Privacy Policy & APP Compliance Statement

Effective Date: June 1, 2026

Zero-Trust Client-Side Privacy Sovereignty Guard

DocReport operates a mathematical privacy safeguard. Raw patient clinical details are redacted locally in your browser and never leave Australian borders in cleartext. This policy details how we strictly conform to the 13 Australian Privacy Principles (APPs).

1. Scope and Adherence to APPs

be.smart business solutions ("we", "us", "our") is dedicated to protecting clinical and health records in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). This Privacy Policy governs our operations on the US server cluster (docreport.us) serving the Australian market. We act as a contract service provider to Australian medical clinics and healthcare practitioners under APP 11.

2. Collection of Personal & Sensitive Health Information

Under the Privacy Act, health information is classified as "sensitive information" and is subject to the highest standards of regulatory protection. In the course of offering ambient clinical scribing and documentation assistance, our systems temporarily process voice recordings, dictated clinical narratives, medical templates, and billing recommendations. We collect this data solely for the primary purpose of drafting structured medical records (SOAP notes, referrals) for practitioners.

3. Zero-Trust Local Browser-Side Redaction

To guarantee that raw, identifiable patient health information does not leave your device or exit Australian jurisdiction, DocReport implements a strict browser-side compliance layer (Zero-Trust Guard) in `au-compliance.ts`:

  • Patient Names & DOBs: Replaced client-side with secure placeholders (e.g. `[AU_PATIENT_NAME_1]`).
  • Medicare Numbers: Any 10-digit Medicare card IDs or individual references are instantly scrubbed before transit.
  • Individual Healthcare Identifiers (IHIs): 16-digit national healthcare identifiers are redacted locally in browser memory.
  • Australian Contact Details: Local Australian phone numbers and email domains are stripped entirely.

Only fully anonymized clinical descriptors are transmitted to remote AI endpoints (such as Google Vertex AI) for structure and formatting. Identifying records reside strictly within your local browser's session memory.
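The checks a browser-side scrubber can apply to the Medicare and IHI items listed above, as an added TypeScript example that is not DocReport's `au-compliance.ts`. The function names, the `AU_MEDICARE`, `AU_IHI` and `AU_UNVERIFIED_ID` labels and every sample value are assumptions constructed for illustration.

```typescript
// Added illustration, not DocReport's au-compliance.ts. Labels follow the page's
// [AU_..._n] shape but are hypothetical; all sample values are constructed.

// Medicare card number: first digit 2-6, digit 9 is a weighted checksum of digits 1-8.
function isMedicareNumber(d: string): boolean {
  if (!/^[2-6]\d{9}$/.test(d)) return false;
  const weights = [1, 3, 7, 9, 1, 3, 7, 9];
  const sum = weights.reduce((acc, w, i) => acc + w * Number(d.charAt(i)), 0);
  return sum % 10 === Number(d.charAt(8));
}

// IHI: 16 digits, 800360 prefix, Luhn check digit in the last position.
function isIhi(d: string): boolean {
  if (!/^800360\d{10}$/.test(d)) return false;
  let sum = 0;
  for (let i = 0; i < 16; i++) {
    let n = Number(d.charAt(15 - i));
    if (i % 2 === 1) n = n * 2 > 9 ? n * 2 - 9 : n * 2;
    sum += n;
  }
  return sum % 10 === 0;
}

interface Redaction {
  text: string;                  // safe to transmit
  vault: Record<string, string>; // placeholder -> original, kept in browser memory only
}

function redactIdentifiers(input: string): Redaction {
  const vault: Record<string, string> = {};
  const counts: Record<string, number> = {};
  // 10-16 digits, optionally grouped by single spaces or hyphens as printed on cards.
  const text = input.replace(/\b\d(?:[ -]?\d){9,15}\b/g, (match: string): string => {
    const digits = match.replace(/[ -]/g, "");
    // Fail closed: a mistyped identifier still identifies a patient, so a run that
    // fails validation is scrubbed under a generic label instead of being let through.
    let kind = "AU_UNVERIFIED_ID";
    if (isIhi(digits)) kind = "AU_IHI";
    else if (digits.length <= 11 && isMedicareNumber(digits.slice(0, 10))) kind = "AU_MEDICARE";
    counts[kind] = (counts[kind] || 0) + 1;
    const placeholder = `[${kind}_${counts[kind]}]`;
    vault[placeholder] = match;
    return placeholder;
  });
  return { text, vault };
}

const SAMPLE = "Pt Medicare 2123 45670 1, IHI 8003 6099 0000 0009, old card 2123456711. BP 120/80.";
console.log(redactIdentifiers(SAMPLE).text);
```

Scrubbing every long digit run over-redacts some harmless values (a date followed by a time, for instance), which is the safer direction to err in before text leaves the browser. Pattern matching of this kind covers structured identifiers only; names and dates of birth need a separate detector.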

4. Zero-Knowledge Local Encryption

When case data, clinical titles, or practice records are saved to our cloud database (Firestore), they are encrypted locally on the practitioner's device using a high-entropy key stored strictly in the browser's secure local database (`localStorage`).

We do not transmit, cache, or store this decryption key on our servers. Consequently, our global cloud servers store only unreadable, cryptographically secure ciphertexts. This guarantees absolute compliance with APP 11 regarding protection against unauthorized access, loss, or disclosure.

5. Cross-Border Data Disclosure (APP 8)

Because our Australian service is hosted on our premium United States cluster (`docreport.us`), data processing occurs in secure US-based Google Cloud data centers. However, because all clinical records are mathematically anonymized and encrypted client-side before any cross-border transit occurs, no protected health information (PHI) or personal details are disclosed to overseas recipients under APP 8. The server only hosts anonymous texts and encrypted blobs, which are unreadable by anyone outside your practice.

6. Use and Retention of Audio Recordings

Audio recordings of consultations are processed strictly in-memory to generate clinical transcripts. Once the transcript is produced and the SOAP note drafted, the audio data is immediately destroyed in secure memory nodes. We do not store, listen to, or compile patient audio logs. Furthermore, we never use customer transcripts or clinical notes to train public or private LLMs.

7. Access, Correction, and Data Sovereignty Rights

Australian practitioners and clinics have full control over their account data. You can access, edit, export, or permanently delete your clinical notes directly from your dashboard at any time. If you delete a case record, it is purged permanently from all databases. Inquiries regarding data correction or account deletion can be directed to our support team at support@docreport.us.

8. Enquiries, Complaints, and Regulatory Liaison

If you have any questions about our privacy safeguards or believe that we have breached our obligations under the Privacy Act, you may file a formal complaint with our Privacy Officer at compliance@docreport.us. We will investigate and respond to all complaints within 30 days. If you are dissatisfied with our response, you have the right to escalate the matter to the **Office of the Australian Information Commissioner (OAIC)** at www.oaic.gov.au.

© 2026 DocReport Australia. All rights reserved. be.smart business solutions.