7.1 Ownership of Data: You retain ownership of any data you input into Hethena or provide to us in the course of using the Service. For example, if you (or your customer) provide medical history information, lab results, or any other personal data, that data remains owned by you or the individual from whom it originated. Hethena does not claim ownership of your raw personal or customer information.

7.2 License to Use Data: In order to operate the Service, you grant Hethena a limited, worldwide, royalty-free license to use, reproduce, and process the data you provide solely for the purposes of: (a) providing the Hethena services to you and any end-users (for example, using the data to generate reports, perform analyses, or integrate with lab systems), (b) maintaining and improving the Service (such as troubleshooting issues, training algorithms with appropriate safeguards, or enhancing features), and (c) as otherwise required by law or permitted by these Terms. This license extends to trusted third-party contractors or subprocessors we utilize to deliver the Service (for instance, cloud hosting providers or lab integration services), but always in compliance with our privacy and security commitments. We will not use your personal data for any purpose unrelated to providing or improving Hethena without your consent.

7.3 Data Storage Location: Your data will be stored securely, primarily on servers located in Australia. We aim to store health data within Australia to comply with local regulations and keep data close to its source. In some cases, non-health personal data (like account information or support emails) may be stored or backed up on cloud infrastructure that could include overseas locations or service providers. However, we will not disclose personal information to overseas recipients except in compliance with APP 8 (Cross-border disclosure of personal information) – for example, we will ensure the recipient is subject to laws or contractual obligations upholding similar privacy protections, or we will seek your consent where required.

7.4 Data Retention: We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Health records may be kept for a period consistent with medical record-keeping obligations (for example, under state law, health records are often kept for a minimum number of years). If you discontinue use of Hethena or request deletion of your data, we will take reasonable steps to delete or de-identify the personal information we hold about you, except to the extent we are required to retain it for legal, regulatory, or internal compliance purposes. (For example, we might retain transactional records for accounting, or minimal information to confirm that you had an account, for fraud prevention, etc.)

7.5 Anonymised Data for Research and Improvement: We recognize the value of medical data in advancing research and improving healthcare. Hethena may use de-identified and aggregated data for research, analytics, and product improvement. This means that after removing or irreversibly anonymising personal identifiers (so that the data is no longer about an identifiable individual), we may analyze data trends to improve our algorithms, publish insights about usage (for example, to understand how often certain recommendations are used), or contribute to scientific or clinical research. Any such use of data will not identify you or any individual customer. For clarity, de-identified data means information that is no longer reasonably capable of identifying a person, consistent with OAIC guidelines on de-identification. By using Hethena, you consent to our use of de-identified data for these purposes. If we ever wish to use identifiable health data for research that is outside the scope of providing the service, we will seek appropriate consent or ethics approval as required by law.

7.6 Data Access and Control: You have certain rights to access and control your personal data. For example, if you are an individual whose personal information is held in Hethena (such as a customer user), you have the right to request access to that information and to request corrections if it is inaccurate, in accordance with the Privacy Act and applicable law. If you wish to access or correct your data, you (or your healthcare provider who input the data) can contact us. We will respond to data access requests within a reasonable time. There may be exceptions in which we cannot provide certain data (for example, if giving access would unreasonably impact someone else’s privacy or if we are legally prevented from disclosing it), but we will inform you if any such exception applies.

7.7 User Responsibilities for Data: If you are a healthcare provider using Hethena, you are responsible for obtaining any necessary consents from customers to input their data into the platform and to use Hethena as part of their care. You should also ensure that any data you submit is accurate and that you have the right to provide it. You agree not to upload any personal information to Hethena that is not needed for the platform’s intended use (for example, don’t use Hethena to store unrelated personal files). If you inadvertently submit someone else’s personal information without authorization, you must inform us so we can delete it. You also agree that you will not use Hethena to store or share highly sensitive identifiers like government-issued IDs, credit card numbers, or other data outside of health context, except where specifically requested by the Service for identity verification or payment processing (which have their own protections).

7.8 Data Backup: We perform regular backups of data on the Hethena platform to prevent loss of information. In the event of any system failure or data corruption, we will strive to restore data from the latest backup. However, we encourage healthcare provider users to maintain their own copies or records of critical data (such as exporting customer reports or notes) as needed for their professional record-keeping, since Hethena is a supplemental tool and not an official medical records system of record. We are not liable for rare cases of data loss (see Section 11), but rest assured we follow best practices to minimize this risk, including off-site backups and redundancy in line with the Essential Eight strategies (daily backups and tested restoration).

7.9 Data Portability: If you choose to stop using Hethena and need your data, please contact us. We can assist in providing your data in a common format (for example, a CSV export of your input data or PDF copies of reports) where feasible, so that you can transition to an alternative solution. Some data (especially if de-identified or aggregated) may not be portable in a meaningful way, but we will do our best to accommodate reasonable requests.

7.10 Confidentiality: We consider your personal and health data confidential. Our staff and any partners are bound by confidentiality obligations. We will not disclose your identifiable information to any third party except as described in these Terms, our Privacy Policy, or with your explicit consent. Typical disclosures include: sharing necessary info with a lab to process a test (with your consent by using that feature), providing data to your healthcare provider if you are a customer user, or legal disclosures if required (see 7.11). We do not sell personal data to marketers or unrelated third parties.

7.11 Legal Compliance and Disclosures: We may disclose personal information if we are required to do so by law, court order, or regulatory requirement (for example, in response to a subpoena, or to report notifiable diseases or adverse events as mandated by health regulations). We may also disclose information if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Where lawful and practical, we will attempt to notify you of such disclosures.