Legal

Privacy Policy

Effective date: 1 February 2026 · Last updated: 1 February 2026

1. Introduction

MEDsort Pty Ltd (ABN 84 102 943 944) (“MEDsort”, “we”, “us”, or “our”) operates the MEDsort platform, an AI-powered medical document workflow automation service designed for medical practices across Australia.

We are committed to protecting the privacy of all individuals whose personal information we handle, including medical practitioners, practice staff, and patients whose health information may be processed through our platform.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It applies to all users of our website (medsort.com.au), web application, APIs, and related services (collectively, the “Service”).

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are a medical practice administrator or authorised user, you are responsible for ensuring that your staff and patients are informed about how their information is handled through MEDsort.

2. Information We Collect

2.1 Account and Practice Information

When you register for an account or subscribe to our Service, we collect:

  • Full name, email address, and contact telephone number of authorised users
  • Practice name, address, ABN, and provider numbers
  • Billing and payment information (processed securely by our third-party payment provider)
  • Role and access level within the practice (e.g. practitioner, receptionist, practice manager)

2.2 Patient Health Information

In the course of providing our document processing service, we may process documents that contain patient health information, including:

  • Patient names, dates of birth, and contact details
  • Medicare numbers and other healthcare identifiers
  • Pathology results, radiology reports, specialist referrals, and other clinical correspondence
  • Diagnoses, test results, medications, and clinical findings extracted by our AI processing

This information is classified as “health information” and “sensitive information” under the Privacy Act and is afforded the highest level of protection. MEDsort processes this data solely as a service provider on behalf of the medical practice, which remains the primary holder and custodian of patient records.

2.3 Usage and Technical Data

We automatically collect certain technical information when you use the Service:

  • IP address, browser type, operating system, and device information
  • Pages visited, features used, and time spent within the application
  • Error logs and performance data to maintain and improve the Service
  • Authentication logs and access timestamps for security and audit purposes

2.4 Cookies and Similar Technologies

We use essential cookies to maintain your session and authentication state. We may also use analytics cookies to understand how the Service is used and to improve the user experience. You can manage cookie preferences through your browser settings. Essential cookies cannot be disabled as they are necessary for the Service to function.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

  • To process, categorise, and extract structured data from incoming medical documents
  • To match documents to patient records within your practice
  • To provide document management, search, and workflow automation features
  • To manage your account, process subscriptions, and provide customer support

3.2 AI Processing

  • To apply artificial intelligence and machine learning models that extract patient details, test results, and clinical findings from PDF attachments and emails
  • To categorise documents by type (pathology, imaging, referrals, etc.)
  • To flag items requiring urgent review or practitioner attention

3.3 Service Improvement

  • To analyse usage patterns and improve the accuracy of our AI models
  • To identify and resolve technical issues, bugs, and performance bottlenecks
  • To develop new features based on aggregated, de-identified usage insights

3.4 Communications

  • To send service notifications, security alerts, and account-related communications
  • To respond to support enquiries and provide technical assistance
  • To send product updates and feature announcements (you can opt out at any time)

4. AI and Automated Processing

MEDsort uses artificial intelligence to automate the extraction and categorisation of information from medical documents. We believe in transparency about how this technology works and the safeguards we have in place.

4.1 How AI Processing Works

When a document is submitted for processing, our system uses large language models (LLMs) to analyse the content of PDFs and email attachments. The AI identifies and extracts structured data such as patient details, test names, result values, reference ranges, and clinical notes. This extracted data is then presented to the authorised user for review.

4.2 Human Oversight

AI-extracted data is always presented as a draft for human review. No clinical decisions are made automatically by our system. Medical practitioners retain full authority and responsibility for reviewing, correcting, and approving any data before it is saved to a patient's record. MEDsort is a clinical support tool, not a diagnostic or decision-making system.

4.3 Data Used for AI Processing

Document content is transmitted securely to our AI processing infrastructure for analysis. We do not use your patient data to train general-purpose AI models. Processing is performed on a per-document basis, and document content is not retained by our AI provider after processing is complete.

4.4 Accuracy and Limitations

While our AI models are designed to achieve high accuracy, no automated system is infallible. Extracted data should always be verified by a qualified healthcare professional. We continuously work to improve accuracy and will notify users of any known limitations relevant to specific document types.

5. Data Sharing and Disclosure

We do not sell, rent, or trade personal information. We may share information in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party service providers who assist in delivering the Service. These include:

  • Cloud infrastructure providers for hosting and data storage
  • AI model providers for document processing
  • Payment processors for subscription billing
  • Analytics providers for service improvement (using de-identified data only)

All service providers are contractually required to protect personal information and may only use it for the specific services they provide to us.

5.2 Legal Requirements

We may disclose personal information where required or authorised by:

  • Australian law, including court orders and subpoenas
  • A lawful request from a government agency or regulatory authority
  • The need to protect the rights, property, or safety of MEDsort, our users, or the public

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users and ensure that any successor entity is bound by equivalent privacy protections.

6. Data Security

We take the security of personal and health information extremely seriously. Our security measures include:

6.1 Technical Safeguards

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Secure authentication with support for multi-factor authentication (MFA) and single sign-on (SSO) for Enterprise plans
  • Role-based access controls ensuring users only access data relevant to their function
  • Regular security assessments, penetration testing, and vulnerability scanning

6.2 Organisational Safeguards

  • Staff access to production data is strictly limited and logged
  • All personnel undergo privacy and security training
  • Incident response procedures are in place for potential data breaches
  • Comprehensive audit logging for all data access and modifications

6.3 Notifiable Data Breaches

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes described in this policy, or as required by law.

  • Account data is retained for the duration of your subscription and for a reasonable period afterward to allow for account reactivation or to comply with legal obligations.
  • Processed documents and extracted data are retained within your practice's account and are available for the duration of your subscription. Upon account termination, this data is securely deleted within 90 days unless you request earlier deletion or we are required to retain it by law.
  • Usage and technical data is retained in aggregated, de-identified form for analytics purposes and in identifiable form for up to 12 months for security and audit purposes.
  • Billing records are retained for 7 years in accordance with Australian tax law requirements.

You may request deletion of your data at any time by contacting our Privacy Officer. We will process such requests in accordance with our legal obligations and within a reasonable timeframe.

8. Your Rights and Choices

Under the Australian Privacy Principles, you have the following rights regarding your personal information:

8.1 Access

You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days. In some circumstances, we may charge a reasonable fee for providing access, and we will inform you of any such fee in advance.

8.2 Correction

You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will take reasonable steps to correct the information within 30 days of your request.

8.3 Deletion

You may request deletion of your account and associated personal information. We will comply with such requests unless we are required to retain the information by law or for a legitimate business purpose.

8.4 Data Portability

You may request an export of your data in a commonly used, machine-readable format. We will provide this within a reasonable timeframe.

8.5 Marketing Communications

You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us directly. This does not affect essential service communications.

8.6 Complaints

If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint with our Privacy Officer. We will investigate and respond to your complaint within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

9. International Data Transfers

All data storage and processing infrastructure used by MEDsort is located exclusively within Australia. We do not transfer customer data — including patient health information, practice data, and uploaded documents — to any jurisdiction outside of Australia. This applies to primary storage, backups, AI processing, and all ancillary services that handle customer data.

All third-party service providers that handle customer data are contractually required to process and store data within Australian territory. For full details on our data storage infrastructure and Australian data sovereignty commitment, please refer to our Data Storage Policy.

10. Children's Privacy

The MEDsort Service is designed for use by medical professionals and practice staff, and is not directed at individuals under the age of 18. We do not knowingly collect account information from children.

Patient health information processed through our Service may relate to individuals of any age, including minors. This information is processed solely on behalf of the medical practice in accordance with their obligations under applicable health records legislation and the Privacy Act.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Notify registered users via email or through an in-app notification
  • Where required by law, obtain your consent before implementing changes that affect how your information is handled

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or want to make a complaint, please contact our Privacy Officer:

Privacy Officer

MEDsort Pty Ltd

Email

privacy@medsort.com.au

Post

Privacy Officer
MEDsort Pty Ltd
Beaumaris VIC 3193

OAIC

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au or call 1300 363 992.