Privacy Policy – Preve

Effective Date: 11 November 2025

Preve Pty Ltd (ABN 85 676 649 513) ("Preve", "we", "us", or "our") understands the importance of safeguarding personal information. This Privacy Policy outlines our approach to the collection, use, disclosure, and protection of personal information in accordance with applicable privacy legislation, including:

  • the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs),

  • the New Zealand Privacy Act 2020 and Information Privacy Principles,

  • the General Data Protection Regulation (EU) 2016/679 ("EU GDPR") for individuals in the European Economic Area (EEA),

  • the United Kingdom General Data Protection Regulation and the Data Protection Act 2018 ("UK GDPR"),

  • the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") for individuals in the United States,

  • the Personal Information Protection and Electronic Documents Act ("PIPEDA") for individuals in Canada.

This policy explains what personal information we collect, how we use it, the circumstances under which we may share it with others, and your rights in relation to that information. Where required by law, we will provide additional notices that supplement this policy.

1. Scope and Application

This Privacy Policy applies to all personal information collected by Preve in connection with the use of our services, products, websites, mobile applications, APIs, and any associated tools or systems (collectively, the "Services"). This includes, but is not limited to:

  • Practitioners using the Preve platform to manage their clinical workflows;

  • Patients whose data is entered or processed via the Preve platform;

  • Business partners, suppliers, and contractors;

  • Visitors to our website and applicants for employment.

2. Information We Collect

We may collect and process the following types of personal information:

(a) Practitioners and Business Users

  • Identity Data: full name, professional title, date of birth.

  • Contact Data: address, email address, telephone number.

  • Professional Data: qualifications, certifications, clinic or practice details, registration numbers.

  • Financial Data: billing details, transaction history.

  • Usage and Technical Data: IP address, device identifiers, geolocation, operating system, browser type, pages visited, referral URLs, login timestamps, and interaction logs with our Services.

  • Profile Data: account credentials, preferences, subscription level.

  • Support and Communication Data: interactions with our customer service team.

(b) Patients (via Practitioners)

  • Personal Health Information (PHI): medical history, clinical notes, treatment plans, diagnoses, symptoms, prescribed exercises, and progress notes.

  • Contact Information: name, email, phone number (if entered by practitioner).

  • Appointment and Interaction Data: booking history, session data, feedback.

Note: Preve acts as a processor of patient data on behalf of the practitioner (data controller) in most cases.

(c) Job Applicants

  • Recruitment Data: employment history, references, qualifications, and any other information you submit as part of a job application.

3. Methods of Collection

We collect personal information in the following ways:

  • Directly from you, when you sign up, complete forms, correspond with us, or use the Services.

  • Automatically through tracking technologies (e.g., cookies, device logs).

  • From third parties, such as your clinic, integrated practice management systems (e.g., Cliniko, Nookal), public databases, or recruitment partners.

4. Purposes for Collection and Use

We collect and use personal information for the following purposes:

| Purpose | Legal Basis | Types of Data |
|---|---|---|
| To register users and create accounts | Contract | Identity, Contact, Profile |
| To provide and personalise our Services | Contract; Legitimate Interests | All categories |
| To facilitate transcription and treatment planning | Consent; Contract | PHI, Technical, Usage |
| To respond to support requests | Legitimate Interests | Contact, Support, Profile |
| To improve and develop our technology | Legitimate Interests | Technical, Usage, Interaction |
| To comply with legal obligations | Legal Obligation | All categories |
| To process billing and payments | Contract | Financial, Transaction, Contact |
| To send marketing and service communications | Consent | Contact, Marketing Preferences |

5. Use of Sensitive and Health Information

Where permitted by law, we may collect and use health information and other sensitive information for the following purposes:

  • To support patient care and documentation workflows.

  • To generate or transcribe clinical records.

  • To help clinicians manage exercise and treatment planning.

We do not use identifiable health information to train our AI models. Where health data is used to improve performance or conduct analytics, it is anonymised or de-identified in accordance with applicable law.

6. Lawful Bases for Processing (EU, UK, Canada, US)

For residents in the EU and UK, our processing activities are justified under one or more of the following legal bases:

  • Your consent (where explicitly provided)

  • Performance of a contract

  • Compliance with legal obligations

  • Our legitimate interests, provided these do not override your fundamental rights

For US residents, we comply with HIPAA when handling PHI, including:

  • Only processing PHI for permitted use cases

  • Entering into Business Associate Agreements (BAAs) where required

For Canadian residents, our practices comply with PIPEDA, including:

  • Ensuring meaningful consent for collection, use, and disclosure

  • Providing access and correction rights

  • Limiting retention and ensuring secure disposal

7. Disclosure of Personal Information

We may disclose personal information to:

  • Our employees and contractors

  • Third-party service providers (e.g. cloud infrastructure, analytics platforms)

  • Payment processors (e.g. Stripe)

  • Professional advisers (e.g. legal and accounting services)

  • Regulatory and government bodies as required by law

  • Third-party processors operating under a Data Processing Agreement (DPA) or equivalent safeguards

We do not sell or rent personal data.

Sensitive data will only be disclosed:

  • With the data subject’s consent;

  • To provide healthcare support services;

  • To protect someone’s life, health, or safety in emergencies;

  • Where required by law or legal obligation.

8. Cross-Border Transfers

Your data may be processed or stored in countries outside your own jurisdiction. When we transfer personal data internationally, we:

  • Rely on adequacy decisions, where applicable;

  • Enter into Standard Contractual Clauses (SCCs) or other approved legal mechanisms;

  • Implement additional contractual, technical and organisational safeguards;

  • Comply with HIPAA when transferring US PHI to offshore processors;

  • Limit transfers of Canadian personal health information to parties with equivalent safeguards under PIPEDA.

9. Data Security

We maintain robust data security measures including:

  • End-to-end encryption (data in transit and at rest)

  • Regular vulnerability assessments

  • Role-based access controls and audit logging

  • Secure authentication mechanisms

  • Staff training in information security and privacy

Despite our efforts, no security system is impenetrable. If we detect a data breach involving your personal information, we will notify you and the appropriate regulatory authority as required.

10. Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected or to meet legal, regulatory, or operational requirements. Specific retention periods include:

  • Practitioner account data: retained for the duration of the account and up to 7 years post-termination for compliance.

  • Clinical data: retained only as per agreement with the practitioner and securely deleted or de-identified thereafter.

  • Analytics and usage data: de-identified and retained for product improvement.

11. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access your personal information

  • Request correction or deletion

  • Withdraw consent at any time

  • Restrict or object to certain types of processing

  • Data portability (EU, UK, Canada)

  • Lodge a complaint with a data protection authority

To exercise these rights, contact us at privacy@preve.co. We may need to verify your identity before fulfilling your request.

12. Cookies and Analytics

We use cookies and similar tracking technologies to:

  • Maintain secure sessions and authentication

  • Understand user behaviour and engagement

  • Improve platform performance and features

You can manage cookie preferences through your browser settings. Blocking cookies may impact your experience on our platform.

13. Third-Party Websites

Our Services may contain links to external websites. We are not responsible for the privacy practices or content of those third-party sites. Please review their privacy policies before sharing personal information.

14. Google and YouTube Video Policy

Preve uses YouTube API Services to provide video content functionality within our application. By using Preve, you acknowledge that YouTube API Services are being used to access and display video content, and you implicitly agree to be bound by the YouTube Terms of Service.

Preve's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. For more information about how Google handles your data, please refer to the Google Privacy Policy.

15. Changes to this Policy

We may revise this policy from time to time to reflect updates in our practices or legal obligations. Updated versions will be published on our website with a new effective date.

16. Contact Us

For questions, requests, or complaints about this Privacy Policy, please contact our Privacy Officer at:

Email: support@preve.co

We aim to respond to all requests within 30 days. If you are not satisfied with our response, you may contact your local data protection authority.