Closed beta · waitlist BrainScribe is pre-launch. AHPRA-registered specialists practising in Australia — join the first cohort
BrainScribeai
Legal

Privacy Policy

Version 2026-05 · Last updated 20 May 2026
Pre-launch draft. BrainScribe is in closed beta. This policy is published in draft so beta practitioners can review it before participating. The binding version will be reissued at the date of first commercial use; any material changes will be communicated to beta participants in advance.

BrainScribe is built for clinicians who work with sensitive health information every day. We take that responsibility seriously. This policy explains what we collect, why we collect it, how we protect it, and your rights under Australian privacy law.

1. Who we are

BrainScribe Pty Ltd (ABN to be issued upon incorporation; this draft policy is provided pre-commercial-launch for transparency during the closed beta) operates the BrainScribe platform — a clinical neuropsychology reporting tool for AHPRA-registered practitioners in Australia. References to "BrainScribe", "we", "us", and "our" in this policy refer to BrainScribe Pty Ltd.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. Because we handle health information as part of our core service, we treat all patient-related data as sensitive information under APP 3.

Privacy Officer contact:
Email: privacy@brainscribe.health
Post: Privacy Officer, BrainScribe Pty Ltd, c/o The Brain & Mind Clinic, Shop 3, 1 Hospital Boulevard, Southport QLD 4216 Australia

2. What information we collect

There are two distinct groups of people whose data we handle: practitioners (you, the account holder) and patients or clients (the individuals whose assessments you document using the platform).

2a. Practitioner and account data

When you create and use a BrainScribe account, we collect:

  • Full name, professional title, and email address
  • AHPRA registration number and specialty
  • Practice or clinic name, address, and contact details
  • Billing information (processed by our payment provider; we do not store full card details)
  • Account preferences and notification settings

2b. Patient and client data

Patient data is entered into the platform by you, the practitioner. We do not collect it directly from patients. This data may include:

  • Patient name, date of birth, and referral details
  • Assessment scores, percentiles, and norm-referenced results
  • Observations, clinical notes, and history recorded during the assessment
  • Report drafts and final exported documents
  • Any other information you choose to enter into the platform
Data controller and processor roles. For patient data, you (the practitioner) are the data controller — you decide what is collected and why. BrainScribe acts as a data processor, handling that data only on your instruction and for the purpose of providing the service. Your obligations to your patients under the Privacy Act, AHPRA standards, and applicable health records legislation remain with you.

2c. Usage and technical data

We also collect information about how the platform is used:

  • Log data: IP addresses, browser type, pages visited, timestamps
  • Platform analytics: feature usage, report generation events, session duration
  • Error and diagnostic data to identify and fix technical problems

This data is used in aggregate and is not linked to individual patient records.

3. How we use your information

We use the information we collect only for the following purposes:

  • Service delivery: generating report drafts, looking up normative data, managing your account and assessments
  • Account management: authentication, billing, support, and communications about your account
  • Platform improvement: understanding how features are used so we can fix problems and build better tools (using aggregated, de-identified analytics)
  • Safety and security: detecting fraud, preventing unauthorised access, and maintaining platform integrity
  • Legal compliance: meeting our obligations under Australian law, including responding to lawful requests from regulators or courts
We do not use your data for advertising. We do not sell practitioner or patient data to third parties. We do not use patient data to train AI or machine learning models without your explicit, opt-in consent. Full stop.

4. Sensitive health information (APP 3)

Patient assessment data is sensitive information under the Privacy Act. Under APP 3, we collect and handle sensitive information only with consent and only for the purpose for which it was provided.

Practically, this means:

  • Patient data is used only to generate and store the assessment record and report that you create
  • Access to patient data is limited to you and, where you have authorised it, other members of your practice
  • No BrainScribe staff member accesses patient data in identifiable form except where necessary to resolve a support issue you have specifically raised, and only with your knowledge
  • Patient identifiers are separated from clinical content before any model-assisted processing. The mapping between identifiers and clinical records is held securely and only you hold the link

4a. Planned — session recordings, transcripts and scheduling

Planned for closed beta. The integrated session described on the integrated session page — appointment scheduling, electronic consent, browser-based video, audio-only or audio + video recording, and identified-speaker transcript — is on the closed-beta build path, not yet operating. This section describes how that data will be governed when those features land, so the data-handling commitments are visible up front.

When session recordings and transcripts land in the platform, the following commitments will apply:

  • Recording is consent-gated. Audio and video recording (in any combination) requires a signed consent.video_recording object before any capture occurs. Audio-only and audio + video are governed by the same consent with a captured mode flag.
  • Transcription has its own consent. A signed consent.transcript object is required before any model-assisted processing of the recording runs. A client may consent to recording but not to transcription; in that case, recording will be retained as raw media without a transcript layer.
  • Recordings attach to the assessment record. Audio and video material is part of the same assessment record the report is composed from. Access is scoped to the clinician (and, on Practice tier, the practice members the clinician has authorised).
  • Identifier separation extends to the transcript. Identifiers are substituted out of transcript text before any model-assisted routing into report sections. The clinician sees the un-substituted transcript on their screen; the automation sees only the tokenised content.
  • Withdrawal is a first-class action. Telehealth consent, recording consent and transcript consent are each independently revocable. Withdrawal of any one does not affect the others; the underlying consent object remains on the record with a withdrawal timestamp for audit purposes.
  • No cross-border processing. Session recordings, transcripts and the model-assisted processing that derives report sections from them will remain within Australian-standard infrastructure.

The commercial relationship behind the video and recording layer follows a publisher-licence-style integration pattern — a named partnership where the practitioner's consent and the underlying telehealth infrastructure operate under BrainScribe's terms. That partnership is on the roadmap, not in place today.

5. How we store and protect your data

All BrainScribe data is stored on Australian infrastructure. We use Amazon Web Services in the ap-southeast-2 (Sydney) region. Data does not leave Australian jurisdiction except as described in Section 9 below.

We apply the following security controls:

  • Encryption at rest: all data is encrypted using AES-256
  • Encryption in transit: all connections use TLS 1.2 or higher
  • Access controls: role-based permissions; staff access is least-privilege and logged
  • Authentication: multi-factor authentication is available and encouraged for all accounts
  • Vulnerability management: regular security reviews and penetration testing
  • Incident response: a documented incident response procedure, including notification obligations under the Notifiable Data Breaches scheme (see Section 14)

No security measure is perfect. If you become aware of any unauthorised access to your account or patient data, please contact us immediately at privacy@brainscribe.health.

6. Data retention

Practitioner account data
Retained for the life of your account and for seven years following account closure. The seven-year period reflects standard medico-legal record-keeping expectations in Australia and our obligations under applicable law.
Patient and assessment data
Retained for the life of your account. If you close your account, patient data is deleted within 30 days of closure unless you request earlier deletion or export. You can also delete individual patient records from within the platform at any time.
Usage and log data
Retained for 12 months, then deleted or de-identified.

Where law requires us to retain data for a longer period, we will do so but will restrict access and use during that extended retention period.

7. Sharing your information

We share data only where necessary to operate the platform. The categories of recipients are:

  • Infrastructure sub-processors: AWS (hosting, storage, compute — Sydney region)
  • Email delivery: a transactional email provider for account notifications (these receive only practitioner email addresses, not patient data)
  • Payment processing: a PCI-DSS compliant payment provider. They receive billing details; we receive a payment token only
  • Customer support tools: where you contact us for support, communications may be logged in our support system

All sub-processors are engaged under data processing agreements that prohibit them from using BrainScribe data for their own purposes.

We do not share your data with:

  • Advertisers or data brokers
  • AI model training platforms (without your explicit consent)
  • Other BrainScribe customers
  • Any party for commercial benefit

We may disclose data if required to do so by law, court order, or lawful request from a regulatory authority. Where we are legally permitted to do so, we will notify you of such a request before complying.

8. Your rights — access and correction

Under the Australian Privacy Principles, you have the right to:

  • Access (APP 12): request a copy of the personal information we hold about you
  • Correction (APP 13): request that inaccurate, out-of-date, incomplete, or misleading information be corrected

To make an access or correction request, email privacy@brainscribe.health with "Privacy Request" in the subject line. We will respond within 30 days of receiving your request, as required under the APPs. If we cannot fulfil your request (for example, because disclosure would affect another person's privacy), we will explain why in writing.

There is no charge for making a reasonable access request. If we need to provide a large volume of information, we may charge a reasonable fee for retrieval costs — we will advise you of any fee before proceeding.

Note on patient data: If you are a patient and your practitioner has used BrainScribe to document your assessment, your right of access to that clinical record sits with your practitioner. We recommend contacting them directly in the first instance. We can assist if the practitioner directs us to do so.

9. Overseas disclosure (APP 8)

Our primary data storage and processing occurs in Australia (AWS ap-southeast-2, Sydney). Some sub-processors — such as our email delivery provider or support tooling — may have infrastructure or staff outside Australia.

Where we disclose personal information to an overseas recipient, we take steps required under APP 8 to ensure that recipient handles the information in a manner consistent with the APPs. This is achieved through contractual data processing agreements that bind overseas sub-processors to equivalent privacy protections.

Patient clinical data is not transferred outside Australia except where necessary to deliver the core service, and only where the protections described above are in place. We will update this section if our sub-processor arrangements change materially.

10. Cookies and analytics

We use a small number of cookies and similar technologies to operate the platform:

  • Session cookies: essential for keeping you logged in. These expire when you close your browser or log out.
  • Preference cookies: remembering your platform settings (e.g., display preferences). These persist until you clear them.
  • Analytics: we use privacy-respecting analytics to understand aggregate usage patterns. This does not involve third-party advertising trackers. IP addresses collected for analytics are anonymised.

You can disable non-essential cookies through your browser settings. Disabling session cookies will prevent you from logging in.

11. Children's data

BrainScribe is a professional platform directed at registered healthcare practitioners. It is not intended for use by individuals under 18 years of age as account holders.

Practitioners may enter assessment data relating to paediatric patients in the course of clinical work. This data is handled as sensitive health information (Section 4 above) and subject to all the same protections. The practitioner, as the clinician responsible for the child's assessment, holds the data controller obligations for that data and is responsible for ensuring appropriate consent or authorisation is in place under applicable child privacy and health records law.

12. Contact our Privacy Officer

If you have a question, concern, or complaint about how we handle your personal information, please contact our Privacy Officer:

Email: privacy@brainscribe.health
Subject line: "Privacy enquiry" or "Privacy complaint"
Post: Privacy Officer, BrainScribe Pty Ltd, [Address placeholder], Australia

We will acknowledge your complaint within five business days and aim to resolve it within 30 days. If we need more time, we will let you know.

If you are not satisfied with our response, you have the right to complain to the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

13. Changes to this policy

We may update this policy from time to time to reflect changes in the law, our practices, or our services. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify active account holders by email at least 14 days before the change takes effect
  • For significant changes affecting how we handle sensitive health information, we will seek your acknowledgement before the change applies to your account

Continuing to use BrainScribe after a policy change takes effect constitutes acceptance of the updated terms.

14. Notifiable Data Breaches

BrainScribe is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we experience a data breach that is likely to result in serious harm to affected individuals, we are required to:

  • Notify the OAIC as soon as practicable
  • Notify affected individuals directly, or publish a statement on our website if direct notification is not practicable

We maintain a documented incident response procedure aligned to these obligations. In the event of a breach, our first priority is to contain it, assess the scope, and notify affected individuals promptly and clearly.

If you suspect a breach involving your account or patient data, contact us immediately at privacy@brainscribe.health. We treat all such reports with urgency.