MedReleaf Telehealth Clinic Privacy Policy

Effective Date: July 1, 2025

1. About this Policy

This Privacy Policy (Policy) applies to Indica Industries Pty Ltd (ABN 25 611 697 762) trading as MedReleaf Telehealth Clinic (we, us, our).

We are a national telehealth clinic comprised of medical practitioners, pharmacists and nurse practitioners expert in treating patients with holistic healthcare. For more information see: https://www.medreleafclinics.com.au.

We are committed to protecting your personal information. We must comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth)(Act), and other laws that regulate how private sector health service providers handle your personal information.

This Policy outlines how we handle personal information, including:

• how we collect, use, store and disclose personal information related to individuals, including clinic patients, website visitors, service users, next-of-kin, nominated support persons, referring doctors, health professionals, trainees, service providers, medical representatives and other individuals;
• if you have opted in, our direct-marketing activities;
• our privacy management practices; and
• how individuals may access and correct personal information that we hold.

This Policy may be updated from time to time.

1. Key Terms

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information is recorded in material form or not. Personal information includes incorrect, inferred, or artificially generated information where it is about a reasonably identifiable individual. Personal information also includes health information and sensitive information. Personal information does not include information that is properly de-identified.

Sensitive information is a subset of personal information. Sensitive information includes information about an individual’s race, religion, ethnic origin, political opinion, sexual orientation or criminal record, where the information is in relation to a reasonably identifiable individual. Sensitive information includes health information about an individual and genetic information that is not otherwise health information. An image of a person is sensitive information where it implies one of the categories of sensitive information, or will be used for automated identification. Sensitive information attracts a higher privacy standard under the Act.

Health information is a subset of personal information. It includes personal information that is also information or an opinion about, or in relation to, an individual’s health (including illness or injury at any time) or disability, or the health services provided to an individual, and includes an individual’s expresses wishes regarding the future provision of health services.

Health information also includes other personal information that is:

• collected to provide, or in providing, a health service to an individual;
• collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances; and
• genetic information about an individual in a form that is, or could be, predictive of the health of the individual or their genetic relative.

1. How we handle your personal information
   1. What Personal Information Do We Collect?

The types of personal information we may collect from you depends on the dealings you have with us. We will only collect personal information that is reasonably necessary for our functions or activities.

Patients and prospective patients

We collect personal information that is reasonably necessary to provide you with healthcare services, and for our administrative and business purposes. This personal information may include your name, address, date of birth, contact details, billing details and emergency contact information. We may also collect your health information, including but not limited to:

• Your current and past medical history, including relevant family medical history, lifestyle and/or ethnic background, to enable the healthcare team to manage your condition
• Medications you are currently taking
• Details of other healthcare providers and services involved in your care
• Your healthcare preferences and directives
• Healthcare results
• Family contact information
• Information about your legal advisors, guardian, or individuals responsible for your

healthcare decisions.

If applicable, we may collect data like your Medicare number, private healthcare provider details, Department of Veterans’ Affairs (DVA) details, or healthcare card number, and information about your entitlements under these arrangements.

Other individuals

We may collect personal information about individuals who are not our patients, such as:

• Individuals engaging our services;
• Independent service providers and contractors working with us;
• Other individuals who engage with us on a commercial basis;
• Healthcare professionals referring patients to us or providing services to our patients;
• Visitors to our websites;
• Persons applying for jobs with us.

This personal information may include your name, address, date of birth, contact details, payment information (e.g. banking details) and other information reasonably necessary for us to engage with you.

For those individuals providing services to us (such as contractors), we may also collect sensitive information such as your criminal record, working with children checks and health information.

We may also collect personal information about individuals who engage with our AI systems such as Zendesk. Zendesk may generate and infer personal information in your interactions.  We will only collect personal information about you that is:

• reasonably necessary for our functions and activities; and
• only by lawful and fair means.

The kinds of personal information which we may use AI systems to generate or infer about you may include:

• your name;
• background; and
• contact details.

Personal information generated or inferred about you by our AI systems will be managed by us in accordance with the APPs and this Privacy Policy.

1. 1. How Do We Collect Your Personal Information?

Where reasonable and practicable, we will collect personal information directly from you.

Patients and prospective patients

We may collect personal information directly from you when you:

• register as a patient at one of our clinics and complete the necessary documentation;
• communicate with us through email, telephone, SMS, our websites, our MyRecord APP or social media, or schedule an appointment online;
• engage with our websites;
• interact with our staff or representatives during the course of receiving our services; or
• conduct business with us.

With your consent, or where it is not reasonable or practical for us to collect this information directly from you (such as where you are experiencing a medical emergency, or you do not know the relevant information) we may collect personal information from third parties such as from your relative, treating healthcare providers, the My Health Record system, Australian Immunisation Register or family members.

Prospective Employees/Applicants

When you apply for a position with us, we may collect your personal information, such as your name, contact details, qualifications, and employment history. This information is typically obtained directly from you but may, with your consent, also be sourced from third parties like recruitment agencies, Government departments providing relevant record checks, or referees you have nominated.

If you apply for a position with us and that application is successful, we may also collect other information from you, including your bank details and tax file number.

1. 1. How Do We Collect and Use Personal Information about Children?

We may collect personal information about children (individuals under the age of 18) for the purposes of providing services to our pediatric patients from their responsible adult, such as their parent or guardian. Whether a child has the capacity to make their own privacy decisions will be determined by us on a case-by-case basis. We will consider, among other factors, the child’s maturity and age.  We will otherwise treat consent provided by the relevant responsible adult as consent provided on behalf of the child.

1. 1. Engaging with us electronically

Website Visitors

You can visit our website www.medreleafclinics.com.au, without disclosing your identity. Any personal information you provide to us via our websites will be managed in accordance with this Policy.

Cookies

Our websites use cookies. A cookie is a small file stored on your computer’s browser, used to manage customised settings and content delivery. Cookies collect certain non-identifiable information about your device type, browser type, IP address, accessed pages, and third-party websites. You can refuse to accept cookies by adjusting your internet browser settings, but this may affect the full functionality of our websites. We utilise third-party services, such as Google Analytics, for demographic analysis of website visitors to assist us in improving our website.

1. How Do We Hold and Protect Your Personal Information?

We collect and store your personal information in various forms, including electronic form, paper records, on our MyRecord APP, visual records (such as x-rays, CT scans, videos, and photos), and audio recordings.  Paper records may be converted into electronic format, and the original paper documents securely destroyed. Information in paper, visual, and audio formats is securely kept either at our facilities or in secure archive facilities within Australia and Canada.

Information about individuals who apply for a position with us, and personnel working with us (including employees after July 1, 2025 will be stored on our HR platform, SuccessFactors. This electronic information is securely stored on computer systems and servers located in Canada.

We maintain physical security measures for paper, visual, audio, and electronic data, including on-site and off-site locks and security systems. Additionally, we employ computer and network security measures like firewalls and user authentication with passwords to control access to our computer systems.

Our employment contracts with staff and agreements with contractors include reasonable confidentiality obligations.

We take reasonable steps to safeguard personal information against misuse, interference, loss, unauthorised access, modification, or disclosure, including to and by our related entity located in Canada, Aurora Cannabis Inc.

1. How Do We Use and Disclose Your Personal Information?

We use your personal information for the primary purpose for which it was collected, or:

• a secondary purpose that is related (or for sensitive information, directly related) to the primary purpose and you would reasonably expect, or we have told you, that your personal information will be used or disclosed in that way;
• otherwise with your consent;
• where we are required or authorised by law to use or disclose your personal information;
• where disclosure will prevent or lessen a serious or imminent threat to life, health or safety; or
• the disclosure is reasonably necessary for the enforcement of a law.

Note: A related ‘secondary purpose’ is one that is connected to, or associated with, the primary purpose.

Note: For the use or disclosure of sensitive information, the secondary purpose must be ‘directly related’ to the primary purpose of collection. This means it must be closely associated with the primary purpose, even if it is not strictly necessary to achieve the primary purpose.

1. 1. Specific details of how we may disclose your personal information

In the course of providing our services to you or after we have provided a service, we may use or disclose your personal information to:

• your treating practitioners and allied health providers to provide your medical care;
• health service providers outside of our clinic to whom you may be referred for further treatment or diagnostic tests (e.g. pathology or diagnostic imaging), or to your referring practitioner;
• MyHealth Record unless you have opted-out;
• our administrative staff including admitting officers to assess your suitability for our service, and receptionists to make appointments;
• Medicare or other funding bodies as part of our billing process;
• our professional advisers such as lawyers, insurers, accountants, or auditors; or
• anyone to whom part or all of our assets or business are transferred or sold.

For the purpose of determining the appropriate services to provide you or to ensure multidisciplinary collaboration in your care, your personal information may be discussed in our team meetings or shared with other persons within our organisation. Where you opt in for direct marketing, we may also share your personal information with our marketing team for direct marketing purposes. 

With your informed consent, we may use your personal information in, or disclose your personal information to, AI systems for the following purposes:

• to provide you with an answer to your query;
• to provide you with a health service; or
• as notified by us from time to time.

We do not input personal information into publicly available AI systems.

We may engage third parties to perform services on our behalf, and we may use and disclose personal information to facilitate these arrangements. This may include specialist care services, allied health services, general domestic and personal care services, customer satisfaction surveys, IT, debt collection, and practice supplier services, among others. Third parties to whom we disclose your personal information may directly inform you of the collection of your personal information and provide information about their privacy policies.

1. 1. Overseas Disclosure

We do not routinely disclose patient personal information to overseas recipients outside of our organisation.

If you have applied for a job with us, or are a current employee, we may transfer your personal information to servers located in Canada. We will otherwise only disclose your personal information to overseas recipients if we have your consent or if an exception under the APPs applies.

1. Dealing With Us Anonymously or Using A Pseudonym

Where possible and lawful, you may interact with us anonymously or by using a pseudonym but this may limit the services we can provide. For example, if you call us with a general question, we will not record your name unless we need it to adequately address your query.  We will usually need to know your identity to provide health care services.

1. What Happens If You Do Not Provide Your Personal Information?

If you choose not to provide us with some or any of your personal information, we may not be able to verify or respond to your enquiry, provide you with the full extent of our services, or offer you employment or volunteer opportunities (as applicable).

1. Purposes For Which We Collect, Hold, and Use Your Personal Information

We collect personal information for the purposes of performing our functions and activities, including providing our services to you. This includes, but is not limited to:

• Coordinating with other healthcare services;
• Enabling medical practitioners at our clinics to provide appropriate healthcare, treatment, and services;
• Managing and conducting our business;
• Obtaining feedback and managing any complaints lodged;
• Undertaking safety and quality assurance activities;
• Administering billing, payments, debt recovery and benefits;
• Providing requested services, including contacting you for appointments, sending reminders, reporting back to referring practitioners, or making referrals;
• Complying with our legal obligations, resolving any disputes, or enforcing our agreements and rights with third parties;
• For persons applying for a position with us, considering your suitability for engagement or employment;
• Providing you with electronic prescriptions;
• Uploading information to the MyHealth Record in accordance with your consent settings;
• Invite you to participate in research;
• Training our personnel;
• Obtaining approval from regulatory bodies such as the Therapeutic Goods Administration to provide our services; and
• Assessing job applications.

1. Direct Marketing

Occasionally, with your consent, we may contact you to share important healthcare news and updates or inform you of changes at your clinic, such as opening hours, new doctors, or healthcare services. If you do not wish to receive direct marketing communications or want to change your preferences, you can withdraw your consent at any time by unsubscribing from the mailing list or contacting our Privacy Officer at privacy@medreleafaustralia.com.au.

We do not provide your personal information to other organisations for their direct marketing purposes.

We do not engage in direct marketing to children.

1. Access to and Correction of Your Personal Information

You have the right to request access to, or correction of, the personal information we hold about you. To request access to, or correction of, your personal information, please contact our Privacy Officer using the details below.

We will need to verify your identity before responding to your request. Subject to any applicable exceptions or requirements, we will provide you with access to the personal information you request within a reasonable time and usually within 28 days.

If your access request is made on behalf of an individual (e.g. you are a solicitor or legal guardian of a patient), we may request evidence of your authority to act on behalf of that person.

In certain circumstances, requests may be declined in accordance with privacy laws. If we deny your access request, we will provide reasons for the decision and inform you of your right to make a complaint.

There are no charges for requesting access (or correction) of your personal information, however we may charge an administration fee for giving you access to your information. 

1. Retention of Your Personal Information

We will retain your personal information for as long as it is required for the purpose for which it was collected, or as otherwise required by applicable laws. For example, in NSW, generally patient personal information is held for a minimum of 7 years from the date of the last entry in your record. For children, the record is retained until the patient attains or would have attained 25 years of age, to comply with legal requirements.

You may request the transfer of your medical records to an alternate doctor outside our service, and a reasonable administrative fee may apply.

Information that is no longer needed or required by law will be securely destroyed or de-identified in accordance with laws.

1. Data Breach Incidents

If we discover that there has been actual or suspected unauthorised access to, disclosure or use of, your personal information (a data breach), we may contact you to inform you. We will work with you to mitigate the consequences, including harms, resulting from any such data breach.

We are required under privacy laws to notify Government regulators about certain data breaches.

1. How to Make a Complaint About the Handling of Your Personal Information

If you have any questions or concerns about this Policy or how your personal information has been handled, including its collection, use, disposal, or destruction, please feel free to contact our Privacy Officer on the details provided below.

We may request additional details regarding your complaint and the desired outcome. Subsequently, we typically undertake the following steps: collecting pertinent facts, examining relevant documents, and engaging in discussions with involved parties.

In most instances, we aim to investigate and respond to complaints within a 30-day timeframe. If the matter proves to be more intricate or requires a more extended investigation period, we will inform you accordingly.

Should you find our response unsatisfactory, you have the right to file a complaint with the Office of the Australian Information Commissioner. You can reach the Office of the Australian Information Commissioner at 1300 363 992 or access their contact information online at www.oaic.gov.au.

1. Contact Us

You can contact our Privacy Officer using the details below:

Mailing address: The Privacy Officer, GPO Box 2846, Brisbane QLD 4001

Email: privacy@medreleafaustralia.com.au

Phone:1800 675 323

Last updated: July 1, 2025