Privacy Policy
1. Introduction
CardiAction Pty Ltd (ABN 41 619 022 141) ("CardiAction", "we", "us", "our") is committed to protecting the privacy and security of your personal information. We understand that health-related information is particularly sensitive, and we take our obligations seriously.
This Privacy Policy explains how we collect, use, disclose, and protect personal information through our websites, platforms, and services, including the CardiAction website (www.cardiaction.com), PreScreen, ProScreen, and BookNow (collectively, the "Services").
We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we handle information about individuals in New Zealand, we also comply with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs).
By using our Services, you acknowledge that you have read and understood this Privacy Policy.
2. What Information We Collect
2.1 Information You Provide Directly
Depending on how you interact with our Services, we may collect the following categories of personal information:
Identity and contact information:
- Name, email address, phone number, date of birth, and postal address.
Health and biometric information:
- Self-reported health information provided through PreScreen (such as age, gender, smoking status, medical history, and family history of cardiovascular disease).
- Clinical measurements obtained during cardiovascular screenings conducted using the Uscom BP+ device, including peripheral and central blood pressure, heart rate, arterial stiffness indicators, and pulse wave analysis metrics.
- Height, weight, and body mass index (BMI) recorded during screenings.
- Screening results, risk assessments, clinical notes, and GP referral information recorded by screeners and clinicians.
Booking and appointment information:
- Appointment details, preferred screening location, and scheduling preferences provided through BookNow.
2.2 Information We Collect Automatically
When you use our Services, we may automatically collect:
- Device information, including device type, operating system, browser type, and screen resolution.
- Usage data, including pages visited, time spent on pages, navigation paths, and interaction patterns.
- IP address, approximate geographic location, and referring website.
- Cookies and similar tracking technologies (see Section 11 below).
2.3 Information from Third Parties
We may receive personal information from our screening partner organisations (such as CSA and HSNZ) in connection with the delivery of screening services. This may include information collected from you at the time of your screening appointment.
3. How We Use Your Information
We collect and use personal information for the following purposes:
- Delivering screening services: To conduct cardiovascular health screenings, generate screening reports, calculate risk assessments, and facilitate GP referrals where clinically indicated.
- Providing our platforms: To operate and maintain PreScreen, ProScreen, and BookNow, including managing user accounts, processing bookings, and delivering communications related to your appointments.
- Communicating with you: To send appointment confirmations, reminders, recall notifications, screening results, and other service-related communications by email or SMS.
- Improving our Services: To analyse de-identified and aggregated data for the purpose of improving our screening methodologies, platform functionality, and the quality of our services.
- Research and analytics: To conduct de-identified population health research and generate statistical insights that contribute to cardiovascular health outcomes. Individually identifiable health information is never used for research purposes without appropriate consent or ethical approval.
- AI-assisted clinical interpretation: To provide AI-generated clinical context for screening results. Only de-identified metrics and anonymised screening data are sent to AI models. No personally identifiable information or protected health information is shared with any AI service provider. See Section 5 for more detail.
- Payment processing: To process payments for screening services through our screening partners' nominated payment providers.
- Legal and regulatory compliance: To comply with our legal obligations, including the Notifiable Data Breaches scheme under the Privacy Act 1988, applicable health records legislation, and any lawful requests from regulatory authorities.
- Security and fraud prevention: To protect the security and integrity of our Services, detect and prevent fraud or unauthorised access, and enforce our Terms of Use.
4. Legal Basis for Collection and Use
Under the Australian Privacy Principles, we collect personal information only where it is reasonably necessary for one or more of our functions or activities. For health and biometric information (which is classified as sensitive information under the Privacy Act), we collect this information only with your consent or where otherwise permitted by law.
Under the New Zealand Privacy Act 2020, we collect personal information directly from you wherever reasonably practicable, and only for lawful purposes connected with our functions and activities.
Where we rely on consent for any particular use of your information, you may withdraw that consent at any time by contacting us at privacy@cardiaction.com. Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.
5. AI-Assisted Analysis and De-Identified Data
ProScreen includes an AI-assisted clinical interpretation feature that provides contextual information about screening results. This feature operates under strict data protection controls:
- Only de-identified clinical metrics (such as blood pressure values, arterial stiffness indices, and risk scores) are sent to the AI service. No names, dates of birth, contact details, or other personally identifiable information is included.
- AI-generated interpretations are provided as clinical decision support for qualified screeners and clinicians. They do not constitute a medical diagnosis.
- De-identified data may also be used for platform research and analytics, including through the ProScreen research workbench, to support improvements in cardiovascular screening methodology.
CardiAction retains full ownership and control of all de-identified datasets and AI-generated outputs. No third-party AI service provider retains or has any proprietary claim over data processed through our platform.
6. Who We Share Your Information With
We may share your personal information with the following categories of recipients:
Screening partner organisations:
- CardiAction Screening Australia Pty Ltd (CSA) and Health Screening NZ Ltd (HSNZ) and their authorised screeners and clinicians, for the purpose of delivering screening services and managing your care.
Healthcare providers:
- Your nominated general practitioner or other healthcare provider, where a GP referral is generated as part of your screening results and you consent to the referral.
Service providers:
We engage trusted third-party service providers to help us operate our Services. These providers are contractually required to handle your information securely and only for the purposes we specify. They include:
- Cloud infrastructure and database hosting (Supabase/AWS).
- Payment processing (Stripe).
- Email delivery (Resend).
- SMS communications (Twilio).
- Appointment scheduling (Acuity Scheduling, during the transition period).
- Analytics and reporting tools.
Legal and regulatory disclosures:
We may disclose personal information where required or permitted by law, including to comply with a court order, subpoena, or other legal process, or to respond to a lawful request from a government authority.
With your consent:
We may share your information for other purposes where you have given us your specific consent to do so.
We do not sell your personal information to any third party. We do not share your personally identifiable health information with advertisers or marketing platforms.
7. Cross-Border Data Transfers
CardiAction operates in both Australia and New Zealand. Your personal information may be stored and processed in either country, or in other jurisdictions where our cloud infrastructure providers maintain servers (primarily the United States and the Asia-Pacific region).
8. Data Security
We take the security of your personal information seriously and implement a range of technical and organisational measures to protect it from unauthorised access, misuse, loss, and disclosure. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest.
- Row-level security controls on all database tables, ensuring strict data isolation between organisations on our multi-tenant platform.
- Role-based access controls that limit access to personal information based on the user's role and responsibilities.
- Automatic session timeouts after periods of inactivity.
- Regular security reviews and monitoring of our platform infrastructure.
- Invitation-only onboarding for ProScreen platform users, with no self-registration.
While we take all reasonable steps to protect your information, no method of electronic storage or transmission is completely secure. We cannot guarantee the absolute security of your personal information.
9. Data Retention
We retain personal information only for as long as is reasonably necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention practices include:
- Screening records and clinical data are retained for a minimum period consistent with applicable health records legislation and clinical best practice guidelines. In Australia, this is generally a minimum of 7 years from the date of the last screening for adults (or until a minor turns 25, whichever is later).
- Account and access records for ProScreen platform users are retained for the duration of the user's access and for a reasonable period after deactivation for audit and security purposes.
- Booking and appointment records are retained for a reasonable period to support recall and follow-up processes.
- De-identified and aggregated data may be retained indefinitely for research, analytics, and platform improvement purposes.
10. Your Rights
10.1 Australian Users
Under the Australian Privacy Act 1988, you have the right to:
- Access the personal information we hold about you by making a request to us.
- Request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Make a complaint about how we have handled your personal information (see Section 14 below).
We will respond to access and correction requests within a reasonable period (generally within 30 days). In some circumstances, we may refuse a request, for example, where providing access would unreasonably impact the privacy of others or where we are required by law to withhold the information. If we refuse a request, we will provide you with written reasons.
10.2 New Zealand Users
Under the New Zealand Privacy Act 2020, you have the right to:
- Request access to the personal information we hold about you (Information Privacy Principle 6).
- Request correction of personal information that is inaccurate (Information Privacy Principle 7).
- Make a complaint to the Office of the Privacy Commissioner if you believe your privacy has been interfered with.
10.3 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@cardiaction.com. We may need to verify your identity before processing your request.
11. Cookies and Tracking Technologies
Our websites use cookies and similar tracking technologies to improve your experience, analyse usage patterns, and support our marketing activities.
Types of cookies we use:
- Essential cookies: Required for the basic operation of our websites, including authentication and security. These cannot be disabled.
- Analytics cookies: Help us understand how visitors interact with our websites so we can improve content and functionality.
12. Marketing Communications
We may send you marketing communications about our Services where you have consented to receive them or where we are otherwise permitted to do so under applicable law.
You may opt out of receiving marketing communications at any time by using the unsubscribe mechanism in any marketing email, or by contacting us at privacy@cardiaction.com. Opting out of marketing communications does not affect service-related communications (such as appointment reminders and screening result notifications), which are sent as part of the delivery of our Services.
13. Children's Privacy
Our Services are primarily intended for individuals aged 18 years and over. We do not knowingly collect personal information from children under 18 without the involvement and consent of a parent or legal guardian. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information.
14. Complaints
If you believe that we have breached the Australian Privacy Principles, the New Zealand Information Privacy Principles, or otherwise mishandled your personal information, you may lodge a complaint with us by contacting:
Privacy Officer
CardiAction Pty Ltd
Email: privacy@cardiaction.com
We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we cannot resolve the matter to your satisfaction, you may escalate your complaint to the relevant external body:
- Australia: Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
- New Zealand: Office of the Privacy Commissioner (see Section 10.2 above).
15. Data Breach Response
In the event of a data breach that is likely to result in serious harm to affected individuals, we will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). This includes notifying the Office of the Australian Information Commissioner and affected individuals as soon as practicable.
For breaches involving the personal information of New Zealand individuals, we will comply with the mandatory notification requirements under the New Zealand Privacy Act 2020.
We maintain an internal data breach response plan and take all reasonable steps to contain and remediate any breach as quickly as possible.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date at the top of this document.
We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes take effect constitutes your acceptance of the revised Privacy Policy.
17. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or would like to make a complaint, please contact us:
Privacy Officer
CardiAction Pty Ltd
Email: privacy@cardiaction.com
General enquiries: info@cardiaction.com
Website: www.cardiaction.com
Last updated: 16 March 2026