Privacy Policy

1. Introduction

At Hethena, we understand the importance of protecting your personal and sensitive health information. This Privacy Policy outlines our commitment to managing your information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and other relevant laws (including GDPR where applicable). We operate as a health service provider and this policy describes how we collect, use, disclose, and protect your data in an open and transparent way.

2. The Information We Collect

We collect personal information and sensitive information (including health information). Categories of information include:

  • Identity and Contact Data: Name, date of birth, age, gender, address, email, and phone number.

  • Health Information: Medical history, laboratory test results (e.g., biomarkers from lab partners), and medical documents provided by you or your healthcare provider.

  • Financial and Transaction Data: Payment details processed securely via Stripe (we do not store full payment card details).

  • Profile Data: Username, password, account preferences, and details of services purchased.

  • Technical and Usage Data: IP address, browsing behaviour, device and operating system information.


We collect this information:

  • Directly from you or your clinician (e.g., when entering information into Hethena).

  • Indirectly from third parties (e.g., laboratory partners, connected health record systems, analytics services).


We do not knowingly collect information from children under 16 without parental or guardian consent.

3. How and Why We Use Your Information

We use your personal information to:

  • Provide Services: Analyse lab results and customer-supplied information, surface guideline-referenced considerations, and support clinicians in care planning.

  • Communicate with You: Manage appointments, provide customer support, and send important updates.

  • Operate and Improve Hethena: Use de-identified and aggregated data for analytics, product improvement, and research purposes, with safeguards to prevent re-identification.

  • Legal and Regulatory Compliance: Fulfil obligations under healthcare, privacy, and consumer laws.


Sensitive health information is only collected and used with your consent, or where directly necessary to provide a health service.

4. Disclosure of Personal Information

We will never sell or rent your personal information. Disclosure occurs only when necessary to deliver our services, including:

  • Our staff and contractors who require access for support and maintenance.

  • Laboratories and healthcare professionals involved in your care (e.g., Healius).

  • Service providers that support our operations:

    • Stripe, Inc. (USA): Payment processing

    • Microsoft Azure (USA): Cloud hosting and storage

    • Azure OpenAI (USA): Limited AI processing (no sensitive health data)

    • Hotjar (EU): User experience analytics (no sensitive health data)

All third-party providers act under strict contractual obligations to process information only on our instructions.

4.1 Cross-Border Disclosure

Personal information may be stored or accessed outside Australia, including in the United States and the European Union. We take reasonable steps to ensure overseas recipients provide equivalent protections, through legal agreements and security measures.

5. Security

We implement a range of measures to protect your personal information, including:

  • Encryption of data at rest and in transit

  • Role-based access controls and MFA

  • Regular monitoring, audits, and logging

  • Privacy by design (including Privacy Impact Assessments)

  • Alignment with ISO 27001 controls and the ACSC Essential Eight strategies


Despite these measures, no system is completely secure; transmission of data is at your own risk.

6. Data Retention

We retain personal and health information only as long as necessary for providing services and meeting legal obligations. For example, medical records are retained for at least 7 years from the last entry (or until a customer turns 25, whichever is later), consistent with Australian law. When no longer required, data is securely destroyed or de-identified. Residual encrypted copies may persist temporarily in system backups.

7. Data Security and Governance

We embed privacy and security into all projects. Privacy Impact Assessments (PIAs) are conducted for new initiatives, and internal documentation is maintained to demonstrate compliance with the APPs.

8. Data Breach Response

In the event of an eligible data breach (likely to cause serious harm), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme. Notifications will include the nature of the breach, data involved, and steps users should take. Notices are delivered by email and/or in-app alerts.

9. Your Rights: Access, Correction, and Complaints

  • Access & Correction: You may request access to, or correction of, your personal data. Please contact us using the details below; we aim to respond within 30 days.

  • Complaints: If you believe your privacy has been breached, you can lodge a complaint with us. We will acknowledge and respond promptly. If unsatisfied, you may escalate the complaint to the OAIC.

10. Updates to this Policy

We may update this Privacy Policy to reflect changes in law, regulation, or our practices. The “last updated” date will always be shown, and significant changes will be notified to you via email or platform alerts.

11. Contact Us

For questions, access requests, or complaints, please contact our Privacy Officer: contact@hethena.com

Copyright © Hethēna. All rights reserved.