Privacy Policy

Last updated: February 2026

StatX Analytics Pty Ltd (ABN 60 679 369 898), trading as SimpleRef Australia ("SimpleRef", "we", "us", "our"), is committed to protecting the privacy of your personal and health information. This Privacy Policy explains how we collect, use, store, and disclose information through our cloud-based referral management platform ("the Service") operated from Sydney, Australia.

By using the Service, you agree to the collection and use of information in accordance with this policy. This policy should be read alongside our Terms of Service.

1. Information We Collect

1.1 Practice and Account Data

When you register for SimpleRef, we collect information about your practice including practice name, address, ABN, and contact details. We also collect personal information about account holders such as name, email address, phone number, and professional role.

1.2 Referral and Patient Data

The Service processes referral information entered by your practice, which may include patient names, dates of birth, Medicare numbers, DVA numbers, Individual Healthcare Identifiers (IHIs), contact details, referring doctor information, clinical notes, and uploaded documents such as referral letters and diagnostic reports.

1.3 Usage and Analytics Data

We automatically collect technical information when you use the Service, including browser type, device information, IP address, pages viewed, and feature usage patterns. This data is collected via Firebase Analytics and Google Analytics and is used to improve the Service.

2. How We Store Your Data

All data is stored on Google Cloud infrastructure in Sydney, Australia. Some sub-processors may process limited non-clinical data overseas — see Section 4 for details.

• Encryption at rest: All data is encrypted using AES-256 via Google Cloud's default encryption. Application-level AES-256-GCM encryption is used for sensitive credentials and backups.
• Encryption in transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher.
• Tenant isolation: Each practice's data is logically isolated using Firestore subcollections with server-side security rules. One practice cannot access another practice's data.
• Backups: Daily automated backups are maintained to ensure data recoverability.

3. How We Use Your Data

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process and track referrals on behalf of your practice
• Send transactional notifications (e.g., referral status updates, appointment reminders)
• Provide customer support
• Analyse usage patterns to improve features and performance
• Comply with legal obligations

4. Data Sharing and Disclosure

We do not sell your data. We do not share your personal or patient information with third parties for their marketing purposes.

We may share data only in the following limited circumstances:

• Within your practice: Data is accessible to authorised users within your practice based on their assigned role (Super Admin, Admin, Staff, Shared Staff, or Doctor).
• Infrastructure providers: We use Google Cloud (Firebase) to host and process data. Google acts as a data processor under our instructions and is bound by appropriate data processing agreements.
• Payment processing: Billing information is processed by Stripe. We do not store your full credit card details on our servers.
• Legal requirements: We may disclose information if required by law, regulation, court order, or governmental authority.

5. Data Retention and Deletion

We retain your data for as long as your account is active or as needed to provide the Service. If you cancel your subscription, your data will remain accessible for export for 30 days after termination. After that period, we will delete your data from our active systems within 90 days, except where we are required by law to retain it (e.g., financial records for tax compliance).

You may request deletion of your data at any time by contacting us at privacy@simpleref.com.au. We will process deletion requests within 30 business days.

6. Australian Privacy Law Compliance

6.1 Privacy Act 1988 (Cth) and Australian Privacy Principles

SimpleRef is designed to comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). We collect only the personal information reasonably necessary to provide the Service, we are transparent about how we handle it, and we take reasonable steps to protect it from misuse, interference, loss, and unauthorised access.

6.2 My Health Records Act 2012

Where the Service interacts with or processes data related to the My Health Record system, we comply with the obligations set out in the My Health Records Act 2012 (Cth) and associated regulations. We do not access, modify, or store My Health Records data without appropriate authorisation.

6.3 Notifiable Data Breaches Scheme

In the event of a data breach that is likely to result in serious harm, we will comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. We will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required. We maintain an incident response plan to ensure prompt detection, containment, and notification of eligible data breaches.

7. Cookies and Analytics

SimpleRef uses cookies and similar technologies for essential functions such as authentication and session management. We also use Firebase Analytics and Google Analytics to understand how the Service is used. These tools may set cookies on your device to collect anonymised usage data.

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of the Service.

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete information
• Request deletion of your personal information (subject to legal retention requirements)
• Complain to the OAIC if you believe we have breached the APPs

To exercise any of these rights, please contact us at privacy@simpleref.com.au.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

10. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

• Email: privacy@simpleref.com.au
• Entity: StatX Analytics Pty Ltd (ABN 60 679 369 898), trading as SimpleRef Australia
• Location: Sydney, Australia