Privacy Policy
Last updated: 29 June 2026
Constellation Therapies Pty Ltd (ABN 69 667 303 639) operates Constellation Therapies. We provide allied health, NDIS therapy, aged care therapy, and related clinical services.
This policy explains how we collect, hold, use, disclose and protect your personal information. It also covers health information we collect as part of your care.
We comply with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth). We also follow applicable state and territory health records legislation, including the Health Records Act 2001 (Vic) and the Health Records and Information Privacy Act 2002 (NSW).
You can read the full Australian Privacy Principles on the Office of the Australian Information Commissioner website at www.oaic.gov.au.
What is personal information and health information?
Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. Examples include your name, address, email, phone number and date of birth.
Health information is a subset of sensitive information under the Privacy Act. It includes information about your physical or mental health, disability, health service history, treatment plans, clinical notes, and any information collected to provide you with a health service.
Sensitive information also includes information about racial or ethnic origin, religious beliefs, sexual orientation, criminal records, and biometric data. We only collect sensitive information when it is directly relevant to providing your care.
1. Open and transparent management (APP 1)
We manage your personal information openly and transparently. This policy is freely available on our website. You can request a copy at any time.
We keep this policy up to date and review it regularly. If we make significant changes, we will update the "Last updated" date above and publish the revised version on our website.
We train our staff on their privacy obligations. Our clinicians and administrative team understand how to handle personal and health information appropriately.
2. Anonymity and pseudonymity (APP 2)
You can deal with us anonymously or by pseudonym when making general enquiries about our services.
However, we cannot provide clinical services anonymously. We need your real identity to deliver safe and effective healthcare. This includes your full name, date of birth, and relevant health history. Without this information, we cannot create clinical records, communicate with other providers, or meet our professional and legal obligations.
If you are an NDIS participant, we are required to collect your NDIS number and plan details to deliver and report on your funded supports.
3. What we collect and how (APP 3)
We collect only the personal information we need to provide our services. This includes:
- Identity details: name, date of birth, address, phone number, email address
- Health information: medical history, diagnoses, referral letters, assessment results, treatment plans, clinical progress notes, discharge summaries
- Funding details: NDIS plan and participant numbers, aged care package details, DVA file numbers, Medicare number, private health insurance details
- Emergency contacts: name, relationship and phone number of your nominated emergency contact
- Referral information: GP or specialist referral letters and reports from other health providers
- Payment details: billing address, invoice records and payment method (we do not store full credit card numbers)
- Communication records: emails, phone call notes, SMS messages, and correspondence about your care
- Website data: information collected through our website forms, cookies and analytics tools (see our Cookies section below)
How we collect your information
We collect personal information directly from you wherever possible. This happens when you:
- Complete an intake form or enquiry form (online or in person)
- Book or attend an appointment (in clinic, by telehealth, or via mobile visit)
- Communicate with us by phone, email, SMS, or through our website
- Provide consent forms or feedback
We may also collect information from third parties when it is necessary for your care. These third parties include:
- Your GP, specialist, or other treating health providers
- Hospitals and diagnostic services
- The NDIA (National Disability Insurance Agency) or your NDIS plan manager
- Your aged care provider or support coordinator
- Schools or early childhood services (with your consent)
- Family members or carers (with your consent, or where required for a child or person under guardianship)
We only collect information by lawful and fair means. We will tell you why we need the information and what we plan to do with it.
4. Unsolicited personal information (APP 4)
If we receive personal information that we did not ask for, we assess whether we could have collected it under APP 3. If we could have, we treat it in accordance with this policy.
If the information is not reasonably necessary for our functions, we will destroy or de-identify it as soon as practicable. We will do so in a secure manner.
5. What we tell you at collection (APP 5)
At or before the time we collect your personal information, we will tell you:
- Our identity and contact details
- Why we are collecting the information
- The main consequences if you choose not to provide it
- Who we usually share it with
- That this privacy policy explains how to access, correct, or complain about the handling of your information
- Whether we are likely to disclose it overseas
We provide this notice through our intake forms, consent forms, and this privacy policy. If you have questions, contact us at any time.
6. Use and disclosure (APP 6)
We use your personal and health information for the primary purpose of providing you with clinical services. This includes:
- Assessing your needs and developing treatment plans
- Delivering therapy sessions (in clinic, mobile, or telehealth)
- Writing clinical notes, reports, and assessments
- Coordinating care with your other health providers
- Billing and processing payments, including NDIS, aged care, DVA, and Medicare claims
- Meeting our professional registration and reporting obligations
Secondary purposes
We may use or disclose your information for secondary purposes that are directly related to the primary purpose, where you would reasonably expect this. For example:
- Internal quality improvement and clinical supervision
- Training of staff and students (de-identified where possible)
- Responding to complaints or legal claims
- Meeting audit or compliance requirements from funding bodies
We may also disclose your information where required or authorised by law. This includes:
- Mandatory reporting of child abuse or neglect
- Mandatory notifications to AHPRA about a practitioner's conduct
- Court orders, subpoenas, or lawful government requests
- Notifiable data breach obligations
We will not use or disclose your health information for a purpose you would not reasonably expect, unless we have your consent or are required by law.
7. Direct marketing (APP 7)
We may send you information about our services, events, or health resources that we believe may be relevant to you. We only do this using the contact details you have provided to us directly.
We will never sell your personal information to third parties for marketing purposes.
We do not use your health information for direct marketing.
Your opt-out rights: You can opt out of marketing communications at any time. Use the unsubscribe link in any marketing email we send, or contact us directly. We will action your request within five business days. Opting out of marketing will not affect your clinical care.
8. Cross-border disclosure (APP 8)
We aim to store and process your personal information within Australia. Our primary systems and databases are hosted in Australia.
Some of our technology providers may store data on servers outside Australia. For example, cloud-hosted software may use data centres in the United States, the European Union, or Singapore. Where this occurs, we take reasonable steps to ensure the overseas recipient handles your information consistently with the APPs. This includes reviewing their privacy policies and data processing agreements.
We will not send your health information overseas without your informed consent, unless required by law.
9. Government identifiers (APP 9)
We collect government identifiers (such as your Medicare number, DVA file number, or NDIS participant number) only when they are required for billing, funding claims, or legal compliance.
We do not use government identifiers as our own client identifier. We assign our own internal reference numbers for practice management.
10. Quality of personal information (APP 10)
We take reasonable steps to make sure your personal information is accurate, complete and up to date. We do this by:
- Asking you to confirm your details at regular intervals
- Updating your records when you tell us something has changed
- Cross-checking information when it is provided by a third party
Please let us know as soon as possible if any of your details change. Accurate information helps us provide you with the best possible care.
11. Security of personal information (APP 11)
We protect your personal and health information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:
- Password-protected systems with role-based access controls
- Encryption of data in transit (TLS/SSL) and at rest where supported
- Secure storage of physical records in locked facilities
- Staff training on privacy, confidentiality, and information security
- Regular review of access permissions
- Secure disposal of records that are no longer required (shredding for paper, secure deletion for digital)
When your personal information is no longer needed for any purpose covered by this policy, and we are not required by law to keep it, we will take reasonable steps to destroy or permanently de-identify it.
12. Access to your personal information (APP 12)
You have the right to access the personal and health information we hold about you. This includes your clinical records.
To request access, contact us in writing at [email protected]. We will respond within 30 days.
Constellation Therapies Pty Ltd will not charge a fee for lodging an access request. We may charge a reasonable administrative fee for preparing and providing copies of your records. We will tell you about any fee before we proceed.
We may verify your identity before releasing your information. We do this to protect your privacy.
In limited circumstances, we may refuse access. For example:
- Where providing access would pose a serious threat to the life, health, or safety of any individual
- Where access would unreasonably impact the privacy of another person
- Where the request is frivolous or vexatious
- Where access would be unlawful or would prejudice legal proceedings
If we refuse access, we will explain our reasons in writing and outline how you can complain about the decision.
13. Correction of personal information (APP 13)
You have the right to ask us to correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
To request a correction, contact us in writing at [email protected]. We will respond within 30 days.
If we agree the information is incorrect, we will update our records and notify any third parties we have previously shared it with (where reasonable).
If we disagree with your correction request, we will explain our reasons in writing. You can ask us to attach a statement of your requested correction to the record.
Clinical records: Clinical notes written by a clinician reflect their professional observations at the time of the consultation. We may not alter these notes, but we can add an addendum to reflect your views or updated information.
14. Health information
As an allied health practice, we collect and handle health information as defined in section 6 of the Privacy Act 1988. This includes:
- Information about your physical or mental health, including a disability
- Information about a health service provided or to be provided to you
- Other personal information collected to provide you with a health service
- Genetic information about you
We also comply with state and territory health records legislation where it applies, including the Health Records Act 2001 (Vic) for our Victorian operations and the Health Records and Information Privacy Act 2002 (NSW) where relevant. Queensland does not have separate health records legislation, so the Commonwealth Privacy Act applies.
We handle all health information with additional care, consistent with the Health Privacy Principles (HPPs) where applicable.
15. Clinical records retention
We retain clinical records for the minimum periods required by law:
- Adults: A minimum of 7 years from the date of the last entry in the record
- Children (under 18 at the time of treatment): Until the person turns 25 years of age, or 7 years from the date of the last entry, whichever is longer
These retention periods are consistent with the Health Records Act 2001 (Vic) (s.19), the Health Practitioner Regulation National Law, and relevant professional registration board guidelines.
After the retention period expires, we securely destroy or permanently de-identify the records. We use appropriate methods for both paper and digital records.
Some records may need to be kept longer. This may apply where ongoing legal proceedings, complaints, or professional investigations are in progress.
16. Notifiable Data Breaches scheme
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (ss 26WA to 26WR).
An eligible data breach occurs when personal information we hold is lost, accessed, or disclosed without authorisation, and this is likely to cause serious harm to any affected individual.
If we suspect an eligible data breach has occurred, we will:
- Conduct a reasonable and expeditious assessment within 30 days
- Take immediate steps to contain the breach and reduce potential harm
- Notify the Office of the Australian Information Commissioner (OAIC) if the breach is assessed as eligible
- Notify all affected individuals as soon as practicable, with information about what happened, what data was involved, and what steps they can take
If you believe your personal information has been compromised, please contact us immediately at [email protected] or 1300 294 635.
17. Cookies and tracking technologies
Our website uses cookies and similar tracking technologies to understand how visitors use our site and to improve your experience.
What we use
- Google Analytics (GA4): Collects anonymised data about page views, session duration, device type, and traffic sources. Google Analytics uses cookies to distinguish between visitors. Data is processed by Google and may be stored on servers outside Australia.
- Google Tag Manager (GTM): Manages the loading of analytics and marketing scripts on our website. GTM itself does not collect personal data, but it facilitates the tags that do.
- Meta Pixel (Facebook Pixel): Tracks website activity to measure the effectiveness of our advertising on Facebook and Instagram. The Meta Pixel may collect data such as pages visited, actions taken, and device information. This data is shared with Meta Platforms, Inc. and may be processed outside Australia.
Essential cookies
Some cookies are essential for the website to function correctly. These include session cookies and security cookies. You cannot opt out of essential cookies.
Managing your cookie preferences
You can control cookies through your browser settings. Most browsers let you block or delete cookies. Please note that disabling cookies may affect your experience on our website. You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
Cookie data does not include your health information or clinical records.
18. Telehealth privacy
We provide therapy services via telehealth (video and phone consultations). The following additional privacy measures apply to telehealth sessions:
- Platform security: We use reputable video conferencing platforms with end-to-end encryption or transport-layer encryption. We select platforms that comply with Australian privacy standards.
- Recording: We do not record telehealth sessions without your explicit consent. If recording is necessary (for example, for clinical supervision), we will explain why and ask for your written consent beforehand.
- Your environment: We encourage you to take telehealth sessions in a private space. We cannot guarantee the privacy of your environment during the session.
- Data in transit: Audio and video data transmitted during telehealth sessions is encrypted. We do not store recordings of sessions unless you consent.
- Clinical notes: Our clinicians take notes during or after telehealth sessions, just as they would in a face-to-face appointment. These notes are stored in our practice management system under the same security measures as all clinical records.
19. Third-party tools and platforms
We use third-party software and platforms to support the delivery of our services. These include:
- Practice management software: For scheduling, clinical record keeping, billing, and client communication. Access is restricted to authorised staff.
- Video conferencing platforms: For telehealth consultations (such as Zoom, Microsoft Teams, or similar).
- Cloud storage and email: For secure storage of files and business communication.
- Payment processing: For processing payments securely. We do not store full credit card numbers in our systems.
- NDIS and funding portals: For submitting service claims and reports to the NDIA and other funding bodies.
We choose third-party providers that have appropriate privacy and security practices. Where possible, we select providers that store data in Australia. We review their privacy policies and terms of service before use.
We are responsible for the personal information we share with these providers and take reasonable steps to ensure they handle it in accordance with the APPs.
20. My Health Record
My Health Record is Australia's digital health record system, managed by the Australian Digital Health Agency.
If you have a My Health Record and we are a registered healthcare provider in the system, we may upload relevant health information (such as shared health summaries or discharge summaries) to your My Health Record. We will only do so in accordance with the My Health Records Act 2012 (Cth).
You control your My Health Record. You can set access controls, remove documents, and restrict which healthcare providers can view your record. For more information, visit www.myhealthrecord.gov.au.
21. AI and automated tools
We may use artificial intelligence (AI) or automated tools to support our administrative and clinical operations. Examples may include:
- Automated appointment reminders and scheduling
- AI-assisted transcription of clinical notes (where used, these are reviewed by a clinician before being saved to your record)
- Automated form processing for intake or referral information
If we use AI tools that process your personal or health information, we will:
- Tell you about the use of AI in your care
- Ensure a qualified clinician reviews any AI-generated clinical content before it is added to your record
- Assess the privacy and security practices of any AI tool before use
- Not use AI to make clinical decisions without human oversight
Clinical decisions about your care are always made by qualified health professionals. AI tools support administrative efficiency. They do not replace clinical judgment.
22. Complaints and external pathways
If you believe we have breached your privacy, or if you have a complaint about how we have handled your personal or health information, we want to hear about it.
Contact us first
Please contact us directly:
- Email: [email protected]
- Phone: 1300 294 635
- Post: Privacy Officer, Constellation Therapies Pty Ltd, 1 Smithfield Street, Gympie QLD 4570
We will acknowledge your complaint within five business days and investigate it. We aim to resolve complaints within 30 days. We will keep you informed of our progress.
External complaints
If you are not satisfied with our response, or if you prefer to complain to an external body, you can contact:
- Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au/privacy/privacy-complaints | Phone: 1300 363 992
- Queensland Office of the Health Ombudsman (OHO): www.oho.qld.gov.au | Phone: 133 OHO (133 646)
- Victorian Health Complaints Commissioner (HCC): www.hcc.vic.gov.au | Phone: 1300 582 113
- NSW Health Care Complaints Commission (HCCC): www.hccc.nsw.gov.au | Phone: 1800 043 159
- Australian Health Practitioner Regulation Agency (AHPRA): www.ahpra.gov.au | Phone: 1300 419 495
AHPRA handles complaints about the conduct, health, or performance of registered health practitioners. The state health complaints bodies handle complaints about health services more broadly.
Policy updates
We may update this policy from time to time. The current version is always available on our website. We encourage you to review it periodically.
If we make changes that materially affect how we handle your health information, we will take reasonable steps to notify you.
Contact us
If you have any questions about this privacy policy or how we handle your personal information, please contact us:
- Email: [email protected]
- Phone: 1300 294 635
- Address: 1 Smithfield Street, Gympie QLD 4570