Privacy Policy

Effective Date: February 15, 2026 · Last Updated: February 15, 2026

NoxSoft PBC (incorporation pending) ("NoxSoft," "we," "us," or "our") operates the HEAL telemedicine platform ("HEAL," the "Platform," or the "Service"). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information and health data when you use our Platform.

HEAL operates across multiple jurisdictions, including Australia, the United States, the United Kingdom, the European Union, India, and Canada. This Privacy Policy addresses the requirements of the applicable data protection legislation in each of these jurisdictions, including but not limited to the Australian Privacy Act 1988 (Cth), the United States Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the European Union General Data Protection Regulation (EU 2016/679, "EU GDPR"), the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), and the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA").

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with the practices described herein, you must not use the Platform.

1. Definitions

In this Privacy Policy:

  • "Personal Information" means any information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable individual.
  • "Health Data" means any information relating to the physical or mental health of an individual, including information about health services provided to the individual. This includes "Protected Health Information" (PHI) as defined under HIPAA, "sensitive information" as defined under the Australian Privacy Act, "special category data" under GDPR, "sensitive personal data" under the DPDP Act, and equivalent categories under PIPEDA.
  • "AI Triage Data" means the symptoms, health indicators, and other information you provide to the HEAL AI triage system, as well as the outputs generated by the AI system based on those inputs.
  • "Healthcare Provider" means a licensed physician, medical practitioner, or other healthcare professional who provides consultations through the Platform.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, date of birth, phone number, postal address, and account credentials when you register for an account.
  • Identity Verification: Government-issued identification documents, professional licences, and medical board registration details (for Healthcare Providers).
  • Health Information: Symptoms, medical history, current medications, allergies, pre-existing conditions, and any other health-related information you provide during AI triage or consultations.
  • Consultation Records: Notes, diagnoses, prescriptions, treatment plans, and follow-up instructions generated during consultations with Healthcare Providers.
  • Payment Information: Billing address and payment method details. Payment card information is processed directly by our payment processor, Stripe, Inc., and is not stored on our servers.
  • Communications: Messages, feedback, support requests, and other communications you send to us or to Healthcare Providers through the Platform.

2.2 Information Collected Automatically

  • Device and Browser Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
  • Usage Data: Pages visited, features used, session duration, click patterns, search queries, and interaction logs.
  • Location Data: Approximate geographic location derived from your IP address, used to determine applicable jurisdiction and connect you with locally licensed Healthcare Providers.
  • Cookies and Similar Technologies: We use strictly necessary cookies for session management and authentication. We do not use advertising or tracking cookies. See Section 12 for details.

2.3 Information Generated by the Platform

  • AI Triage Outputs: Symptom assessments, urgency classifications, specialist recommendations, and other outputs generated by the AI triage system based on information you provide.
  • Audit Logs: Records of data access, modifications, and system events maintained for security, compliance, and accountability purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To operate the AI triage system, facilitate consultations between patients and Healthcare Providers, process prescriptions, and enable payment processing.
  • AI Triage: To analyse your symptoms using machine learning models and provide urgency assessments and specialist recommendations. AI triage outputs are decision-support tools only and do not constitute medical advice.
  • Account Management: To create and manage your account, verify your identity, and authenticate your access to the Platform.
  • Healthcare Provider Verification: To verify the credentials, licences, and professional standing of Healthcare Providers on the Platform.
  • Payment Processing: To process consultation fees, platform fees, and payouts to Healthcare Providers through Stripe.
  • Communication: To send appointment confirmations, consultation reminders, prescription notifications, and essential service communications.
  • Safety and Security: To detect and prevent fraud, abuse, security incidents, and other harmful activity.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
  • Service Improvement: To analyse aggregated, de-identified usage patterns to improve the Platform, the AI triage system, and user experience. We do not use your identifiable Health Data for model training without your explicit, informed consent.

4. Legal Bases for Processing

We process your Personal Information and Health Data on the following legal bases, as applicable to your jurisdiction:

  • Consent: Where we rely on your consent to process Health Data (required under GDPR Article 9(2)(a), DPDP Act Section 6, and PIPEDA Principle 3), you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
  • Contractual Necessity: Processing necessary for the performance of the contract between you and NoxSoft (i.e., the Terms of Service) for providing the Platform and facilitating consultations.
  • Legitimate Interest: Processing necessary for our legitimate interests, including fraud prevention, security, service improvement (using de-identified data), and ensuring the integrity of the Platform, provided such interests are not overridden by your rights and freedoms.
  • Legal Obligation: Processing necessary to comply with applicable legal or regulatory requirements, including mandatory health reporting, tax obligations, and responses to lawful government requests.
  • Vital Interests: In limited circumstances, processing necessary to protect your vital interests or those of another person, such as when the AI triage system detects emergency symptoms.

5. How We Share Your Information

We do not sell your Personal Information or Health Data. We do not share your data with third parties for their own marketing purposes. We share information only in the following circumstances:

  • With Healthcare Providers: We share your health information, AI triage outputs, and relevant Personal Information with the Healthcare Provider you select for a consultation. The Healthcare Provider is an independent data controller (or equivalent) with respect to the clinical records they create during consultations.
  • Payment Processors: We share necessary transaction information with Stripe, Inc. for payment processing. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.
  • Infrastructure Providers: We use Supabase, Inc. for database hosting and authentication services. Where applicable, we maintain a Business Associate Agreement (BAA) with Supabase for HIPAA compliance. Supabase processes data only on our instructions and is subject to contractual data protection obligations.
  • Legal Requirements: We may disclose information when required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.
  • De-identified Data: We may share aggregated, de-identified data that cannot reasonably be used to identify you for research, public health, or statistical purposes.

6. Data Retention and Deletion

  • Account Data: Retained for the duration of your account and for a period of 30 days following account deletion to allow for account recovery, after which it is permanently deleted.
  • Health and Consultation Records: Retained for the minimum period required by applicable law in the relevant jurisdiction. In Australia, health records must generally be retained for a minimum of 7 years from the date of last entry (or until the patient reaches 25 years of age, whichever is later). In the United States, HIPAA requires a minimum of 6 years. We retain records for the longest applicable period across all relevant jurisdictions.
  • Payment Records: Retained for the period required by applicable tax and financial regulations, typically 7 years.
  • Audit Logs: Retained for a minimum of 7 years for compliance and accountability purposes.
  • AI Triage Data: Your raw symptom inputs are retained as part of your health record. De-identified, aggregated data may be retained indefinitely for system improvement purposes.

You may request deletion of your Personal Information at any time, subject to our legal obligations to retain certain records. See Section 8 for details on exercising your data rights.

7. Data Security

We implement comprehensive technical and organisational measures to protect your Personal Information and Health Data:

  • Encryption at Rest: All data is encrypted at rest using AES-256 encryption.
  • Encryption in Transit: All data transmitted between your device, our servers, and third-party service providers is encrypted using TLS 1.3.
  • Access Controls: Role-based access controls ensure that only authorised personnel and systems can access your data, on a need-to-know basis consistent with the HIPAA minimum necessary standard.
  • Audit Trails: All access to Health Data is logged with immutable audit trails for compliance monitoring and incident investigation.
  • Secure Development: We follow secure software development practices, including regular code reviews, dependency scanning, and penetration testing.
  • Incident Response: We maintain an incident response plan that includes procedures for breach detection, containment, notification, and remediation in compliance with all applicable breach notification requirements.
  • Employee Training: All personnel with access to Personal Information or Health Data receive regular training on data protection obligations and security best practices.

8. Your Rights

Depending on your jurisdiction, you have specific rights regarding your Personal Information and Health Data. We honour all applicable data subject rights regardless of your location to the extent technically feasible.

8.1 Rights Available to All Users

  • Access: You may request a copy of the Personal Information and Health Data we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete Personal Information.
  • Deletion: You may request deletion of your Personal Information, subject to our legal obligations to retain certain records (such as health records required to be retained under applicable law).
  • Data Portability: You may request your data in a structured, commonly used, machine-readable format.
  • Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.

9. HIPAA Compliance (United States)

To the extent that HEAL handles Protected Health Information ("PHI") of individuals located in the United States, we comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the HITECH Act.

  • Business Associate Agreements: We maintain Business Associate Agreements (BAAs) with all subcontractors and service providers that access, transmit, or store PHI on our behalf, including Supabase (database hosting) and Stripe (payment processing where applicable).
  • Minimum Necessary Standard: We apply the minimum necessary standard to all uses and disclosures of PHI, ensuring that only the minimum amount of information necessary to accomplish the intended purpose is used or disclosed.
  • Administrative, Physical, and Technical Safeguards: We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of electronic PHI.
  • Breach Notification: In the event of a breach of unsecured PHI, we will provide notification to affected individuals, the U.S. Department of Health and Human Services, and, where applicable, the media, in accordance with the HIPAA Breach Notification Rule.
  • Patient Rights: U.S. users have the right to access, amend, and receive an accounting of disclosures of their PHI as provided under HIPAA.

10. GDPR Compliance (United Kingdom and European Union)

For individuals located in the United Kingdom or the European Economic Area, we comply with the UK GDPR and EU GDPR respectively.

  • Data Controller: NoxSoft PBC is the data controller for Personal Information collected through the Platform. Healthcare Providers are independent data controllers for clinical records they create during consultations.
  • Data Protection Officer: You may contact our Data Protection Officer at dpo@noxsoft.net for any inquiries related to data protection.
  • Lawful Basis: We process Health Data on the basis of explicit consent (Article 9(2)(a)), for the provision of health care (Article 9(2)(h)), and where necessary for reasons of substantial public interest (Article 9(2)(g)).
  • Data Subject Rights: In addition to the rights listed in Section 8, EEA and UK residents have the right to: restrict processing, object to processing based on legitimate interests, and lodge a complaint with a supervisory authority (the ICO in the UK, or the relevant DPA in the EEA).
  • Cross-Border Transfers: Where Personal Information is transferred outside the UK or EEA, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms as required.
  • Automated Decision-Making: The AI triage system involves automated processing of your health information. This processing is used as a decision-support tool only and does not produce legally binding or similarly significant decisions without human (physician) involvement. You have the right to request human review of any AI-generated output.

11. Australian Privacy Act Compliance

As an Australian entity, NoxSoft complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

  • APP Compliance: We comply with all 13 Australian Privacy Principles regarding the collection, use, disclosure, storage, and security of Personal Information and health information.
  • Health Information: Health information is classified as "sensitive information" under the Privacy Act and is afforded additional protections. We collect health information only with your consent and for the primary purpose of providing the Service.
  • Notifiable Data Breaches: In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any eligible data breach that is likely to result in serious harm.
  • Cross-Border Disclosure: Before disclosing Personal Information to overseas recipients, we take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information, as required by APP 8.
  • Access and Correction: Australian users may request access to and correction of their Personal Information under APPs 12 and 13. Requests may be made by contacting privacy@noxsoft.net.
  • Complaints: If you are not satisfied with our handling of your complaint, you may lodge a complaint with the OAIC at www.oaic.gov.au.

12. India DPDP Act 2023 Compliance

For individuals located in India, we comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act").

  • Data Fiduciary: NoxSoft acts as a Data Fiduciary under the DPDP Act for the processing of digital personal data of individuals in India.
  • Consent: We obtain free, specific, informed, unconditional, and unambiguous consent with a clear affirmative action before processing your personal data. You may withdraw your consent at any time by contacting us. Withdrawal of consent will result in the cessation of processing, subject to applicable legal retention requirements.
  • Data Principal Rights: As a Data Principal, you have the right to: obtain information about processing, seek correction and erasure of your data, nominate another person to exercise your rights in the event of death or incapacity, and access grievance redressal.
  • Grievance Redressal: In accordance with the DPDP Act, we have established a grievance redressal mechanism. You may contact our Grievance Officer at grievance@noxsoft.net. We will acknowledge and respond to grievances within the timeframes prescribed by the DPDP Act and any rules made thereunder.
  • Data Localisation: We comply with any data localisation requirements that may be notified under the DPDP Act or other applicable Indian legislation.
  • Children's Data: We do not knowingly process the personal data of individuals under the age of 18 in India without verifiable consent from a parent or lawful guardian, in compliance with the DPDP Act.

13. PIPEDA Compliance (Canada)

For individuals located in Canada, we comply with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation.

  • Ten Fair Information Principles: We adhere to the ten fair information principles set out in Schedule 1 of PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.
  • Meaningful Consent: We obtain meaningful consent for the collection, use, and disclosure of your Personal Information. For sensitive information such as health data, we obtain express consent. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
  • Accountability: NoxSoft has designated a Privacy Officer responsible for our compliance with PIPEDA. The Privacy Officer may be contacted at privacy@noxsoft.net.
  • Access and Correction: Canadian users may request access to their Personal Information and request correction of any inaccuracies. We will respond to access requests within 30 days.
  • Breach Notification: We will report breaches of security safeguards to the Office of the Privacy Commissioner of Canada and notify affected individuals where the breach creates a real risk of significant harm, as required by PIPEDA.
  • Complaints: If you are dissatisfied with our handling of your Personal Information, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

14. Cookies and Similar Technologies

HEAL uses strictly necessary cookies to provide the Service. We do not use advertising cookies, tracking cookies, or analytics cookies that identify individual users.

  • Session Cookies: Used to maintain your authenticated session while using the Platform. These cookies expire when you close your browser or after a period of inactivity.
  • Preference Cookies: Used to remember your language, timezone, and accessibility preferences.
  • Security Cookies: Used for CSRF protection and other security measures.

Because we use only strictly necessary cookies, consent is not required under GDPR Article 5(3) of the ePrivacy Directive. However, you may configure your browser to refuse cookies, though this may prevent you from using certain features of the Platform.

15. Children's Privacy

HEAL is not intended for use by individuals under the age of 18 without the involvement and consent of a parent or legal guardian. We do not knowingly collect Personal Information or Health Data from individuals under 18 without verifiable parental or guardian consent.

Where a parent or guardian uses the Platform on behalf of a minor, the parent or guardian is responsible for providing accurate information and ensuring appropriate use of the Service. The parent or guardian consents to the collection and processing of the minor's data as described in this Privacy Policy.

If you believe we have inadvertently collected data from an individual under 18 without appropriate consent, please contact us at privacy@noxsoft.net and we will promptly delete such information.

16. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence. We ensure that such transfers comply with applicable data protection laws by implementing appropriate safeguards, including:

  • Standard Contractual Clauses approved by the European Commission (for transfers from the EEA/UK).
  • Adequacy decisions where available.
  • Contractual data protection obligations with all service providers.
  • Compliance with APP 8 (for transfers from Australia).
  • Compliance with PIPEDA cross-border transfer requirements (for transfers from Canada).
  • Compliance with any data localisation requirements under the DPDP Act (for transfers from India).

17. Third-Party Links

The Platform may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of third-party websites or services. We encourage you to review the privacy policy of every third-party site you visit.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Provide notice through the Platform or by email for material changes that affect how we handle your Health Data.
  • Where required by law, seek your renewed consent before processing your data under the updated terms.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: