Privacy Policy

Account and identity information

• ›Full name, professional title, and email address
• ›Role and specialty (e.g. Intensivist, ED Registrar)
• ›Hospital or health service name, department, and ward
• ›Clinic access code and user credentials (passwords are hashed; we never store them in plain text)

Voice and biometric data

During onboarding, we collect three voice recordings (each up to about 25 seconds) for the purpose of generating a voice identification profile. This data constitutes sensitive information under the Privacy Act (biometric data) and health information under the Health Records Act. We collect it only with your explicit, informed consent.

Clinical handover content

During a handover session, audio is streamed and transcribed in real time. The resulting transcript and AI-generated ISBAR summary constitute health information relating to patients. This data is held on behalf of your employing health service and is subject to their clinical records obligations as well as ours.

• ›Live audio stream (processed in real time; raw audio temporarily buffered during the session)
• ›Full-session audio merged for post-session processing, then deleted within 24 hours of processing completion
• ›Transcription segments with speaker labels and timestamps
• ›AI-generated ISBAR clinical summaries
• ›Extracted patient identifiers, clinical observations, and care recommendations

Usage and technical data

• ›Device type, browser, and operating system
• ›Session timing, feature interactions, and error logs
• ›IP address (used for security and abuse prevention; not linked to clinical data)

We use your information only for the purposes for which it was collected or directly related purposes you would reasonably expect:

• ›Providing the handover platform: authenticating users, creating and managing handover sessions, generating ISBAR summaries
• ›Speaker identification: matching live audio to enrolled voice profiles to attribute speech to clinicians
• ›Clinical records: producing searchable, auditable records of clinical handovers for your health service
• ›Platform improvement: anonymised, aggregated analysis of system performance (never individual patient data)
• ›Security and compliance: fraud prevention, audit logging, and regulatory obligations
• ›Communicating with you: service updates, account notices, and support responses

We do not use your personal information or health information for advertising, profiling, or sale to third parties.

Health information (including patient data in handover transcripts, voice biometric data, and any clinical observations) is treated with heightened protection in accordance with:

• ›APP 3.3 and APP 6 (collection and use of sensitive information only with consent or where permitted by law)
• ›Health Privacy Principles 1–11 under the Health Records Act 2001 (Vic)
• ›Clinical records retention obligations applicable to health services in Victoria (minimum 7 years from last entry, or 25 years from date of birth for minors)

Patient health information processed through Handovex is handled on behalf of the clinical facility. The health service remains the primary data custodian for patient records; Handovex acts as a data processor in respect of that information.

We do not sell or trade personal information. We disclose information only as follows:

Service providers and sub-processors

To deliver the platform, we engage third-party service providers across the following categories. Each is bound by contractual data processing agreements and is required to maintain standards consistent with the APPs:

• ›Cloud infrastructure: primary data hosting and database storage (located in Australia)
• ›Authentication and identity services: user login, session management, and MFA
• ›Voice transcription services: real-time and post-session audio-to-text processing
• ›Speaker identification services: biometric voice matching to attribute speech to enrolled clinicians
• ›AI language model services: clinical summary generation and multi-source reconciliation

A current list of sub-processors, including their names and data processing locations, is available to Organisations on request at handovex@gmail.com. We will notify Organisations of material sub-processor changes with at least 14 days' notice.

Overseas disclosure notice (APP 8)

Some of our service providers are located outside Australia. Before disclosing your information to overseas recipients, we take reasonable contractual steps to ensure they handle it consistently with the APPs. However, under APP 8.2(a), by using Handovex you expressly consent to such disclosures and acknowledge that the obligations in APP 8.1 will not apply to those overseas recipients. We have reviewed each provider's security certifications and data processing practices prior to engagement.

Legal and regulatory disclosure

We may disclose information if required by law, court order, or regulatory authority, or where disclosure is necessary to prevent a serious and imminent threat to health or safety.

• ›All data is stored in Australia (Sydney region). Data does not leave Australia except when processed by the overseas sub-processors described above
• ›Data at rest is encrypted using AES-256; data in transit is protected by TLS 1.2+
• ›Access controls use row-level security policies enforced at the database layer, isolating each clinic's data
• ›Multi-factor authentication (AAL2) is enforced for clinical users
• ›PHI access is logged to immutable audit tables with user, action, and timestamp
• ›Voice biometric embeddings are stored as numerical vectors; raw enrollment audio is deleted once the embedding is generated

Handovex is a beta product. While we implement the security measures described above, no system is completely secure. We encourage you to use strong passwords and to notify us immediately if you suspect any unauthorised access.

Upon termination of a facility's subscription, we will provide a data export and then delete account data within 90 days, subject to any legal holds.

Under the Privacy Act and Health Records Act, you have the following rights:

• ›Access: Request a copy of the personal or health information we hold about you
• ›Correction: Request correction of inaccurate, out-of-date, or incomplete information
• ›Deletion: Request deletion of your account and associated personal data (subject to legal retention obligations for clinical records)
• ›Complaint: Lodge a complaint with us and, if unresolved, with the Office of the Australian Information Commissioner (OAIC) or the Health Complaints Commissioner (HCC) Victoria

To exercise these rights, contact us at handovex@gmail.com. We will respond within 30 days. We may need to verify your identity before processing a request.

We use session cookies and local storage solely for authentication and user preference storage. We do not use third-party tracking cookies, advertising pixels, or behavioural analytics. You may configure your browser to refuse cookies, but some features of the platform may not function correctly without them.

Handovex is a professional clinical platform intended for use by qualified healthcare workers. We do not knowingly collect information from individuals under 18 years of age. Patient health information relating to minors processed through the platform is subject to the retention rules described in Section 6.

We may update this Privacy Policy from time to time. Material changes will be notified to users by email at least 14 days before they take effect. The effective date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

For privacy questions, access requests, or complaints, contact our Privacy Officer:

If your complaint is not resolved to your satisfaction, you may contact:

• ›Office of the Australian Information Commissioner (OAIC): oaic.gov.au
• ›Health Complaints Commissioner Victoria (HCC): hcc.vic.gov.au