Privacy Policy
Overview
Updated 13th February 2026
MediRecords Pty Limited (“MediRecords,” “we,” “us,” “our”) is an Australian health technology company with offices in Sydney, Melbourne, and Brisbane and is a wholly owned subsidiary of AsteRx Pty Ltd.
MediRecords is a leading innovator in health practice management technology and has developed a world-class clinical and practice management solution (“CPMS”) used in private, corporate, and government settings by general practitioners (“GPs”), medical specialists, and allied health professionals. The CPMS product suite also includes a patient mobile app and appointment booking system. The MediRecords platform is highly connected to the Australian health ecosystem, supporting integrations with numerous Australian entities to enable seamless healthcare service delivery.
Information privacy is a core component of MediRecords’ business activities. We are committed to handling personal information responsibly and in compliance with the thirteen Australian Privacy Principles (“APPs”) contained in the Privacy Act 1988 (Cth) (“Privacy Act”). Additionally, we aim to comply with the General Data Protection Regulation (GDPR) of the European Union and relevant privacy laws in the United States, including the Health Insurance Portability and Accountability Act (HIPAA).
This Privacy Policy explains how MediRecords collects, uses, discloses, and protects personal information. Our Privacy Policy is reviewed annually and updated as needed to reflect new products and services, privacy legislation, and technology. We encourage you to review our policy from time to time.
If you have any questions or concerns about this Privacy Policy or our collection and handling of personal information, you may contact MediRecords on:
- Phone: 1300 103 903
- Email: [email protected]
- Address: MediRecords Pty Limited, Level 5, 1 Elizabeth Plaza, North Sydney NSW 2060
Purpose
1. Open and Transparent Management of Personal Information
MediRecords’ Privacy Policy and its associated policies, practices, and procedures define the framework within which MediRecords operates. This framework, informed by Privacy by Design principles, helps us manage the collection and handling of personal information, including sensitive and health information as defined by the Privacy Act.
2. Collection of Personal Information
Customers are required to provide personal information necessary for us to provide contracted services. If Customers do not provide this information, we may not be able to offer access to our products or services.
We collect various types of personal information, including:
- Personal details such as name, title, and gender
- Contact details such as address, email address, and phone numbers
- Employee contact information to facilitate user access to MediRecords products or services
- Personal details related to support calls, inquiries, and complaints
- Usage details and feedback about use of our products and services
- Online details such as use of our website
2.1 Privacy Collection Notices
MediRecords collects personal information directly from customers and users of our patient mobile app through various methods, including forms, website interactions, surveys, emails, phone calls, and in person. We may also collect patient data from customers to enable the use of our products and services. In limited cases, we may obtain personal information from third parties.
We provide Privacy Collection Notices at the point.
2.2 Purpose of Data Processing
To ensure transparency and compliance with privacy regulations, MediRecords processes personal information solely for the purposes listed below. These purposes align with the services we provide to healthcare professionals, patients, and staff:
| Data Category | Purpose of Processing | Legal Basis |
|---|---|---|
| General personal information (name, title, gender) | Identify and manage your account; enable communication with you. | Contractual necessity. |
| Contact details (email, phone) | Send important service updates and appointment reminders; respond to support requests. | Contractual necessity. |
| Health and medical data (patient health data) | Provide clinical services; maintain medical records; comply with legal obligations; enable use of the basic services of the product. | Legal obligation; consent. |
| Financial and claim information (Medicare card, claim details, bank accounts) | Pay for services, process payments, or make claims. | Contractual necessity; legitimate interests. |
| Usage and activity information (usernames, passwords, communications with us) | Allow users to access and use the services; maintain audit logs; improve our products and services. | Legitimate interests. |
| Device information (desktop, laptop, browser type, time zone settings, diagnostic data) | Deliver enhanced functionality and better understand customer interaction and usage. | Legitimate interests. |
| Support information (contact information, patient information, summaries of issues, images and recordings) | Any information provided by a customer to our support teams in relation to our services, used to resolve technical and non-technical requests. | Legitimate interests. |
| Job application information (resume, eligibility to work, employment details) | Assist our decision on whether or not to make an offer of employment or engage personnel under a contract. | Legitimate interests. |
| Marketing and feedback information (preferences, interests, opinions) | Improve our services and develop our product to suit the needs of our customers; communicate about the services, special offers, and promotional materials. | Legitimate interests. |
We collect and use personal information (including health information where relevant) for purposes noted above and for additional reasons, including:
- providing and managing our services;
- managing user accounts and authentication;
- responding to enquiries and providing support;
- communicating service-related information (e.g., updates, reminders);
- meeting legal and regulatory obligations;
- maintaining the security, integrity, and performance of our systems;
- improving our services, including analytics and quality assurance (where appropriate); and
- any other purpose explained to you at the time of collection.
Certain personal and patient information is required to use the application in full and to allow MediRecords to provide the services that support customer needs.
MediRecords ensures that these purposes are communicated through Privacy Collection Notices, and consent is obtained where required. You can review and manage your preferences at any time by contacting MediRecords.
2.3 Legal Basis for Processing Personal Information
MediRecords ensures that all personal information is processed lawfully and fairly, in compliance with applicable laws and regulations (including the Privacy Act, GDPR, and HIPAA). For each processing activity, we document the legal basis that justifies the processing. The key legal bases we rely on include:
| Processing Activity | Legal Basis | Additional Notes |
|---|---|---|
| Providing contracted health practice management services | Performance of a contract. | Necessary to deliver services to our customers and patients. |
| Managing patient records, clinical data, and health information | Compliance with legal obligations. | Required under healthcare regulations and national legislation. |
| Customer support and account management | Legitimate interests. | Supports customer relationships while protecting privacy rights. |
| Marketing communications (where applicable) | Consent. | Obtained via opt-in and can be withdrawn at any time. |
| Security monitoring and system maintenance | Legitimate interests. | Ensures the integrity and security of systems and data. |
| Research and development (aggregated and de-identified data) | Legitimate interests or consent. | Supports innovation while protecting individual privacy. |
When processing special categories of personal data (e.g. health or medical data), MediRecords applies additional safeguards as required by relevant legislation, including data encryption, access controls, and explicit consent where required.
If the purpose for processing changes, we review and update the legal basis accordingly and obtain additional consent where necessary.
2.4 Consent Management
MediRecords ensures that consent is obtained whenever required by law or when processing personal data not covered by other legal bases. Consent is obtained through clear opt-in mechanisms, electronic forms, or written agreements. Where explicit consent is required (for example, processing health or sensitive data), MediRecords provides individuals with clear information about the processing and how to provide or withdraw consent. This is referred to in our Privacy Policy.
We maintain records of consent provided by individuals in accordance with privacy regulations (including GDPR) and provide mechanisms to withdraw consent at any time by contacting MediRecords.
MediRecords services are mostly intended for use by business organisations. The party to the subscription terms controls its instance of the services and is responsible for the personal information it discloses to MediRecords.
2.5 Data Subject Rights
MediRecords is committed to respecting and fulfilling the rights of individuals regarding their personal information, as outlined under the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR), and other applicable privacy regulations. These rights include:
- Access: You have the right to request a copy of the personal information we hold about you.
- Correction: You can request that we correct any inaccuracies in your personal information.
- Erasure: You may request the deletion of your personal information where appropriate.
- Objection: You may object to certain processing activities, including direct marketing.
- Consent Withdrawal: Where we rely on your consent, you can withdraw that consent at any time.
- Automated Decision-Making: If we make decisions about you based solely on automated processing, we will provide meaningful information about the logic involved and the significance of those decisions, and you can request human review.
Requests to exercise these rights can be made by contacting MediRecords using the details provided below. We aim to respond to all requests within 30 days and will inform any third parties, where applicable, of any changes requested.
2.6 Third-Party Sharing and Notification
If your personal information has been shared with third-party partners, MediRecords will take reasonable steps to notify those third parties of any requested corrections, erasures, or withdrawals of consent, where required by law or contract.
MediRecords may share or disclose the personal information listed above to third parties. These may include:
- Technology and media vendors/partners (includes telecommunications services providers, third party applications, data storage services)
- Social media platforms
- MediRecords lawyers, accountants and professional advisors
- Law enforcement authorities and government agencies where MediRecords are required or permitted to do so by law, or as a result of legal process.
3. Use and Disclosure of Personal Information
MediRecords uses and discloses personal information for the primary purpose of collection or a permitted secondary purpose, including purposes to which you have consented. Our Privacy Collection Notices may provide more specific information about the use and disclosure of your personal information.
4. Direct Marketing
When MediRecords undertakes direct marketing, we let you know. If you do not wish to receive direct marketing communications from us, you can opt-out via the link provided in our marketing emails or by contacting us directly.
5. Cross-border Disclosure
MediRecords does not transfer or store any personal or health information outside of Australia. While we engage offshore developers in Indonesia and the Philippines to provide technical services, these personnel access systems through secure remote methods under strict role-based access controls. No PII or health data is permitted to be transferred, stored, or replicated outside of Australian data centres.
This Privacy Policy does not apply to any third-party websites, applications or software that integrates with the Services or any other third-party products, services or businesses.
6. Security and Retention of Data
MediRecords is committed to best practice information security. We store data in secure data centres in Australia and maintain administrative, physical, and technical safeguards to protect personal and health information. Personal and health information is encrypted in transit and at rest. We monitor our security posture regularly and have policies in place for handling potential privacy incidents.
MediRecords maintains detailed records of processing activities, including the legal basis for processing, categories of data processed, and retention periods, in accordance with ISO 27701 and applicable privacy regulations. Data retention and disposal are managed in line with our Data Retention and Secure Disposal Procedure, ensuring that personal and health information is retained only for as long as necessary and securely disposed of when no longer required.
MediRecords uses safeguards to protect our customer information, but like any online service, we cannot guarantee absolute security during internet transmission or while information is stored with MediRecords.
6.1 Data Breach
Security Commitment: MediRecords Pty Ltd takes reasonable steps to protect personal information and health information from misuse, interference, loss, unauthorised access, modification, or disclosure.
Definition of Data Breach: A Data Breach means any actual or suspected unauthorised access to, unauthorised disclosure of, or loss of personal information or health information held by MediRecords.
Incident Response: If MediRecords becomes aware of a Data Breach, we will take reasonable steps to: (a) contain and mitigate the breach; (b) investigate the nature and scope of the incident; and (c) assess the potential risk of harm to affected individuals.
Notification Requirements: Where a Data Breach is likely to result in serious harm, MediRecords will notify affected individuals and relevant regulatory authorities as soon as reasonably practical, in accordance with the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme.
7. Information Collected through Technology
MediRecords uses cookies, web beacons, and other technologies to improve experience on our website and services. These technologies help us understand website usage and engagement. You can disable cookies in your web browser, but this may affect usability. We use third-party services like Google Analytics and Google AdWords, which may transfer information outside of Australia, the EU, and the USA.
8. Quality of Data, Access, Correction and Complaints
Our products and services allow customers and individuals to access and correct their information to ensure it remains accurate. You may request access to, or correction of your personal information held by MediRecords by contacting us. We aim to respond to such requests within 30 days.
If you have complaints about our handling of your personal information, you may contact us using the provided details. If you are dissatisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) or the relevant data protection authority in the EU or the USA.
9. Automated Decision Making
MediRecords uses automated decision-making technologies, including artificial intelligence, to enhance service efficiency and user experience. Where automated decision-making is used to make decisions that may significantly affect individuals, MediRecords ensures that appropriate safeguards are in place, including the right to request human intervention.
Your Rights:
You have the right to request human review of any decision made solely by automated means that affects you significantly. To exercise this right, please contact MediRecords using the details below.
10. MediRecords Privacy Contact Information
Phone: 1300 103 903
Email: [email protected]
Address: MediRecords Pty Limited
Level 5, 1 Elizabeth Plaza
North Sydney NSW 2060
11. Privacy Policy Changes
MediRecords may change this policy at any time. MediRecords will post any such changes online where applicable. If you disagree with any changes to the policy you can contact MediRecords using the above contact details.
