Privacy Policy
Effective date: 1 June 2025 · Auburn Health Pty Ltd (trading as Open Book Clinical) · ABN 86 679 963 681
1. Overview
Open Book Clinical is a clinical decision-support platform operated by Auburn Health Pty Ltd (trading as Open Book Clinical). We help AHPRA-registered allied health professionals find evidence-based answers from trusted clinical sources including Cochrane, PubMed, and Australian clinical guidelines.
This Privacy Policy explains how we handle personal information — including health information — that we collect from clinicians, students, and organisations who use our platform. It covers our website at openbook-clinical.vercel.app and all associated services.
By creating an account or using our services, you agree to the collection and use of information as described in this policy.
2. What we collect
We collect the following categories of personal information:
Account information
Full name, email address, professional role, AHPRA registration number, registration renewal date, specialisation, practice type.
Required to provide the service.
Search queries
The text of clinical questions you submit. These may incidentally include patient information if you choose to include it — see Section 3.
Required to return search results.
CPD activity logs
Activity type, AHPRA category, hours, date, and any notes you add when logging CPD activities.
Required to provide CPD tracking.
Payment information
Billing email, subscription plan, Stripe customer ID. We do not store card numbers, CVVs, or bank account details — these are held exclusively by Stripe.
Required to manage paid subscriptions.
Usage data
Pages visited, features used, search counts, care plans generated. Used in aggregate to improve the platform.
Legitimate interest in service improvement.
Technical data
IP address, browser type, device type, referring URL. Collected automatically by our hosting provider.
Security and platform stability.
3. Health information and patient queries
Search queries you submit may constitute health information under the Privacy Act 1988 (Cth) if they relate to the health of an identifiable individual. We treat all search query text as potentially sensitive and apply the same protections as other health information.
What we do with query text: Queries are transmitted to our AI processing pipeline to generate responses. Query text is stored in our database for up to 90 days to enable your search history feature, after which it is automatically and permanently deleted (see Section 7 — Data Retention).
What we do not do: We do not use query text to build profiles of individual patients. We do not sell or disclose query text to third parties except as required to operate the service (see Section 5). We do not use query text for advertising.
Your AHPRA number and registration details are stored solely to power the compliance tracking features of your account and are never shared with AHPRA or any third party without your explicit consent.
4. How we use your information
We use personal information we collect to:
- Provide, operate, and improve the Open Book Clinical platform
- Return AI-generated clinical evidence summaries in response to your queries
- Manage your account, subscription, and billing
- Track CPD hours and AHPRA registration renewal dates at your request
- Send transactional emails (account confirmation, password reset, subscription receipts)
- Send product update and engagement emails (you may opt out at any time)
- Detect and prevent fraud, abuse, and security incidents
- Comply with our legal obligations under Australian law
We do not use your information to make automated decisions with legal or significant effects without human review. Our platform provides decision support — clinical decisions remain entirely with the treating clinician.
5. Third-party service providers
We share personal information with the following third-party providers, each of whom processes data only as necessary to provide their service:
Supabase Inc.
Database and authentication
Data stored in AWS ap-southeast-2 (Sydney)
Vercel Inc.
Web hosting and edge functions
United States (with Australian edge nodes)
Stripe Inc.
Payment processing
United States — PCI DSS Level 1 certified
Postmark (Wildbit)
Transactional email delivery
United States
OpenAI / AI provider
AI processing of search queries
United States — queries are processed but not used for model training under our agreement
Where providers are located outside Australia, we take reasonable steps to ensure they are subject to substantially similar privacy protections, consistent with APP 8.
We do not sell personal information to third parties. We do not share personal information with advertisers. We do not share information with AHPRA, Medicare, or any government body except where compelled by law.
6. Data retention
We retain personal information only for as long as necessary for the purposes set out in this policy or as required by law:
Account information
Duration of account + 7 years after closureTax and compliance obligations
Search query history
90 days, then automatically deletedMinimise health information retention
CPD activity logs
Until you delete them or close your accountRequired for CPD tracking feature
Payment records
7 years from transaction dateAustralian tax law (ITAA 1997)
Audit logs (security)
12 monthsSecurity incident investigation
Marketing email opt-outs
IndefinitelyTo honour opt-out requests permanently
Search query history is deleted automatically by a scheduled process that runs every 24 hours. You can also delete individual searches manually from your search history at any time.
7. Security
We implement the following technical and organisational measures to protect your information:
- All data in transit is encrypted via TLS 1.2+
- Data at rest is encrypted by our database provider (Supabase/AWS)
- Row-level security policies ensure each user can only access their own data
- Passwords are hashed using bcrypt — we never store plaintext passwords
- Payment card data is never transmitted to or stored on our servers
- Production API keys and secrets are stored as environment variables, never in source code
- Access to production systems is restricted to authorised personnel only
No system is completely secure. If you have reason to believe your account has been compromised, please contact us immediately at privacy@openbook-health.com.
8. Your rights (APP 12 & 13)
Under the Australian Privacy Principles, you have the right to:
Access your data
Request a copy of all personal information we hold about you. We will respond within 30 days.
Correct your data
Request correction of inaccurate or out-of-date information. You can update most information directly in your account settings.
Delete your account
Request deletion of your account and associated personal information, subject to retention requirements for tax and legal records.
Opt out of marketing
Unsubscribe from non-essential emails at any time via the link in any email or by contacting us.
Data portability
Request an export of your CPD logs and search history in CSV format before account deletion.
Lodge a complaint
If you believe we have breached the APPs, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
To exercise any of these rights, email us at privacy@openbook-health.com. We will respond within 30 days. Identity verification may be required before we can action requests.
10. Data breach response
We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach that is likely to result in serious harm to any affected individual, we will:
- Contain the breach and assess its likely impact
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and no later than 30 days after becoming aware
- Notify affected individuals directly where required
- Take steps to prevent a recurrence
If you become aware of a potential security vulnerability or breach involving our platform, please disclose it responsibly to privacy@openbook-health.com.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify you by email. Your continued use of the platform after a change constitutes acceptance of the revised policy.
Previous versions of this policy are available on request.
12. Contact us
For privacy inquiries, access requests, correction requests, or complaints:
Privacy Officer — Auburn Health Pty Ltd (trading as Open Book Clinical)
Email: privacy@openbook-health.com
We aim to respond to all privacy enquiries within 5 business days, and to resolve all requests within 30 days as required by the Privacy Act.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).
This policy was last updated on 1 June 2025. It is written to comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the Notifiable Data Breaches scheme. This document does not constitute legal advice.