Skip to main content
Open Book Clinical/Privacy Policy

Privacy Policy

Effective date: 1 June 2025 · Auburn Health Pty Ltd (trading as Open Book Clinical) · ABN 86 679 963 681

This policy is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Health information collected through this platform is treated as sensitive information under APP 3.

1. Overview

Open Book Clinical is a clinical decision-support platform operated by Auburn Health Pty Ltd (trading as Open Book Clinical). We help AHPRA-registered allied health professionals find evidence-based answers from trusted clinical sources including Cochrane, PubMed, and Australian clinical guidelines.

This Privacy Policy explains how we handle personal information — including health information — that we collect from clinicians, students, and organisations who use our platform. It covers our website at openbook-clinical.vercel.app and all associated services.

By creating an account or using our services, you agree to the collection and use of information as described in this policy.

2. What we collect

We collect the following categories of personal information:

Account information

Full name, email address, professional role, AHPRA registration number, registration renewal date, specialisation, practice type.

Required to provide the service.

Search queries

The text of clinical questions you submit. These may incidentally include patient information if you choose to include it — see Section 3.

Required to return search results.

CPD activity logs

Activity type, AHPRA category, hours, date, and any notes you add when logging CPD activities.

Required to provide CPD tracking.

Payment information

Billing email, subscription plan, Stripe customer ID. We do not store card numbers, CVVs, or bank account details — these are held exclusively by Stripe.

Required to manage paid subscriptions.

Usage data

Pages visited, features used, search counts, care plans generated. Used in aggregate to improve the platform.

Legitimate interest in service improvement.

Technical data

IP address, browser type, device type, referring URL. Collected automatically by our hosting provider.

Security and platform stability.

3. Health information and patient queries

⚠️ Important: Do not include patient names, dates of birth, Medicare numbers, or other identifying information in your search queries. Use de-identified descriptions only (e.g. "65yo male post-stroke" rather than a patient's name).

Search queries you submit may constitute health information under the Privacy Act 1988 (Cth) if they relate to the health of an identifiable individual. We treat all search query text as potentially sensitive and apply the same protections as other health information.

What we do with query text: Queries are transmitted to our AI processing pipeline to generate responses. Query text is stored in our database for up to 90 days to enable your search history feature, after which it is automatically and permanently deleted (see Section 7 — Data Retention).

What we do not do: We do not use query text to build profiles of individual patients. We do not sell or disclose query text to third parties except as required to operate the service (see Section 5). We do not use query text for advertising.

Your AHPRA number and registration details are stored solely to power the compliance tracking features of your account and are never shared with AHPRA or any third party without your explicit consent.

4. How we use your information

We use personal information we collect to:

  • Provide, operate, and improve the Open Book Clinical platform
  • Return AI-generated clinical evidence summaries in response to your queries
  • Manage your account, subscription, and billing
  • Track CPD hours and AHPRA registration renewal dates at your request
  • Send transactional emails (account confirmation, password reset, subscription receipts)
  • Send product update and engagement emails (you may opt out at any time)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with our legal obligations under Australian law

We do not use your information to make automated decisions with legal or significant effects without human review. Our platform provides decision support — clinical decisions remain entirely with the treating clinician.

5. Third-party service providers

We share personal information with the following third-party providers, each of whom processes data only as necessary to provide their service:

Supabase Inc.

Database and authentication

Data stored in AWS ap-southeast-2 (Sydney)

Privacy policy ↗

Vercel Inc.

Web hosting and edge functions

United States (with Australian edge nodes)

Privacy policy ↗

Stripe Inc.

Payment processing

United States — PCI DSS Level 1 certified

Privacy policy ↗

Postmark (Wildbit)

Transactional email delivery

United States

Privacy policy ↗

OpenAI / AI provider

AI processing of search queries

United States — queries are processed but not used for model training under our agreement

Privacy policy ↗

Where providers are located outside Australia, we take reasonable steps to ensure they are subject to substantially similar privacy protections, consistent with APP 8.

We do not sell personal information to third parties. We do not share personal information with advertisers. We do not share information with AHPRA, Medicare, or any government body except where compelled by law.

6. Data retention

We retain personal information only for as long as necessary for the purposes set out in this policy or as required by law:

Account information

Duration of account + 7 years after closure

Tax and compliance obligations

Search query history

90 days, then automatically deleted

Minimise health information retention

CPD activity logs

Until you delete them or close your account

Required for CPD tracking feature

Payment records

7 years from transaction date

Australian tax law (ITAA 1997)

Audit logs (security)

12 months

Security incident investigation

Marketing email opt-outs

Indefinitely

To honour opt-out requests permanently

Search query history is deleted automatically by a scheduled process that runs every 24 hours. You can also delete individual searches manually from your search history at any time.

7. Security

We implement the following technical and organisational measures to protect your information:

  • All data in transit is encrypted via TLS 1.2+
  • Data at rest is encrypted by our database provider (Supabase/AWS)
  • Row-level security policies ensure each user can only access their own data
  • Passwords are hashed using bcrypt — we never store plaintext passwords
  • Payment card data is never transmitted to or stored on our servers
  • Production API keys and secrets are stored as environment variables, never in source code
  • Access to production systems is restricted to authorised personnel only

No system is completely secure. If you have reason to believe your account has been compromised, please contact us immediately at privacy@openbook-health.com.

8. Your rights (APP 12 & 13)

Under the Australian Privacy Principles, you have the right to:

Access your data

Request a copy of all personal information we hold about you. We will respond within 30 days.

Correct your data

Request correction of inaccurate or out-of-date information. You can update most information directly in your account settings.

Delete your account

Request deletion of your account and associated personal information, subject to retention requirements for tax and legal records.

Opt out of marketing

Unsubscribe from non-essential emails at any time via the link in any email or by contacting us.

Data portability

Request an export of your CPD logs and search history in CSV format before account deletion.

Lodge a complaint

If you believe we have breached the APPs, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, email us at privacy@openbook-health.com. We will respond within 30 days. Identity verification may be required before we can action requests.

9. Cookies and tracking

We use strictly necessary cookies to maintain your authenticated session. These are set by Supabase Auth and are required for the platform to function. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individual users.

We use aggregate, anonymised analytics to understand platform usage. This data does not identify individual users and is not shared with third parties.

By using our platform, you consent to the use of strictly necessary cookies. If you disable cookies, you will not be able to log in.

10. Data breach response

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach that is likely to result in serious harm to any affected individual, we will:

  • Contain the breach and assess its likely impact
  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and no later than 30 days after becoming aware
  • Notify affected individuals directly where required
  • Take steps to prevent a recurrence

If you become aware of a potential security vulnerability or breach involving our platform, please disclose it responsibly to privacy@openbook-health.com.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify you by email. Your continued use of the platform after a change constitutes acceptance of the revised policy.

Previous versions of this policy are available on request.

12. Contact us

For privacy inquiries, access requests, correction requests, or complaints:

Privacy Officer — Auburn Health Pty Ltd (trading as Open Book Clinical)

Email: privacy@openbook-health.com

We aim to respond to all privacy enquiries within 5 business days, and to resolve all requests within 30 days as required by the Privacy Act.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).

This policy was last updated on 1 June 2025. It is written to comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the Notifiable Data Breaches scheme. This document does not constitute legal advice.