Privacy policy

Last updated: May 2026

Entity: Prickly Health Pty Ltd ("Prickly", "we", "us", "our")

Jurisdiction: Victoria, Australia (Operating as a National Service)

At Prickly, we provide clinician-led screening for sexually transmitted infections (STIs). Because we handle highly sensitive health information, we are committed to protecting your privacy to the highest legal, ethical, and clinical standards.

This Privacy Policy outlines how we collect, use, disclose, and protect your personal and health information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable state and territory health records legislation (including the Victorian Health Records Act 2001).


1. Scope and Types of Information We Collect

To provide safe, accurate, and compliant clinical care, we must collect both Personal Information and Sensitive Information (specifically, Health Information) as defined under Section 6 of the Privacy Act 1988 (Cth).

  • Identity & Demographics: Legal name, preferred name, date of birth, biological sex, gender identity, and pronouns. We collect preferred names and pronouns to ensure we communicate with you respectfully.
  • Contact Information: Email address and mobile phone number.
  • Government & Healthcare Identifiers: Medicare number, Individual Healthcare Identifier (IHI), or Overseas Student/Visitor Health Cover (OSHC/OVHC) details.
  • Clinical Data: Answers to our digital sexual health questionnaire, clinical histories, and pathology test results.
  • Financial Data: Payment details processed securely at the time of requesting a screening.
  • GP Details: The contact details of your regular General Practitioner (only collected if you explicitly consent to sharing your results).

2. Methods of Collection and APP 2 (Anonymity)

We collect information directly from you when you complete our digital intake and consent forms. We also collect clinical results directly from our partner pathology laboratories following the processing of your samples.

Anonymity and Pseudonymity (APP 2): Under APP 2, individuals have the option of not identifying themselves or using a pseudonym. However, due to the medical and regulatory nature of pathology testing in Australia, it is impracticable and legally impermissible for Prickly to provide screening services anonymously or under a pseudonym. Our partner laboratories and clinicians require verified legal identities to issue valid Medicare-compliant pathology requests, accurately match clinical records, and process diagnostic results safely.


3. Use of Information and Clinical Governance

Your information is strictly used for the primary purpose of providing healthcare services and managing your clinical pathway.

  • Clinical Governance and Autonomy: Prickly utilises digital questionnaires to securely gather your health history solely for the purpose of pathology screening requests. We do not use fully automated decision-making (ADM) or AI systems to issue referrals or interpret clinical data. Every pathology request generated through our platform—and the subsequent review of every lab result—is manually assessed, verified, and actioned by an AHPRA-registered Australian clinician. In delivering this care, our clinicians exercise complete professional and clinical independence to determine if asynchronous care is appropriate and safe for your specific circumstances.
  • Synchronous Prescribing Policy: In strict adherence to Medical Board of Australia telehealth guidelines, Prickly does not prescribe medication or formulate treatment plans asynchronously via text, chat, or questionnaire. If your screening results indicate that clinical treatment or prescription intervention is required, all prescribing and subsequent clinical management is conducted exclusively via a real-time, synchronous telehealth consultation (video or telephone) with an AHPRA-registered practitioner.

4. Digital Architecture, Storage, and Cross-Border Transfers (APP 8)

We minimise data vulnerability by ensuring your permanent clinical files are never stored on independent, unprotected, or non-clinical databases.

  • Primary Clinical Storage (Halaxy): All clinical data, questionnaire responses, payment history, and medical records are hosted directly within Halaxy, an industry-leading, highly secure clinical practice management platform. All Halaxy data is stored on secure servers located physically within Australia, meeting national health privacy standards.
  • Administrative Processing (Google Workspace) & Transient Collection: We use Google Workspace exclusively for administrative and logistical operations (such as generating hardcopy pathology referral forms and handling inbound administrative emails). This workspace is fully HIPAA and APP compliant.
    • The 24-Hour Purge Protocol: To maximise your privacy, any pathology referral data or clinical information passing transiently through our Google Workspace is entirely purged from our active administrative systems every 24 hours.
    • Cross-Border Data Transfer (APP 8): While our primary clinical records remain permanently in Australia, Google Workspace infrastructure utilises secure data centres located within the European Union (EU). By using Prickly, you provide explicit consent to this limited, transient overseas processing under strict encryption protocols.

5. Disclosure to Third Parties, MHR, and Mandatory Reporting

We only share your information with the medical professionals actively involved in your care or where strictly required under Australian statutory obligations.

  • Pathology Partners: Necessary demographic and clinical data is transferred to our partner pathology laboratories via an industry-standard hardcopy referral form to allow your samples to be processed.
  • My Health Record (MHR): Prickly does not directly upload any of your consultation notes or referral data to the federal My Health Record (MHR) system. Please note that our partner pathology laboratories default to uploading your test results to MHR as part of their standard practice. However, to give you total control over your health data, we provide a prominent option within our initial clinical questionnaire to opt out of having your results uploaded to MHR by the lab.
  • Your Regular GP: We will not disclose your screening details or results to your regular GP unless you provide explicit, written consent.
  • Mandatory Notifiable Diseases: Under Australian public health laws, laboratories and clinicians are legally required to report positive cases of specific notifiable STIs (such as Chlamydia and Gonorrhoea) to state or territory health departments. These notifications are handled securely and are frequently partially de-identified. For self-test interventions requiring subsequent clinical referral (such as Syphilis), mandatory reporting is handled by the downstream practitioner ordering your formal confirmatory diagnostic testing.
  • Legal Compulsion: We may disclose your personal information if compelled by law, such as in response to a valid court subpoena, warrant, or statutory order.

6. Communications, Secure Delivery, and Spam Act Compliance

We handle clinical communications with maximum discretion to protect your privacy from onlookers.

  • Results Delivery: You will receive an email notification when your results are ready.
    • Negative Results: The email will explicitly state that your results are negative to provide immediate peace of mind.
    • Positive or Indeterminate Results: The email will contain neutral language stating only that a "result requires follow-up" and will provide directions on next steps. Specific diagnoses are intentionally omitted from the email body to prevent accidental privacy breaches if your device notifications are visible to third parties.
    • Secure Document Delivery: To ensure complete security, detailed treatment summary letters, clinical referrals, or practitioner-to-GP communications regarding positive results are never sent via standard email. They are shared exclusively via secure, two-factor authenticated (2FA) document download links generated by Halaxy.
  • Routine Clinical Reminders: Because regular screening is essential to sexual health management, Halaxy will automatically generate a single email reminder three months after your request to prompt you to consider your next screen. This is a factual clinical reminder under the Spam Act 2003 (Cth) and is not classified as direct marketing. You may opt out of these reminders at any time via the unsubscribe link.
  • No Direct Marketing: Prickly will never use your sensitive health information for direct marketing, nor will we send you promotional materials.

7. Data Retention and Statutory Obligations

Under Australian medical record retention laws and state-based health records legislation, health service providers are legally obligated to retain clinical files for strict statutory periods. We cannot delete permanent clinical records from Halaxy upon patient request prior to the expiration of these periods:

  • Adult Records: Records for individuals aged 18 years or older must be retained for a minimum of 7 years from the date of the last clinical interaction.
  • Minor Records: For patients who access our service under the age of 18, records must be retained until the patient reaches 25 years of age, or for 7 years from the date of the last clinical interaction—whichever time period is longer.

8. Age Restrictions, Identity Verification, and Fraud Mitigation

Prickly strictly provides services to individuals aged 16 years and over.

Providing false identification or utilising another individual's healthcare identifiers compromises the integrity of the national health record system, creates significant cross-contamination risks for innocent third-party records, and constitutes a severe clinical hazard. If we discover or have reasonable grounds to suspect that a user has utilised fraudulent identity details or is under the age of 16, Prickly reserves the right to immediately terminate the service, cancel all pending pathology requests, and permanently isolate the clinical file to protect health record integrity.


9. Website Analytics and Data Minimisation

When you interact with our website, we prioritise your privacy through strict data minimisation principles. We do not use third-party advertising pixels or tracking tools that link your digital journey to your clinical identity.

  • Google Analytics: We may track standard, aggregated, de-identified metrics (e.g., page views, session duration) to manage website traffic and optimise server performance.
  • Communication Tracking: Through Halaxy, we securely monitor the delivery status of our emails to ensure you have successfully received vital clinical communications.

10. Access, Correction, and Data Quality (APP 12 & 13)

Under APP 12 and APP 13, you have a legal right to request access to your personal and health information, and to request corrections if you believe the data we hold is inaccurate, incomplete, or out of date.

  • How to Request: Email our administrative team at hello@prickly.health.
  • Verification: We will require you to verify your identity using standard identity documentation before releasing or correcting any information.
  • Clinical Preference: To ensure continuous, safe care, our strong clinical preference is to securely transfer your complete records directly to your nominated external healthcare practitioner rather than releasing raw files directly to you.
  • Fees: We do not charge administrative fees for processing access or correction requests.

11. Complaints and Data Breaches (APP 1 & NDB Scheme)

If you believe we have breached the Australian Privacy Principles, the Privacy Act 1988 (Cth), or mishandled your health records, you have the right to lodge a formal complaint.

  • Internal Resolution: Please direct your complaint in writing to hello@prickly.health. We commit to investigating and responding to your complaint within 30 days.
  • Notifiable Data Breaches (NDB) Scheme: Prickly complies fully with the federal NDB scheme under Part IIIC of the Privacy Act 1988 (Cth). In the unlikely event of a data breach that is likely to result in serious harm, we are legally committed to promptly containing the breach, assessing the risk, and notifying both you and the Office of the Australian Information Commissioner (OAIC), outlining the steps we have taken to secure your data and the actions you should take.
  • External Escalation: If you are unsatisfied with our internal response, you may escalate your complaint to the federal regulator:
    Office of the Australian Information Commissioner (OAIC)
    GPO Box 5288, Sydney NSW 2001
    www.oaic.gov.au

12. Changes to this Policy

We may update this Privacy Policy periodically to reflect changes in our clinical operations, digital infrastructure, or Australian privacy legislation. The updated policy will be published on our website, and the "Last updated" date at the top of this document will be amended accordingly.


© Prickly Health Pty Ltd · ABN 26 686 380 156