Privacy Statement

The AiClinAudit collects multiple categories of data to provide educational services, facilitate sponsor partnerships, and improve healthcare practices:

1. Healthcare Professional Identity Data

• Personal Identifiers: Full name, email address, phone number (if provided)
• Professional Registration: AHPRA registration number and verification status
• Professional Details: Medical specialty, practice location, years of experience
• Account Information: User role (practitioner, admin, pharma brand manager), account creation date
• Authentication Data: Login credentials, session tokens, password reset requests
• Email Communication: Email addresses collected for sending completed audit reports and platform communications

2. Clinical Audit Data Structure

• Audit Metadata: Audit title, creation date, completion status, unique audit identifier
• Practitioner Information: Full name, AHPRA number (for verification and identification)
• Patient Cohort Data: De-identified patient profiles including age ranges, gender, clinical notes, and selection criteria
• Clinical Documentation: SOAP notes structure, transcribed content, voice-to-text metadata
• Literature Search Records: Search queries, PubMed results, AI-enhanced search metadata, processing times, and relevance scoring
• Professional Reflections: Learning outcomes, practice change intentions, clinical insights
• Pharmaceutical Sponsorship: Links to pharmaceutical company sponsors, access codes used, educational program participation
• Email Delivery Tracking: Email addresses used for report delivery, delivery status, message IDs, and timestamp records
• Audit Activity Logs: Complete audit trail of all actions, timestamps, user roles, and system interactions

3. Clinical Practice Data

• Audit Content: Clinical audit titles, objectives, methodologies, and outcomes
• Patient Cohort Information: De-identified patient demographics (age ranges, gender, conditions) and selection criteria
• Clinical Commentary: Professional observations, treatment approaches, clinical decision-making rationale
• Practice Patterns: Treatment protocols, medication choices, diagnostic approaches
• Professional Reflections: Learning outcomes, practice changes, educational insights
• Voice Recordings: Temporary audio data for transcription (deleted after processing)

4. Literature and Research Data

• Search Queries: PubMed searches, research topics, medical keywords
• Article Selections: Chosen publications, reading preferences, research interests
• Literature Analysis: Comments on research findings, clinical relevance assessments
• Evidence Evaluation: How research findings influence clinical practice
• AI Processing Metadata: LLM model usage, token consumption, processing times, parameter extraction, and relevance scoring data

5. Platform Usage Analytics

• Session Data: Login/logout times, session duration, feature usage frequency
• Navigation Patterns: Page visits, click-through rates, completion rates
• Interaction Data: Form submissions, search behavior, user preferences
• Performance Metrics: Audit completion rates, time spent on different sections
• Device Information: Browser type/version, operating system, screen resolution

6. Technical and Security Data

• Network Information: IP addresses, geolocation data (country/state level)
• Security Logs: Login attempts, security events, access patterns
• Error Reports: System errors, performance issues, crash reports
• Cookies and Tracking: Session cookies, preference cookies, analytics cookies

7. Pharmaceutical Sponsor Integration Data

• Sponsor Codes: Pharmaceutical access codes used to access sponsored audits
• Sponsor Linking: Which audits are linked to which pharmaceutical companies
• Brand Program Data: Participation in specific pharmaceutical educational programs
• Marketing Consent: Preferences for receiving sponsor communications

8. Administrative and Compliance Data

• Audit Trails: All user actions, data modifications, access logs
• Compliance Records: CPD requirements, completion certificates, educational credits
• Support Interactions: Help desk tickets, feedback submissions, technical support requests
• Legal Acknowledgments: Terms acceptance, privacy consent, data sharing agreements
• Email Communications: Audit report delivery records, email addresses used, delivery confirmations, and communication preferences

When you participate in a sponsor-branded audit (accessed via pharmaceutical company codes), the following data may be shared with the sponsoring pharmaceutical company:

Data Shared with Sponsors

• Professional Profile: AHPRA number (as identifier), medical specialty, practice location (city/state level)
• Clinical Practice Patterns: De-identified treatment approaches, medication usage patterns, diagnostic criteria
• Educational Engagement: Audit completion rates, time spent on different sections, learning outcomes
• Literature Preferences: Research topics searched, articles reviewed, evidence evaluation
• Practice Insights: Clinical commentary (with PII redacted), professional reflections, practice change intentions
• Aggregated Patient Data: De-identified cohort demographics, condition prevalence, treatment outcomes
• Platform Usage: Feature utilization, engagement metrics, completion patterns
• Feedback and Assessments: Program evaluations, educational effectiveness ratings

Sponsor Use of Data

Pharmaceutical sponsors may use this data for:

• Medical Education: Developing targeted educational programs and resources
• Product Development: Understanding real-world clinical needs and treatment gaps
• Research and Development: Informing clinical research priorities and drug development
• Market Research: Understanding prescribing patterns and clinical decision-making
• Regulatory Submissions: Real-world evidence for regulatory filings and post-market studies
• Quality Improvement: Developing clinical guidelines and best practice recommendations
• Commercial Insights: Understanding market needs and competitive landscape

Data Retention by Sponsors

Pharmaceutical sponsors may retain shared data for up to 10 years for regulatory compliance, research purposes, and long-term educational program development. Sponsors are required to:

• Maintain data security standards equivalent to our own
• Use data only for the purposes outlined in their agreements with us
• Not attempt to re-identify de-identified data
• Comply with applicable privacy laws in their jurisdiction
• Provide data deletion upon reasonable request

PII Categories We Protect

We consider the following as PII requiring protection:

Automated PII Redaction Technology

We employ advanced AI-powered PII detection and redaction systems that:

• Real-time Scanning: All text input is scanned for PII patterns before storage
• Pattern Recognition: Identifies names, dates, addresses, phone numbers, email addresses
• Context Analysis: Uses natural language processing to identify potentially identifying information
• Voice Transcription Protection: PII redaction applied to all voice-to-text conversions
• Multi-language Support: PII detection across multiple languages and dialects
• Learning Algorithm: Continuously improves detection accuracy based on patterns

Manual Review and Quality Assurance

In addition to automated systems:

• Regular manual audits of redaction accuracy
• Staff training on PII identification and protection
• User education on avoiding PII entry
• Incident response procedures for PII exposure
• Regular system updates and improvements

Limitations and User Responsibility

Technical Security Measures

• Encryption: All data in transit and at rest is encrypted using industry-standard protocols (TLS 1.3, AES-256)
• Access Controls: Multi-factor authentication, role-based access controls, principle of least privilege
• Database Security: Encrypted databases with connection pooling and query monitoring
• Network Security: Firewalls, intrusion detection systems, DDoS protection
• Regular Security Audits: Penetration testing, vulnerability assessments, code reviews
• Monitoring: 24/7 security monitoring, automated threat detection, incident response

Administrative Security Measures

• Staff Training: Regular privacy and security training for all personnel
• Background Checks: Security clearances for staff with data access
• Data Access Policies: Strict policies governing who can access what data
• Audit Trails: Comprehensive logging of all data access and modifications
• Incident Response: Documented procedures for security breaches and data incidents

International Data Transfers

Data may be transferred to and processed in countries other than Australia for the following purposes:

• Cloud hosting and data storage (AWS, Google Cloud, Microsoft Azure)
• Pharmaceutical sponsor headquarters (US, EU, UK)
• Third-party service providers (analytics, support, security)

All international transfers comply with Australian privacy laws and include appropriate safeguards such as contractual protections and adequacy decisions.

Australian Privacy Laws

• Privacy Act 1988 (Cth): Full compliance with Australian Privacy Principles (APPs)
• Notifiable Data Breaches: Mandatory breach notification to OAIC and affected individuals
• Health Records Laws: Compliance with HRIPA 2002 and state-based health records legislation
• Telecommunications Privacy: Compliance with metadata and communications privacy laws

Healthcare Sector Compliance

• AHPRA Standards: Compliance with healthcare practitioner registration authority requirements
• Medical Board Guidelines: Adherence to professional conduct and privacy guidelines
• Clinical Trial Regulations: GCP compliance for research-related data
• Pharmaceutical Standards: Compliance with TGA and Medicines Australia industry codes

International Privacy Standards

Where applicable, we also comply with:

• GDPR: For EU-based pharmaceutical sponsors and users
• CCPA: For California-based pharmaceutical companies
• HIPAA: For US healthcare data handling requirements
• ISO 27001: Information security management standards

Retention Periods by Data Type

Data Deletion Process

When data reaches its retention limit or upon user request:

• Soft Deletion: Data marked for deletion, access removed (30-day recovery period)
• Hard Deletion: Complete removal from all systems including backups
• Partner Notification: Pharmaceutical sponsors notified of deletion requests
• Verification: Deletion confirmation provided to users upon request
• Legal Holds: Data subject to legal proceedings retained until resolution

Data Subject Rights

Under Australian privacy law and our privacy commitments, you have the following rights:

How to Exercise Your Rights

To exercise any of these rights:

1. Email us: privacy@med-ed.ai with your request
2. Include verification: Your AHPRA number and full name for identity verification
3. Specify your request: Clearly state which right you wish to exercise
4. Response timeline: We will respond within 30 days (or sooner if possible)
5. Appeals process: If unsatisfied, you can appeal to the Office of the Australian Information Commissioner (OAIC)

Limitations on Rights

Some limitations may apply to these rights when:

• Data is required for legal compliance or regulatory obligations
• Information is needed for legal claims or defense
• Data has been anonymized and cannot be re-identified
• Processing is necessary for legitimate interests that override your rights
• Pharmaceutical sponsors have separate legal obligations to retain data

Technology Service Providers

• Cloud Hosting: Vercel (data hosting and processing)
• Database Services: PostgreSQL with Prisma Accelerate (data storage)
• Authentication: Auth.js v5 (secure login)
• Analytics: Vercel Analytics (usage tracking)
• Email Services: Resend (transactional emails)
• Payment Processing: Stripe (for paid features, if applicable)

Medical and Research Services

• PubMed/NCBI: PubMed/NCBI (literature search and retrieval services)
• Medical Databases: Clinical decision support tools and drug databases
• AI/ML Services: Cohere embedding models, Llama (text processing and PII redaction)
• Voice Processing: Speech-to-text services (temporary processing only)

Pharmaceutical Partner Services

• Data Analytics Platforms: Sponsor-specific analytics and reporting tools
• Marketing Platforms: Customer relationship management systems
• Research Platforms: Clinical research and real-world evidence systems
• Compliance Systems: Regulatory and compliance reporting platforms

Data Processing Agreements: All third-party services operate under strict data processing agreements that ensure the same level of privacy protection as outlined in this statement.