Skip to content
Sign In

Privacy

Data Privacy and Security

1. Introduction

Echo-Health ("we," "us," or "our") is a product of Visualisation Hub Pty Ltd, trading as echo-health.ai. We are committed to safeguarding the privacy and security of personal and health information. This Privacy Policy outlines how we collect, use, disclose, store, and protect personal information in accordance with:

  • The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);

  • The Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs); and

  • The General Data Protection Regulation (EU) 2016/679 (GDPR), where applicable.

By using our services, you consent to the collection and use of information as outlined in this policy. For the purposes of this policy:

  • Echo-Health acts as a data processor (under GDPR) or service provider on behalf of healthcare providers who are data controllers.

  • We operate in compliance with applicable local regulations in Australia and New Zealand.

2. Data Minimisation and Purpose Limitation

We collect only the information necessary to provide our services. Echo-Health avoids collecting directly identifiable personal information (e.g., names, dates of birth, Medicare or NHI numbers) unless specifically required for a lawful purpose.

We do collect and process de-identified consultation transcripts and healthcare metadata to:

  • Facilitate transcription and documentation services;

  • Deliver summaries and reminders to patients;

  • Generate analytical insights for clinical teams.

All processing is purpose-specific and proportionate to our service delivery.

3. Consent and Transparency

Healthcare providers are responsible for obtaining informed consent from their patients regarding the use of Echo-Health. We provide supporting documentation and resources to assist providers in meeting their privacy obligations under the APPs and NZ Privacy Act.

Where Echo-Health processes personal data directly (e.g. via website contact forms or customer onboarding), we will seek direct, informed, and voluntary consent. Consent may be withdrawn at any time, subject to legal or contractual obligations.

4. De-Identification and Data Handling

All personally identifiable information is automatically redacted during transcription. We do not retain identifiable data such as names, dates of birth, or government health identifiers.

Additional safeguards include:

  • De-identification by design;

  • Clustering of transcript metadata;

  • Controls to prevent re-identification of individuals.

5. Data Security and Infrastructure

Echo-Health leverages secure, cloud-based infrastructure and modern technology platforms to deliver services across Australia and New Zealand. While our technology partners may change over time, we ensure all platforms meet strict privacy, encryption, and access control standards. Security measures include:

  • TLS encryption in transit;

  • AES-256 encryption at rest;

  • Multi-factor authentication (MFA);

  • Strict role-based access controls (RBAC);

  • Centralised logging and anomaly detection.

Our infrastructure includes geo-redundant data storage and point-in-time recovery for resilience.

6. Communications and Third-Party Services

Echo-Health integrates with carefully selected third-party services to support secure communications and clinical system interoperability. These providers may change from time to time based on performance, compliance, and strategic alignment. All providers:

  • Are subject to rigorous due diligence;

  • Operate under binding Data Processing Agreements (DPAs);

  • Offer compliance with GDPR, APPs, and NZ Privacy Principles.

We do not allow unauthorised access or third-party on-selling of personal or health data.

7. Use of De-Identified Data

We may use de-identified data to:

  • Improve service performance and delivery;

  • Train and evaluate internal models (without using personal data);

  • Generate predictive analytics and performance metrics;

  • Produce reports for clinical partners, regulators, or research bodies (in anonymised form).

We never use identifiable data for these purposes without explicit consent.

8. Data Retention and Disposal

Data is retained only as long as necessary to fulfil the purpose for which it was collected, or as required by law. Healthcare providers may set custom retention schedules.

When no longer needed, data is:

  • Deleted securely using cryptographic erasure; or

  • Fully de-identified using irreversible methods.

9. International Data Transfers

Some of our infrastructure providers may store or process data outside of Australia or New Zealand. In all such cases, we:

  • Use providers that offer Standard Contractual Clauses (SCCs) or equivalent safeguards;

  • Retain legal and operational control over all transferred data;

  • Maintain contractual and technical protections consistent with GDPR requirements.

10. Access, Correction, and Data Subject Rights

You have the right to:

  • Access any personal information we may hold about you;

  • Request correction of inaccurate or outdated information;

  • Request deletion of data (where applicable);

  • Lodge a complaint or request explanation about how your data has been used.

Requests can be made through: security@echo-health.ai. We respond within 30 days, or sooner as required under applicable legislation.

11. AI Model Governance and Safeguards

All Large Language Model (LLM) processing is conducted in secured, closed environments. Key safeguards include:

  • Clinical sign-off of all patient-facing documents;

  • Version control and audit trails for model updates;

  • No use of any data for training commercial LLMs;

  • Human-in-the-loop oversight of AI outputs.

Echo-Health is not a decision-making system. Final clinical responsibility rests with the healthcare provider.

12. Children’s Data

Echo-Health is not designed to directly engage with children under 18. Where services are provided to child patients via a healthcare provider, consent must be obtained from a parent or legal guardian in accordance with local law.

13. Regulatory Status and SaMD Disclaimer

Echo-Health is not classified as a Software as a Medical Device (SaMD) under the TGA or Medsafe guidance. The platform supports clinical documentation and communication only. All clinical decisions remain the responsibility of the treating healthcare provider.

14. Complaints and Regulator Contact

If you have a complaint about this policy or our data handling, please contact us first at security@echo-health.ai. If you are not satisfied with our response, you may contact:

Australia: Office of the Australian Information Commissioner (OAIC)
www.oaic.gov.au

New Zealand: Office of the Privacy Commissioner (NZ)
www.privacy.org.nz

15. Updates to This Policy

We may update this policy periodically. When material changes are made, we will notify healthcare providers and users via email or system notice. Continued use of the service following an update constitutes acceptance of the new terms.

16. Acceptance

By using Echo-Health, you confirm that you have read and understood this Privacy Policy and agree to its terms.