Privacy Policy

Last updated: April 2026

1. About This Policy

This Privacy Policy explains how Medio Australia Pty Ltd (ACN 654 518 868, ABN 28 654 518 868), trading as Medio Telehealth (“we”, “our”, “Medio”), collects, uses, stores, discloses, and protects your personal and health information.

We are bound by the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable state and territory health records legislation. We treat your information with the highest standard of care consistent with our obligations as a registered healthcare provider.

2. Information We Collect

2.1 Personal information

When you book an appointment or use our services, we may collect:

  • Full name
  • Date of birth
  • Sex
  • Email address
  • Phone number
  • Residential address
  • Medicare number and Individual Reference Number (IRN)
  • Photo identification (if Medicare is not available)

2.2 Health information

To provide clinical services, we collect health information through our health questionnaires and during consultations, including:

  • Medical history and current conditions
  • Current medications and allergies
  • Previous treatments and their outcomes
  • Mental health screening responses
  • Substance use history
  • Pregnancy and breastfeeding status
  • Employment and driving information (relevant to prescribing)
  • Cannabis use history (for medical cannabis consultations)
  • Medication evaluation feedback (for medical cannabis patients)

Health information is classified as “sensitive information” under the Privacy Act 1988. We only collect sensitive information with your consent or where otherwise authorised by law, and we apply additional safeguards to its storage and handling.

2.3 Payment information

Payment is processed by Square, our payment provider. We do not store your credit card or bank details. Square's handling of your payment data is governed by their own privacy policy.

2.4 Technical information

When you visit our website, we may collect technical information through cookies and analytics tools, including:

  • IP address and browser type
  • Pages viewed and time spent
  • Referring website
  • Device type

3. How We Collect Information

We collect information directly from you when you:

  • Book an appointment through our website
  • Complete a health questionnaire
  • Attend a telehealth consultation
  • Complete a medication evaluation form
  • Contact us via email or our contact form
  • Upload identity documents (photo ID)

We may also receive information from Halaxy, our clinical management system, when your treating doctor updates your clinical record.

4. Why We Collect Information

We use your information for the following purposes:

  • Providing clinical care: your health information is shared with your treating doctor to prepare for and conduct your consultation
  • Medicare and IHI verification: your Medicare number and identity details are used to verify your Individual Healthcare Identifier (IHI) for clinical record-keeping
  • Appointment management: sending booking confirmations, reminders, and follow-up communications
  • Payment processing: processing consultation fees and refunds
  • Treatment evaluation: collecting feedback on medical cannabis medications to help doctors optimise treatment
  • Legal compliance: meeting our obligations under healthcare regulations, including TGA reporting requirements for medical cannabis prescriptions
  • Service improvement: analysing usage patterns to improve our platform (using anonymised data only)

5. Who We Share Information With

We only share your information where necessary to provide our services or where required by law:

  • Halaxy — our clinical management system where patient records, appointments, and clinical notes are stored. Halaxy is an Australian healthcare platform compliant with Australian privacy legislation.
  • Square — our payment processor. Square receives your name and email for payment purposes only.
  • Resend — our email delivery provider. Resend processes your email address to deliver appointment confirmations, reminders, and notifications.
  • Pharmacies — when your doctor issues a prescription, it is sent electronically to your nominated pharmacy.
  • TGA — for medical cannabis prescriptions, your treating doctor may be required to submit information to the Therapeutic Goods Administration as part of the Special Access Scheme or Authorised Prescriber pathway.
  • Pathology providers — when a blood test request is issued, relevant clinical information is shared with the pathology provider.
  • Law enforcement — where required by law, court order, or to protect the safety of individuals.

We do not sell, rent, or trade your personal or health information to third parties for marketing purposes.

6. Data Storage & Security

Your information is stored on secure, encrypted servers. Clinical records are managed in Halaxy, which uses enterprise-grade encryption and is hosted in Australia.

Patient data in our booking system is stored in a PostgreSQL database hosted on Railway (cloud infrastructure) with encrypted connections. Photo identification documents are stored in encrypted cloud storage.

We implement industry-standard security measures including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Access controls and authentication for admin systems
  • Webhook signature verification for payment and integration events
  • Token-based access for patient-facing forms (no shared URLs)
  • Regular security reviews

7. Overseas Transfers

Some of our service providers store or process data outside Australia. Specifically:

  • Square (payment processing) — United States
  • Resend (email delivery, powered by Amazon SES) — United States
  • Railway (database hosting) — United States
  • Vercel (website hosting) — global edge network

Where we disclose personal information overseas, we take reasonable steps to ensure the overseas recipient handles it in a manner consistent with the Australian Privacy Principles.

8. Data Retention

Health records are retained in accordance with Australian healthcare legislation. In general:

  • Clinical records are retained for a minimum of 7 years from the last date of service (or until the patient turns 25, whichever is later)
  • Medicare and identity verification data is retained for the duration of the patient relationship
  • Payment transaction records are retained for 7 years for tax and audit purposes
  • Website analytics data is retained for 26 months (Google Analytics default)

Rebook credits expire after 30 days. Photo ID uploads are retained for the duration of the patient relationship and deleted upon request.

9. Cookies & Analytics

We use Google Analytics (GA4) to understand how visitors use our website. GA4 uses cookies to collect anonymised usage data. You can opt out of analytics tracking through our cookie consent banner or by adjusting your browser settings.

We do not use cookies for advertising or behavioural targeting.

10. Marketing

We may occasionally send you information about our services that we believe may be of interest to you. You can opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us at info@medio.com.au.

We do not sell, rent, or share your personal information with third parties for their own marketing purposes.

11. Links to Other Websites

Our website may contain links to third-party websites (e.g. pharmacy providers, pathology labs, payment processors). We do not control those websites and are not responsible for their privacy practices. We encourage you to review the privacy policy of any website you visit.

12. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access your personal and health information held by us
  • Correct inaccurate or outdated information
  • Request deletion of your personal information (subject to our legal retention obligations for health records)
  • Withdraw consent to receiving marketing communications at any time
  • Complain if you believe your privacy has been breached

To exercise any of these rights, contact us at info@medio.com.au.

13. Notifiable Data Breaches

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.

14. Children's Privacy

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal information from children under 18.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or on our website. The “Last updated” date at the top of this page indicates when the policy was last revised.

16. Complaints

If you believe your privacy has been breached or you are unhappy with how we have handled your information, please contact us first at info@medio.com.au. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

17. Contact Us

For questions about this Privacy Policy or your personal information, contact us at:

Medio Australia Pty Ltd
Email: info@medio.com.au