Lionheart Clinic

Privacy Policy

Lionheart Clinic Pty Ltd

ABN: 43 675 012 601

Effective Date: 19 November 2025

Version: 1.0

Last Updated: 19 November 2025

1. Introduction

Lionheart Clinic ("we", "us", "our") is committed to protecting your privacy and complying with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth), and with the obligations of our practitioners under the Health Practitioner Regulation National Law, which is administered by the Australian Health Practitioner Regulation Agency (AHPRA).

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information, including sensitive health information.

1.1 Who This Policy Applies To

This policy applies to:

  • Patients seeking mental health services
  • Parents/Guardians of child and adolescent patients
  • General Practitioners (GPs) submitting referrals
  • Clinicians (Psychiatrists, Psychologists, GPs) using our platform
  • Teachers completing Vanderbilt ADHD assessments
  • Job Applicants applying for positions at Lionheart Clinic

1.2 Contact Information

Privacy Officer:

Kenneth Cheung

Email: ken@kukitanuki.com.au

Address: 112 May Street, St Peters, NSW 2044, Australia

Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au

Phone: 1300 363 992

Australian Health Practitioner Regulation Agency (AHPRA):

Website: www.ahpra.gov.au

Phone: 1300 419 495

2. What Personal Information We Collect

We collect personal information that is reasonably necessary for our functions and activities as a healthcare service provider.

2.1 Patient Information

Identity and Contact Details:

  • Full name, preferred name, pronouns
  • Date of birth
  • Email address and phone number (Australian format)
  • Residential address (street, suburb, state, postcode)
  • Emergency contact (name, relationship, phone number)

Medical and Health Information:

  • Reason for booking (minimum 50 characters detailing your mental health concerns)
  • Current medications and dosages
  • Known allergies
  • Previous mental health diagnoses
  • Previous psychological or psychiatric treatment history
  • General Practitioner (GP) details (name, practice name, phone number)

Mental Health Assessment Data:

We offer 8 validated mental health screening scales, including:

  • PHQ-9 (Depression - Adult and Adolescent versions)
  • GAD-7 (Generalised Anxiety Disorder)
  • Vanderbilt ADHD Diagnostic Rating Scale (Parent and Teacher versions)
  • Adult ADHD Self-Report Scale (ASRS-v1.1)
  • PTSD Checklist for DSM-5 (PCL-5)

Assessment data includes:

  • Your responses to each question
  • Calculated scores and severity classifications
  • Crisis screening flags (if PHQ-9 Question 9 indicates suicidal ideation)
  • Timestamp of completion

Payment Information:

  • Tokenized payment method ID from Stripe (we do NOT store your credit card number)
  • Last 4 digits of card, card brand, and expiry date
  • Billing address
  • Payment transaction history (deposits, refunds)

What We Do NOT Collect:

  • Credit card numbers (we use Stripe tokenization)
  • Social media activity
  • Browsing history outside our platform
  • Marketing analytics for advertising

3. How We Collect Your Information

We collect information directly from you through online forms, file uploads, and from third parties with your authorisation (such as your GP or teachers for Vanderbilt ADHD assessments).

All uploaded files undergo strict security screening with VirusTotal's 70+ antivirus engines before permanent storage. We also collect some information automatically for security and audit purposes, including IP addresses and login timestamps.

4. Why We Collect and Use Your Information

We use your information for clinical care and treatment, booking and appointment management, mental health assessment and screening, payment processing, and administrative operations.

We do NOT use your information for third-party advertising, social media targeting, or automated decision-making without human oversight.

5. How We Share Your Information

Within Lionheart Clinic, access to your information is strictly controlled based on role (Clinical Director, assigned clinician, admin staff). We share information with your GP only when you initiate the sharing through our GP Sharing Workflow.

Third-party services we use include Stripe (payment processing), Google Calendar (clinician scheduling with patient initials only), VirusTotal (file security), and Gmail API (transactional emails).

We do NOT share your information with:

  • Advertisers or marketing companies
  • Data brokers
  • Social media platforms
  • Insurance companies (unless you authorise in writing)

6. Data Security and Protection

We protect your information with:

  • Encryption at Rest: AES-256 encryption for all data stored in Supabase PostgreSQL (Sydney, Australia region)
  • Encryption in Transit: HTTPS/TLS 1.3 for all web traffic and API calls
  • Access Controls: Row-Level Security (RLS) policies enforced in the database ensuring each user can access only the records their role permits (patients see only their own data; clinicians and staff see only what their role allows)
  • File Upload Security: Virus scanning with VirusTotal before acceptance
  • Audit Logging: All actions logged and retained for 7+ years

All data is stored in Australia (Supabase Sydney region) with no cross-border transfers of health information.

7. Data Retention and Deletion

Medical Records (Long-Term Retention - Minimum 7 Years)

Once you submit a booking request, the following data becomes part of your permanent medical record and is retained for a minimum of 7 years from your last interaction:

  • Booking request details and medical history
  • GP referral letters
  • Assessment scale results linked to bookings
  • Appointment details and clinical notes
  • Payment transaction records

For Minors (Children and Adolescents):

Records retained until the patient turns 25 (that is, 7 years after turning 18)

What You CAN Delete:

  • Assessment scales WITHOUT booking (within 30-day retention period)
  • Your account if no booking exists
  • Supporting documents uploaded before booking submission

What You CANNOT Delete:

Australian law and AHPRA regulations require us to retain:

  • Booking data once submitted
  • GP referral letters
  • Assessment scales linked to bookings
  • Appointment records
  • Rejection records (permanent - AHPRA compliance)
  • Crisis logs (permanent - duty of care)
  • Payment transaction history
  • Audit logs

8. Your Rights Under the Privacy Act 1988

8.1 Right to Access Your Information

You have the right to request access to the personal information we hold about you. Email our Privacy Officer at ken@kukitanuki.com.au with your request. We will respond within 30 days.

8.2 Right to Correct Your Information

You can update contact information directly through your patient portal. For medical information corrections, contact our Privacy Officer for clinical review.

8.3 Right to Complain

If you believe we have breached the Australian Privacy Principles, contact our Privacy Officer. If not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or 1300 363 992.

9. AHPRA-Specific Compliance

As a healthcare service provider whose clinicians are registered with AHPRA, we maintain comprehensive medical records with minimum 7-year retention periods. All booking rejection decisions are permanently documented with detailed reasons for clinical governance and audit purposes.

Crisis Screening Protocols

If you respond to PHQ-9 Question 9 (thoughts of self-harm) with a score of 1 or higher, we immediately display crisis resources including Emergency (000), Lifeline (13 11 14), and Kids Helpline (1800 55 1800).

Important:

Assessment scales are screening tools, not crisis intervention services. If you are in immediate danger, call 000 or Lifeline 13 11 14.

10. Privacy in Communications

We protect your privacy in all communications:

  • No PHI in Email Subject Lines: We never include protected health information in subject lines
  • Google Calendar Privacy: Only patient initials appear in clinician calendars (e.g., "SJ - New Patient"), never full names or diagnoses
  • Secure Portal Links: Sensitive information accessed only via authenticated portal links

11. Minors, Parents, and Consent

For children and adolescents (ages 2-17), parents or legal guardians create accounts and complete assessments on behalf of the child. Parental consent is required for all data collection and use.

Medical records for minors are retained until the patient turns 25 (that is, 7 years after turning 18) to ensure developmental history is available for ongoing care.

12. Cross-Border Data Transfers

All data is stored in Australia (Supabase Sydney region). There are no cross-border transfers of health information. While some third-party services (Stripe, Google) are US-based companies, payment processing occurs within Australia, and Google Calendar receives only patient initials (no PHI).

13. Updates to This Privacy Policy

For material changes to this policy, we will notify all registered users via email with 30 days' notice before changes take effect. The current version is displayed at the top of this page.

Version: 1.0

Effective Date: 19 November 2025

Last Updated: 19 November 2025

Next Review Date: 19 November 2026

15. Contact Information and Complaints

Privacy Officer

Kenneth Cheung

Email: ken@kukitanuki.com.au

Address: 112 May Street, St Peters, NSW 2044, Australia

Response Times:

  • Acknowledgment: 5 business days
  • Access Requests: 30 days
  • Correction Requests: 30 days
  • Complaints: 30 days

Office of the Australian Information Commissioner (OAIC)

Website: www.oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

AHPRA (Clinical Matters)

Website: www.ahpra.gov.au

Phone: 1300 419 495

16. Definitions and Interpretation

Personal Information
Information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Sensitive Information
A subset of personal information that includes health information, genetic information, and biometric information.
Protected Health Information (PHI)
Health information that can identify an individual (e.g., name + diagnosis). We minimise PHI in communications.
Medical Record
Any record of clinical information about a patient, including booking details, GP referrals, assessment results, and treatment plans.

17. Acknowledgment

By using Lionheart Clinic's services, creating an account, completing assessment scales, or submitting a booking request, you acknowledge that you have read, understood, and agree to this Privacy Policy.

If you have any questions or concerns about how we handle your personal information, please contact our Privacy Officer at ken@kukitanuki.com.au.

Thank you for trusting Lionheart Clinic with your mental health care.

Document Control

  • Version: 1.0
  • Approved By: Dr Mimi Sheng Xu (AHPRA Registration: MED0001931439)
  • Approval Date: 19 November 2025
  • Effective Date: 19 November 2025
  • Next Review Date: 19 November 2026
  • Document Owner: Kenneth Cheung, Privacy Officer, Lionheart Clinic Pty Ltd