Updated 9th July 2025
MediRecords Pty Limited (“MediRecords,” “we,” “us,” “our”) is an Australian health technology company with offices in Sydney, Melbourne, and Brisbane and is a wholly owned subsidiary of AsteRx Pty Ltd.
MediRecords is a leading innovator in health practice management technology and has developed a world-class clinical and practice management solution (“CPMS”) used in private, corporate, and government settings by general practitioners (“GPs”), medical specialists, and allied health professionals. The CPMS product suite also includes a patient mobile app and appointment booking system. The MediRecords platform is highly connected to the Australian health ecosystem, supporting integrations with numerous Australian entities to enable seamless healthcare service delivery.
Information privacy is a core component of MediRecords’ business activities. We are committed to handling personal information responsibly and in compliance with the thirteen Australian Privacy Principles (“APPs”) contained in the Privacy Act 1988 (Cth) (“Privacy Act”). Additionally, we aim to comply with the General Data Protection Regulation (GDPR) of the European Union and relevant privacy laws in the United States, including the Health Insurance Portability and Accountability Act (HIPAA).
This Privacy Policy explains how MediRecords collects, uses, discloses, and protects personal information. Our Privacy Policy is reviewed annually and updated as needed to reflect new products and services, privacy legislation, and technology. We encourage you to review our policy from time to time.
If you have any questions or concerns about this Privacy Policy or our collection and handling of personal information, you may contact our Privacy Officer:
- Phone: 1300 103 903
- Email: [email protected] (Attention: Privacy Officer)
- Address: Privacy Officer, MediRecords Pty Limited, Level 5, 1 Elizabeth Plaza, North Sydney NSW 2060
1. Open and Transparent Management of Personal Information
MediRecords has implemented a privacy management framework, which includes the MediRecords Privacy Policy and associated policies, practices, and procedures. This framework, informed by Privacy by Design principles, helps us manage the collection and handling of personal information, including sensitive and health information as defined by the Privacy Act.
2. Collection of Personal Information
You are required to provide personal information necessary for us to provide contracted services. If you do not provide this information, we may not be able to offer you access to our products or services.
We collect personal information for various purposes, including:
- Personal details such as your name, title, and gender
- Contact details such as your address, email address, and phone numbers
- Employee contact information to facilitate user access to MediRecords products or services
- Personal details related to support calls, inquiries, and complaints
- Usage details and feedback about your use of our products and services
- Online details such as your use of our website
2.1 Privacy Collection Notices
MediRecords collects personal information directly from customers and users of our patient mobile app through various methods, including forms, website interactions, surveys, emails, phone calls, and in person. We may also collect patient data from customers to enable the use of our products and services. In limited cases, we may obtain personal information from third parties.
We provide Privacy Collection Notices detailing the purpose(s) of collection, the consequences if information is not provided, and any usual disclosures to third parties, including overseas disclosures.
2.2 Purpose of Data Processing
To ensure transparency and compliance with privacy regulations, MediRecords processes personal information solely for the purposes listed below. These purposes align with the services we provide to healthcare professionals, patients, and staff:
| Data Category | Purpose of Processing | Legal Basis |
| --- | --- | --- |
| Personal details (name, title, gender) | Identify and manage your account; enable communication with you. | Contractual necessity. |
| Contact details (email, phone) | Send important service updates; appointment reminders; respond to support requests. | Contractual necessity. |
| Health and medical data | Provide clinical services; maintain medical records; comply with legal obligations. | Legal obligation; consent. |
| Usage details and feedback | Improve and develop our products and services; analytics. | Legitimate interests. |
MediRecords ensures that these purposes are communicated through Privacy Collection Notices, and consent is obtained where required. You can review and manage your preferences at any time by contacting our Privacy Officer.
2.3 Legal Basis for Processing Personal Information
MediRecords ensures that all personal information is processed lawfully and fairly, in compliance with applicable laws and regulations (including the Privacy Act, GDPR, and HIPAA). For each processing activity, we document the legal basis that justifies the processing. The key legal bases we rely on include:
| Processing Activity | Legal Basis | Additional Notes |
| --- | --- | --- |
| Providing contracted health practice management services. | Performance of a contract. | Necessary to deliver services to our customers and patients. |
| Managing patient records, clinical data, and health information. | Compliance with legal obligations. | Required under healthcare regulations and national legislation. |
| Customer support and account management. | Legitimate interests. | Supports customer relationships while protecting privacy rights. |
| Marketing communications (where applicable) | Consent. | Obtained via opt-in and can be withdrawn at any time. |
| Security monitoring and system maintenance. | Legitimate interests. | Ensures the integrity and security of systems and data. |
| Research and development (aggregated and de-identified data) | Legitimate interests or consent. | Supports innovation while protecting individual privacy. |
When processing special categories of personal data (e.g. health or medical data), MediRecords applies additional safeguards as required by relevant legislation, including data encryption, access controls, and explicit consent where required.
If the purpose for processing changes, we review and update the legal basis accordingly and obtain additional consent where necessary.
2.4 Consent Management
MediRecords ensures that consent is obtained whenever required by law or when processing personal data not covered by other legal bases. Consent is obtained through clear opt-in mechanisms, electronic forms, or written agreements. Where explicit consent is required (for example, processing health or sensitive data), MediRecords provides individuals with clear information about the processing and how to provide or withdraw consent.
We maintain records of consent provided by individuals in accordance with privacy regulations (including GDPR) and provide mechanisms to withdraw consent at any time by contacting our Privacy Officer.
2.5 Data Subject Rights
MediRecords is committed to respecting and fulfilling the rights of individuals regarding their personal information, as outlined under the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR), and other applicable privacy regulations. These rights include:
- Access: You have the right to request a copy of the personal information we hold about you.
- Correction: You can request that we correct any inaccuracies in your personal information.
- Erasure: You may request the deletion of your personal information where appropriate.
- Objection: You may object to certain processing activities, including direct marketing.
- Consent Withdrawal: Where we rely on your consent, you can withdraw that consent at any time.
- Automated Decision-Making: If we make decisions about you based solely on automated processing, we will provide meaningful information about the logic involved and the significance of those decisions, and you can request human review.
Requests to exercise these rights can be made by contacting our Privacy Officer using the details provided below. We aim to respond to all requests within 30 days and will inform any third parties, where applicable, of any changes requested.
2.6 Third-Party Sharing and Notification
If your personal information has been shared with third-party partners, MediRecords will take reasonable steps to notify those third parties of any requested corrections, erasures, or withdrawals of consent, where required by law or contract.
3. Use and Disclosure of Personal Information
MediRecords uses and discloses personal information for the primary purpose of collection or a permitted secondary purpose, including purposes to which you have consented. Our Privacy Collection Notices may provide more specific information about the use and disclosure of your personal information.
4. Direct Marketing
When MediRecords undertakes direct marketing, we let you know. If you do not wish to receive direct marketing communications from us, you can opt out via the link provided in our marketing emails or by contacting us directly.
5. Cross-border Disclosure
MediRecords does not transfer or store any personal or health information outside of Australia. While we engage offshore developers in Indonesia and the Philippines to provide technical services, these personnel access systems through secure remote methods under strict role-based access controls. No PII or health data is permitted to be transferred, stored, or replicated outside of Australian data centres.
6. Security and Retention of Data
MediRecords is committed to best practice information security. We store data in secure data centres in Australia and maintain administrative, physical, and technical safeguards to protect personal and health information. Personal and health information is encrypted in transit and at rest. We monitor our security posture regularly and have policies in place for handling potential privacy incidents.
MediRecords maintains detailed records of processing activities, including the legal basis for processing, categories of data processed, and retention periods, in accordance with ISO 27701 and applicable privacy regulations. Data retention and disposal are managed in line with our Data Retention and Secure Disposal Procedure, ensuring that personal and health information is retained only for as long as necessary and securely disposed of when no longer required.
7. Information Collected through Technology
MediRecords uses cookies, web beacons, and other technologies to improve your experience on our website and services. These technologies help us understand website usage and engagement. You can disable cookies in your web browser, but this may affect usability. We use third-party services like Google Analytics and Google AdWords, which may transfer information outside of Australia, the EU, and the USA.
8. Quality of Data, Access, Correction and Complaints
Our products and services allow customers and individuals to access and correct their information to ensure it remains accurate. You may request access to, or correction of, your personal information held by MediRecords by contacting us. We aim to respond to such requests within 30 days.
If you have complaints about our handling of your personal information, you may contact us using the provided details. If you are dissatisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) or the relevant data protection authority in the EU or the USA.
9. Automated Decision Making
MediRecords uses automated decision-making technologies, including artificial intelligence, to enhance service efficiency and user experience. Where automated decision-making is used to make decisions that may significantly affect individuals, MediRecords ensures that appropriate safeguards are in place, including the right to request human intervention.
Your Rights:
You have the right to request human review of any decision made solely by automated means that affects you significantly. To exercise this right, please contact the Privacy Officer using the details below.
10. MediRecords Privacy Contact Information
- Phone: 1300 103 903
- Email: [email protected] (Attention: Privacy Officer)
- Address: Privacy Officer, MediRecords Pty Limited, Level 5, 1 Elizabeth Plaza, North Sydney NSW 2060
