Security & Privacy
Your clients trust you with sensitive information. We take that responsibility seriously.
Where is my data stored?
All clinical data is stored in Sydney, Australia on enterprise-grade cloud infrastructure. We serve practitioners in Australia and New Zealand, with all data hosted within Australian jurisdiction on infrastructure that meets both countries' privacy requirements.
Is my client data secure?
Absolutely. We protect your data with multiple layers of security:
- Bank-level encryption for all data in transit and at rest
- Strict access controls ensuring only authorised users can see client information
- Automatic backups to prevent data loss
- 24/7 security monitoring by our infrastructure providers
Who can access my client information?
Only you and the clinicians in your practice that you authorise. We have strict internal policies against accessing client data without explicit consent. Our systems enforce access controls at the database level — queries simply won't return data you're not authorised to see.
Is ClientForms designed for healthcare privacy?
Yes. We're built with healthcare privacy requirements in mind:
- Data encrypted everywhere it moves and where it's stored
- Secure authentication with multi-factor options
- Data isolation — each practice's data is completely separate
- Built on infrastructure trusted by healthcare organisations worldwide
What happens if there's a security incident?
We have multiple layers of protection:
- Enterprise DDoS and attack prevention
- Real-time threat detection
- If an incident ever occurred, we'd notify affected users and relevant regulators promptly — within 30 days for Australia (OAIC) and as soon as practicable for New Zealand (OPC)
Can I export or delete my data?
You have complete control over your data. You can request full account deletion at any time, and we honour all data subject access requests. Data export functionality is on our roadmap — in the meantime, you can view all assessment results directly in your dashboard.
Do you share data with third parties?
We never sell your data. The only third parties involved are:
- Payment processing — for billing only, no clinical data is shared
- Cloud infrastructure — they store but cannot read your encrypted data
Privacy Compliance
We comply with privacy legislation in every jurisdiction we operate in. For full details, see our Privacy Policy.
Australia — Privacy Act 1988
We follow all 13 Australian Privacy Principles (opens in new tab) (APPs). Here's what each one means for you.
1We're upfront about what we collect
This page is our privacy policy. No hidden data collection, no surprises. If anything changes, we'll update this page and let you know.
2Patients can use initials or pseudonyms
Forms capture what clinicians need for assessment. Patients aren't required to provide full legal names — initials or preferred names work fine for clinical purposes.
3We only collect what's clinically necessary
Forms ask only for information needed to complete the assessment. No unnecessary fields, no data harvesting.
4Unrequested information is handled carefully
If someone sends us information we didn't ask for, we assess whether we're allowed to keep it. If not, we delete it securely.
5Patients know what they're submitting
Each form clearly shows what information is being collected and for what purpose. Consent is captured before submission.
6Data is used only for clinical care
Assessment data goes to the clinician who requested it. We don't sell it, share it with marketers, or use it for anything other than delivering your service.
7Patients never receive marketing from us
Patient information is never used for marketing. Clinicians may receive product updates, with a clear unsubscribe option in every email.
8Clinical data is stored in Australia
All clinical data is stored on servers in Sydney, Australia. Where ancillary data is processed overseas (authentication, payments), we ensure comparable privacy protections are in place.
9Government IDs aren't used as identifiers
We generate our own internal identifiers. Medicare numbers, driver's licences, and other government IDs are never adopted as account or patient identifiers.
10Assessment data is preserved accurately
Form responses are timestamped and stored exactly as submitted. This maintains clinical integrity and supports audit requirements.
11Strong security protects everything
Bank-level encryption, strict access controls, and continuous monitoring. Healthcare record retention follows jurisdictional requirements — Australia: adult records kept 7 years, children's until age 25. New Zealand: health records kept 10 years from last entry.
12You can access or delete your data
Want to see what we hold? Need something removed? Just ask. We honour requests promptly, subject to healthcare retention requirements.
13Patient details can be corrected
Clinicians can edit patient contact details directly in the dashboard.
Learn more about the Australian Privacy Principles at oaic.gov.au (opens in new tab)
New Zealand — Privacy Act 2020 & HIPC 2020
For New Zealand practitioners, we comply with the Privacy Act 2020 (opens in new tab) and the Health Information Privacy Code 2020 (opens in new tab) (HIPC). Here's how we meet all 13 Information Privacy Principles (IPPs).
1Lawful purpose for collection
We only collect health information for a lawful purpose connected to clinical assessment — directly related to the practitioner-client relationship.
2Collection directly from individuals
Health information is collected directly from the individual (or their parent/guardian for children), through assessment forms they complete themselves.
3Individuals know what we collect and why
Each form clearly explains who is collecting the information, why it's needed, and that it will be shared with their practitioner. Consent is captured before submission.
4Collection is fair and not intrusive
Our neurodivergent-friendly forms are designed to reduce anxiety. No deceptive practices, no hidden tracking — just straightforward clinical assessment.
5Information is stored securely
All data is protected with AES-256 encryption, strict access controls, and continuous monitoring. Health records are retained for a minimum of 10 years as required by HIPC Rule 5.
6Individuals can access their information
Individuals have the right to request access to their health information held by us. We respond to access requests promptly.
7Information can be corrected
Practitioners can correct patient contact details directly in the dashboard. Individuals may request corrections to their personal information at any time.
8Data accuracy is maintained
Form responses are timestamped and stored exactly as submitted. We take reasonable steps to ensure information is accurate before it is used.
9Information is not kept longer than needed
Health information is retained for 10 years from the last entry (HIPC requirement). After that, it is securely destroyed unless ongoing retention is required by law.
10Information used only for its purpose
Health information is used only for the clinical purpose for which it was collected. We never sell data, use it for marketing, or repurpose it without consent.
11Disclosure only to authorised recipients
Assessment data is shared only with the requesting practitioner and authorised clinicians within the same practice. No third-party disclosure without consent.
12Cross-border transfers are controlled
Clinical data is stored in Australia (Sydney). Under Section 11 of the Privacy Act 2020, we ensure comparable protections are in place for any ancillary data processed overseas.
13No government identifiers used
We generate our own internal identifiers. NHI numbers and other government identifiers are never adopted as account or patient identifiers.
Learn more about New Zealand privacy requirements at privacy.org.nz (opens in new tab)
Questions about security?
We're happy to discuss your specific requirements.