Privacy policy

We’re committed to protecting the privacy of all individuals that provide Personal Information to us, including the data recorded by customers in Cliniko that relates to their clients or patients. This Privacy Policy explains how we collect, protect, use and share personal information.

We may review and change this policy from time to time. When we do, we'll update this version located at https://www.cliniko.com/policies/privacy/ and notify our customers within Cliniko, and in other suitable places.

Let's go through a few definitions before we get started:

  • ‘Red Guava’, or ‘Red Guava Pty Ltd (ACN 147 311 466)’, is us—the company behind Cliniko.
  • ‘Cliniko’ is the Cliniko software application and services related to it that don't have a separate privacy policy.
  • ‘Agreement’ refers to the Cliniko Terms of Service found at https://www.cliniko.com/policies/terms/.
  • ‘Customer’ is a user of Cliniko who has agreed to our Terms of Service.
  • ‘Personal Information’ means information that can identify an individual.
  • ‘Services’ means the provision of the Cliniko software application and related platform, and services related thereto (such as customer support).

Personal Information we collect

We collect personal data in a couple of different ways—directly and indirectly.

Personal Information we collect directly from you

We directly collect Personal Information if you send an enquiry to us from our website, use Cliniko, or get in touch with us by chat, email, or phone. We may also collect some Personal Information if you engage with us through social media.

This information can include your name, gender, date of birth, country of birth, addresses, telephone numbers, email addresses, and credit and banking details.

We do not directly collect any special categories of personal data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. Nor do we collect any information about criminal convictions and offences.

Personal Information we collect indirectly

We indirectly collect Personal Information when someone uses Cliniko to record data about someone other than themselves. A typical scenario would be when a healthcare professional records information about a patient.

This information can include names, genders, dates of birth, countries of birth, residential addresses, telephone numbers, email addresses, a person’s emergency contacts, health insurance numbers, and patient treatment notes and records. This can include sensitive information such as health records.

  • Browser and hardware data, such as IP address, type of device, operating system, browser type, screen resolution, language, device make and model, as well as the versions of the above mentioned services.
  • Cookie and tracking technology data, which would include pages visited, time spent on pages, language preferences, and other anonymous traffic data.
  • Transaction data, including details about your Cliniko subscription, payment dates, and renewal dates.

How this information is used

Generally speaking, the Personal Information we collect is used by us to operate Cliniko.

The Personal Information we collect about our own Customers is mostly used for billing, identification, authentication, and for contacting them if we need to.

We may, with consent, use email addresses to share news, tips, updates and special offers. People who receive these promotional emails can unsubscribe at any time.

Our use of data collected in Cliniko by a business or practitioner that is Personal Information relating to third parties is limited to providing support and technical assistance to our Customers.

We may use other data for a range of different purposes, provided we comply with applicable law and our contractual commitments. In some countries (for example, European Economic Area countries), local legal regimes may require us to treat some or all of other data as “personal data” under applicable data protection laws. Where this is the case, we will process other data only for the same purposes as “personal data” under this Privacy Policy.

Other ways we may use your Personal Information:

  • To deliver customer service and assist you with any inquiries you may have.
  • To analyze trends, administer or optimise Cliniko, monitor usage or traffic patterns (including to track users’ movements around Cliniko) and gather demographic information about our user base as a whole.
  • To control unauthorised use or abuse of Cliniko—or otherwise detect, investigate or prevent activities that may violate our policies or be illegal.

How information is disclosed

Except as described in this Privacy Policy, Cliniko will not share, sell, or rent Personal Information with anyone without your permission or unless ordered by a court of law.

We work with third-party services in Australia and the USA (such as our web host, data backup and payment provider) that we allow access to Personal Information, and may use it on our behalf strictly for the purposes for which they are engaged. We minimise the amount of personal data that is utilised by these services, and we have ensured that these services process your data in accordance with the appropriate regulations. A list of third-party services (Subprocessors) we use can be found at https://help.cliniko.com/privacy/data-processing/cliniko-subprocessors

Cliniko Customers have the option of providing API keys to third-party apps, allowing the app to access the data (including Personal Information) in their Cliniko account. We are not responsible for the privacy policies and practices of these third-party services—you are responsible for reading and understanding their privacy policies if you wish to use their services.

In rare circumstances, we may be obliged to disclose Personal Information if disclosure is required to comply with the law, if we believe our Terms of Service, located at https://www.cliniko.com/policies/terms/, have been violated, if we believe it is necessary to protect our rights, or if the ownership and assets of Red Guava were to be transferred to another party.

The security of your Personal Information

We take security seriously. Data is encrypted, stored in state-of-the-art facilities, access is restricted to those who have a need to know, and we regularly review our technology to maintain security.

In the event that there is a breach and your Personal Information that we have collected directly is at risk, you will be notified within 72 hours of discovering the breach. You will be informed of what information is at risk, steps that we have taken to ensure your safety, and what action we are taking or have taken to rectify the breach. To the extent permissible at law, in the event that there is a breach and indirectly collected information is at risk, we will follow the same protocol, however the affected Customers (rather than the individuals) will be notified instead.

More about security can be found at https://www.cliniko.com/security.

Access, correct or delete Personal Information about you

You can request access to the Personal Information you have provided to us, via email to privacy@cliniko.com. This enables you to receive a copy of the data and to check that we are lawfully processing it.

If you think there’s a problem with the Personal Information we hold about you, you will either have the tools available to make these changes, or you can request a correction. This enables you to have any incomplete or inaccurate data we hold about you corrected (though we may need to verify the accuracy of the new data you provide to us).

If you want to request erasure of your Personal Information, we'll take all reasonable steps to do so unless we are required to keep it for legal reasons, which will be notified to you, if applicable, at the time of your request. As we only collect information that is required, it is likely that revoking your consent will limit the functionality of your Cliniko account.

Should you require to move your data to another service, you may request the transfer of your data (including Personal Information) to you or to a third party. We will provide to you, or a third party that you have chosen, your data in a structured, commonly used, machine-readable format.

You may withdraw consent at any time where we are relying on consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. This will be notified to you at the time of your request if applicable.

Data controlled by our Customers

Cliniko’s Customers may submit information to the Services for hosting and processing purposes (“Customer Data”). Cliniko will not review, share, distribute, or reference any such Customer Data except as provided in Cliniko’s Terms of Service (https://www.cliniko.com/policies/terms/), or as may be required by law. In accordance with Cliniko’s Terms of Service, Cliniko may access Customer Data only for the purpose of providing the Services, or preventing or addressing service or technical problems, or as may be required by law.

Cliniko acknowledges that you have the right to access your personal information. If personal information pertaining to you as an individual has been submitted to us by a Cliniko customer and you wish to exercise any rights you may have to access, correct, amend, or delete such data, please inquire directly with our customer. We have limited access to data our customers submit to our Services, if you wish to make your request directly to Cliniko, please provide details of the Cliniko Customer who submitted your data to our Services. We will refer your request to that Customer, and will support them as needed in responding to your request.

Local access and privacy laws

Cliniko is a worldwide service, and we acknowledge that Personal Information about patients, and the obligations of medical practitioners relating to them, may be subject to access and privacy laws in the country of residence of those patients.

We'll take all reasonable steps to comply with local access and privacy laws, to the extent consistent with legal obligations we have under Australian law, where we are based.

Red Guava also offers the Standard Contract Clauses included in a Data Processing Addendum (DPA). This is important for Customers that operate in the European Union, United Kingdom, or those that are bound to the General Data Protection Regulation (GDPR) or UK General Data Protection Regulation (UK GDPR) requirements. The DPAs are incorporated into the Agreement (as applicable) by reference. The UK DPA can be found at https://www.cliniko.com/policies/uk_dpa/ and the EU DPA can be found at https://www.cliniko.com/policies/eu_dpa/.

Questions or complaints

If you have any questions or complaints about our Privacy Policy or the way we handle your Personal Information, you can contact us at privacy@cliniko.com. This is our preferred method of contact.

VeraSafe have been appointed as Red Guava’s representative in the European Union and United Kingdom for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union and United Kingdom. If required, VeraSafe can be contacted on matters related only to the processing of Personal Information. To make such an inquiry, please contact VeraSafe using the contact form at https://verasafe.com/public-resources/contact-data-protection-representative.

Alternatively, VeraSafe can be contacted at:

For data protection matters in the European Union
VeraSafe Czech Republic s.r.o
Klimentská 46
Prague 1, 11002
Czech Republic
For data protection matters in the United Kingdom
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom

We also have a dedicated Data Protection Officer to help you with any requests or questions you have about your data. They can be reached at dpo@cliniko.com.

Last updated: 26 December 2022