Privacy Policy

1. About This Policy

Figments (“we”, “us”, “our”) is a clinical practice management platform for Australian allied health practices. This Privacy Policy explains how we collect, hold, use, and disclose personal information (including health information) in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Health information is sensitive information under the Privacy Act and is afforded the highest level of protection. We treat all client data accordingly.

2. Who We Are

Figments is operated by Figments Tech Pty Ltd (ABN 91 697 631 780). For privacy enquiries, contact us at privacy@figments.com.au.

Figments acts as a data processor on behalf of the allied health practice (the “Organisation”) that subscribes to our platform. The Organisation is the primary data controller responsible for how client health information is collected and used within their practice.

3. What Information We Collect

Client health information (collected by practices using Figments):

• Full name, date of birth, contact details
• Session notes, SOAP/DAP notes, therapy goals
• Voice recordings processed for AI-assisted documentation (with explicit consent)
• Invoice and funding information (NDIS, private health)
• Guardian / family member details for minor clients
• Communication history (SMS, email reminders)

Clinician and practice information:

• Name, email address, role within the practice
• Authentication credentials (managed by Firebase Auth)
• Billing information (managed by Stripe — we do not store card numbers)
• Usage logs and audit records

4. Cookies, IP Addresses, and Technical Data

Cookies:

• We use essential cookies for authentication (managed by Firebase Auth). These cookies are required for you to log in and use the platform. We do not use advertising or tracking cookies.

IP addresses:

• We collect IP addresses when online forms are submitted, when electronic signatures are captured, and in audit logs recording access to clinical data. IP addresses are used for security, fraud prevention, and compliance purposes only.

Analytics:

• We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies and does not collect personal data. No individual user tracking occurs.

5. How We Use Personal Information

• To provide clinical practice management features to subscribed practices
• To generate AI-assisted session documentation (Voice AI) where consent has been given
• To send appointment reminders and follow-up communications on behalf of the practice
• To process subscription billing
• To maintain audit logs for compliance and security purposes
• To investigate and respond to support requests

We do not use client health information to train AI models. We do not sell personal information to third parties.

6. Voice AI and Consent

Figments's Voice AI feature transcribes session recordings and generates draft clinical notes using Google Cloud Vertex AI. This feature:

• Is opt-in only — clients must provide explicit written consent before any recording is processed
• Consent can be revoked at any time; processing stops immediately upon revocation
• Audio is transmitted securely to Google Cloud Vertex AI (australia-southeast1 region) for transcription and note generation
• Recordings are stored in Google Cloud Storage (australia-southeast1 region)
• Clinicians review and approve all AI-generated notes before they are finalised

7. Where We Store Data

We store data in Australia wherever possible:

• Database: Neon serverless PostgreSQL (AWS ap-southeast-2, Sydney)
• Clinical files & recordings: Google Cloud Storage (australia-southeast1, Sydney)
• Application hosting: Vercel (syd1 region, Sydney)

Some data may be processed by third-party services outside Australia (see Section 8). Where this occurs, we take reasonable steps to ensure those providers maintain equivalent privacy protections under APP 8.

8. Third-Party Service Providers

We engage the following sub-processors to deliver the platform:

9. Overseas Disclosure (APP 8)

Some personal information (including health information) is disclosed to service providers located outside Australia, as listed in Section 8. This occurs when:

• Email communications — messages sent via the platform (including appointment reminders, clinical letters, and clinician-composed emails) are processed by Resend (USA). Message content may include health information where the sending clinician has composed it.
• SMS communications — messages sent via the platform are processed by Twilio (USA). Message content may include health information where the sending clinician has composed it.
• Authentication — login credentials are managed by Firebase Auth (Google Cloud).
• Voice AI — session recordings are processed by Google Cloud Vertex AI (Australia) where the Voice AI feature is enabled and consent has been obtained (see Section 6).

Before disclosing personal information to overseas recipients, we take reasonable steps under APP 8.1 to ensure those recipients do not breach the Australian Privacy Principles. All overseas providers listed above have entered into Data Processing Agreements (DPAs) with us and are bound by equivalent privacy obligations.

By using Figments (as a practice) or by having your health information stored in Figments (as a client of a practice), you acknowledge that your information may be processed by overseas sub-processors as described in this policy.

10. Disclosure of Information

We do not disclose personal information to third parties except:

• To our sub-processors listed above, for the purpose of delivering the platform
• Where required by law, court order, or regulatory authority
• To protect the safety of a person in an emergency
• With your explicit consent

11. Security

We take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification, or disclosure. Security measures include:

• Encryption in transit (TLS) and at rest
• Application-level encryption (AES-256-GCM) for session notes, NDIS numbers, message bodies, and OAuth tokens
• Role-based access controls — clinicians only access clients within their organisation
• Multi-factor authentication support
• Audit logging of all data access and modifications
• Automatic guardian access revocation when clients turn 18

12. Data Retention

Clinical records are retained for a minimum of 7 years from the date of last service (or until a minor client turns 25, whichever is later), in accordance with state-based health records legislation. Organisations may request earlier deletion subject to applicable legal obligations.

SMS and email message records are retained for the same period as clinical records (7 years). Message content is encrypted at rest within the database. Organisations may request earlier deletion subject to applicable legal obligations.

Pending guardian user records with no active links are automatically removed after 30 days.

13. Access and Correction

Individuals have the right to access personal information we hold about them and to request correction of inaccurate information. Requests should be directed to the practice that holds your clinical records in the first instance. Platform-level access requests can be directed to privacy@figments.com.au.

We will respond to access requests within 30 days. A reasonable fee may apply for complex requests.

14. Data Breach Notification

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by Part IIIC of the Privacy Act.

15. Complaints

If you believe we have breached your privacy, please contact us at privacy@figments.com.au. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the OAIC at www.oaic.gov.au.

16. Changes to This Policy

We may update this policy from time to time. The current version will always be available at figments.com.au/privacy. Material changes will be communicated to practice administrators by email.