Privacy Policy

Effective date: 1 May 2026

Clinara is a trading name of Comet Apps Pty Ltd. We provide AI-assisted consultation documentation tools for aesthetic clinics and handle personal information in line with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

The clinic's role and Clinara's role

When a clinic uses Clinara to record and document consultations, the clinic has the primary relationship with the client and is responsible for obtaining informed consent before any recording takes place. The clinic decides what to record, who can access it within their team, and how long to keep it.

Clinara stores and processes that information on the clinic's behalf to provide the service. Both Clinara and the clinic are APP entities under the Australian Privacy Act and each has direct obligations under the APPs in respect of the personal information we hold. Nothing in this policy limits the rights you have to deal with Clinara directly.

Clinara provides optional tools to support a clinic's consent workflow (for example an in-app consent checkbox on the kiosk and recorder). These tools assist the clinic but do not replace the clinic's responsibility to obtain and manage informed consent from its clients.

What we collect

Default position on access. Clinara stores and processes consultation information so that the clinic can use the service, but our staff do not have routine access to the personal information clinics capture. Our administrative tools apply technical access controls that prevent Clinara operators from reading consultation audio, transcripts, treatment notes, coaching narratives, follow-up email content, client records, and consent records. These controls are implemented in code (database queries on administrative surfaces are restricted to an allow-list of non-clinical fields) and are verified by automated tests as part of every release.

Automated processing (for example sending audio to our transcription provider and generating draft notes with our AI provider) runs on the clinic's instructions to deliver the service. Beyond that automated path, if a clinic specifically permits Clinara to access a particular recording or session (for example to investigate a transcription issue raised through support, or to assist with a data subject request), we will only do so to the extent the clinic permits, only for the specific purpose requested, and that access is recorded in our audit log.

Depending on how Clinara is used, we may collect:

  • Client identifiers (for example name and contact details)
  • Consultation audio recordings and transcripts
  • Consultation notes, coaching outputs, and follow-up content
  • User account and clinic administration information
  • Technical and security data (logs, diagnostics, audit events)

Sensitive information

Consultation audio, transcripts, and notes may include personal details such as skin concerns, treatment preferences, or other information that could be considered sensitive information under APP 3. The clinic is responsible for obtaining informed consent from each client before recording a consultation, and Clinara handles this information on the clinic's behalf in reliance on that consent. Clinara applies its own technical and organisational safeguards when storing and processing sensitive information.

How we collect information

We collect personal information:

  • Directly from you: when you create an account, configure your clinic, or contact us.
  • From clinic practitioners: when they record consultations and use documentation tools on behalf of their clients.
  • Automatically: through server logs, cookies, and similar technologies when you use the platform.

How we use information

  • Operate consultation recording and transcription workflows
  • Generate AI-assisted notes and coaching insights
  • Support clinic operations, quality assurance, and training
  • Maintain security, prevent misuse, and investigate incidents
  • Meet legal and regulatory obligations

Disclosure and sharing

We do not sell personal information. We share personal information only with the following categories of recipients, and only to the extent necessary to deliver the service:

  • Cloud infrastructure: hosting, storage, and compute (e.g. AWS, Vercel, MongoDB Atlas)
  • AI processing: transcription and language model providers (e.g. AWS Transcribe, AWS Bedrock)
  • Authentication: identity and access management (e.g. Clerk)
  • Email delivery: transactional and notification emails
  • Error monitoring: application diagnostics and error tracking

Where providers process personal information on our behalf, we apply contractual and technical safeguards.

Data residency and cross-border disclosure

Clinara configures core processing in Australia (ap-southeast-2), including AWS Transcribe, AWS Bedrock, and AWS S3, with Vercel functions pinned to Sydney (syd1) and MongoDB Atlas in Sydney.

Some service providers may process limited data outside Australia, including in the United States (for example, authentication services and error monitoring). In accordance with APP 8, where personal information is disclosed to an overseas recipient, we take reasonable steps to ensure the recipient handles the information consistently with the APPs. This includes contractual obligations and technical controls such as encryption in transit and at rest.

Cookies and tracking

We use cookies and similar technologies to support authentication, remember preferences, and collect usage analytics. These include:

  • Essential cookies: required for authentication and session management.
  • Analytics cookies: help us understand how the platform is used so we can improve the experience.

You can manage cookie preferences through your browser settings, though disabling essential cookies may affect platform functionality.

De-identification and AI improvement

We do not use identifiable consultation data to train general-purpose AI models. Where data is used for product improvement or quality assurance, it is aggregated or de-identified so that individuals cannot reasonably be re-identified.

Retention and deletion

We retain personal information only for as long as needed to fulfil the purpose for which it was collected, or as required by law. Specific retention practices include:

  • Audio recordings: retention is configurable by clinic, and recordings are automatically deleted after the configured period.
  • Account data: retained while the account is active and for a reasonable period after closure to support any outstanding obligations.
  • Logs and diagnostics: retained for a limited period for security and troubleshooting, then automatically purged.

Clinics may request deletion of their data by contacting us at the address below.

Security

We apply technical and organisational controls including access controls, encryption in transit and at rest, logging, and monitoring. No method of transmission or storage is perfectly secure, but we continuously improve our safeguards.

Your privacy rights

Under the APPs, individuals may:

  • Request access to personal information we hold about them (APP 12).
  • Request correction of personal information that is inaccurate, out of date, or incomplete (APP 13).

You can exercise these rights directly with Clinara by contacting us at the address below, and we will respond in accordance with the APPs. For personal information collected during a consultation, the clinic that recorded it usually holds the most direct context (including consent records, the consultation itself, and any treatment notes), so where appropriate we may also work with the clinic to respond to your request.

Notifiable Data Breaches

If an eligible data breach occurs, we will notify affected individuals and the Australian Information Commissioner in accordance with Australia's Notifiable Data Breaches scheme, and support impacted clinics to meet their own obligations.

Complaints

If you have a concern about how we handle personal information, please contact us first so we can try to resolve it. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

Contact

For privacy enquiries or requests, contact privacy@clinara.ai.