Privacy Policy

Effective Date: 24 April 2026

Last updated: 2026-04-24 · Governing law: New South Wales, Australia

01 Introduction

Introduction

Routiq Pty Ltd (ABN 77 686 999 306, ACN 686 999 306) ("Routiq," "we," "our," or "us") is an Australian-registered software-as-a-service provider based at Level 2, 11 York Street, Sydney NSW 2000. We operate www.routiq.ai, app.routiq.ai and labs.routiq.ai.

This Privacy Policy explains how we handle personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme and applicable state health-records legislation (including the Health Records Act 2001 (Vic) and the Health Records and Information Privacy Act 2002 (NSW)).

The policy is written for two audiences: clinic owners and staff who subscribe to our service, and patients of those clinics whose data we process on a clinic’s behalf. Where a clinic is our customer, this policy operates alongside the Customer Data Processing Addendum.

02 Our role

Our Role

Routiq acts as a Processor. We handle personal information on behalf of our customer clinics, who are the Controllers (the APP entities with primary accountability under the Privacy Act) for their patient records. Clinics own the relationship with their patients and remain responsible for obtaining consent to contact, for the accuracy of clinical records, and for responding to patient privacy requests under APP 12 and APP 13.

We process personal information only on the documented instructions of the customer clinic — via this policy, the Customer DPA, the Master Services Agreement, and the clinic’s configuration inside app.routiq.ai. Where a subprocessor handles data on our behalf, they receive the same flow-down instructions.

03 Collection

Information We Collect

3.1 From clinics and their staff

  • Business-account details — clinic name, ABN, business address, subscription tier
  • Admin-user details — staff name, work email, role, authentication credentials and MFA state
  • Billing contact and payment method (tokenised via Stripe)
  • Support correspondence and product feedback voluntarily submitted

3.2 From patients, via the clinic’s practice-management system

  • First name, surname, mobile phone number and email address
  • Date of birth (where surfaced by the clinic’s system)
  • Appointment metadata — practitioner, appointment type, date, time, status
  • Marketing and communication consent state — opt-in/opt-out flags, preferred channel
  • Conversation content — inbound and outbound SMS/WhatsApp message text exchanged via the Routiq-managed channel
  • Technical metadata required to operate the service — delivery receipts, timestamps, device-identifier hashes

3.3 What we do NOT collect

By design, Routiq’s integrations do not ingest, and our systems do not store, the following categories. This exclusion is enforced at the integration layer — API calls either don’t request these fields or strip them before persistence.

  • Clinical notes, SOAP notes or treatment records
  • Diagnoses, test results, imaging or prescriptions
  • Referral letters
  • Medicare numbers, DVA numbers, private-health-fund claim details
  • Credit-card numbers or other payment-instrument data (billing is tokenised via Stripe)
  • Healthcare identifiers from My Health Record

04 Use

How We Use Information

We use personal information strictly to deliver the contracted service to the customer clinic. Specifically:

  • Patient reactivation campaigns — appointment reminders, rebooking prompts and reactivation outreach on the clinic’s behalf, based on configuration and recorded consent state.
  • AI Reception Assistant — handling inbound patient enquiries, booking, rescheduling and cancellations. Administrative, not clinical — see §11.
  • Reporting to the clinic — service-usage metrics and campaign outcomes for the clinic’s own review.
  • Service operation and support — authentication, billing, security monitoring, troubleshooting, incident response, and complying with legal or regulatory obligations that bind Routiq.

We do not sell, rent or trade personal information. We do not market to patients in our own name — outbound messages are sent on behalf of the subscribing clinic. We do not build or operate profiling systems that target individual patients for purposes unrelated to their clinic relationship.

05 Subprocessors

Subprocessors

We engage third parties to deliver specific parts of the service. Every subprocessor that stores, processes or transmits data on our behalf is listed below. If a provider is not on this list, it has not been approved to receive Routiq-held data.

| # | Name | Function | Region | Certification | DPA status |
|---|------|----------|--------|---------------|------------|
| 1 | Supabase Inc. | Managed PostgreSQL, auth, object storage | AWS ap-southeast-2 (Sydney) | SOC 2 Type II, HIPAA-eligible BAA | Signed |
| 2 | Vercel Inc. | Application hosting, edge compute | Edge-global; origin target syd1 | SOC 2 Type II, ISO 27001 | Signed |
| 3 | Amazon Web Services (AWS) | Underlying IaaS for Supabase only | ap-southeast-2 (Sydney) | SOC 2, ISO 27001, IRAP-assessed, PCI DSS | Inherited via Supabase |
| 4 | Cloudflare, Inc. | DNS, TLS termination, WAF, CDN | Edge-global | ISO 27001, SOC 2 Type II, PCI DSS | Signed |
| 5 | Chatwoot Inc. (Chatwoot Cloud) | SMS + WhatsApp conversation orchestration | United States (AWS) | SOC 2 Type II, GDPR-compliant | Pending execution — target 2026-05-01 |
| 6 | Anthropic PBC (Claude API) | LLM inference for Reception Assistant + message drafting | United States | SOC 2 Type II | Signed — no-training-on-API-data |
| 7 | OpenAI LLC | Whisper speech-to-text; narrow condition tagging | United States | SOC 2 Type II | Signed — no-training-on-customer-data |
| 8 | Functional Software Inc. (Sentry) | Application error monitoring (PII-scrubbed) | EU — Frankfurt | SOC 2 Type II, ISO 27001 | Signed |
| 9 | PostHog Inc. | Staff-side product analytics (IP-truncated) | United States | SOC 2 Type II | Signed |
| 10 | Resend Inc. | Transactional email to clinic owners | United States | SOC 2 Type II | Signed |
| 11 | Stripe Inc. | Clinic-subscription billing (no patient data) | United States | PCI DSS Level 1, SOC 1/2/3, ISO 27001 | Signed |
| 12 | GitHub, Inc. | Source control, CI, secret scanning | United States | SOC 2 Type II, ISO 27001 | Signed |
| 13 | Slack Technologies (Salesforce) | Internal ops alerts (no patient data) | United States | SOC 2 Type II, ISO 27001 | Signed |

We give customer clinics at least 30 days’ advance written notice before a new or replaced Tier 1 subprocessor processes their data, with a reasonable objection window. Tier 2 and Tier 3 changes are disclosed in the quarterly register pass. The authoritative, versioned register is published at /trust.

06 Transfers

International Data Transfers

Primary storage of patient records, appointments and integration credentials is in Australia (Supabase on AWS ap-southeast-2, Sydney). Some processing occurs outside Australia. We disclose each cross-border flow rather than minimise it.

  • Chatwoot Cloud (United States) — patient name, phone number and inbound/outbound SMS/WhatsApp message content. SOC 2 Type II certified, GDPR-compliant, AES-256 at rest via AWS KMS. The Routiq ↔ Chatwoot DPA is pending execution with a target date of 2026-05-01. Interim compensating controls: Chatwoot’s SOC 2 Type II posture, AES-256 at rest, TLS 1.2+ in transit, payload-minimised transmission. Once executed the DPA will include Standard Contractual Clauses for the Australia → US transfer.
  • Anthropic — Claude API (United States) — minimised prompt payload (patient first name, appointment metadata, conversational turn). Excludes DOB, full address, government identifiers, clinical notes, billing data. Commercial DPA signed with a contractual no-training-on-API-data clause.
  • OpenAI (United States) — audio bytes for Whisper speech-to-text (not retained on the API tier); narrow condition-tagging text. API-tier DPA signed with no-training-on-customer-data clause.
  • Sentry (EU — Frankfurt) — stack traces and error context, PII-scrubbed client-side before transmission. SOC 2 Type II and ISO 27001.
  • PostHog (United States) — anonymised staff-side UI telemetry with IP truncation. No patient data.
  • Resend (United States) — transactional email to clinic owners. No patient communications.
  • Stripe (United States) — clinic billing contact, card-on-file token, subscription state. No patient data. PCI DSS Level 1, SOC 1/2/3, ISO 27001.
  • Slack (United States) — PII-scrubbed internal operational alerts. No patient data.
  • GitHub (United States) — source code, build logs, issues. No patient data.
  • Cloudflare (edge-global) — TLS termination, WAF, DNS. Request headers and WAF telemetry only; no patient data at rest. ISO 27001, SOC 2 Type II, PCI DSS.

Under APP 8 of the Privacy Act 1988 (Cth) the clinic Controller remains responsible for ensuring any disclosure of personal information to an overseas recipient complies with APP 8.1. The contractual arrangements above — and the Subprocessor Register published at /trust — are intended to give the Controller the information needed to meet that obligation.

07 Retention

How Long We Keep Data

Retention is governed by ROUTIQ-ISMS-02 (Data Classification, Handling & Retention) §5, summarised below. Deletion targets apply from the trigger; where a statutory record-keeping obligation binds us, the longer period applies.

| Data class | Retention | Deletion trigger |
|------------|-----------|------------------|
| Patient records and appointment data | While clinic subscription active | Clinic disconnects or subscription ends |
| Inbound/outbound message history & AI-assistant transcripts | 24 months rolling | Scheduled purge job |
| Voice-note audio recordings | 90 days | Scheduled purge (transcript retained per above) |
| System audit logs | 7 years | Retention-period expiry |
| Application and auth logs | 30 days hot | Plan-tier limit or policy |
| Clinic-owner account data | Subscription active + 30-day grace | Explicit deletion request or 30 days post-cancellation |
| Integration credentials (Cliniko, PracSuite) | While integration connected | Clinic disconnects integration |
| Encrypted PITR database backups | 30 days rolling | Automatic rotation |
| Subscription and billing records | 7 years | ATO record-keeping requirement |

On termination of the customer subscription we provide a machine-readable export on request within 30 days, and delete Customer Data from the primary production database and object storage within 90 days. Backups are purged on the next rotation cycle (30 days) after primary deletion. A written deletion certificate is provided on request.

08 Security

Security

Routiq does not currently hold SOC 2 Type II or ISO/IEC 27001 certification. We invest in compensating controls: a full ISMS policy suite (access control, cryptography, incident response, AI use, and more), inherited assurance from our SOC 2 Type II and ISO 27001 certified subprocessors (see §5), an annual OWASP ASVS v4.0.3 Level 2 self-assessment, and contractual breach-notification commitments to customers. Our certification roadmap is aligned with commercial milestones and detailed contractually in our Customer DPA, available on request at support@routiq.ai.

Technical controls include TLS 1.2+ in transit, AES-256 at rest, application-layer AES-256-GCM encryption of integration credentials, role-based access control with mandatory MFA on production-admin consoles, and logged access and mutation.

To report a suspected vulnerability, email support@routiq.ai. Our responsible-disclosure policy is at /security.

09 Breach notification

Data Breach Notification

In the event of an eligible data breach involving personal information, we comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. This means we will:

  • Promptly assess suspected breaches to determine if they are likely to result in serious harm (s 26WH assessment, within 30 days of awareness)
  • Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required (s 26WK)
  • Notify affected customer clinics so they can take appropriate steps with their patients
  • Take all reasonable steps to contain and remediate the breach

Under our Customer DPA, we provide customers with an initial holding notification within 24 hours, a detailed written notification within 72 hours, weekly status updates until closure, and a post-incident report within 30 days of closure.

10 Your rights

Your Rights and Choices

Under the Australian Privacy Principles you have rights including:

  • Access (APP 12): request access to the personal information we hold about you
  • Correction (APP 13): request correction of information that is inaccurate, out of date or incomplete
  • Anonymity and pseudonymity (APP 2): deal with us anonymously or under a pseudonym where practicable
  • Complaint: complain about our handling of your personal information to us, and subsequently to the OAIC

How to exercise. Email support@routiq.ai with the nature of your request. We acknowledge within five business days and respond within a reasonable period, generally within 30 days.

Patient rights — the clinic is the primary contact. If you are a patient of a clinic that subscribes to Routiq, your primary privacy relationship is with that clinic. Requests for access, correction, deletion or complaint should be directed to the clinic in the first instance. We will cooperate promptly where the clinic needs our assistance.

If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.

11 AI & automation

Automated Decision-Making and AI Use

Parts of our service use large-language-model and speech-to-text AI — specifically Anthropic’s Claude API and OpenAI’s Whisper. These are used for three administrative functions:

  • AI Reception Assistant — interpreting inbound patient messages and drafting or sending responses (booking, rescheduling, answering routine questions).
  • Reactivation message drafting — composing outbound reminder/reactivation copy for human review before send, where the clinic has configured human-in-the-loop.
  • Campaign targeting tags — categorising clinic-staff snippets for audience selection. No clinical notes are sent.

No clinical decisions are automated. The Reception Assistant is positioned and operated as an administrative tool. It does not diagnose, triage clinically, recommend treatment, make medication decisions, or perform any AHPRA-reserved act. If a patient message contains a clinical-urgency indicator (e.g. chest pain, suicidal ideation, severe bleeding) the system escalates to a human clinic staff member with a standardised handover and does not auto-reply with clinical content.

No training on your data. Our Anthropic and OpenAI contracts prohibit training on inputs or outputs derived from our customers’ use of the service.

Customer opt-outs. Clinics can disable specific AI-dependent features — e.g. turn off AI-drafted reactivation while keeping AI-assisted booking — from the admin settings in app.routiq.ai. A description of the AI processing applied to any specific feature is available on request to support@routiq.ai.

12 Children

Children's Data

Allied-health clinics routinely treat patients under 18. Where a clinic’s records include under-18 patients, that data is handled under the clinic’s consent framework and the applicable state health-records regime. Routiq does not directly market to children and does not knowingly collect personal information from a child other than via a clinic’s instruction.

13 Cookies

Cookies and Tracking

We use a limited set of cookies for essential site function, security and analytics. The Cookie Policy describes each cookie, its vendor, its purpose and how to manage your preferences. Routiq does not run ad-retargeting cookies.

14 Changes

Changes to This Privacy Policy

We notify customer clinics at least 30 days in advance of any material change to this policy — including a new category of personal information, a new subprocessor handling patient data, or a change in retention. Notice is given to the clinic’s nominated privacy contact and by updating this page. Non-material changes (editorial, clarifying) are published without notice. The "Last updated" stamp at the top of this page reflects the current version.

15 Contact

Contact Us

If you have any questions about this Privacy Policy or our data practices:

Routiq Pty Ltd

Level 2, 11 York Street, Sydney NSW 2000, Australia

ABN 77 686 999 306 · ACN 686 999 306

Data Protection Contact: Daniel Welsh, Founder & CEO — daniel.welsh@routiq.ai