Privacy Policy

1. Introduction

Moirai Health Pty Ltd (ABN pending) (“Moirai”, “we”, “us”, or “our”) operates the moirai.health platform and related services. Moirai provides clinical AI governance infrastructure for healthcare practices, enabling them to document, monitor, and demonstrate responsible oversight of AI-assisted clinical decision-making.

This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It applies to all users of the Moirai platform, our website at moirai.health, and any related services.

By accessing or using our platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

When you create an account, we collect your full name, email address, professional role or title, and authentication credentials. If you sign up on behalf of a healthcare practice, we also collect your relationship to that practice.

2.2 Practice Information

We collect information about your healthcare practice, including practice name, Australian Business Number (ABN), registered address, contact details, practice type, and the number of practitioners. This information is necessary to configure your governance environment and generate compliance documentation.

2.3 AI Tool Metadata

Moirai records metadata about the AI tools your practice uses in clinical settings. This includes tool names, vendor information, TGA classification, intended clinical use, risk levels, deployment dates, and compliance status. This is governance metadata only and does not include any patient data, clinical images, diagnostic outputs, or protected health information (PHI).

2.4 Governance Documents

We store governance artefacts you create or upload, including AI use policies, evidence documents, audit logs, risk assessments, compliance checklists, and generated reports. These documents relate to your practice’s governance framework and do not contain patient health information.

2.5 Usage and Analytics Data

We automatically collect information about how you interact with the platform, including pages visited, features used, session duration, browser type, device information, IP address, and referring URLs. We use this data to improve platform performance and user experience.

2.6 Payment Information

Payment card details and billing information are collected and processed directly by our payment processor, Stripe. We do not store full credit card numbers on our servers. We retain billing contact details, invoice history, subscription plan, and payment status.

2.7 Important: No Patient Health Information

Moirai is designed to manage governance metadata, not patient data. Our platform does not collect, store, process, or have access to any patient health information (PHI), medical records, clinical images, diagnostic reports, or Medicare data. If you inadvertently upload documents containing PHI, please contact us immediately at privacy@moirai.health so we can assist with its removal.

3. How We Collect Information

3.1 Directly From You

We collect personal information directly when you create an account, complete onboarding, register AI tools, upload governance documents, configure practice settings, submit a contact or support request, or subscribe to a paid plan.

3.2 Automatically Through Technology

We use cookies, local storage, and similar technologies to collect usage data. Our analytics provider (PostHog) captures product usage events, session replays, and feature flag evaluations. Our error tracking service (Sentry) collects technical error data to help us diagnose and resolve issues. You can manage cookie preferences through your browser settings.

3.3 From Third-Party Services

We receive information from third-party services that integrate with our platform. Supabase Auth provides authentication data when you sign in (including email address and profile information). Stripe provides payment confirmation and subscription status. We do not purchase personal information from data brokers.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the service: Configuring your governance environment, generating compliance reports, maintaining your AI tool registry, and delivering CAIOS readiness assessments.
• Account management: Authenticating your identity, managing your subscription, processing payments, and administering your practice organisation.
• Platform improvement: Analysing usage patterns to improve features, fix bugs, optimise performance, and develop new functionality.
• Communication: Sending transactional emails (account verification, password resets, billing receipts), product updates, regulatory alerts relevant to your practice, and onboarding guidance. You may opt out of non-essential communications at any time.
• Security and fraud prevention: Detecting and preventing unauthorised access, abuse, or other harmful activity on the platform.
• Legal compliance: Meeting our obligations under applicable Australian laws, including the Privacy Act 1988, tax law, and any lawful requests from regulators or law enforcement.
• Aggregated insights: Producing de-identified, aggregated benchmarks on AI governance maturity across the healthcare sector. Individual practices are never identified in aggregated data.

5. Legal Basis for Processing

Under the Australian Privacy Principles, we collect and process your personal information on the following bases:

• APP 3 — Collection: We only collect personal information that is reasonably necessary for our functions and activities as a clinical AI governance platform. We collect information by lawful and fair means, directly from you wherever practicable.
• APP 5 — Notification: This Privacy Policy serves as our notification to you about the collection and handling of your personal information, including the purposes of collection, the entities to whom we disclose information, and how you can access or correct your data.
• APP 6 — Use and Disclosure: We use and disclose your personal information only for the primary purpose for which it was collected, or for a directly related secondary purpose that you would reasonably expect.
• Contractual necessity: Processing required to perform our obligations under our Terms of Service, including providing the platform, processing payments, and delivering governance reports.
• Consent: Where required, we obtain your consent before collecting or using personal information — for example, for marketing communications or optional analytics features. You may withdraw consent at any time.
• Legal obligation: We may process personal information where required by Australian law, including responding to lawful requests from regulators, courts, or law enforcement agencies.

6. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

6.1 Sub-Processors

We use trusted third-party service providers to operate the platform. Each sub-processor is bound by contractual obligations to protect your data and process it only as instructed by us.

6.2 Legal Requirements

We may disclose personal information if required to do so by law, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect our rights or property, prevent fraud, or protect the safety of our users or the public.

6.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our platform before your information is transferred and becomes subject to a different privacy policy.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent. For example, if you choose to participate in a CAIOS Assurance Review, relevant governance data may be shared with authorised reviewers.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our services. Specific retention periods are as follows:

• Account and practice data: Retained for the duration of your subscription, plus 90 days after account closure to allow for reactivation. After this period, data is permanently deleted unless a longer retention period is required by law.
• Governance documents and audit logs: Retained for 7 years after creation to support medico-legal defence and regulatory compliance requirements. You may request earlier deletion, but we recommend retaining these records given their potential evidentiary value.
• Billing records: Retained for 7 years in accordance with Australian tax law (Taxation Administration Act 1953).
• Analytics data: Automatically anonymised or deleted after 24 months.
• Error and performance logs: Automatically purged after 90 days.

Upon account termination, you may request a full export of your governance data in a machine-readable format before deletion. To request data export or deletion, contact privacy@moirai.health.

8. Data Security

We take the security of your information seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption via Supabase’s managed PostgreSQL infrastructure.
• Row Level Security (RLS): Database access is enforced at the row level, ensuring that each practice can only access its own data. RLS policies are applied to every table containing practice-scoped information.
• Access controls: Platform access is governed by role-based permissions. Administrative access to infrastructure is restricted to authorised personnel and protected by multi-factor authentication.
• Monitoring and alerting: We use Sentry for real-time error tracking and performance monitoring. Anomalous activity triggers automated alerts for investigation.
• SOC 2 readiness: Our infrastructure and processes are designed with SOC 2 principles in mind. Our sub-processors (Supabase, Vercel) hold SOC 2 Type II certification. We are actively working toward our own formal certification.
• Incident response: We maintain an incident response plan and will notify affected users and the Office of the Australian Information Commissioner (OAIC) of any eligible data breach in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.

While we implement industry-standard safeguards, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any vulnerabilities or breaches.

9. Your Rights Under Australian Privacy Law

Under the Australian Privacy Principles, you have the following rights in relation to your personal information:

• Right of access (APP 12): You may request access to the personal information we hold about you. We will respond to your request within 30 days. Access may be provided via a data export from your account settings or by contacting our privacy team.
• Right of correction (APP 13): You may request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Many corrections can be made directly through your account settings. For other corrections, contact us and we will respond within 30 days.
• Right to complain: If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us. We will acknowledge your complaint within 5 business days and provide a written response within 30 days.
• Right to complain to the OAIC: If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
• Opt-out of marketing: You may opt out of receiving marketing communications from us at any time by clicking the unsubscribe link in any email or by contacting us. We will process your opt-out request within 5 business days. Transactional communications (billing, security alerts, service changes) are not affected by opt-out requests.
• Account deletion: You may request deletion of your account and associated personal information by contacting us. Deletion will be processed in accordance with the retention periods described in Section 7.

To exercise any of these rights, contact us at privacy@moirai.health. We may need to verify your identity before processing your request.

10. International Data Transfers

Our primary database is hosted by Supabase in Sydney, Australia (AWS ap-southeast-2 region), ensuring that your core governance data is stored within Australian jurisdiction.

However, some of our sub-processors operate infrastructure outside Australia, primarily in the United States and the European Union (see the sub-processor table in Section 6). When personal information is transferred overseas, we take reasonable steps to ensure it is protected in accordance with APP 8 (Cross-border disclosure of personal information). These steps include:

• Selecting sub-processors with verified security certifications (SOC 2 Type II, ISO 27001, or equivalent).
• Entering into data processing agreements that impose obligations equivalent to the Australian Privacy Principles.
• Minimising the categories of personal information transferred overseas to what is strictly necessary for the sub-processor to perform its function.
• Regularly reviewing the security practices and compliance status of our sub-processors.

11. Children’s Privacy

Moirai is a business-to-business platform designed for use by healthcare professionals and practice administrators. Our services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@moirai.health.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the “Last updated” date at the top of this page.
• For material changes, we will notify you by email to the address associated with your account and/or by displaying a prominent notice within the platform.
• Where required by law, we will obtain your consent before applying material changes to the way we handle your personal information.

We encourage you to review this policy periodically. Your continued use of the platform after the effective date of a revised policy constitutes acceptance of the changes.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

We aim to respond to all privacy-related inquiries within 5 business days.