Legal · Privacy

CYORA Privacy Policy

How CYORA Pty Ltd collects, uses, discloses and protects your personal and health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Version1.4
Effective Date14 July 2026
Last Reviewed14 July 2026
Next Review Due14 July 2027

Version 1.4 change note. Section 6 and section 11.6 were reconciled so that AI-assisted processing is described accurately as an integral, non-severable condition of the CYORA service, rather than an opt-out feature. The standalone "opt out of AI processing by emailing support@" promise was removed, because it could not be honoured operationally and misdescribed the client's rights. The real safeguards (de-identification before any external AI language model, and Australian data residency for identifiable clinical data) are retained. This is a material change; active clients are to be notified per section 14.

On this page
  1. 1. About This Policy
  2. 2. Who We Are
  3. 3. What Personal Information We Collect
  4. 4. How We Collect Your Information
  5. 5. Why We Collect Your Information (Purposes)
  6. 6. Automated Processing and Artificial Intelligence
  7. 7. Disclosure of Your Information
  8. 8. Cross-Border Disclosure
  9. 9. Security of Your Information
  10. 10. Retention of Your Information
  11. 11. Your Rights
  12. 12. Website, Cookies, and Marketing
  13. 13. Complaints
  14. 14. Changes to This Policy
  15. 15. Glossary

1. About This Policy

CYORA Pty Ltd (ABN 59 649 153 935) ("CYORA", "we", "us", "our") is committed to protecting the privacy and confidentiality of your personal and health information.

This Privacy Policy explains:

  • What personal and health information we collect and why
  • How we collect, use, and disclose it
  • Who we share it with (including overseas recipients)
  • How we use artificial intelligence to process your information
  • Your rights to access, correct, withdraw consent, and complain about how your information is handled

This Policy applies to all personal information collected by CYORA Pty Ltd in connection with our health optimisation programs, website, client portal, and onboarding funnel.

We handle personal information in accordance with the Privacy Act 1988 (Cth), the thirteen (13) Australian Privacy Principles (APPs), and the Privacy and Other Legislation Amendment Act 2024 (Cth).

Our services are available to individuals aged 18 years and over only. We do not knowingly collect personal information from children under 18. If we become aware that information has been collected from a person under 18 without parental consent, we will delete it promptly.

We are monitoring the development of the Children's Online Privacy Code (COPC) being developed by the OAIC under the Privacy and Other Legislation Amendment Act 2024 (Cth), which is expected to be registered by 10 December 2026. We will update this Policy as required once the COPC is finalised.


2. Who We Are

CYORA Pty Ltd ABN 59 649 153 935 52/17 Great Southern Drive, Robina QLD 4226 Australia Email: support@cyora.com.au Website: cyora.com.au

Privacy Officer: Hannah King — support@cyora.com.au

Responsible Practitioner: Dr Daniel Kirkbride, Osteopath AHPRA Registration: OST0002224719 | Provider Number: 5605954W


3. What Personal Information We Collect

We collect the following categories of personal information:

3.1 Identity and Contact Information

  • Full name, date of birth, sex
  • Email address, phone number, residential address
  • Emergency contact details

3.2 Health Information (Sensitive Information)

Health information is a category of sensitive information under the Privacy Act 1988 (Cth) and is treated with additional care. We only collect health information with your explicit consent.

We collect:

  • Medical history, current medications, allergies, and supplements
  • Known diagnoses, chronic conditions, and family health history
  • Reproductive status (pregnancy, breastfeeding, contraception)
  • Mental health history and psychological wellbeing
  • Dietary restrictions, food intolerances, and eating patterns
  • Exercise history, injuries, and physical capacity
  • Sleep patterns and recovery metrics

3.3 Diagnostic and Clinical Data (Including Genetic Information)

Where you have consented to diagnostic testing as part of your program, we collect and retain:

  • Comprehensive blood test results (biomarkers, hormone panels, metabolic markers)
  • DNA / genetic SNP analysis reports — this constitutes genetic information, a distinct subcategory of sensitive information under the Privacy Act 1988 (Cth) with additional protections. Genetic information will not be used or disclosed for any purpose beyond the delivery of your clinical program without your explicit consent, and will not be used in any way that could affect your insurability or employment.
  • Microbiome / stool analysis reports
  • Body composition data (DEXA scan results)
  • Cardiorespiratory fitness data (VO2 Max test results)
  • Organic Acids Test (OAT) results
  • Oura ring biometric data (heart rate variability, sleep, activity)
  • CGM (Continuous Glucose Monitor) data

3.4 Program and Engagement Data

  • Onboarding form responses (clinical intake)
  • Signed client agreement and timestamp
  • Consult notes and practitioner assessments
  • Supplement protocol recommendations
  • Meal plan, nutrition blueprint, and food diary entries
  • Training plan and session recordings

3.5 Financial and Transaction Information

  • Payment amounts and transaction references (processed by Stripe; CYORA does not store full card details)
  • Invoice records

3.6 Technical and Usage Information

  • IP address and device type when accessing our portal or websites
  • Usage patterns within the CYORA client portal and public websites

4. How We Collect Your Information

Collection Notice (APP 5)

At or before the point we collect your personal and health information, we notify you of:

  • CYORA Pty Ltd's identity and contact details (see Section 2)
  • Why we are collecting the information (see Section 5)
  • Whether collection is required or authorised by law
  • The main consequences of not providing the information (we may be unable to deliver your program)
  • The categories of third parties to whom we usually disclose your information (laboratory partners, overseas cloud service providers in the USA and EU — see Section 7.4)
  • That this Privacy Policy governs how we handle your information and how you can access or correct it

This notice is provided in our onboarding funnel, intake form, and client agreement. If you have questions about what is collected and why at any step, contact support@cyora.com.au.

We collect information:

  • Directly from you via our online onboarding funnel (cyora.com.au/start), client intake form (via Typeform), clinical consultations, and communications with our team
  • From diagnostic laboratories when you consent to testing through our partner network (Australian Clinical Labs, NutriPATH, iMedical, iScreen)
  • From third-party devices you connect (Oura ring, with your explicit consent and personal access token)
  • From your General Practitioner or specialist only with your written consent
  • Via DocuSeal when you electronically sign your client agreement

We will always tell you why we are collecting information at the point of collection. We will only collect health information with your explicit consent, except in circumstances permitted by law (such as a health emergency).

Unsolicited information: Occasionally we may receive personal information we did not request (for example, if a third party sends us your medical records without our prompting). Where we receive unsolicited personal information, we will assess whether we could have collected it lawfully under the APPs. If not, we will destroy or de-identify it as soon as practicable and, if required, notify you that this occurred.


5. Why We Collect Your Information (Purposes)

We collect and use your personal and health information to:

  1. Deliver clinical care — interpret diagnostic data, develop personalised health protocols, and provide practitioner consultations
  2. Administer your program — manage onboarding, scheduling, billing, and access to program resources
  3. Communicate with you — send protocol updates, appointment reminders, community information, and support responses
  4. Improve our programs — analyse de-identified, aggregated outcomes data to refine our clinical approaches. Once information is de-identified, it is no longer personal information and is no longer subject to this Privacy Policy.
  5. Comply with legal obligations — maintain health records as required by law, respond to legal process
  6. Protect safety — respond to urgent health disclosures that may require referral to emergency services

We will not use your information for any purpose that is incompatible with these primary purposes without your consent.

We take reasonable steps to ensure that the personal information we use or disclose is accurate, complete, and up-to-date (APP 10).


6. Automated Processing and Artificial Intelligence

You have a right to know when AI is used to process your health information.

6.0 AI-assisted processing is an integral part of the service. CYORA delivers a personalised health and longevity service that relies on AI-assisted analysis as an integral, non-severable part of how the service works. We use AI tools to help summarise your intake, organise and score your laboratory, genetic, biomarker and wearable data, prepare pre-consultation briefs for your practitioner, and help draft your protocols. This processing is a standard and necessary component of the service you engage us to provide. It is not an optional add-on, and it cannot be separated out from the rest of the service while still delivering the service you have paid for.

Human oversight. AI assists our practitioners; it does not replace them. A qualified practitioner reviews AI-assisted outputs before they are used in a clinical decision or provided to you. We do not make solely automated decisions that have a significant effect on you without meaningful human review.

The safeguards we apply. Because your health information is sensitive, we apply strict controls whenever AI is used:

  • De-identification before any external AI language model. Before any of your information is sent to a third-party AI language model, we remove the details that identify you (such as your name, date of birth, email and other direct identifiers), so that identifiable information about you does not leave our systems for that processing. Your name is re-attached only inside our own Australian systems afterwards.
  • Australian data residency for your clinical data. Your identifiable diagnostic and clinical data (blood, DEXA, VO2, DNA, stool, OAT results) is stored and processed in Australia (Supabase, Sydney). Identifiable health, genetic or biomarker information is not sent overseas to a third-party AI language model for analysis, scoring, or protocol drafting. Where a specific service necessarily processes identifiable information overseas (for example, consultation recording and transcription by Fathom in the United States), that transfer is separately described in this section and in sections 7.4 and 8, and is made under the cross-border consent explained in section 8.
  • Purpose and access limits. AI-assisted processing is used only to deliver and improve your own care. We do not sell your information, and we do not use your identifiable information to train third-party AI models.

Your choice. Because AI-assisted processing is an integral part of how this service is delivered, you cannot receive the service without it. You are in control of whether you engage the service: if you do not wish your information to be processed in this way, you can decline to commence or continue the service by contacting us at support@cyora.com.au, and we will discuss your options, including ending your engagement. Your consent to AI-assisted processing is given as part of your CYORA client agreement when you sign up for the service.

The specific AI tools we use, and how each is applied, are set out below.

6.1 Clinical Intake Summary

When you complete the CYORA clinical intake form, our system uses Anthropic Claude (an AI language model operated by Anthropic PBC, USA) to extract a brief clinical summary from your intake responses. This summary (3 key items) is:

  • Presented to your assigned practitioner(s) in a Slack notification before your first consultation, so they can brief themselves on your situation
  • Appended to your client file in our practice management system

6.2 Pre-Consult Brief

Prior to a consultation, our system may use AI to compile a summary of recent activity, consult notes, and diagnostic trends to assist your practitioner.

6.3 Consultation Recording and Transcription

With your consent, your consultations may be recorded, transcribed, and summarised using Fathom (operated by Fathom Video Inc, USA). Fathom generates a transcript and an AI summary of the consultation to support accurate clinical record-keeping and your practitioner's follow-up. The recording, transcript, and summary form part of your clinical record and are handled in accordance with this Policy and our retention schedule (Section 10). Consultation data processed by Fathom is sent to servers located in the United States; see Section 8 (Cross-Border Disclosure). If you do not wish a consultation to be recorded, tell your practitioner before the session begins.

6.4 No Automated Clinical Decision-Making

No automated system makes clinical decisions at CYORA. AI tools are used solely as information-gathering and summarisation aids. All diagnostic interpretation, protocol design, supplement and nutrition recommendations, and clinical advice are made exclusively by AHPRA-registered practitioners on our team. No decision that significantly affects your health care is made by an automated process without practitioner review and responsibility.

Your intake data is sent to Anthropic's API for processing on servers located in the United States. Anthropic's data processing is governed by their API Terms of Service and Privacy Policy. Per Anthropic's current API usage policy, customer data submitted via their API is not used to train their models.

AI-assisted intake summarisation is an integral part of the service and is not a separate feature that can be switched off while you continue with the program (see the framing at the start of this section and section 11.6). If you do not wish your information to be processed with AI assistance, contact support@cyora.com.au to discuss your options, including declining to commence or continue the service.

6.5 Automated Decision-Making Transparency (Privacy and Other Legislation Amendment Act 2024)

Under amendments introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth), which take full effect in relation to automated decision-making transparency obligations on 10 December 2026, CYORA is required to describe in this Policy the types of personal information used in, and the kinds of decisions produced by or with the assistance of, automated processes.

In preparation for that deadline, we disclose that CYORA's AI-assisted systems currently process your personal and health information for the following functions:

  • Clinical intake summarisation — your intake form responses are processed by the Anthropic Claude API to generate a brief clinical summary for your practitioner
  • Pre-consultation brief — recent consultation notes, program activity, and diagnostic trends are compiled by AI tools to assist your practitioner before each consultation
  • Health scoring — your diagnostic data (blood markers, body composition, VO2, and stool analysis) is used in an automated scoring model (CYORA Performance Score) to generate an overall health score; this score is reviewed and contextualised by your practitioner before being presented to you
  • Biological age estimation — automated calculation of estimated biological age from biomarker data; reviewed and approved by a practitioner

In every case, the AI-generated output is reviewed, interpreted, and approved by an AHPRA-registered practitioner before it is used to inform any recommendation or communication to you. No automated process produces a final clinical recommendation without practitioner oversight.

We will update this section no later than 10 December 2026 to ensure full compliance with the automated decision-making transparency obligations under the Privacy and Other Legislation Amendment Act 2024 (Cth).


7. Disclosure of Your Information

7.1 CYORA Team Members

Your information is accessible to CYORA team members on a need-to-know basis:

  • Dr Daniel Kirkbride (Osteopath, AHPRA OST0002224719) — head clinician, reviews all clinical data
  • Hannah King (APD, DA APD050601) — reviews nutrition-relevant data
  • Dr David Kirkbride (Osteopath, AHPRA OST0002691036) — reviews training and physical capacity data
  • Administrative and support staff — access limited to non-clinical administrative data

7.2 Your General Practitioner or Specialists

With your written consent, we may share a summary of your program, diagnostic findings, or protocol with your GP or treating specialists for coordinated care. We will never share your information with your GP without your explicit consent unless required by law or in a health emergency.

7.3 Diagnostic Laboratories

When you order diagnostic tests through our partner labs, the labs receive identifying information necessary to process and return your results. Partner labs include:

  • Australian Clinical Labs
  • iMedical (Sports Blood Panel)
  • NutriPATH (Microbiome, DNA, OAT)
  • iScreen (OAT)

Each partner lab operates under their own privacy obligations. We recommend reviewing their privacy policies.

7.4 Technology Service Providers

We use the following technology providers to operate our business. All providers are engaged under data processing agreements. We disclose your information to these providers only to the extent necessary to deliver our services.

Provider Purpose Data Location Privacy Reference
Supabase Inc (USA) Database hosting for CYORA client platform Sydney, Australia (ap-southeast-2) supabase.com/privacy
Stripe Inc (USA) Payment processing USA stripe.com/au/privacy
GoHighLevel Inc (USA) CRM — contact management, appointment booking USA gohighlevel.com/privacy-policy
Typeform SL (Spain/EU) Clinical intake form collection EU (GDPR compliant) typeform.com/help/a/privacy-policy
DocuSeal (USA) Electronic signature for client agreements USA docuseal.com/privacy
Google LLC (USA) Google Drive document storage, Google Workspace USA / AU data centres policies.google.com/privacy
Anthropic PBC (USA) AI language model for intake summary USA anthropic.com/privacy
Slack Technologies (USA) Internal team communication (practitioner briefs) USA slack.com/intl/en-au/trust/privacy/privacy-policy
Fathom Video Inc (USA) Consultation recording, transcription, and AI summary USA fathom.video/privacy
Vercel Inc (USA) Application hosting and serverless processing of portal data Sydney, Australia (syd1) vercel.com/legal/privacy-policy
Meta Platforms Inc (USA) Advertising measurement, remarketing, and custom audiences (public marketing pages only) USA facebook.com/privacy/policy
Google LLC (USA) - Advertising Ad measurement, remarketing, and Customer Match (public marketing pages only) USA policies.google.com/privacy

We may disclose your information without your consent where required or authorised by law, including:

  • To AHPRA in response to a regulatory investigation of a registered practitioner
  • To a court or tribunal pursuant to a subpoena, order, or notice
  • To police or emergency services where there is an immediate threat to life
  • To the Office of the Australian Information Commissioner (OAIC) in the context of a privacy complaint

8. Cross-Border Disclosure

Your personal and health information may be transferred to, and stored or processed in, countries other than Australia, including the United States of America and the European Union. See Section 7.4 for the specific overseas providers and locations.

Before disclosing your information overseas, we take reasonable steps to ensure overseas recipients handle it in a manner consistent with the Australian Privacy Principles, including through contractual data processing agreements requiring APP-equivalent protections.

For certain overseas providers — including Anthropic PBC, Fathom Video Inc, Stripe Inc, Slack Technologies, and DocuSeal — we also rely on your consent under APP 8.2(a) of the Privacy Act 1988 (Cth). Before giving that consent, you should be aware of the following:

  1. If you consent to overseas disclosure, APP 8 of the Privacy Act 1988 (Cth) will not apply to CYORA in relation to that disclosure.
  2. CYORA will not be accountable under the Privacy Act 1988 (Cth) if the overseas recipient mishandles your personal information after it has been disclosed.
  3. You will not be able to seek redress under the Privacy Act 1988 (Cth) against the overseas recipient for any breach of the APPs.
  4. The overseas recipient may not be subject to any privacy obligations or principles equivalent to the APPs. In particular, US federal law does not provide a privacy framework substantially similar to the APPs.
  5. You may not be able to seek redress against the overseas recipient in the overseas jurisdiction.
  6. The overseas recipient may be subject to foreign laws — including US national security, surveillance, and law enforcement laws — that could compel disclosure of your personal information to a third party without your knowledge or consent.

By providing your personal information through CYORA's onboarding process and intake form, and by signing the CYORA Client Agreement, you acknowledge that you have been informed of these matters and consent to the cross-border disclosure described in Section 7.4.

Where we transfer information to overseas providers, we rely on:

  • Contractual arrangements with the provider (data processing agreements requiring APP-equivalent protections where available)
  • The provider's certification under an equivalent privacy framework (e.g. Typeform under GDPR, Stripe's SOC 2 Type II certification)
  • Your consent under APP 8.2(a) (with all limitations described above)

Your diagnostic and clinical lab data (blood results, DEXA, VO2, DNA, stool, OAT) is stored in Supabase on servers located in Sydney, Australia and is not transferred overseas. Two categories of clinical information are the exception and are processed overseas: consultation recordings and transcripts (Fathom Video Inc, United States) and the intake information used to generate your clinical intake summary (Anthropic PBC, United States), as described in Section 6. Aside from these two clearly identified flows, your identifiable diagnostic and clinical records remain resident in Australia.


9. Security of Your Information

We take reasonable steps to protect your personal and health information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

Our security measures include:

  • Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls — practitioner data access is scoped to relevant records only
  • Signed URLs for document access (time-limited, not publicly accessible)
  • Two-factor authentication for practitioner portal access
  • Regular security reviews

We use Supabase as our primary database, which maintains SOC 2 Type II certification and ISO 27001 compliance.

No security system is impenetrable. In the event of a data breach affecting your information, we will notify you and the OAIC as required under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth). We will notify affected individuals and the OAIC as soon as practicable once we have reasonable grounds to believe an eligible data breach has occurred. Our internal policy requires initial assessment within 30 days of becoming aware of a suspected breach; notification will occur promptly upon confirmation.


10. Retention of Your Information

We retain your personal and health information for:

  • Health and clinical records — minimum 7 years from the date of your last consultation, in accordance with the consensus retention standard recommended by Australian medical defence organisations (Avant, MDA National) for private health practices, and consistent with AHPRA registration standards. CYORA retains records for a minimum of 10 years as a conservative practice to support continuity of care and to ensure records are available in the event of any delayed legal or regulatory matter. Records of individuals who were minors at the time of collection are retained until they turn 25 or for 10 years from last contact, whichever is later.
  • Financial records — 7 years from the date of the transaction (ATO requirement)
  • Onboarding and agreement records — 7 years from the end of your program
  • Marketing communications — until you unsubscribe or withdraw consent

After the applicable retention period, your information will be securely destroyed or permanently de-identified in accordance with our internal data destruction procedures.


11. Your Rights

Under the Privacy Act 1988 (Cth) and the APPs, you have the following rights:

11.1 Access

You have the right to request access to personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for large or complex requests. We may decline access in limited circumstances permitted by law (e.g. where access would pose a serious threat to health or safety).

11.2 Correction

If you believe information we hold is inaccurate, incomplete, or out of date, you may request correction. We will respond within 30 days and correct the information or note your request in the record if we decline.

11.3 Anonymity

Where practicable, you may interact with us anonymously or under a pseudonym. However, we are unable to deliver clinical services without knowing who you are — anonymity is not compatible with program participation.

You may withdraw your consent to our collection, use, or disclosure of your personal information at any time by contacting support@cyora.com.au. Please note:

  • Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal
  • Where consent is required for the delivery of clinical services, withdrawal of consent may mean we are unable to continue delivering your program
  • AI-assisted processing is an integral part of the service and is addressed separately in section 11.6; it cannot be withdrawn while you continue to use the service. Your other, genuinely severable consents (such as direct marketing under section 11.5) can be withdrawn and will be honoured
  • Withdrawal of consent does not remove our obligation to retain clinical records for the minimum periods required by law (see Section 10)

11.5 Opt Out of Direct Marketing

You may opt out of direct marketing communications at any time by:

We will process opt-outs within 5 business days, in accordance with the Privacy Act 1988 (Cth) and the Spam Act 2003 (Cth). Opting out of marketing does not affect program-related communications (appointment reminders, protocol updates, billing).

11.6 AI-Assisted Processing

AI-assisted processing is an integral, non-severable part of the CYORA service (see Section 6). It is not a separate feature you can switch off while continuing to use the service. If you do not wish your information to be processed with AI assistance, your choice is to decline to commence or continue the service; contact support@cyora.com.au and we will help you with that. The safeguards in Section 6 (de-identification before any external AI language model, and Australian data residency for your identifiable clinical data) apply throughout.

To exercise any right, contact us at support@cyora.com.au.


12. Website, Cookies, and Marketing

12.1 Cookies and Similar Technologies

When you visit our public websites (cyora.com.au and our landing pages) and our client portals (command-centre.cyora.com.au, app.cyora.com.au), we and our providers use cookies and similar technologies to keep you signed in, remember your preferences, and measure website performance.

Cookie / Technology Where Purpose Retention
Supabase session cookie Client portals Maintains your authenticated session Session
Vercel analytics All CYORA sites Anonymous performance analytics (page views, load times), no personal data collected 30 days

We do not use advertising cookies, tracking pixels, or remarketing tags inside our client portals, our onboarding funnel, or your health records. Any marketing measurement described below applies only to our public marketing pages.

12.2 Advertising, Remarketing, and Audiences

We advertise our programs on Meta (Facebook and Instagram) and Google. Where we run these campaigns, we may:

  • use a Meta Pixel and a Google tag on our public marketing pages to measure which ads lead to enquiries;
  • show remarketing ads to people who have visited our public website;
  • create audiences by securely uploading a hashed (irreversibly encoded) version of an email address or phone number to Meta Custom Audiences or Google Customer Match, so we can reach or exclude similar people.

We do not upload your health information for advertising, and we do not use health data to target ads. These features involve disclosure of personal information to Meta Platforms Inc and Google LLC, which process data in the United States. See Section 8 (Cross-Border Disclosure) for what that means for you. You can opt out at any time (Section 12.4) and can control ad personalisation directly in your Meta and Google account settings.

We do not sell your personal information to advertisers or anyone else.

12.3 Enquiry and Lead Forms

When you submit an enquiry through our website, a landing page, or a lead form on Meta or Google, we collect the contact details you provide in order to respond to you and tell you about our programs. We collect this with your consent and handle it under this Policy.

12.4 Marketing Communications and Opt-Out

We send marketing communications by email, and by SMS where you have opted in, only where you have consented or where permitted under the Spam Act 2003 (Cth). Every marketing message identifies CYORA and includes a functional unsubscribe, or the option to reply STOP for SMS. We action opt-outs within 5 business days. Opting out of marketing does not affect program-related messages (appointment reminders, protocol updates, billing).


13. Complaints

If you have a complaint about the way we handle your personal information, we encourage you to contact us first:

Privacy Officer: Hannah King Email: support@cyora.com.au Response time: We will acknowledge your complaint within 5 business days and respond fully within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the:

Office of the Australian Information Commissioner (OAIC) Website: oaic.gov.au/privacy/privacy-complaints Phone: 1300 363 992 Post: GPO Box 5218, Sydney NSW 2001

Under the Privacy and Other Legislation Amendment Act 2024 (Cth), the OAIC also has enhanced enforcement powers including the ability to issue compliance notices and infringement notices. Additionally, individuals now have the right to bring a direct action in the Federal Court for serious invasions of privacy without first going through the OAIC complaint process.

You may also raise a complaint about the conduct of a registered practitioner with AHPRA: Website: ahpra.gov.au/Notifications Phone: 1300 419 495


14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active clients via email at least 30 days before they take effect.

The current version of this Policy is always available at www.cyora.com.au/privacy-policy.


15. Glossary

APP — Australian Privacy Principle (one of 13 principles under the Privacy Act 1988 (Cth)) AHPRA — Australian Health Practitioner Regulation Agency Genetic Information — information about an individual's genetic makeup, including DNA and SNP analysis results; a specific subcategory of sensitive information under the Privacy Act 1988 (Cth) Health Information — information or opinion about the health, disability status, or health services received by an individual (a form of sensitive information under the Privacy Act) NDB Scheme — Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) OAIC — Office of the Australian Information Commissioner Sensitive Information — a subcategory of personal information afforded higher protection under the APPs, including health information, genetic information, and biometric data Spam Act — Spam Act 2003 (Cth), governing commercial electronic messages


This Privacy Policy was prepared having regard to the Privacy Act 1988 (Cth), the Australian Privacy Principles, the Privacy and Other Legislation Amendment Act 2024 (Cth), applicable state and territory health records legislation, OAIC APP Guidelines (including Chapter 8 v1.3, October 2025), and AHPRA guidance on the use of artificial intelligence in healthcare (August 2024). It will be updated no later than 10 December 2026 to reflect automated decision-making transparency obligations and the Children's Online Privacy Code, and following any further Privacy Act reform legislation.

CYORA Pty Ltd · ABN 59 649 153 935 · support@cyora.com.au · www.cyora.com.au/privacy-policy