Ohja

Privacy Policy

Last updated: 23 April 2026 · Version 8

  • Healthcare grade: Privacy Act 1988 + APPs
  • Encrypted: TLS 1.3 + AES-256
  • AI-protected: de-identified before AI
  • Australian hosted: clinical data in Sydney

1. Introduction

Ohja Health Pty Ltd ("Ohja", "we", "us", or "our") is committed to protecting your privacy and handling your personal and health information responsibly. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Ohja Patient Portal ("Portal").

We comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme, and applicable state and territory health records legislation. Where we use artificial intelligence (AI) in your care, we follow the AHPRA guidance Meeting your professional obligations when using artificial intelligence in healthcare (June 2024) and the Office of the Australian Information Commissioner (OAIC) guidance on AI and the APPs (October 2024).

This policy applies to patients receiving surgical and post-operative care through Ohja-supported practices.

2. Information We Collect

We only collect information that is reasonably necessary for your care. Categories include:

2.1 Personal Information

  • Name, date of birth, gender
  • Contact details (email, phone, postal address)
  • Emergency contact information
  • Medicare number and private health insurance details (where relevant to billing)

2.2 Health Information

  • Medical and surgical history, current conditions
  • Medications, supplements, and allergies
  • Imaging and pathology reports
  • Patient-reported outcome questionnaire responses
  • Communications with your healthcare team via the Portal
  • Surgical procedure details and outcomes
  • Recovery progress and milestone completion
  • Wound photographs uploaded during recovery
  • Scribe consultation transcripts (de-identified)

2.3 Genetic Information (where provided)

Where relevant to your care, your clinician may discuss genetic testing — most commonly ApoE genotyping for cardiovascular and cognitive risk assessment, or pharmacogenomic testing to guide medication selection. Genetic information is treated as health information under the Privacy Act and handled with the same protections as your other clinical data described in this policy.

Insurance and discrimination protections: Australian life insurers are subject to a moratorium on the use of adverse genetic test results, which is being legislated as a permanent ban (Treasury Laws Amendment Bill 2024). We never share your genetic results with insurers, employers, or other non-clinical third parties without your separate written consent. We recommend discussing the implications of genetic testing (including the right not to know certain results) with your clinician before testing.

2.4 Wearable Device Connections

Wearable connections are currently offered through our longevity / preventive medicine service. Surgical-care patients are not asked to connect wearables, but the same disclosures apply if you do.

You may choose to connect third-party wearable devices and health platforms (such as WHOOP, Oura, or — where supported — Garmin, Apple Health) to share data with your clinician. When you connect a device:

  • You authorise Ohja to access specific categories of data via a secure OAuth connection
  • We request access only to health metrics relevant to your care (sleep, recovery, heart rate variability, activity) and not to your profile or social graph
  • Authorisation tokens are stored encrypted. You can revoke access at any time through Portal settings or directly through the third-party platform
  • Wearable data, once ingested, becomes part of your clinical record. Disconnecting a device stops future ingestion but does not automatically delete already-ingested historical data — that data is retained as part of the medical record (see Section 8)
  • Your relationship with the wearable vendor is governed by their own terms of service. Ohja is not responsible for vendor-side practices
  • Wearable data is consumer-grade. Your clinician interprets it in clinical context; we do not treat it as medical-grade measurement
  • Connecting a device is optional and not required to use the Portal

2.5 Technical Information

  • Login timestamps and session information (security and audit)
  • Device type and browser information (compatibility)
  • IP address (security monitoring)
  • Portal usage patterns (pages visited, features used) for service improvement

3. How We Use Your Information

We use your information for the primary purpose of providing your care. Specifically, we use it to:

  • Provide healthcare services: enable your surgeon and care team to manage your surgical care
  • Track your recovery: monitor your progress and provide personalised guidance
  • Provide a conversational health assistant: answer questions about your procedure and recovery, drawing only on content your surgeon has approved
  • Facilitate communication: allow secure messaging between you and your healthcare providers
  • Send reminders: notify you about appointments, questionnaires, and recovery milestones
  • Comply with legal obligations: meet healthcare record-keeping requirements

4. AI and Your Data

The Portal uses artificial intelligence to assist your clinician and to power a conversational health assistant. We are committed to transparency about exactly how AI is used in your care.

Your Identity is Protected from AI

Before any information is sent to Anthropic for AI processing, we apply automated de-identification. Your name, phone number, address, date of birth, Medicare number, and other direct identifiers are replaced with anonymous placeholders using Microsoft Presidio. After the AI responds, the placeholders are restored for display to you and your clinician.

This applies across every AI touch point we use:

  • Your messages to the AI health assistant
  • Document text and page images you upload
  • Your pre-consult brief, health report, and any draft referral letters prepared for your clinician
  • Back-office synthesis and coherence logic that runs between your intake and your report
  • Search index entries used to look up clinical references

De-identification is not zero-risk (quasi-identifiers such as a rare condition combined with an age and a suburb could still re-identify in principle). We therefore layer additional safeguards: per Anthropic's published API policies, your inputs are not used to train Anthropic's models. We are also finalising a contractual zero-retention arrangement (so inputs are not logged or retained at all) ahead of pilot launch. In addition we apply audit logging, de-identification verification on every request, and clinician review of every AI-generated clinical artefact before it reaches you.
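The de-identify, verify, send, restore sequence described above, as an added illustration that is not Ohja's code: the Portal uses Microsoft Presidio for detection, whereas this stand-in detects identifiers from a constructed patient record plus a few regexes so it runs offline, and the AI call is a stub passed in by the caller.

```python
import re

# Constructed sample record; every value is fictitious. In the real Portal,
# Microsoft Presidio detects identifiers; this stand-in uses known record values.
PATIENT = {
    "NAME": "Jane Citizen",
    "DOB": "14/03/1975",
    "PHONE": "0412 345 678",
    "MEDICARE": "2123 45678 1",
    "EMAIL": "jane.citizen@example.com",
}

# Pattern fallback for identifiers typed into free text that the record lacks.
# Over-redaction (e.g. an appointment date matching the DOB pattern) is the
# safe failure mode: it never lets an identifier through.
PATTERNS = {
    "PHONE": re.compile(r"\b04\d{2}[ -]?\d{3}[ -]?\d{3}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "DOB": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}


def deidentify(text, patient=PATIENT):
    """Replace direct identifiers with placeholders; return (text, mapping)."""
    mapping = {}
    for kind, value in patient.items():
        if value in text:
            token = f"<{kind}_{len(mapping) + 1}>"
            mapping[token] = value
            text = text.replace(value, token)
    for kind, pattern in PATTERNS.items():
        for found in sorted(set(pattern.findall(text))):
            token = f"<{kind}_{len(mapping) + 1}>"
            mapping[token] = found
            text = text.replace(found, token)
    return text, mapping


def verify_deidentified(text, mapping, patient=PATIENT):
    """Per-request gate: list any known identifier still present in the payload."""
    known = set(mapping.values()) | set(patient.values())
    return sorted(v for v in known if v in text)


def reidentify(text, mapping):
    """Restore placeholders in the model's response for display."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


def process_request(message, ai_call):
    """De-identify, verify, send to the (stubbed) model, then restore."""
    safe_text, mapping = deidentify(message)
    leaked = verify_deidentified(safe_text, mapping)
    if leaked:
        # Fail closed: nothing leaves the boundary if the check fails.
        raise ValueError(f"de-identification failed for {len(leaked)} value(s)")
    return reidentify(ai_call(safe_text), mapping)
```

The mapping lives only on the Portal side, so the model sees placeholders and never the values they stand for.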

Human-in-the-Loop: Your Clinician Stays in Charge

  • Every AI-generated clinical artefact (your pre-consult brief, health report, treatment recommendations) is reviewed and approved by your AHPRA-registered clinician before it reaches you
  • AI is decision-support, not decision-maker. Your clinician retains professional responsibility for your care
  • The conversational health assistant is the only AI surface that talks directly to you. It draws only on content your clinician has approved, includes safety triggers that escalate concerning content to your clinician, and is not a substitute for clinical advice
  • You may request that any specific AI-generated insight be reviewed by your clinician before influencing your care

AI Provider, Location, and Contractual Safeguards

  • AI provider: Anthropic, PBC (Claude language model), United States
  • What we send: de-identified clinical text, biomarker values, and lifestyle data — never direct identifiers, never raw genetic data
  • Contractual posture: per Anthropic's published API policies, your inputs are not used to train Anthropic's models. A formal zero-retention arrangement (inputs not logged at all) is being finalised in writing ahead of pilot launch.
  • Cross-border consent: see Section 11 — by accepting this policy you consent to disclosure of de-identified clinical data to Anthropic in the United States

Your AI Privacy Rights

  • Right to be informed: we tell you when AI is used in your care (this section)
  • Right to human review: request that any AI-generated output be reviewed by your clinician before it influences your care
  • Right to opt out of AI processing: you may withdraw consent to AI processing at any time. Because AI is integral to how we deliver longevity care, this means we cannot continue to provide Portal-based services. We will help you transition to a non-AI care pathway and provide a copy of your records.
  • Right to challenge AI outputs: if you disagree with an AI-generated insight or recommendation, raise it with your clinician — your record will be annotated with your concern
  • Right to know about automated decisions: see Section 5 below for our automated decision-making disclosure

AI Quality Improvement (Optional, Off by Default)

With your separate, opt-in consent, de-identified consultation patterns may be used to improve the quality and accuracy of our clinical communication tools. Only abstract reasoning patterns are extracted (your clinician's approach to certain conditions, communication style preferences). No patient-identifiable information is retained in this process. This consent is off by default and can be withdrawn at any time from your Portal settings.

5. Automated Decision-Making

Under reforms to the Privacy Act 1988 commencing in late 2026, we are required to disclose any use of automated systems that significantly affect you. We are building this disclosure now to meet best practice ahead of the requirement.

The Portal uses automated systems to:

  • Compute clinical indices (e.g. recovery milestone tracking) from your inputs using published formulas
  • Group similar issues, suggest investigations, and draft summaries to support your clinician
  • Apply safety filters to the conversational health assistant (escalating mentions of self-harm, severe symptoms, or emergencies)

No automated system makes a final decision about your care. All clinical decisions — diagnoses, prescriptions, referrals, treatment plans — are made by your AHPRA-registered clinician with the benefit of automated support. You have the right to request that any specific automated output be reviewed by a human and to challenge any output you disagree with.

6. Sharing Your Information

We share your information only where necessary for your care or as required by law:

  • Your healthcare providers: your clinician, their practice staff, and other members of your care team
  • Referring or co-managing providers: with your specific consent, relevant clinical information may be shared with other healthcare providers in your care (e.g. your GP, allied health, co-managing specialists). You can revoke this consent at any time.
  • Service providers (sub-processors): see Section 11 for the named list — each is bound by a Data Processing Agreement and confidentiality obligations
  • Joint Registry (with your separate consent): if you have a joint replacement, surgical outcome data may be submitted to the Australian Orthopaedic Association National Joint Replacement Registry (AOANJRR)
  • De-identified research (with your separate, opt-in consent): de-identified data may be used for medical research if you specifically consent
  • Legal requirements: when required by law, court order, mandatory reporting obligations, or to protect safety

We Never:

  • Sell your personal or health information
  • Share your information for marketing purposes (yours or third parties') without explicit consent
  • Share your identifiable data for purposes unrelated to your healthcare
  • Share your genetic information with insurers, employers, or other non-clinical third parties

7. Data Security

We protect your information through layered security controls:

  • Encryption: all data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • De-identification: direct identifiers automatically removed before AI processing using Microsoft Presidio, with verification on every request
  • Access controls: row-level security ensures only authorised personnel see your record; clinician access scoped to their practice
  • Audit logging: AI interactions and sensitive data access are logged for security monitoring and accountability
  • Australian primary infrastructure: your clinical record is hosted on enterprise cloud infrastructure in Sydney, Australia (Supabase, region ap-southeast-2)
  • Independent security assessments: we conduct regular code reviews and engage independent security testing pre-pilot and annually

Notifiable Data Breaches Commitment

Under the Notifiable Data Breaches scheme (Privacy Act 1988 Pt IIIC), if we become aware of an eligible data breach affecting your information we will notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and within 30 days at the latest. We aim for 72 hours wherever possible. Our notification will tell you what happened, what data was involved, what we are doing in response, and what you should do.

8. Data Retention

We retain your health information in accordance with Australian healthcare record-keeping requirements:

  • Adult clinical records: minimum 7 years from the date of last service
  • Records of minors: until the patient turns 25 years old
  • AI conversation logs: retained as part of the clinical record for audit and safety review
  • Wearable data: retained as part of the clinical record (disconnecting a device stops future ingestion but does not delete already-ingested data)
  • Some records may be retained longer for legal, regulatory, or clinical reasons

If you request account deactivation, your Portal access will be removed. Clinical records created during your care are retained by your healthcare provider as required by Australian law. Where technically possible and lawful (e.g. a non-clinical address change you wish to delete entirely), we will remove the data. Where retention is mandatory we will tell you and explain the basis.

9. Your Rights

Under Australian privacy law and our policies, you have the right to:

  • Access (APP 12): view your personal and health information through the Portal at any time, or request a structured export by contacting us. We will respond within 30 days.
  • Correction (APP 13): update non-clinical details directly. Clinical records can be annotated but not deleted (medical-legal requirement); your annotation will be visible alongside the original record.
  • Withdraw consent: withdraw any optional consent at any time from Portal settings. Withdrawal of core consents (e.g. to AI processing) means we cannot continue to provide Portal services; we will help transition you to a non-AI care pathway.
  • Disconnect wearable devices: revoke any wearable connection at any time
  • Request human review of AI outputs: at any time
  • Request deactivation: request that your Portal access be removed
  • Lodge a complaint: see Section 13

10. Optional Consents

During onboarding you may be asked for the following optional consents. They are opt-in and default to off. You can change them at any time from Portal settings.

Joint Registry (AOANJRR)

If you have a joint replacement, you may consent to your surgical outcome data being submitted to the Australian Orthopaedic Association National Joint Replacement Registry. This helps track implant safety and improve outcomes for future patients.

De-identified Research

You may consent to your de-identified data being used for medical research approved by an Australian human research ethics committee (HREC). De-identified data has direct identifiers removed; we use industry-standard techniques but no de-identification is risk-free, particularly in small cohorts.

Service Improvement and AI Quality

You may consent to anonymous usage patterns and de-identified clinician communication patterns being used to improve the Portal experience and the quality of our AI tools. No patient-identifiable information is retained.

11. Overseas Disclosure (Sub-processors)

Your primary clinical record is stored in Australia (Supabase, Sydney). To deliver the service we share certain information with the following overseas providers, each bound by a Data Processing Agreement and reasonable steps under APP 8:

Provider, country, and purpose / data type:

  • Anthropic, PBC (United States): AI processing of de-identified clinical content. Direct identifiers (name, DOB, contact details, Medicare number) are replaced with placeholders before sending and restored on the response. Per Anthropic's published API policies, inputs are not used for model training; a formal zero-retention arrangement is being finalised ahead of pilot. See Section 4.
  • Voyage AI (United States): search indexing of de-identified text only. Not retained.
  • Vercel Inc. (United States primary, global edge): application hosting; transient request processing only. No clinical data stored.
  • Resend Inc. (United States): email delivery (your email address and message content).
  • Twilio Inc. (United States): SMS delivery (your phone number and message content).
  • Wearable platforms (WHOOP, Oura, Garmin, Apple Health where supported) (United States): where you authorise a wearable connection, health metrics are retrieved from these vendors' servers. Data is stored in Australia after retrieval.

Cross-border consent (APP 8): Where we have taken reasonable steps to ensure overseas recipients comply with the APPs (through contractual safeguards), we remain accountable under s 16C of the Privacy Act for any breach by them. By accepting this Privacy Policy, you also acknowledge that you have been informed of these overseas disclosures and consent to them.

12. Cookies and Tracking

The Portal uses essential cookies to maintain your login session and remember your preferences. We do not use advertising or third-party tracking cookies.

We may use first-party analytics to understand how the Portal is used. This data is aggregated and does not identify individual users.

13. Complaints and Contact

If you have questions about this Privacy Policy, want to exercise a right, or wish to make a complaint, please contact our Privacy Officer:

Ohja Health Pty Ltd — Privacy Officer

Email: privacy@ohja.health

Website: www.ohja.health

We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner (OAIC)

Phone: 1300 363 992

Web: www.oaic.gov.au/privacy/privacy-complaints

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by prompting you to re-acknowledge the policy at next sign-in. The version and date at the top of this page show when it was last updated.

Ohja Health Pty Ltd · ABN pending · privacy@ohja.health