Peptalkr, owned and operated by NOMADIGITAL PTY LTD (ABN 29 650 216 434), is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and store your information in accordance with applicable data protection and privacy laws in Australia, the UK, Europe, Canada, Singapore, and Malaysia.
We may update this policy from time to time, and any changes will be posted on our website at https://peptalkr.com.au/privacy-policy/. Continued use of our services constitutes acceptance of any changes.
1. Definitions
- Peptalkr, we, us, our: Refers to the Peptalkr software application and services, and the entity behind it.
- Services: The functionality and assistance provided as part of the Peptalkr application.
- Practice: The health clinic authorised to use our Services.
- Patient: An individual who has visited a Practice and may have their personal information stored within the Practice.
- Personal Information: Information that identifies or can be used to identify an individual, directly or indirectly, such as first and last name, date of birth, email address, physical address, telephone number, gender, or other similar data.
- Patient Information: Personal Information and other data about Patients, such as treatment notes, appointment history, and electronic medical records.
- User, you, your: A customer of Peptalkr or any individual using our Services.
2. Applicability of this Privacy Policy
This Privacy Policy applies to information collected in relation to all Users of the Peptalkr website or Services, and any other person whose information is held by Peptalkr.
This Privacy Policy does not apply to how information is handled by any third-party applications or software that may integrate with Peptalkr Services or any other third-party products, services, or businesses.
If you are a Patient and have questions about how your Practice collects, stores, or handles your information, please contact your Practice directly.
3. Information we collect and how we use it
3.1 Personal Information Collected Directly
We collect Personal Information, including Patient Information, directly from you when you:
- Use forms on our website.
- Enter data into fields within our application.
- Use chat or customer service features.
- Email us directly or engage with us on social media.
- Call us.
This data may include your full name, date of birth, phone number, email address, business information, API keys, and DNS information.
3.2 Personal Information Collected Indirectly
We also collect Personal Information, including Patient Information, indirectly through:
- Cliniko API: When you provide your Cliniko API key, we connect to your Cliniko account and import data, including patient names, contact details, appointment history, and Cliniko account configurations (e.g., appointment types, categories, practitioners, businesses, services, billable items).
- Typeform: We use Typeform to create patient intake forms. Patients can submit personal and sensitive information via these forms, which is then transferred to Cliniko. We do not store this data in our databases, and it is erased from Typeform after processing, but logs may be retained for up to 30 days on our AWS servers and Typeform's servers.
- Tracking Technologies & Cookies: We use cookies and similar technologies to collect data such as IP addresses, browser types, and user interactions for performance analytics and improving our Services.
- Transaction Data: We store data related to your subscription, payment dates, and renewal dates.
4. How we use Personal Information and Patient Information
4.1 Use of Personal Information
The Personal Information we collect is used for the following purposes, on the following legal bases:
- Account Setup and Management: Create and manage your Peptalkr account.
- Customer Service: Provide technical support and respond to inquiries.
- Marketing and Communication: Send updates, promotional materials, and relevant content tailored to your interests.
- Billing and Payment Processing: Facilitate transactions and manage subscriptions.
- Contractual Necessity: To fulfil our obligations under the contract with you (e.g., to provide Services).
- Consent: Where you have given explicit consent for processing (e.g., for marketing communications).
- Legal Obligations: To comply with legal obligations (e.g., for tax purposes).
- Legitimate Interests: Where processing is necessary for our legitimate interests (e.g., to improve our Services), and these are not overridden by your rights.
4.2 Use of Patient Information
The Patient Information we collect is used to:
- Practice Management: Enable healthcare providers to manage patient records, appointment histories, and related information within the Peptalkr platform.
- Communication Services: Facilitate communication between healthcare providers and their patients, including appointment reminders, follow-up messages, and other patient engagement tools.
- Integration with Cliniko: Sync patient data and appointment details with Cliniko, ensuring that healthcare providers have up-to-date information.
- Compliance and Reporting: Assist Practices in meeting regulatory requirements related to patient data management and reporting.
5. Sharing Your Data
We do not sell or rent your Personal Information or Patient Information. We share your data only under the following circumstances:
5.1 With Subprocessors
Peptalkr engages third-party subprocessors to assist in providing our Services. These subprocessors process data on our behalf and are critical to the functioning of Peptalkr. We ensure that all subprocessors comply with applicable data protection laws, including GDPR, and that your data is handled securely.
- Cliniko: Used for importing patient data and appointment history.
- Typeform: Used for patient intake forms. Data is transferred to Cliniko and deleted from Typeform after processing.
- Twilio: Used for sending SMS messages, which may include patient information.
- Intercom: Used for customer service interactions.
- AWS: Hosts our application codebase, databases, and logs on Australian-based servers.
- AUTH0: Provides user authentication services.
- Stripe: Processes payments for Peptalkr users.
5.2 For Legal Compliance and Enforcement
We may disclose your data to:
- Enforce our rights arising from contracts between you and us.
- Comply with legal obligations, court orders, or legal processes.
- Respond to lawful requests by public authorities.
5.3 Business Transfers
In the event of a merger, sale, or transfer of some or all of Peptalkr’s assets, we may transfer your Personal Information and Patient Information to the buyer or successor.
6. International Data Transfers
Your Personal Information, including Patient Information, may be transferred to, stored, and processed in a country other than your own. These countries may have different data protection laws. When we transfer your data internationally, we ensure appropriate safeguards are in place to protect your data, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy Decisions where the receiving country has been deemed to have adequate data protection by the European Commission.
- Binding Corporate Rules where applicable.
7. Security of Your Data
7.1 Data Encryption
We use industry-standard encryption (HTTPS) to protect data transmitted between our servers and the platforms we interact with. However, no method of transmission over the Internet is 100% secure. The security of your data is a shared responsibility, and by using our Services, you acknowledge that you transmit data at your own risk.
7.2 Data Breaches
In the event of a data breach that poses a risk to your Personal Information or Patient Information, we will notify you within 72 hours of becoming aware of the breach. We will inform you of the data at risk, the actions taken to mitigate the risk, and the measures implemented to prevent future breaches.
7.3 Data Retention and Erasure
- Retention: Personal Information is retained as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements. Patient Information is retained for the duration of your Practice’s use of our Services and in accordance with your Practice's policies.
- Erasure: Upon account cancellation, Patient Information is deleted within 90 days. Personal Information may be retained longer unless you request its erasure. Logs retained on AWS servers are anonymised after 35 days and deleted within 90 days.
8. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our website and to analyse website performance. These include:
8.1 Google Analytics
We use Google Analytics to collect anonymised data about website traffic and usage patterns. You can opt out of Google Analytics by adjusting your browser settings or using the opt-out service provided by Google.
8.2 Facebook Pixel
We use the Facebook Pixel to track user behaviour after interacting with our Facebook ads. This data is anonymous to us but may be used by Facebook according to its Data Usage Policy. You can manage your ad preferences within your Facebook account.
8.3 Google Ads
We use Google Ads to track conversions and measure the effectiveness of our advertising campaigns. Conversion tracking cookies do not personally identify users.
8.4 Intercom
We use Intercom for customer communication and analytics. Intercom may collect data such as your sign-up date, email address, and usage patterns to help us improve our Services. You can opt out by contacting us.
9. Data Retention, Correction, and Erasure
9.1 Data Retention
We retain your Personal Information for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:
- Personal Information: Retained for the duration of your account and up to 90 days post-termination, unless required by law to retain longer.
- Patient Information: Retained for 90 days post-termination.
9.2 Data Correction
You have the right to request correction of any inaccurate or incomplete Personal Information we hold about you. Contact us at [email protected] to request corrections.
9.3 Data Erasure
You have the right to request erasure of your Personal Information. We will take all reasonable steps to erase your data unless we are required to retain it for legal reasons. Requests can be made by contacting us at [email protected].
10. Your Rights
Depending on your location, you may have the following rights regarding your Personal Information:
- Access: Request access to your Personal Information.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data.
- Restriction: Request restriction of processing your data.
- Data Portability: Request transfer of your data to another service provider.
- Objection: Object to the processing of your data based on legitimate interests or for direct marketing.
- Withdraw Consent: Withdraw consent where we rely on it for data processing.
To exercise any of these rights, please contact us at [email protected].
11. Compliance with Local Laws
11.1 Australia: Privacy Act 1988 (Cth)
The Privacy Act 1988 (Cth) governs the handling of personal information in Australia. The Act sets out 13 Australian Privacy Principles (APPs) that cover the collection, use, disclosure, and storage of personal information, as well as the rights of individuals to access and correct their information.
- Collection of Personal Information: We collect only the personal information necessary to provide our services, and we do so in a manner that is lawful, fair, and not intrusive.
- Use and Disclosure: Personal information is used solely for the purposes for which it was collected, such as providing our services, customer support, and communication. We do not disclose personal information to third parties without consent, except as required by law.
- Data Security: We implement reasonable security measures to protect personal information from misuse, interference, and loss, as well as from unauthorised access, modification, or disclosure.
- Access and Correction: Individuals have the right to access and correct their personal information held by us. Requests can be made by contacting us at [email protected].
11.2 United Kingdom: UK GDPR and Data Protection Act 2018
The UK GDPR and the Data Protection Act 2018 regulate the processing of personal data in the United Kingdom, ensuring that individuals’ rights to privacy are protected.
- Lawful Basis for Processing: We process personal data on the basis of consent, contractual necessity, legal obligations, or legitimate interests, in compliance with the UK GDPR.
- Data Subject Rights: We respect the rights of data subjects under the UK GDPR, including the rights to access, rectification, erasure (right to be forgotten), restriction of processing, and data portability.
- Data Protection Impact Assessments (DPIAs): We conduct DPIAs for processing activities that may pose a high risk to the rights and freedoms of individuals, ensuring that potential risks are identified and mitigated.
- Data Transfers: When transferring data outside the UK, we ensure that adequate safeguards are in place, such as Standard Contractual Clauses (SCCs).
11.3 Europe: General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to all EU member states. It sets out the principles for data processing and provides individuals with rights regarding their personal data.
- Transparency and Lawfulness: We ensure that personal data is processed lawfully, fairly, and in a transparent manner. Individuals are informed of the purposes of data processing and their rights through our privacy policy.
- Data Minimisation: We collect only the data that is necessary for the specified purposes and ensure that it is accurate and kept up to date.
- Accountability and Governance: We maintain records of processing activities, implement appropriate technical and organisational measures, and appoint a Data Protection Officer (DPO) to oversee GDPR compliance.
- International Data Transfers: When transferring personal data outside the EEA, we use SCCs or other approved mechanisms to ensure that data is protected to GDPR standards.
11.4 Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organisations in Canada. It sets out rules for how organisations collect, use, and disclose personal information in the course of commercial activities.
- Consent: We obtain explicit consent from individuals before collecting, using, or disclosing their personal information, except where otherwise permitted by law.
- Accountability: We are responsible for personal information under our control and have designated a Privacy Officer to ensure compliance with PIPEDA.
- Limiting Collection: We limit the collection of personal information to what is necessary for the purposes identified, and we collect it by fair and lawful means.
- Safeguards: We implement appropriate safeguards to protect personal information against loss, theft, unauthorised access, disclosure, copying, use, or modification.
11.5 Singapore: Personal Data Protection Act (PDPA)
The Personal Data Protection Act (PDPA) in Singapore governs the collection, use, and disclosure of personal data by private organisations.
- Consent Obligation: We obtain consent before collecting, using, or disclosing personal data, unless an exception applies under the PDPA.
- Purpose Limitation: Personal data is collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances, and for which the individual has provided consent.
- Access and Correction Rights: Individuals have the right to request access to and correction of their personal data held by us.
- Data Protection Officer (DPO): We have appointed a DPO to oversee compliance with the PDPA and to handle inquiries and complaints.
11.6 Malaysia: Personal Data Protection Act (PDPA)
The Personal Data Protection Act (PDPA) in Malaysia regulates the processing of personal data in commercial transactions.
- Notice and Choice: We provide individuals with notice of the purposes for which their personal data is collected and offer choices regarding how their data is used.
- Security Principle: We implement appropriate security measures to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction.
- Retention Principle: Personal data is retained only as long as necessary to fulfil the purpose for which it was collected, unless otherwise required by law.
- Rights of Data Subjects: Individuals have the right to access, correct, and withdraw consent for the processing of their personal data.
12. Changes to This Privacy Policy
Peptalkr may update this Privacy Policy from time to time. Any changes will be posted on this page, and if the changes are significant, we will provide a more prominent notice.
13. Contact Us
If you have any questions or concerns about this Privacy Policy or the way we handle your personal information, please contact us at [email protected].