your data under its own privacy policy:

Provider	Purpose	Privacy Policy
Supabase	Database and storage (App & Web data)	supabase.com/privacy
Firebase (Google)	Authentication and push notifications	firebase.google.com/support/privacy
Expo	App delivery and over-the-air updates	expo.dev/privacy
Amazon SES (AWS, USA)	Sends Website contact-form and notification emails	aws.amazon.com/privacy
Mautic (self-hosted, Australia)	Stores Website enquiry contact details	mautic.org/privacy-policy
SendFox (USA)	Email marketing list (name and email only)	sendfox.com/legal/privacy
Cloudflare (USA / global)	Website delivery, security, request logging	cloudflare.com/privacypolicy

Overseas Recipients (APP 8)

Under Australian Privacy Principle 8, we disclose that some Website and App data is processed by overseas service providers, including in the United States (Amazon SES, SendFox, Cloudflare, Firebase/Google, Expo) and globally (Supabase, Cloudflare). Mautic is hosted in Australia. By using the Services you consent to your information being transferred to and processed in these jurisdictions. We take reasonable steps to ensure these providers handle your information consistently with the Australian Privacy Principles.

7. Your Rights & Choices

7.1 Access to Clinical Records

You may request access to your clinical records by written request. Reasonable fees may apply for copying, and limited exceptions apply where access would pose a serious risk or affect another person's privacy.

7.2 Digital Data Rights

For data held in the App and Website, you may request to:

Access the personal data we hold about you;
Correct inaccurate or incomplete data;
Delete your account and associated digital data (see Section 8).

To exercise these rights, contact [email protected].

7.3 Opt-Outs

Marketing & Notifications: Unsubscribe via the link in our emails, or disable push notifications in your device settings.
Cookies: Manage or disable cookies in your browser settings.

8. How to Delete Your Data or Account

You can request deletion of your account and associated personal data at any time:

In-App: Open the App and go to Settings → Account → Delete Account (where available), then confirm.
By Email / Web: Email [email protected] with the subject "Delete My Data", or use the deletion request page at www.potentialz.com.au/data-deletion.

We will process verified deletion requests within 30 days. Please note: clinical and health records that we are legally required to retain (see Section 9) cannot be deleted before the end of the mandatory retention period; in that case we will restrict access to those records and delete them securely once the retention period expires.

9. Data Retention

Clinical & Health Records: Retained as required by Australian health-record laws — generally a minimum of 7 years from last contact for adults, or until age 25 for records created when the client was a child.
Analytics & Usage Data: Up to 2 years.
Questions & Feedback: Up to 3 years.
Account Data: Until you request deletion (subject to legal retention obligations).

Records are securely destroyed (shredding or secure digital deletion) after the applicable retention period.

10. Telehealth Services

Telehealth sessions are conducted via a secure, encrypted video platform. Sessions are not recorded unless you provide explicit consent. Standard confidentiality and privacy protections apply to telehealth services.

11. Children & Adolescents

The App and Website are not directed to children under 16 for independent account creation. For clients under 18 receiving clinical services, parents/guardians are provided with general information about treatment progress, while specific session content remains confidential unless the young person consents to disclosure, or there are safety concerns requiring parental notification.

12. Australian Privacy Law Compliance

We handle your information in accordance with the Australian Privacy Principles, the Privacy Act 1988 (Cth), applicable State health-records legislation, and the Psychology Board of Australia / APS Code of Ethics. The confidentiality and privacy protections that apply to in-person psychological services apply equally to your use of the App and Website.

13. Privacy Complaints

Contact us directly: [email protected] or 0410 261 838.
We will investigate and respond within 30 days.
If you are not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au.
Professional conduct concerns may be directed to AHPRA or the Australian Psychological Society.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in legal requirements, the App, or our practices. Updated policies will be posted within the App and on our Website with a revised "Last updated" date.

15. Contact Us

Potentialz Unlimited Pty Ltd (ABN 34 629 683 432)
Unit 608, 8 Elizabeth Macarthur Drive, Bella Vista NSW 2153
Phone: 0410 261 838
Fax: 02 8458 5127
Email: [email protected]
Website: www.potentialz.com.au