Naia Health — Privacy Policy
Last Updated: 17/01/26
1. Purpose
The OA Hub Pty Ltd trading as Naia Health (“Naia Health”, “The OA Hub”, “we”, “our”, “us”) is committed to protecting the privacy and confidentiality of our patients’ personal and health information.
This Privacy Policy explains how we collect, use, store, and share your information in accordance with the Privacy Act 1988 (Cth), the Health Records and Information Privacy Act 2002 (NSW), and the Australian Privacy Principles (APPs).
By engaging our services or providing your personal information, you acknowledge and consent to the collection and handling of your information in accordance with this Privacy Policy.
2. Legal Basis for Collection
We collect and process personal and health information as permitted under Australian law.
Collection is necessary to:
provide and coordinate healthcare services;
manage administrative, financial, or communication systems required to operate the clinic;
comply with clinical, legal, and professional obligations;
improve quality and safety of care; and
support legitimate business, research, and health-outcome development activities across Naia Health and any future affiliated entities.
3. Information We Collect
We may collect a wide range of personal, health, and related information necessary to deliver healthcare services and to support our clinical, operational, and research objectives. This may include, but is not limited to:
Personal information: name, date of birth, gender, contact details, Medicare and health-fund information;
Health information: medical history, diagnoses, pathology and imaging results, medications, allergies, and clinical notes;
Lifestyle and outcome data: weight, BMI, strength, mobility, diet, physical-activity and rehabilitation data, and data from wearable or digital devices;
Audio and transcription data: recordings or transcriptions of consultations created through approved clinical documentation systems (e.g., digital or voice-transcription tools) used solely for accurate record-keeping and quality assurance;
Administrative data: billing, appointment, consent, and communication records; and
Other relevant information: any additional information that we reasonably determine is necessary or beneficial—now or in the future—for providing, coordinating, or improving healthcare, research, risk assessment, insurance, or other related services delivered by Naia Health or its affiliated or successor entities.
4. How We Collect Information
We collect information directly from you (for example, through forms, consultations, or digital tools), from your referring or treating practitioners, and from approved third parties such as diagnostic providers, allied-health professionals, laboratories, or insurers—always with your consent or as otherwise authorised by law.
Consultations may be securely recorded or transcribed using approved digital systems to assist accurate documentation and support clinical efficiency.
We may also receive information generated automatically through connected devices, health platforms, or partner systems used in the delivery or coordination of your care.
Where permitted, we may supplement this with information from publicly available or affiliated data sources to ensure the accuracy and continuity of your clinical record.
5. How We Use Your Information
We use your information to:
Deliver, coordinate, and continuously improve clinical care, including communication between clinicians and other providers involved in your treatment;
Manage administrative, financial, operational, and compliance functions, including billing, audit, and governance requirements;
Analyse clinical and operational outcomes to enhance quality, safety, and effectiveness of services;
Develop and evaluate new healthcare models, products, and programs, including data-driven approaches to prevention, rehabilitation, and insurance or risk-management services;
Support education, training, research, and innovation, both internally and with approved research or industry partners; and
Comply with professional, regulatory, and legal obligations.
By agreeing to this Privacy Policy, you consent to Naia Health collecting, using, and retaining your identified and de-identified health information to support the provision and development of healthcare, insurance, and risk-management services conducted by Naia Health Pty Ltd or any current or future affiliated or holding entities.
All such use will remain consistent with this Privacy Policy, applicable Australian law, and recognised privacy safeguards. Naia Health retains the right to update this policy as required to remain compliant with law and industry standards.
6. Identified Data Use & Ownership
You consent to Naia Health — and any current or future holding, parent, subsidiary, or successor entity — collecting, storing, analysing, and using your identified personal and health information for lawful purposes directly or reasonably related to the clinic’s functions, including:
the delivery, continuity, and coordination of care;
the integration and administration of healthcare, insurance, and related risk-management services;
quality assurance, audit, and model-of-care development;
data analysis, clinical and operational improvement, and legitimate business or research operations; and
the development, evaluation, or provision of future health, rehabilitation, digital-health, or insurance programs and predictive analytics systems.
Where legally permitted, Naia Health may share identified data with trusted partners — including affiliated healthcare providers, research institutions, insurers, or private or public healthcare companies — for collaborative activities aligned with evidence-based practice and conducted under confidentiality and data-protection agreements. All such sharing is subject to applicable Australian law and ethical requirements for clinical and research data.
All identified information remains the property of Naia Health and is handled in accordance with this Privacy Policy and Australian law. Identified information will never be disclosed for direct marketing or promotional purposes.
7. De-identified Data Use
You consent to Naia Health — and any current or future holding, parent, subsidiary, or successor entity — collecting, creating, analysing, commercialising, using, and disclosing de-identified data (with all personal identifiers removed or irreversibly encrypted) for any lawful purpose directly or reasonably related to healthcare, research, or business operations, including:
clinical research, health-outcome measurement, quality improvement, and service optimisation;
collaboration with universities, research institutions, government agencies, or other healthcare organisations;
partnerships with public or private healthcare, insurance, or related service organisations for activities aligned with evidence-based or regulatory-compliant practice;
the design, development, validation, or commercialisation of analytical, predictive, or digital-health models, artificial-intelligence systems, or data-driven wellness and insurance programs; and
any other legitimate purpose that contributes to the advancement, improvement, or delivery of healthcare, rehabilitation, prevention, or insurance-related services by Naia Health or its affiliates.
All de-identified information remains the property of Naia Health and is managed in accordance with the Privacy Act 1988 (Cth) and Australian Privacy Principles.
Recipients of de-identified data are strictly prohibited from attempting re-identification and must enter into binding confidentiality and data-protection agreements enforcing this obligation.
8. Third-Party Service Providers
We use secure external systems and service providers — including but not limited to practice management, cloud storage, email, communication, and billing platforms — to support the delivery of our services.
These providers operate under their own privacy and security frameworks and are required, by contract or by their own compliance standards, to maintain safeguards consistent with Australian privacy law and industry best practice.
While Naia Health does not directly control how such third parties store or secure data, we take reasonable steps to ensure that all service providers used by us have appropriate privacy and data-protection measures in place.
9. Digital Tools, AI, and Data Analytics
Naia Health uses approved digital systems, including artificial intelligence (AI), data analytics, and voice or transcription tools, to assist in the delivery, documentation, and continuous improvement of patient care.
Examples include digital health platforms, wearable devices, and clinical transcription software used for secure recording and conversion of consultations into clinical notes.
AI-assisted tools may analyse health data, generate insights, or suggest treatment options; however, all clinical decisions remain subject to review and confirmation by a qualified clinician.
No AI or automated system independently determines or replaces professional medical judgement.
By engaging our services, you consent to the collection, storage, and analysis of your information through these systems in accordance with this Privacy Policy and Australian law.
All such tools are used within controlled, privacy-compliant frameworks, and Naia Health takes reasonable steps to ensure that data used by or shared with these systems is protected against unauthorised access, misuse, or disclosure.
Naia Health accepts no liability for external system errors or AI outputs beyond its reasonable control but remains committed to maintaining clinical oversight, transparency, and data security in all AI-enabled activities.
10. Ownership and Transfer
If Naia Health undergoes any change in ownership, control, structure, or corporate affiliation — including but not limited to merger, acquisition, sale, reorganisation, corporate restructure, formation of or transfer to a holding, parent, subsidiary, or successor entity — all data (including personal, health, administrative, and de-identified information) may be transferred, assigned, or otherwise shared with the new or related entity.
Such transfer may occur for any lawful purpose directly or reasonably connected to the ongoing operation, continuity, or commercial development of Naia Health and its affiliates, including the continued delivery of healthcare, research, insurance, and related services.
Where legally permitted, data may also be stored, processed, or accessed by affiliated or successor entities in other jurisdictions, subject to privacy and security safeguards consistent with Australian law and this Privacy Policy.
Any acquiring, merging, or successor organisation will be required to adopt this Privacy Policy or an equivalent framework that provides substantially the same level of protection, ensuring ongoing compliance and continuity of obligations.
11. International Storage and Processing
Your information may be stored, processed, analysed, or accessed in Australia or in other jurisdictions where Naia Health, its holding, parent, subsidiary, or successor entities—or their approved service providers and partners—operate.
Such transfers may occur for lawful purposes directly or reasonably related to the delivery, coordination, development, or improvement of healthcare, insurance, research, or business operations.
All international transfers will be conducted in accordance with this Privacy Policy and the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APP 8) governing cross-border disclosures.
Naia Health takes reasonable steps to ensure that any overseas recipient upholds privacy protections that are substantially similar to those required under Australian law.
By providing your information or continuing to use our services, you expressly consent to this international storage, processing, and disclosure of your data for the purposes described in this Policy.
This Policy may be updated as Naia Health expands internationally to reflect local legal requirements.
12. Website Cookies, Analytics, and Tracking Technologies
Naia Health’s website and digital platforms may use cookies, pixel tags, session identifiers, analytics tools, device identifiers, and similar technologies (“Tracking Technologies”) to support secure system functionality, improve user experience, and analyse website performance.
Tracking Technologies may collect information such as IP addresses, device and browser details, pages visited, session duration, referral sources, and interaction patterns. This information may be used for:
website functionality and security;
fraud prevention and system monitoring;
analytics and performance measurement (e.g., Google Analytics);
lawful marketing or remarketing activities; and
service optimisation and user-experience improvement.
Where Tracking Technologies are operated by third-party service providers, those third parties process data in accordance with their own privacy policies. Naia Health takes reasonable steps to engage providers that maintain privacy safeguards consistent with Australian law but is not responsible for the independent privacy practices of those providers.
You may configure your browser to refuse cookies; however, doing so may affect website functionality or limit access to certain features.
Any information collected through Tracking Technologies will be handled in accordance with this Privacy Policy and the Privacy Act 1988 (Cth).
13. Payments and Billing Information
Naia Health may collect personal and billing information when processing payments for services, whether in person, over the phone, or through invoices issued electronically. This may include your name, contact details, appointment details and limited payment-related information necessary to complete the transaction.
All card payments made electronically or over the phone are processed securely through approved third-party payment providers such as Ezidebit or other PCI-DSS compliant processors. Where payment is made through such providers, Naia Health does not receive or store your full card number, security code (CVV/CVC), or other sensitive financial information. These details are provided directly to the payment processor and handled in accordance with their privacy and security frameworks.
For in-clinic payments, point-of-sale terminals may collect limited transaction details, but Naia Health does not retain full card data or security codes. Receipts or partial card identifiers printed on receipts do not constitute storage of financial information.
You acknowledge and agree that:
third-party payment processors operate under their own privacy, security, and data-handling policies;
while Naia Health takes reasonable steps to use reputable, compliant payment providers, it is not responsible for the acts, omissions, breaches, errors, or system failures of any third-party payment processor;
payment information may be stored or processed outside Australia through such providers, in accordance with their security frameworks; and
where you provide billing information over the phone or electronically, you authorise Naia Health and its payment processors to process the payment in accordance with applicable law and this Privacy Policy.
To the extent permitted by law, Naia Health accepts no liability for unauthorised access, loss, or misuse of financial information that occurs within third-party payment systems despite the implementation of reasonable safeguards.
14. Marketing Communications & Opt-Out
Naia Health may use your contact information to send you administrative, service-related, operational, and clinical communications, as well as marketing communications relating to our clinics, programs, products, subscription services, events, and services offered by Naia Health or its affiliated or successor entities.
Marketing communications may include email, SMS, digital advertising, remarketing, or targeted advertising campaigns conducted through platforms such as Google, Meta, or other digital service providers. These providers may use cookies, tags, or de-identified data to deliver advertising, subject to their own privacy frameworks.
By agreeing to this Privacy Policy, you consent to receive marketing communications from Naia Health until you opt out in accordance with this clause.
You may opt out of receiving marketing communications at any time by emailing support@naiahealth.com.au or by using the unsubscribe function in our messages. Opting out of marketing communications will not affect your ability to receive essential clinical, operational, or administrative communications required for your care or for the operation of the clinic.
To the fullest extent permitted by law, your consent to receive marketing communications is taken to be ongoing unless and until you opt out.
15. Storage, Retention, and Security
Naia Health uses secure digital and physical systems to collect, store, and protect information. We implement reasonable and proportionate technical, administrative, and physical safeguards — including encryption, role-based access controls, secure transmission protocols, audit logging, and continuous system monitoring — to prevent unauthorised access, alteration, misuse, loss, or disclosure of data.
All records are stored within secure servers and systems operated by Naia Health or approved service providers that maintain privacy and security protections consistent with Australian law and industry best practice.
Your records will be retained for the duration of your relationship with Naia Health and any affiliated, holding, or successor entity, and for as long as is reasonably necessary to:
provide or coordinate current, future, or potential healthcare, rehabilitation, or insurance services;
comply with applicable professional, regulatory, or legal record-keeping obligations;
support clinical, operational, or research continuity; or
protect the legitimate business, legal, and evidentiary interests of Naia Health and its affiliates.
Where legally permissible, Naia Health may securely retain information indefinitely to support long-term continuity of care, retrospective analysis, compliance, or the ongoing development of healthcare and insurance models.
When data is no longer required for these purposes, it will be securely destroyed or permanently de-identified in accordance with applicable privacy and health-record legislation.
16. Disclosure When Legally Compelled
Naia Health may disclose personal or health information if required or lawfully authorised under Australian law, including by court order, subpoena, warrant, statutory authority, or regulator (such as AHPRA, Medicare, or the Office of the Australian Information Commissioner).
Any such disclosure will be limited strictly to the information reasonably necessary to comply with the legal requirement.
Where legally permissible, we will take reasonable steps to notify you of the disclosure and provide context regarding the nature of the request.
Naia Health will verify the validity of all compulsory disclosure demands before releasing information and will object, narrow, or seek legal review where the scope appears excessive or outside lawful authority.
All disclosures are recorded and subject to internal audit and legal oversight.
17. Data Breach Notification
In the event of an actual or suspected data breach involving personal or health information, Naia Health will promptly assess the situation in accordance with the Notifiable Data Breaches Scheme under the Privacy Act 1988 (Cth).
If the breach is determined to be likely to result in serious harm to any individual, Naia Health will:
notify affected individuals as soon as reasonably practicable;
notify the Office of the Australian Information Commissioner (OAIC) in the prescribed form; and
take immediate steps to contain, investigate, and mitigate the impact of the breach.
Where a breach involves third-party service providers, Naia Health will coordinate the response and require those providers to take appropriate remedial action consistent with this Policy and Australian privacy law.
Notification obligations will not apply where remedial actions eliminate any risk of serious harm or where disclosure is restricted by law enforcement, national security, or court order.
Naia Health reserves the right to determine, in its sole discretion and in accordance with legal standards, the scope, timing, and manner of any notification.
To the extent permitted by law, Naia Health accepts no liability for unauthorised access, disclosure, or misuse of data that occurs despite the implementation of reasonable security safeguards.
18. Access and Correction
You may request access to, or correction of, your personal or health information by contacting support@naiahealth.com.au. Requests will be acknowledged within a reasonable timeframe and processed in accordance with the Privacy Act 1988 (Cth) and, where applicable, the Health Records and Information Privacy Act 2002 (NSW).
Naia Health reserves the right to:
verify your identity before providing access or making corrections;
refuse access or correction where legally permitted, including where disclosure would unreasonably impact the privacy of others, pose a serious threat to health or safety, or prejudice legal or investigative processes; and
provide access through summary reports or practitioner review rather than direct record release, where appropriate for clinical or legal reasons.
If access or correction is refused, you will be provided with written reasons and information on how to request a review of the decision. Naia Health may charge a reasonable administrative fee to cover costs of locating, compiling, or providing copies of records.
19. Withdrawal of Consent
You may withdraw consent for future use or disclosure of your personal information by submitting a written request to support@naiahealth.com.au.
Withdrawal of consent will apply prospectively only and will not affect any use, disclosure, or processing of information that has already occurred in accordance with this Privacy Policy or as required for lawful purposes.
Naia Health may continue to retain, use, and disclose your information — including identified and de-identified data — where necessary to:
provide or coordinate ongoing or future healthcare, insurance, or rehabilitation services;
meet legal, regulatory, or professional obligations;
maintain accurate medical and administrative records;
protect public health or safety; or
support de-identified research, quality assurance, or lawful business operations.
Complete deletion or removal of data may not be technically or legally feasible in all cases. Where data cannot be fully deleted, it will be securely archived or de-identified in accordance with Australian law and this Policy.
20. Limitation of Liability
To the maximum extent permitted by law, Naia Health, its holding, parent, subsidiary, and successor entities, and all associated directors, officers, employees, and contractors shall not be liable for any loss, damage, claim, liability, cost, or expense (including without limitation, indirect, incidental, special, punitive, or consequential damages, loss of profits, loss of opportunity, or reputational harm) arising out of or related to:
the collection, use, storage, disclosure, transfer, or processing of personal or health information in accordance with this Privacy Policy;
any unauthorised access, disclosure, alteration, or destruction of data despite reasonable safeguards;
interruptions, errors, or failures in third-party systems, software, or communication platforms used by Naia Health;
the use of digital tools, AI systems, or automated analytics employed in the delivery or management of services; or
any international storage or lawful transfer of data conducted under this Policy.
Nothing in this clause limits liability that cannot lawfully be excluded under the Privacy Act 1988 (Cth), the Health Records and Information Privacy Act 2002 (NSW), or other applicable legislation.
21. Severability
If any provision of this Privacy Policy is held to be invalid, unlawful, or unenforceable by a court or regulator of competent jurisdiction, such provision will be severed to the extent necessary to render the remaining provisions valid and enforceable.
The remaining terms will continue in full force and effect and shall be interpreted to give effect to the original intent of the Policy as closely as possible.
Any invalid or unenforceable provision shall be replaced automatically with a valid, enforceable term that most closely reflects the purpose and intent of the original provision, consistent with applicable law.
22. Policy Updates
Naia Health may amend, update, or replace this Privacy Policy at any time to reflect legal, technological, operational, or organisational changes, or to accommodate new services, partnerships, or business models.
Any revised version will be published on our website and will take effect immediately upon publication, unless otherwise stated.
By continuing to engage with Naia Health or use its services after any update, you acknowledge and agree to be bound by the revised Policy.
Where material changes are made that affect the way your personal information is handled, reasonable steps will be taken to notify you — such as through email, clinic notices, or updated consent materials — in accordance with Australian law.
23. Governing Law
This Privacy Policy, and any dispute, claim, or proceeding arising out of or in connection with it, including its existence, validity, interpretation, performance, or termination, shall be governed by and construed in accordance with the laws of New South Wales, Australia, without regard to any conflict-of-law principles.
You irrevocably submit to the exclusive jurisdiction of the courts of New South Wales, and any courts of appeal therefrom, for the resolution of all disputes arising in connection with this Policy or the handling of your information.
To the fullest extent permitted by law, you waive any objection to such venue, including on the grounds of forum non conveniens or equivalent, and agree that proceedings shall not be brought in any other jurisdiction.
If Naia Health operates or holds entities in other jurisdictions, this clause shall continue to apply, and any foreign entity shall rely on the governing law and venue of New South Wales for dispute resolution.
24. Contact
If you have any questions, concerns, or requests relating to this Privacy Policy or how your information is handled, please contact us at:
Email: support@naiahealth.com.au