Privacy Policy

Last updated: 28 May 2026

Pandion Health is committed to best practice in the management of information we collect, in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains the kinds of information we collect and hold, how we collect and hold personal information, the purposes for which we collect, hold, use and disclose personal information, how you can access and correct your personal information, and how you can make a complaint about a breach of the APPs.

1. Types of personal information collected

The information we collect may include:

  • Personal details: name, address, date of birth, email, contact details.
  • Identifiers: Medicare number, DVA number, and other government identifiers, used for healthcare claiming and identity verification but not as our internal patient identifier.
  • Health information:
    • Clinical notes, symptoms, diagnoses, treatments, test results, and specialist reports.
    • Appointment and billing details.
    • Prescriptions and pharmaceutical purchase history.
    • Genetic information.
    • Healthcare identifiers.
    • Information about race, sexuality, or religion where relevant to your care.
  • Technical and website data:
    • IP address, device type, browser, operating system, referring URL, and pages visited.
    • Form submission metadata (date, time, completion status).
    • Cookies and similar tracking technologies (see Section 10).

2. How we collect and hold personal information

We collect personal information:

  • Directly from you (in person, by phone, via forms, online registration).
  • From a person responsible for you.
  • From third parties, where permitted by law (e.g. your treating team, hospitals, diagnostic centres, Medicare, My Health Record, electronic prescription services).

Online intake forms. Our patient intake forms are provided by Tally (Tally BV, a Belgian third-party form platform). Form data is encrypted in transit and at rest and hosted within the European Union. Before submission completes, patients verify their email address and provide explicit consent to Pandion Health collecting and using their health information to provide care; this consent is recorded with each submission. When you submit an intake form, your responses are transmitted to Tally and then automatically transferred to Pandion Health’s Australian-hosted patient record system. Tally automatically deletes form submissions within 30 days of transfer. Our use of Tally is governed by Tally’s Data Processing Agreement, which is incorporated into their Terms of Service for paid accounts — no separate signed DPA is required. We disclose Tally as an overseas processor under APP 8 (see Section 7).

We hold personal information in secure, access-controlled electronic systems, and where applicable, in locked physical storage.

3. Purposes for collecting personal information

We use and disclose your personal information for purposes including:

  • Providing health services to you.
  • Communicating with you about your care.
  • Liaising with other healthcare providers involved in your treatment.
  • Managing accounts, billing, IT systems, and administrative functions.
  • Meeting legal obligations (e.g. mandatory disease notifications, child protection reporting).
  • Identification and health insurance claiming.
  • Using electronic prescription and secure messaging systems.
  • Liaising with health funds, Medicare, DVA, and regulatory bodies as required.
  • Sending you optional marketing and educational communications about Pandion Health services, where you have opted in. You can withdraw consent at any time by clicking “unsubscribe” in any email or by emailing reception@pandionhealth.com.au.
  • Improving our website, intake forms, and services through aggregate analytics.

4. AI scribe and artificial intelligence tools

  • We may utilise a note-taking AI scribe to accurately and efficiently capture the details of our discussions and the outcomes of our appointments.
  • The use of an AI scribe is at the discretion of your individual clinician — not all Pandion Health clinicians use one. Any AI scribe tool used by our clinicians is selected for its compliance with Australian privacy requirements and appropriate handling of sensitive health information. You can opt out at any time as described below.
  • AI scribes allow us to focus more on our conversation and less on manual notetaking, enhancing the quality of care you receive.
  • Your information is handled with the utmost care, in full compliance with Australian privacy regulations. The AI scribe tool is designed to store and process personal information securely and confidentially.
  • The use of this tool is aimed solely at improving your healthcare experience.
  • If you do not wish an AI scribe to be used during your consultation, please tell your clinician and your preference will be accommodated.

Your rights and consent

  • When you consent to AI scribe tools being used for the purpose of session notes, this consent applies to all appointments unless you specify that you do not wish to have AI scribe active.
  • You have the right to opt out at any time, and your preference will be recorded in your health record.
  • If you opt out, no audio will be recorded, and only manual note-taking will occur.
  • AI scribe data is used only for clinical documentation purposes and is not used for training AI models without your consent.

5. Access and correction

  • You may request access to, or correction of, the personal information we hold about you. Requests can be sent to reception@pandionhealth.com.au.
  • We may require you to verify your identity before releasing or correcting personal information, to protect against unauthorised access.
  • We will respond within 30 days. If we refuse access or correction, we will provide written reasons and information about how to lodge a complaint.

6. Storage and security

We take reasonable steps to protect your information from misuse, loss, and unauthorised access. Security measures include:

  • Storage of clinical records and intake data on Microsoft SharePoint Online, hosted in Australian data centres.
  • Encryption of electronic records in transit and at rest.
  • Multi-factor authentication and role-based access controls for all staff.
  • Staff training in privacy, confidentiality, and information security.
  • Regular review of our security practices and processor agreements.

We comply with the Notifiable Data Breaches Scheme under the Privacy Act 1988 (Cth). If we become aware of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner as required by law.

7. Overseas disclosure of personal information

Some of the service providers we use to deliver our services are located outside Australia, or are part of corporate groups headquartered outside Australia. In line with Australian Privacy Principle 8, we disclose these arrangements to you below.

Wherever an overseas provider processes your personal information, we take reasonable steps to ensure they handle that information consistently with the Australian Privacy Principles, including through written Data Processing Agreements.

Provider | Location | Purpose
Tally BV | Belgium (EU) | Patient intake forms
Celonis SE (Make.com) | Czech Republic / United States | Workflow automation between intake forms and our record system
Microsoft Corporation | United States parent; data hosted in Australia | SharePoint Online (patient record storage) and Microsoft 365
Google LLC | United States | Website analytics and reCAPTCHA bot protection on forms
Vision6 | Australia | Email and SMS marketing communications (only if you have opted into our mailing list)

The list above reflects our principal overseas-touching providers at the time this policy was published. We review this list periodically. If we add a new overseas provider that materially affects how your information is handled, we will update this policy.

8. How long we keep your information

We retain personal information only as long as necessary for the purposes it was collected, or as required by law.

  • Intake form submissions (Tally). Submissions are automatically deleted from our intake form provider within 30 days of being transferred to our Australian-hosted patient record system.
  • Clinical records. We retain clinical records in line with our legal obligations under Australian state and territory health records legislation. For adult patients, this typically means at least 7 years from the date of last contact. For patients who were under 18 at the time of their care, records are kept until they turn 25, or 7 years from last contact, whichever is later.
  • Marketing contacts. If you have opted into marketing communications, we retain your contact details until you withdraw consent or we cease offering the service.
  • Website analytics. Aggregate analytics data is retained in line with the settings of our analytics provider (currently 14 months for Google Analytics).

Where information is no longer needed and is not required to be retained by law, we securely delete or de-identify it.

9. Children and young people

Pandion Health provides clinical services to children and adolescents aged 16 and under, as well as adults.

Where the patient is under 16, intake forms and consent are completed by a parent or legal guardian on the patient’s behalf. The clinical information collected is treated with the same level of confidentiality as that of adult patients.

Older adolescents may have the capacity to consent to their own care and to the handling of their own health information. Where this is the case, we will discuss this with the young person and their family before treatment begins.

If you believe a child has provided us with personal information without appropriate parental or guardian involvement, please contact us at reception@pandionhealth.com.au.

10. Cookies and website analytics

Our website uses cookies and similar technologies to understand how visitors use the site and to improve performance. We use:

  • Essential cookies required for the site to function.
  • Analytics cookies provided by Google Analytics (via Google Tag Manager), which help us understand visitor behaviour in aggregate. These cookies do not identify you personally.
  • reCAPTCHA, provided by Google, on our intake forms to detect and prevent automated abuse.

You can disable cookies through your browser settings. Disabling essential cookies may affect site functionality.

11. Complaints

If you believe we have breached your privacy, please contact us in writing:

We will acknowledge your complaint within 5 business days and respond substantively within 30 days.

If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC):

12. Anonymity and pseudonyms

Where possible, you may choose not to identify yourself or to use a pseudonym. However, in many cases, accurate identification is required for safe and effective healthcare delivery.

13. Updates to this policy

We review this policy at least annually and publish updates at www.pandionhealth.com.au/privacy-policy. The “last updated” date at the top of this policy reflects the most recent change.

Where we make material changes to how we handle your personal information, we will take reasonable steps to notify you — for example, by email to active patients or by a notice on our website.

If you have any privacy-related queries, please contact reception@pandionhealth.com.au.
