Privacy Policy – Handling and Transfer of Patient Information via API Integration

In accordance with the Australian Privacy Principles
Effective Date: January 2025

1. Purpose

Zynatek Pty Ltd ("we", "our", "us") is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs).

This policy explains how we collect, use, disclose, and safeguard general patient information transferred via API integration between Patient Management Software (PMS) and our external systems.

2. Types of Information Collected

We may collect and process general patient information, including:

  • Full name
  • Date of birth
  • Contact details (phone, email, address)
  • Appointment dates and history
  • Communication preferences

We do not collect or store sensitive health information (e.g. clinical notes, medical records, diagnostic data).

3. How Information is Collected

Information is collected via secure API integrations from authorised Patient Management Software platforms, used by healthcare providers who have obtained consent from their patients or have a legal basis for sharing data.

All data transfers are:

  • Encrypted using industry-standard protocols (e.g. HTTPS, TLS)
  • Logged and auditable
  • Access-controlled and time-limited

4. Purpose of Use and Disclosure

We use the information collected to:

  • Deliver automated appointment reminders, confirmations, and follow-ups
  • Support patient communications and engagement
  • Enhance administrative workflows for healthcare providers

We will only use or disclose patient information:

  • For the purposes for which it was collected
  • With patient consent
  • As required or permitted by law (e.g. under APP 6, APP 8)

5. Storage and Security

We take reasonable steps to protect personal information from:

  • Misuse, interference and loss
  • Unauthorised access, modification or disclosure

Security measures include:

  • Role-based access controls
  • Secure API tokens and authentication
  • Regular vulnerability assessments
  • Encrypted storage (if applicable)

Data is hosted in secure Australian-based cloud infrastructure unless otherwise notified and agreed in accordance with APP 8 (Cross-border Disclosure of Personal Information).

6. Disclosure to Third Parties

We do not disclose patient information to any third party unless:

  • Required by law
  • The third party is a contracted service provider subject to strict confidentiality and APP-compliant obligations
  • The disclosure is authorised by the healthcare provider or patient

We do not sell or trade personal information.

7. Access and Correction

In accordance with APP 12 and APP 13, patients have the right to:

  • Access their personal information
  • Request corrections to inaccurate, out-of-date or incomplete information

Requests must be made through the patient's healthcare provider who maintains the original record. We will support providers in responding to such requests.

8. Data Retention and Disposal

We only retain personal information for as long as necessary to fulfil the intended purpose or as required by law. When no longer required, data is securely deleted or de-identified.

9. Complaints and Concerns

If you believe your privacy has been breached, please contact our Privacy Officer using the details below. We take complaints seriously and will investigate in accordance with the OAIC guidelines.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

📞 1300 363 992

🌐 www.oaic.gov.au

10. Contact Us

Genigh Griffin

Privacy Officer

📧 Email: gen@dentalfloai.com.au

📞 Phone: 0414 208 015

🏢 Address: Unit 312/34 Glenferrie Drive, Robina, Queensland, Australia

11. Updates to this Policy

We may revise this policy periodically to reflect changes in technology, operations or legislation. The most recent version will always be available at dentalfloai.com.au.