Privacy Policy
How ClientForms collects, uses, stores, and protects your personal and health information.
1. Who We Are
ClientForms is a clinical assessment platform operated from Australia. We provide digital assessment forms for healthcare professionals including psychologists, counsellors, and dermatologists. Our platform enables clinicians to send standardised assessment instruments to their patients, collect responses securely, and view scored results.
We serve clinicians in Australia and New Zealand, with plans to expand to additional markets. This policy explains how we handle data in each jurisdiction we operate in.
2. Information We Collect
Clinician Account Information
- Name and email address
- Practice name and URL slug
- Country of operation
- Payment information (processed by Stripe — we do not store card details)
Patient Information
- Name (or initials/pseudonym — patients may use pseudonyms)
- Email address (optional, for sending assessment links)
- Date of birth (for age-appropriate assessments)
- Phone number (optional)
Health Assessment Data
- Responses to standardised clinical assessments (e.g., PHQ-9, GAD-7, DASS-21, PASI)
- Calculated scores and severity classifications
- Assessment completion timestamps
Health assessment data is health information. Under the Australian Privacy Act 1988 it is "sensitive information", which carries stricter collection and use limits than ordinary personal information; in New Zealand it is governed by the Health Information Privacy Code 2020. In both jurisdictions it receives heightened protection.
Technical Information
- IP address and browser type (for security and analytics)
- Pages visited and interaction patterns (via Vercel Analytics, which is cookie-free and does not store identifying visitor data)
- Cookies necessary for authentication and preferences
3. How We Use Your Information
We use your information only for purposes directly related to providing and improving our clinical assessment service:
- Service delivery: Rendering assessment forms, calculating scores, displaying results to clinicians
- Account management: Authentication, billing, subscription management
- Communication: Service notifications, support responses, product updates (you can opt out of non-essential communications)
- Security: Fraud prevention, breach detection, access logging
- Improvement: Aggregated, de-identified analytics to improve the platform (we never use identifiable health data for analytics)
We do not: sell your data, use patient health data for marketing, share identifiable patient data with third parties for their own purposes, or use health data for automated decision-making.
5. Cross-Border Data Transfers
Your clinical data (patient information and health assessment responses) is stored in Sydney, Australia on Supabase infrastructure. Some ancillary data is processed overseas:
- Authentication data (email, name) is processed by Clerk in the United States
- Payment data is processed by Stripe globally — we never store card details
- Application code runs on Vercel's global edge network; clinical data is fetched from the Australian database at request time and is not stored outside Australia
For Australian Clinicians
Under APP 8 of the Privacy Act 1988, we take reasonable steps to ensure overseas recipients of personal information comply with the Australian Privacy Principles. Our service providers are contractually bound to protect your data to a comparable standard.
For New Zealand Clinicians
Under IPP 12 of the Privacy Act 2020, personal information may be disclosed to a person or entity outside New Zealand only where one of the safeguards listed in IPP 12(1) applies. Our cloud infrastructure providers (Supabase, Vercel) hold data as our agents under section 11 of the Privacy Act 2020, so information held by them is legally treated as held by us and storing it with them is not itself an overseas disclosure. Where information is disclosed to an overseas recipient, we rely on Australia's privacy laws being generally regarded as providing comparable safeguards (IPP 12(1)(c)), and we maintain contractual safeguards consistent with the OPC's model contract clauses.
6. Data Security
- Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
- Access controls: Role-based access enforced at the database level
- Authentication: Multi-factor authentication available for all accounts
- Monitoring: 24/7 security monitoring, DDoS protection, real-time threat detection
- Backups: Automatic daily backups with point-in-time recovery
- Data isolation: Each practice's data is logically isolated at the database level
For more detail, see our Security & Privacy page.
7. Data Retention
| Data Type | Australia | New Zealand |
|---|---|---|
| Adult health records | 7 years from the last entry (required by statute in some states, recommended elsewhere) | 10 years from the last treatment (mandatory) |
| Children's health records | Until patient turns 25 | Until patient turns 25 (and no less than 10 years from the last treatment) |
| Clinician account data | Duration of account + 12 months after closure | Duration of account + 12 months after closure |
| Payment records | 7 years (tax compliance) | 7 years (tax compliance) |
The applicable retention period depends on the country selected during account setup. When a retention period expires, data is securely deleted from the live database and from backups; because backups are kept for a fixed retention window, removal from backups completes when that window has passed rather than immediately.
8. Your Rights
Under both Australian and New Zealand privacy law, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that inaccurate information be corrected
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Complaint: Lodge a complaint with the relevant privacy regulator (see Section 13)
To exercise any of these rights, contact us at privacy@clientforms.app. We will respond within 20 working days (NZ, the statutory limit under the Privacy Act 2020) or 30 days (AU, consistent with OAIC guidance).
9. Australia — Privacy Act 1988
ClientForms complies with the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Key commitments:
Open and transparent management (APP 1)
This policy documents our personal information handling practices.
Anonymity and pseudonymity (APP 2)
Patients may use initials or pseudonyms when completing assessments.
Collection of personal information (APP 3)
We collect only information that is reasonably necessary for clinical assessment services.
Use and disclosure (APP 6)
Personal information is used only for the purpose for which it was collected: delivering clinical assessment services.
Direct marketing (APP 7)
We do not use patient health data for marketing purposes.
Cross-border disclosure (APP 8)
Data is stored in Australia. Where data is processed overseas (authentication, payments), we ensure comparable protection.
Security (APP 11)
We take reasonable steps to protect personal information with encryption, access controls, and monitoring. Eligible data breaches that are likely to result in serious harm are notifiable to the OAIC and to affected individuals under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988).
Access (APP 12)
You may request access to your personal information at any time.
Correction (APP 13)
You may request correction of inaccurate personal information.
For the full list of 13 APPs and how we meet each one, see our Security & Privacy page. You may also contact the OAIC to make a privacy complaint.
10. New Zealand — Privacy Act 2020
ClientForms complies with the 13 Information Privacy Principles (IPPs) under the New Zealand Privacy Act 2020. Where health information is processed, the Health Information Privacy Code 2020 (HIPC) applies, with HIPC Rules replacing the IPPs.
Purpose of collection (IPP 1)
We collect personal information only for purposes directly connected to our assessment platform service.
Source of information (IPP 2)
Personal information is collected directly from clinicians and patients, not from third parties.
Collection from the individual (IPP 3)
When we collect information, we inform individuals of the purpose, intended recipients, and their rights.
Storage and security (IPP 5)
We take reasonable steps to protect personal information against loss, unauthorised access, and misuse.
Access to personal information (IPP 6)
Individuals may request access to their personal information held by us.
Correction of information (IPP 7)
Individuals may request correction of personal information that is inaccurate, incomplete, or misleading.
Use of information (IPP 10)
Information is used only for the purpose for which it was collected, unless an exception applies.
Disclosure of information (IPP 11)
We disclose personal information only where authorised by the individual or required by law.
Disclosure outside New Zealand (IPP 12)
Cross-border transfers are governed by IPP 12. Our cloud providers hold data as our agents under section 11, so their storage of it is not an overseas disclosure, and Australia provides comparable safeguards.
Health Information Privacy Code 2020
The HIPC applies 13 health-specific Rules that replace the IPPs when health information is involved. Key differences include stricter rules on collection purposes, additional grounds for disclosure to health or disability services, and a mandatory minimum retention period of 10 years from the date of last treatment under the Health (Retention of Health Information) Regulations 1996.
Notifiable Privacy Breaches
Under sections 112–118 of the Privacy Act 2020, if we become aware of a privacy breach that it is reasonable to believe has caused, or is likely to cause, serious harm, we must notify the Office of the Privacy Commissioner (OPC) and affected individuals as soon as practicable. Because of the sensitivity of health information, a breach involving it will almost always meet that threshold. You may contact the OPC to make a privacy complaint.
12. Children's Information
Some assessments (such as child ADHD assessments) involve children's health data. This data is always provided by a parent, guardian, or treating clinician — never directly by the child. Children's health records are subject to extended retention periods (until the patient turns 25) in accordance with applicable health records legislation.
13. Contact & Complaints
For privacy enquiries, access requests, or complaints:
Privacy Officer
Email: privacy@clientforms.app
Australian Privacy Regulator
Office of the Australian Information Commissioner (OAIC)
www.oaic.gov.au
New Zealand Privacy Regulator
Office of the Privacy Commissioner (OPC)
www.privacy.org.nz
14. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered clinicians. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of our service after changes constitutes acceptance of the updated policy.