RecovrFlow

Privacy Policy

Last updated: June 2026

1. Introduction

Recovery VR PTY LTD trading as RecovrFlow (“RecovrFlow”, “we”, “us”, or “our”) is committed to protecting the privacy of our users, including Allied Health Professionals, their patients, and visitors to our website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024 (which received Royal Assent on 10 December 2024), and all relevant guidance issued by the Office of the Australian Information Commissioner (OAIC), including the OAIC’s dual AI Privacy Guidance published 21 October 2024 and the updated APP Guidelines (November 2025).

RecovrFlow operates exclusively in Australia. We do not offer our services internationally and do not collect or process personal information from individuals located outside Australia.

The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy, effective 10 June 2025. We acknowledge that individuals whose privacy is seriously invaded — including through misuse of health information — may bring a direct civil claim in the courts without requiring OAIC involvement. We take this right seriously, and our practices are designed to prevent any circumstances that could give rise to such a claim.

2. Anonymity and Pseudonymity (APP 2)

Under APP 2, we are required to give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with us — where this is lawful and practicable.

Clinical records — anonymity impractical

It is not practicable for individuals to interact with the RecovrFlow platform anonymously or pseudonymously in connection with the creation, storage, or management of clinical records. Clinical documentation generated through the platform is required by law to accurately identify the treating practitioner and the patient. Identified records are also a prerequisite for submission to NDIS, DVA, Medicare, and private health insurers. Accordingly, anonymity or pseudonymity for clinical use is not available and would be inconsistent with the primary purpose of the platform.

Website browsing and enquiries — anonymity available

Individuals who visit our marketing website or submit a general enquiry through our contact or waitlist forms may do so without providing their full legal name, to the extent they choose. We do collect usage data (such as IP address and browser information) automatically for analytics purposes, but this does not require you to identify yourself. If you submit an enquiry using a pseudonym or without a full name, we will respond to the contact details provided and will not attempt to identify you further.

3. Information We Collect (APP 3)

We collect personal information only where it is reasonably necessary for one or more of our functions or activities, and in accordance with APP 3. Health information is sensitive information under the Privacy Act 1988 and can only be collected with express consent and where reasonably necessary for our platform’s clinical documentation functions.

In accordance with OAIC AI Privacy Guidance (October 2024), where our AI processes clinical information and generates outputs — such as structured clinical notes, NDIS reports, or patient summaries — those AI-generated outputs about identified individuals constitute a new “collection” of personal information, not merely a use of existing information. Such AI-generated outputs must comply with all applicable APPs, including accuracy obligations under APP 10.

Account Information

Name, email address, professional credentials (including AHPRA registration number), clinic or organisation name, and contact details provided during registration.

Clinical Data

Patient assessment data, clinical notes, session audio recordings (via Ambient Consult Mode — see Section 6 for full audio handling disclosure), treatment plans, and associated documentation entered or generated through the platform. This constitutes health information under the Privacy Act 1988 and is treated as sensitive information requiring a higher standard of protection.

Government Scheme Data

NDIS participant numbers, DVA file numbers, Medicare provider and patient numbers, and related funding scheme identifiers. See Section 7 for specific handling obligations under APP 9.

Usage Data

Log data, device information, browser type, IP address, pages visited, and interactions with the platform for analytics and improvement purposes.

Waitlist Information

Email addresses and any additional information submitted through our waitlist or contact forms.

4. Unsolicited Personal Information (APP 4)

Occasionally, RecovrFlow may receive personal information that we did not solicit — for example, where a clinician pastes third-party patient data into a platform field beyond what the system requested, where we receive an unsolicited email containing health information, or where incidental information about a third party is included in material submitted to the platform.

In accordance with APP 4, when we receive unsolicited personal information, we will promptly assess whether we could have collected that information under APP 3 (i.e., whether collection was reasonably necessary for our functions and, in the case of sensitive information, whether express consent was obtained). If we determine that we could lawfully have collected the information, we will handle it in accordance with this Privacy Policy. If we determine that we could not have collected the information under APP 3, we will, as soon as practicable, destroy the information or ensure it is de-identified, provided it is lawful to do so.

If you have any concerns about information you may have submitted to the platform in excess of what was requested, please contact us at hello@recovrflow.health so that we can take appropriate action.

5. Collection Notice and How We Use Your Information (APP 5 & APP 6)

In accordance with APP 5, at or before the time we collect personal information (or as soon as practicable after), we notify individuals of: the identity and contact details of RecovrFlow; the purposes for which the information is being collected; the consequences if the information is not provided; any third parties to whom we usually disclose the information (including overseas recipients and AI service providers); and rights to access and correction.

For Ambient Consult Mode, this notification must occur before any recording commences. Our in-platform AI Consent Module supports clinicians in recording patient consent and displaying a disclosure notice prior to activation. Consistent with OAIC guidance, the notification specifically discloses that clinical data will be transmitted to third-party AI providers for processing — this disclosure is made at or before the time of collection.

We use the information we collect to:

  • Provide, operate, and maintain the RecovrFlow platform and services
  • Generate clinical reports and documentation compliant with NDIS, DVA, Medicare, and private health insurance requirements (primary purpose)
  • Cross-reference your clinical documentation against published funding scheme criteria (such as NDIS section 34 Reasonable and Necessary requirements) to highlight which criteria your documentation already addresses and flag areas that may need attention
  • Improve and personalise the platform experience (using de-identified, aggregated data only)
  • Communicate with you, including sending product updates, security alerts, and support messages
  • Comply with legal obligations and enforce our Terms of Service

In accordance with APP 6, we will not use or disclose personal information for a secondary purpose unless you have consented, or an exception under the Privacy Act applies. We will never use patient data to train, fine-tune, or improve AI models (see Section 9).

We note that the transmission of clinical data to our third-party AI providers for inference is itself a “disclosure” under APP 6, even where those providers operate under zero data retention agreements. This transmission is justified as directly related to the primary purpose of collection (generating clinical documentation) and is a purpose that patients would reasonably expect. Our zero-retention agreements address storage and model training, but we acknowledge — consistent with OAIC guidance — that they do not eliminate the disclosure itself.

6. Ambient Scribe Data Handling

When a clinician activates Ambient Consult Mode, the following data lifecycle applies:

Audio capture

Audio is captured locally on the clinician’s device and transmitted over an encrypted TLS 1.3 connection to a transcription service operating solely within Australia (see Section 8 and Section 10 for infrastructure details). Audio is processed in real time for transcription.

Transcript and note generation

Once the consultation concludes, a transcript is used to generate a structured clinical note. The raw transcript is then deleted from RecovrFlow’s systems. The generated clinical note is retained within the practice’s RecovrFlow environment, subject to the practice’s own data retention policy and the clinician’s professional record-keeping obligations (see Section 11 for statutory retention periods).

Audio deletion

Raw audio recordings are never stored by RecovrFlow. Audio is processed in memory during the consultation and discarded immediately after transcription. No audio file is written to disk or retained in any storage system.

Patient notification

Patients must be informed by the treating clinician prior to any ambient AI recording. RecovrFlow provides in-app consent recording tools and an AI disclosure banner that clinicians can display to patients. This aligns with the Safer Care Victoria Ambient AI Scribes Advisory recommendation that patients are always informed and consenting.

State and Territory Surveillance Devices Act compliance

The legal requirements for consent to audio recording of health consultations vary by state and territory. Because the recording is initiated by or on behalf of the health service (service-led recording), patient consent is required in all Australian jurisdictions. The table below summarises the applicable laws. Clinicians are responsible for ensuring compliance with the law of the jurisdiction in which they practise.

Jurisdiction | Consent requirement                                                  | Relevant law
VIC          | One-party permitted; service-led recording requires patient consent  | Surveillance Devices Act 1999 (Vic)
NSW          | All-party consent required (subject to exceptions)                   | Surveillance Devices Act 2007 (NSW)
QLD          | One-party; processing and sharing requires consent                   | Invasion of Privacy Act 1971 (Qld)
SA           | All-party (two-party) consent required                               | Surveillance Devices Act 2016 (SA)
WA           | All-party (two-party) consent required                               | Surveillance Devices Act 1998 (WA)
ACT          | All-party consent for service-led recording                          | Listening Devices Act 1992 (ACT)
TAS          | All-party consent for service-led recording                          | Listening Devices Act 1991 (Tas)
NT           | One-party consent                                                    | Surveillance Devices Act 2007 (NT)

In South Australia and Western Australia, all parties to the conversation (including the clinician) must consent before recording commences. Recording must be immediately stopped and any captured data deleted if consent is withdrawn during a consultation.

7. NDIS, DVA and Medicare Data (APP 9)

APP 9 restricts the adoption, use, and disclosure of government-related identifiers. RecovrFlow collects the following government-related identifiers solely for the purposes described below:

NDIS Participant Numbers

Purpose: To match patient records to NDIS participant accounts for the generation of Service Agreements, Support Plans, Progress Reports, and other NDIS documentation required to support funding claims and plan reviews. Restrictions: NDIS participant numbers are not adopted as RecovrFlow’s own identifier. They are not disclosed to any third party other than the NDIS (via the clinician) in the course of submitting NDIS documentation. All handling is in accordance with the National Disability Insurance Scheme Act 2013 (Cth) and associated Privacy Rules.

DVA File Numbers

Purpose: To identify veteran patients for the generation of DVA-compliant clinical reports and claims documentation submitted under the Veterans’ Entitlements Act 1986 (Cth) and the Military Rehabilitation and Compensation Act 2004 (Cth). Restrictions: DVA file numbers are not adopted as RecovrFlow’s own identifier and are not used for any purpose unrelated to DVA report generation and submission. They are handled in accordance with DVA’s information management requirements.

Medicare Numbers (Provider and Patient)

Purpose: Medicare Individual Reference Numbers and Medicare Provider Numbers are used exclusively for generating Medicare-compliant clinical documentation, preparing Mental Health Treatment Plans, and supporting item number validation for Medicare Benefits Schedule claims. Restrictions: Medicare numbers are not adopted as RecovrFlow’s own identifier. They are not disclosed to third parties other than as necessary for the direct purpose for which they were collected. They are not used to link records across unrelated patients or to build profiles beyond the immediate clinical documentation purpose.

All government scheme identifiers are stored exclusively at Microsoft Azure (Australia East — Sydney) and are never transferred overseas (APP 8). Access is restricted to the treating clinician and their organisation via role-based access controls and Row Level Security at the database level. We do not use government-related identifiers as RecovrFlow’s own internal identifiers for any purpose.

8. AI and Automated Processing (APP 10 & Automated Decision-Making)

RecovrFlow uses artificial intelligence and automated processing to assist clinicians in generating clinical documentation. In accordance with OAIC AI Privacy Guidance (October 2024) and the Privacy and Other Legislation Amendment Act 2024, we disclose the following:

What our AI does

Our AI transcribes real-time audio from clinical consultations and generates structured clinical notes, NDIS reports, DVA reports, and Medicare documentation. AI outputs are always presented to the treating clinician for review and approval before any clinical or administrative use.

Zero data retention — AI model training

Patient data is never used to train, evaluate, or improve AI models. This is a foundational commitment of RecovrFlow. Our AI providers operate under zero-retention data processing agreements — no patient audio, transcripts, or clinical content is retained by any third-party AI provider beyond the immediate inference request. See Section 10 for sub-processor details.

Accuracy obligations for AI-generated content (APP 10)

Under APP 10, we must take reasonable steps to ensure that personal information we hold is accurate, up-to-date, complete, and not misleading. The OAIC’s October 2024 AI guidance imposes a heightened accuracy standard for AI-generated personal information, recognising the particular risk of hallucinations and errors. To discharge this obligation, RecovrFlow: (a) flags all AI-generated content as AI-assisted within the platform; (b) requires clinician review and approval before any AI-generated note or report is finalised; (c) maintains audit trails of review and approval events; and (d) regularly tests and monitors AI output quality. Clinicians must not finalise or submit AI-generated content that has not been independently reviewed for accuracy.

Automated decision-making formal disclosure

The Privacy and Other Legislation Amendment Act 2024 introduces a new obligation (effective December 2026) requiring APP entities to disclose in their privacy policy when personal information is used in automated decision-making with a significant effect on individuals. RecovrFlow proactively makes this disclosure now.

Automated decision-making activities: RecovrFlow’s AI-assisted report generation processes personal information through automated systems to produce clinical documentation drafts. The Service also cross-references your documentation against published funding scheme criteria—including NDIS section 34 “Reasonable and Necessary” requirements, DVA entitlement criteria, and Medicare Benefits Schedule requirements—to provide a contextual overlay highlighting which published criteria your documentation addresses. No new clinical information is generated by this process; the Service maps your own input against publicly available legislative and regulatory frameworks. These processes may have a significant effect on patients because the resulting documentation influences government funding decisions.

Human oversight requirement: No fully automated decision with legal or significant effect is made without human review. All AI-generated content must be reviewed and approved by a qualified, registered clinician before submission. The clinician bears full professional and legal responsibility for the content of any submitted documentation.

Types of systems involved: Large language model (LLM) inference services accessed via Microsoft Azure AI endpoints; speech-to-text transcription services processing audio in real time.

Patient consent for AI processing

Consistent with AHPRA’s AI in Healthcare guidance (August 2024) and Principle 4 on informed consent, RecovrFlow provides an in-platform AI Consent Module that enables clinicians to record patient consent (verbal, written, or digital) prior to activating ambient AI recording for any consultation. Recording cannot commence without documented consent.

Professional indemnity insurance

In accordance with AHPRA’s AI in Healthcare guidance (Principle 5), practitioners should confirm with their professional indemnity insurer that their policy covers AI-assisted clinical documentation. Many professional indemnity policies were written before AI scribes were commonplace and may require an endorsement or notification to the insurer. RecovrFlow strongly recommends that all clinician customers take this step before using the platform with patients. RecovrFlow’s own professional indemnity insurance does not extend to clinical decisions made by practitioners.

9. Disclosure of Information (APP 6)

We do not sell, rent, or trade your personal or clinical information. We may share information only in the following circumstances:

  • Service Providers: Trusted sub-processors who assist in operating the platform (as listed in Section 10), bound by strict confidentiality and data processing obligations
  • Third-party AI providers: Clinical data is transmitted to AI inference services for the sole purpose of generating clinical documentation (the primary purpose of collection). This transmission is itself a “disclosure” under APP 6, justified as directly related to the primary purpose and within the reasonable expectation of patients who have provided informed consent. All AI providers operate under zero-retention agreements (no storage or model training). See Section 10 for provider details and countries of processing.
  • Legal Requirements: When required by Australian law, regulation, or legal process (e.g. court order, regulatory demand)
  • Safety: To protect the rights, property, or safety of RecovrFlow, our users, or the public
  • Consent: With your explicit consent for any purpose not listed above

10. Sub-processors and Third Parties (APP 8 — Cross-Border Disclosure)

In accordance with APP 8, before disclosing personal information to an overseas recipient, we must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. If an overseas recipient breaches the APPs, RecovrFlow is taken to have breached the APPs. We disclose the following sub-processors and their countries of processing.

We note that zero-retention agreements address storage and model training but do not, of themselves, fully satisfy APP 8. Consistent with OAIC guidance, we maintain genuine due diligence obligations over all overseas AI providers, including requiring SOC 2 Type II certification, ISO 27001 certification, documented data processing agreements, and breach notification timelines of 24 hours or less to RecovrFlow.

Supabase (on Microsoft Azure — Australia East, Sydney)

Database and backend infrastructure. All clinical data, patient records, and generated reports are stored in Sydney, Australia (Microsoft Azure Australia East). Supabase operates as a data processor under our agreement; data does not leave the Australia East region. No cross-border disclosure occurs for data stored in this infrastructure.

AI Transcription and Generation Providers — Microsoft Azure AI

We use Microsoft Azure AI services for speech-to-text transcription and clinical note generation. Our Azure AI inference endpoints are configured to process data within Australia (Australia East — Sydney) where Microsoft offers Australian-region AI services. For any Azure AI capability not yet available in the Australia East region, processing may occur in Microsoft’s nearest compliant region; we disclose this as a potential cross-border disclosure and maintain a data processing agreement with Microsoft requiring APP-consistent handling. We will update this policy if endpoint configurations change.

All Azure AI providers operate under zero data retention agreements: they do not store, log, or use submitted data for model training. API calls contain only the minimum data necessary for inference. A current list of AI sub-processors, including processing locations, is available on request at hello@recovrflow.health.

Vercel (Frontend Hosting)

Application delivery and hosting. Vercel may process request metadata (IP address, browser information) for the purpose of serving the application. Clinical data is not processed by Vercel.

Stripe (Billing)

Payment processing for subscription billing. Stripe processes payment card information under their own PCI-DSS compliance framework. RecovrFlow does not store payment card details. Billing data is processed in Stripe’s infrastructure; payment information does not include clinical or patient data.

We review our sub-processors regularly and update this register as our technology stack evolves. You may request a current list of sub-processors, including their processing locations and applicable safeguards, at any time by contacting us (see Section 18).

11. Data Storage, Sovereign Data Residency & Retention Periods

RecovrFlow employs a Sovereign Data Residency architecture. All clinical and patient data is stored exclusively in Australia:

  • Australia: Microsoft Azure (Australia East — Sydney) — all clinical data, patient records, and generated reports

Patient data is never transferred outside Australia for storage purposes. We do not operate data storage in the United States, Europe, or any other jurisdiction. This is a deliberate design decision consistent with the Safer Care Victoria Ambient AI Scribes Advisory requirement that health services use AI scribes that store and process data in Australia.

All data is encrypted at rest (AES-256) and in transit (TLS 1.3).

Statutory retention periods for clinical records

The retention of clinical records held on the RecovrFlow platform is subject to the following minimum periods under applicable health records legislation:

Patient type                          | Minimum retention period                    | Authority
Adult patients (NSW, VIC, ACT)        | 7 years from last service                   | State health records legislation
Minor patients (NSW, VIC, ACT)        | Until the patient turns 25 years of age     | State health records legislation
Patients in other states/territories  | Minimum 7 years recommended                 | APP 11 / NDIS Code of Conduct
NDIS participant records              | 7 years (recommended)                       | NDIS Code of Conduct & Privacy Act

Clinicians and practices bear primary responsibility for meeting record-keeping obligations under applicable law. AI scribe artefacts that do not form part of the medical record (such as raw transcripts and interim audio) are destroyed as soon as practicable after the final clinical note is approved, consistent with the Safer Care Victoria Advisory.

12. Notifiable Data Breaches

RecovrFlow is an APP entity subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of a suspected eligible data breach:

  • We will conduct an assessment within 30 days of becoming aware of the suspected breach (APP 11 / s 26WH obligation)
  • If the assessment concludes there are reasonable grounds to believe an eligible data breach has occurred, we will notify the OAIC and affected individuals as soon as practicable
  • Where a breach originates from or is discovered by a sub-processor (including an AI provider), we require that sub-processor to notify RecovrFlow within 24–48 hours of discovery. We will relay this notification to affected clinician customers as soon as practicable to enable them to meet their own NDB obligations. Our contractual terms with sub-processors specify this 24–48 hour vendor-to-customer notification timeline.
  • Notifications will include: the nature of the breach, the kinds of information involved, the steps we have taken in response, and recommendations for affected individuals
  • Given that our platform handles health information (a sensitive information category), we treat potential breaches with the highest level of urgency

To report a suspected data breach or security incident, please contact hello@recovrflow.health immediately.

13. Direct Marketing (APP 7)

RecovrFlow may use the contact details of clinician customers and prospects for direct marketing communications, including product updates, feature announcements, educational content, and promotional offers relating to the RecovrFlow platform. We only use personal information for direct marketing where we have obtained consent or where an individual is an existing customer and the marketing relates to our own similar services, consistent with the Spam Act 2003 (Cth) and APP 7.

Opt-out: Clinician customers may opt out of marketing communications at any time by: (a) clicking the “unsubscribe” link in any marketing email; (b) updating communication preferences in the platform account settings; or (c) contacting us at hello@recovrflow.health. We will process opt-out requests promptly and within five business days. Opting out of marketing communications does not affect the receipt of essential service communications (such as security alerts, billing notices, and policy updates).

We do not use patient health information for direct marketing purposes. We do not sell or share customer contact details with third parties for their marketing purposes.

14. Security (APP 11)

We implement robust technical and organisational measures to protect your data, consistent with the objective standard affirmed in Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 1224, including:

  • AES-256 encryption at rest and TLS 1.3 encryption in transit
  • Role-based access controls and multi-factor authentication
  • Row Level Security (RLS) policies at the database layer ensuring strict organisational data isolation
  • Regular security audits, penetration testing, and vulnerability assessments
  • Comprehensive audit logging for all data access and modifications
  • Documented incident response procedures

15. Your Rights (APP 12 & APP 13)

Under the Australian Privacy Principles, you have the following rights regarding your personal information:

  • Access (APP 12): Request a copy of the personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for access requests that require significant effort.
  • Correction (APP 13): Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information, including AI-generated content. If we correct your information, we will take reasonable steps to notify any third parties to whom we have disclosed the information. If we decline to correct, we will provide written reasons and information on how to escalate to the OAIC.
  • Deletion: Request deletion of your personal information, subject to legal and professional record-keeping retention obligations (see Section 11 for statutory retention periods).
  • Portability: Request a copy of your data in a structured, machine-readable format.
  • Objection to AI processing: Request that your records not be processed by our AI features. Clinicians may disable Ambient Consult Mode on a per-patient basis through the platform settings.
  • Serious privacy invasion tort: Where a serious invasion of privacy has occurred involving your personal information, you may have the right to bring a direct civil claim under the statutory tort introduced by the Privacy and Other Legislation Amendment Act 2024, effective 10 June 2025. This right exists independently of the OAIC complaints process.

To exercise any of these rights, please contact us at the details provided in Section 18.

16. Cookies and Tracking Technologies

We use essential cookies to maintain your session and ensure the platform functions correctly. We may also use analytics cookies (such as Vercel Analytics) to understand how the platform is used and to improve the experience. We do not use cookies for advertising purposes.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable Australian laws. We will notify you of any material changes by posting the updated policy on our website with a revised “Last updated” date. We encourage you to review this policy periodically.

18. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Recovery VR PTY LTD trading as RecovrFlow

Email: hello@recovrflow.health

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.