Privacy Policy

1. About this Privacy Policy

This Privacy Policy explains how LIGNIFIED VENTURES PTY LTD trading as Mehema ("we", "us", "our") collects, holds, uses, discloses and protects personal information, including sensitive health information, in the course of providing mental health services via telehealth.

We are committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy applies to:

• our website and client portal;
• telehealth psychology and counselling services;
• appointment bookings, billing, and administration; and
• any other interactions you have with us.

By engaging our services or providing personal information to us, you acknowledge that we will handle your information in accordance with this Privacy Policy. Where required by law, we will obtain your express consent for the collection, use or disclosure of sensitive health information.

2. Definitions

In this Privacy Policy:

• Personal information has the meaning given in the Privacy Act 1988 (Cth) and includes information that identifies you or could reasonably identify you;
• Sensitive information includes health information and mental health records, as defined under the Privacy Act;
• Services means psychology and counselling consultations and related administrative services provided via telehealth;
• Clinicians means AHPRA-registered psychologists and ACA/PACFA-registered counsellors engaged by or practising through our clinic.

3. What personal information we collect and hold

To provide mental health services safely and lawfully, we may collect the following types of personal information:

• identifying information, such as your name, date of birth, gender and contact details;
• Medicare details, concession card information and referral information (where applicable);
• payment and billing information;
• emergency contact and next-of-kin details;
• health and mental health information, including clinical notes, assessments, treatment plans and progress information;
• details of other healthcare providers involved in your care;
• communications between you and our clinic or Clinicians; and
• technical and usage data when you access our website or systems, such as IP address, browser type, device information and cookies.

4. Sensitive health information

Mental health services necessarily involve the collection of sensitive health information. We collect this information only where it is reasonably necessary to provide psychological or psychiatric services, and we do so with your consent or where otherwise permitted by law.

If you do not provide required health information, or if you withdraw consent for its use, we may be unable to provide Services to you.

5. How we collect personal information

We may collect personal information:

Directly from you, including when you:

• make an enquiry or book an appointment;
• complete intake forms or assessments;
• participate in telehealth consultations; or
• communicate with us by phone, email or online systems;

From third parties with your consent or where authorised or required by law, such as:

• referring general practitioners or specialists;
• other healthcare providers involved in your care; or

Automatically when you access our website or systems, through cookies and similar technologies.

6. Purposes for collection, use and disclosure

We collect, use and disclose personal information for purposes including:

• providing psychology and counselling services, including assessment, diagnosis and treatment;
• managing appointments, billing and Medicare claims;
• communicating with you about your care, appointments or service updates;
• liaising with other healthcare providers involved in your treatment, with your consent or as required by law;
• complying with legal and professional obligations, including mandatory reporting requirements;
• quality assurance, clinical governance and practice management;
• AI-assisted clinical documentation tools to support accurate and efficient note-taking, used only with your informed consent; and
• operating, maintaining and improving our website and telehealth systems.

7. Confidentiality and limits to confidentiality

All information disclosed during therapy sessions is treated as confidential, subject to the limits imposed by law.

We may disclose personal or health information without your consent where:

• disclosure is required or authorised by law, including by court order or subpoena;
• there is a serious and imminent threat to your life, health or safety, or to another person;
• mandatory reporting obligations apply (for example, where a child is at risk of harm); or
• disclosure is otherwise permitted under the Privacy Act.

Where practicable and appropriate, we will take reasonable steps to inform you of such disclosures.

Clinicians may also discuss de-identified information with professional colleagues for supervision or consultation purposes, in accordance with professional ethical standards.

8. Medicare and referrals

Where you receive Services under Medicare, Clinicians may be required to provide reports to referring practitioners (such as your GP) in accordance with Medicare requirements and professional obligations.

9. Use of digital platforms and third-party providers

We use secure third-party software systems for practice management, telehealth delivery, billing and clinical record keeping. These include:

• Cliniko (practice management, appointment scheduling, billing, clinical records and telehealth video consultations), hosted on Amazon Web Services (AWS) with data stored in Australia. Cliniko Telehealth provides end-to-end encrypted video sessions with screen sharing and text chat. Cliniko complies with the Australian Privacy Principles (APPs). Data is encrypted at rest using AES-256 and in transit using HTTPS with 2048-bit SSL.
• Cloudflare (website hosting and form processing), with edge servers located globally.
• Arlo (AI-assisted clinical note-taking, integrated with Cliniko). Used with your informed consent to assist practitioners with clinical documentation during sessions. All data is processed within Australia with end-to-end encryption. Notes are automatically destroyed after practitioner review and finalisation. Your participation is voluntary; if you decline, your session proceeds without any impact on care.

We take reasonable steps to ensure that third-party providers handle personal information in a manner consistent with Australian privacy requirements or equivalent standards, including through data processing agreements and standard contractual clauses where applicable.

We are not responsible for the privacy practices of third-party websites or platforms that are not operated by us, and we encourage you to review their privacy policies separately.

Where AI-assisted tools are used in connection with your care, we will obtain your informed consent before use. You may decline at any time without affecting the quality or availability of services.

10. Overseas disclosure of personal information

Your clinical and personal data is stored in Australia via Cliniko (hosted on AWS Australian servers). Clinical notes processed by Arlo are also handled within Australia and are not stored or transmitted offshore. Some data may be processed by Cloudflare, which operates edge servers globally including in the United States and Europe.

Where personal information is disclosed to overseas recipients, those recipients may not be subject to the Privacy Act 1988 (Cth), and we may not be able to enforce Australian privacy standards in those jurisdictions.

11. Data storage, security and retention

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Information may be stored electronically, in hard copy, or both.

In most cases, health records are retained for at least 7 years from the date of last contact, or in the case of children, until they reach at least 25 years of age, unless a longer retention period is required by law.

12. Notifiable Data Breaches

If we become aware of a data breach that is likely to result in serious harm, we will respond in accordance with the Notifiable Data Breaches (NDB) Scheme and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.

More information is available at www.oaic.gov.au/privacy/notifiable-data-breaches.

13. Access and correction

You may request access to, or correction of, personal information we hold about you by contacting us using the details below. We may require verification of your identity.

Access may be refused or limited where permitted by law, including where providing access may pose a serious threat to health or safety or unreasonably impact the privacy of others. Reasons for refusal will be provided in writing where required.

14. Children and young people

We provide Services to children and adolescents where appropriate. We assess capacity to consent in accordance with legal and professional standards and may require consent from a parent or guardian where necessary.

15. Unsolicited personal information

From time to time, we may receive personal or health information that we did not solicit. Where we receive unsolicited personal information, we will promptly assess whether that information is of a kind we could have collected under our standard collection practices. If not, we will destroy or de-identify it as soon as practicable, unless we are required by law to retain it.

16. My Health Record

We do not currently upload information to or access the My Health Record system as part of our telehealth services.

17. Complaints

If you have concerns about how we handle your personal information, you may contact us using the details below. We will investigate and respond within a reasonable timeframe.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au/privacy/privacy-complaints.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology or our practices. The current version will be published on our website, and material changes will be notified where appropriate.

19. Contact details