Freia Privacy Policy

1. Introduction

Freia Health Pty Ltd ("Freia", "we", "our", "us") is committed to protecting the privacy, confidentiality, and security of all personal information and personal health information ("PHI") processed through our platform.

Freia operates as a clinical decision-support and patient engagement system used by healthcare professionals within partnered clinics. Our purpose is to help clinicians deliver personalised, evidence-based care while empowering patients to implement and track their treatment plans.

This Privacy Policy explains how we collect, use, disclose, store, and protect information in accordance with:

• the Privacy Act 1988 (Cth),
• the Australian Privacy Principles (APPs),
• the OAIC Notifiable Data Breach Scheme, and
• any relevant state or territory health privacy laws.

By using Freia, you agree to this Privacy Policy.

2. Information We Collect

We collect only the information required to support clinical care, system functionality, and performance improvement.

a. Personal Information

• Name, date of birth, gender, contact details
• Medicare number (if applicable)

b. Personal Health Information (PHI)

• Treatment plans, clinical notes, and assessments entered by your clinician
• Lab results, physiological measures, or pathology data uploaded by your clinic
• Data you enter (e.g. check-ins, lifestyle logs, photos)
• Metrics from integrated systems or wearables (where authorised)

c. Technical & Usage Data

• Device type, operating system, browser, IP address
• Session logs, interactions, and feature usage patterns
• Error logging and crash analytics

d. Cookies & Tracking Technologies

For web and dashboard components, Freia may use:

• cookies,
• analytics tools (e.g. PostHog, LogRocket),
• session identifiers,

to improve usability, troubleshoot issues, and optimise performance.

Freia does not collect PHI directly from consumers outside a clinical relationship.

3. How Information Is Collected

Information may be collected:

• directly from clinicians using Freia,
• from patient interactions (logging data, check-ins, confirmations),
• from integrated EHRs, wearables, or laboratory systems (with authorisation),
• automatically through device and platform analytics.

4. How We Use Your Information

Freia uses personal information and PHI for the following purposes:

1. Clinical Care Support

To assist clinicians in delivering personalised, evidence-based guidance.

2. Patient Engagement

To deliver reminders, nudges, and support aligned with your clinical plan.

3. Platform Operations

To maintain system reliability, security, and usability.

4. Research & Quality Improvement

To develop de-identified insights that improve outcomes and clinician efficiency.

5. Safety, Compliance & Audits

To meet legal, regulatory, and professional obligations.

Identifiable data is never used for marketing, profiling, or advertising.

5. Legal Basis for Processing

Freia processes personal information and PHI under the following lawful bases:

• provision of clinical care under the direction of your treating clinic,
• patient consent, obtained by your clinician or within Freia where applicable,
• legitimate interests in maintaining platform safety, performance, and improvement,
• legal obligations relating to healthcare practice and record retention.

6. Secondary Use of Data

Freia may use de-identified and aggregated information for:

• clinical research,
• product development,
• improving algorithms and insights,
• system analytics.

All secondary use complies with applicable privacy and ethical review standards.

Identifiable data is never sold or shared for commercial purposes.

7. Disclosure of Information

Freia discloses identifiable information only to:

• your treating clinic,
• trusted service providers operating under binding data protection agreements,
• parties legally entitled to request information (e.g. court orders),
• emergency services where required to prevent serious harm.

Freia does not transfer personal health information outside Australia unless:

• necessary for service delivery, and
• subject to equivalent privacy and security protections.

7A. Third-Party Service Providers & Authentication

Freia uses trusted third-party service providers to support essential platform functionality, including user authentication, identity management, and account security.

These providers (such as Clerk) may process limited personal information such as name, email address, login credentials, IP address, and device information solely for the purpose of securely managing access to the Freia platform.

Third-party service providers do not have access to personal health information unless explicitly required for service delivery and governed by contractual data protection obligations.

8. Security and Data Storage

Storage

Personal health information and clinical records are stored within Australian data centres.

Certain limited personal information (such as authentication and security metadata) may be processed or stored by trusted service providers located overseas, including in the United States or Europe.

Where this occurs, Freia takes reasonable steps to ensure overseas recipients handle personal information in accordance with the Australian Privacy Principles.

Protection

Freia employs industry-standard security measures, including:

• TLS 1.2+ encryption in transit
• AES-256 encryption at rest
• Role-based access controls and multi-factor authentication
• Logical data segregation
• Daily encrypted backups
• Intrusion detection systems
• Continuous system monitoring
• Annual independent penetration testing

Disaster Recovery

• Encrypted backups in redundant Australian facilities
• Tested restoration protocols

Retention

• Data retained only as required for clinical care and legal obligations
• Secure deletion or irreversible de-identification in accordance with AS/NZS ISO/IEC standards

9. Consent & Withdrawal

Clinicians are responsible for obtaining patient consent for data use within Freia.

Patients may withdraw consent for non-essential features such as wearable integrations or notifications.

Withdrawal from Freia does not affect mandatory clinical record retention requirements.

10. Access and Correction

Patients and clinicians may request:

• access to personal information, or
• correction of inaccurate information.

Requests may require identity verification.

11. Rights of Children / Minors

Where Freia is used for a patient under 18:

• parental or guardian consent is required,
• access may be limited according to clinical policy,
• data is handled in accordance with applicable youth privacy standards.

12. Data Breach Notification

Freia complies with the Notifiable Data Breach (NDB) Scheme.

If a data breach is likely to result in serious harm, Freia will notify:

• affected individuals, and
• the Office of the Australian Information Commissioner (OAIC),

as required by law.

13. Policy Updates

This Privacy Policy is reviewed annually.

Updated versions will be published at www.freia.com.au/privacy.

14. Contact & Complaints

Freia Health Pty Ltd

11/201 Varsity Parade, Varsity Lakes QLD 4227

support@freia.com.au

If you are not satisfied with our response, you may contact:

Office of the Australian Information Commissioner (OAIC)
www.oaic.gov.au

15. Information Governance

Freia operates under a formal information governance framework overseen by a designated Privacy Officer and Data Protection Lead.

All secondary data uses, research initiatives, and platform changes undergo privacy and security review prior to implementation.