We may collect and process the following types of personal and health information:
‍

a. Personal Information

• Name, email address, phone number, role, and organisation
• Login credentials and preferences
• Billing and payment details

‍

b. Health Information (Patient Data)

• Audio recordings, transcriptions, and consultation notes
• Structured health summaries, referrals, and medical letters
• Metadata linked to clinical records

‍

c. Technical Information

• IP address, browser type, device information, and usage logs
• Cookies and tracking data to enhance the user experience
• Mobile-specific data, including OS version, device model, push notification tokens, crash logs, and app usage analytics

D. Analytics and Advertising Identifiers

We use Google Firebase Analytics to understand app usage and improve performance. As part of this, we collect your device's advertising identifier (Google Advertising ID on Android / Identifier for Advertisers on iOS).

This identifier is used only for:

• Measuring app usage and feature adoption
• Diagnosing crashes and performance issues
• Aggregated, non-identifying analytics

We do not use the advertising identifier for advertising, marketing, profiling, or sharing with third-party advertisers. You can reset or limit this identifier at any time through your device settings (Android: Settings → Privacy → Ads; iOS: Settings → Privacy → Tracking).

‍

We only collect data that is relevant, necessary, and lawful for the operation of the Platform.

Information may be collected when:

• You register for or log in to the Platform
• You upload, record, or submit clinical content
• You communicate with our team (e.g. support or onboarding)
• The Platform automatically logs activity or events for security and analytics
• You use the mobile app, which may collect usage analytics, crash logs, or device-specific data as described above

We use the information collected to:

• Deliver transcription, clinical documentation, and related services
• Manage user accounts and authentication
• Provide customer support and respond to enquiries
• Improve system performance, reliability, and security
• Ensure compliance with applicable health privacy standards
• Notify users of service updates, product changes, or legal notices

We do not use your data for advertising purposes or sell your data to third parties.

The mobile app may request the following device permissions, each for the stated purpose:

• Microphone: To record audio for transcription purposes
• Storage: To temporarily store drafts, recordings, and cached files on your device
• Push Notifications: To deliver service updates, reminders, and platform notifications

Users can choose to deny permissions; however, certain features may not function fully if permissions are disabled.

Some data may be stored locally on your device, including cached recordings, drafts, and temporary files. This data is encrypted and secured with device-level protections such as passcode or biometric authentication. Local storage is used to improve app performance and allow offline functionality.

We use push notifications to send alerts and updates to users. Push notification data, including tokens and interaction logs, may be collected to manage delivery and analytics. Users can opt out of push notifications in their device settings at any time.

• All data is securely stored on Australian servers in ISO 27001-certified data centres.
• Bank-grade encryption is used for data both in transit and at rest.
• Access is restricted to authorised personnel with appropriate role-based permissions.
• Regular audits, vulnerability scans, and penetration tests are conducted.

‍

If you are a healthcare provider, your data is handled per your obligations under the Health Practitioner Regulation National Law and other clinical data retention policies.

To provide our transcription and clinical letter generation features, we use Microsoft Azure AI services hosted in the Australia East (Sydney) region:

• Azure Speech Services receives audio recordings of clinical consultations and returns text transcripts.
• Azure OpenAI Service receives transcript text along with the patient's first name and gender (and date of birth for consultant report letters specifically), and returns a draft clinical letter.

All AI processing happens within Australia. Microsoft's Data Processing Agreement prohibits the use of submitted customer data to train its AI models. Your data is processed only to return the requested transcript or letter draft.

All AI-generated transcripts and letter drafts are presented to the clinician for review and editing — they are never sent, filed, or actioned without explicit clinician approval. AI output is not used as authoritative clinical documentation in its own right

‍

• With our AI service providers (Microsoft Azure) for the limited purpose of producing transcripts and clinical letter drafts, as described in Section 8 (AI and Transcription Services). Audio recordings, transcript text, and patient first name and gender are processed in Microsoft's Australia East (Sydney) region under a Data Processing Agreement that prohibits use of this data for training purposes.
• With trusted third-party infrastructure providers (e.g. cloud hosting, push notification delivery, email delivery) who are contractually bound to maintain confidentiality and comply with privacy laws.
• In the event of a company merger, acquisition, or restructuring (with notification to users)
• When legally required (e.g. under court order, subpoena, or other legal obligation)

‍

We retain data:

• For as long as your account is active or as necessary to provide services
• As required to comply with legal, regulatory, or contractual obligations
• In line with the retention policies of your clinical practice

‍

You may request deletion or access to your data at any time, subject to certain legal exceptions.

Under the Australian Privacy Act, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate, incomplete, or out-of-date information
• Request deletion of data (where legally applicable)
• Withdraw consent to data processing

‍

Requests should be submitted in writing to Info@arvihealth.com .

We use cookies for session management, authentication, and to understand platform usage. You may disable cookies in your browser settings, though this may limit certain functionality.
‍

We may use third-party analytics tools (such as Google Analytics) to improve performance. These tools do not collect personally identifiable patient information.

‍

The mobile app analytics and crash reporting do not collect patient-identifiable information. All analytics comply with Apple’s App Tracking Transparency (ATT) and Google Play Data Safety requirements.

All patient health data, including audio recordings, transcripts, and clinical letter drafts, is processed and stored in Australia.

• Primary data storage: Australian ISO 27001-certified data centres.
• AI processing: Microsoft Azure Australia East (Sydney) region.
• Backups and disaster-recovery copies: Australian regions only.

Some operational data of a non-clinical nature (e.g. anonymised crash logs, app analytics, push notification routing) may be processed by service providers whose infrastructure is global. In those cases we ensure appropriate contractual safeguards (Standard Contractual Clauses or equivalent) are in place, and no patient health information is included in those flows.

We may update this Privacy Policy periodically. You will be notified of any material changes via email or through the Platform. The latest version will always be available on our website.