How we handle your information.

Sohma House Pty Ltd, trading as Sohma House, located at 17 Anderson St, Manunda QLD 4870, is the entity responsible for the collection and handling of your personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

As a health service provider, Sohma House is subject to the Privacy Act regardless of annual turnover. The small business exemption under section 6D does not apply to organisations providing a health service.

Cameron Rosin (Practice Manager) acts as Privacy Officer for the purposes of this policy. Enquiries regarding your personal information should be directed to cam@sohma.house.

In accordance with APP 3, we collect only personal information that is reasonably necessary for our functions or activities as a health service provider.

Personal information (as defined in section 6 of the Privacy Act): name, date of birth, residential address, phone number, email address, emergency contact details, and next of kin.

Health information (as defined in section 6FA): diagnoses, medications, treatment plans, consultation notes, pathology results, referral letters, intake questionnaire responses (approximately 120 fields covering medical history, lifestyle, and treatment goals), allergies, mental health assessments, vitals, and cannabis prescribing records including SAS-B applications, TGA approvals, product details, and titration schedules.

Government identifiers: Medicare number, Individual Reference Number (IRN), DVA number, concession card number, and Customer Reference Number (CRN). These are collected and used in accordance with the restrictions in APP 9.

Website form data: Information voluntarily submitted through booking forms, contact enquiry forms, studio booking forms, class registration forms, and practitioner application forms. Data collected varies by form but may include name, email, phone number, company name, qualifications, and free-text enquiry or application content.

Technical data collected via website: IP address (processed by Cloudflare for web application security), Cloudflare Turnstile verification tokens (bot detection on forms), and partial address strings sent to the Google Maps Places API for address autocomplete. Form draft data may be temporarily stored in your browser's session storage to prevent data loss during the booking process; this is cleared when you close the tab.

Personal information is collected for the following purposes in accordance with APP 3 and APP 6:

• Primary purpose: Provision of healthcare services, including clinical assessment, diagnosis, prescribing, treatment planning, and coordinated care within the Sohma House care team.
• Directly related secondary purposes: Appointment scheduling and reminders, billing and Medicare claims processing, clinical correspondence (referrals, prescriptions to dispensing pharmacies), and quality improvement of clinical services.
• Legal and regulatory obligations: TGA reporting for SAS-B prescribing under the Therapeutic Goods Act 1989, mandatory reporting obligations under applicable state and federal legislation, and retention of clinical records as required by health records legislation.

Information is not collected or used for marketing, research (without separate ethics approval and consent), or any purpose unrelated to the patient's healthcare.

Use of personal and health information is governed by APP 6.1 — information is used only for the primary purpose for which it was collected, or for a directly related secondary purpose that the individual would reasonably expect.

Within the Sohma House care team, clinical information is shared between treating practitioners as part of the clinic's coordinated care model. This constitutes use for the primary purpose of healthcare provision and is covered by the consent obtained at patient registration.

Appointment reminders and clinical follow-up communications are sent via email or SMS. Patients may opt out of non-essential communications at any time without affecting their clinical care.

Billing information is disclosed to Medicare Australia and relevant health funds for claims processing, in accordance with APP 6.2(b) (required or authorised by law) and APP 6.2(e) (reasonably necessary for enforcement of criminal law or revenue protection).

Disclosure of personal information is governed by APP 6.2. Sohma House discloses personal and health information only in the following circumstances:

• Within the care team: For the primary purpose of providing coordinated healthcare, as consented to at registration.
• Dispensing pharmacies: Prescription details are transmitted to the patient's nominated pharmacy for fulfilment. This is a primary purpose disclosure.
• TGA (SAS-B): Patient name, clinical condition, and proposed treatment are submitted to the Therapeutic Goods Administration as required under the Therapeutic Goods Act 1989. This is a disclosure required by law under APP 6.2(b).
• Medicare Australia / DVA: Billing and claims information is disclosed as authorised under relevant Commonwealth legislation.
• External healthcare providers: Records are disclosed to external practitioners (including the patient's regular GP) only with the patient's documented consent, in accordance with APP 6.1(a).
• Legal authorities: Disclosure under APP 6.2(b) where required by court order, subpoena, or mandatory reporting obligations under applicable state and federal legislation.
• Serious threat to life or health: Disclosure under APP 6.2(c) where reasonably necessary to prevent or lessen a serious threat to the life, health, or safety of any individual, or to public health or safety.

The following third-party service providers process personal or health information on behalf of Sohma House:

Clinical data storage (Australia):

• Halaxy (Australia) — Practice management, appointment scheduling, and patient demographic records. Halaxy is an Australian health technology company subject to the Privacy Act.
• Google Cloud Healthcare API (FHIR R4, Australian region) — Clinical intake data stored as FHIR QuestionnaireResponse resources.
• SurrealDB on Fly.io (Sydney) — Primary application database storing patient records, appointments, clinical notes, and billing information.
• Fluree on Fly.io (Sydney) — Append-only immutable audit ledger recording all access to patient records.

Website infrastructure (global):

• Cloudflare (Global, headquartered in US) — Web application firewall, CDN, DDoS protection, and Zero Trust authentication for staff access. See Cross-Border Data section below.
• Google Maps Places API — Address autocomplete on website forms. Google receives partial address text entered by the user. No health information is transmitted.

Communications (US-based delivery):

• Postmark (US) — Transactional email delivery for appointment confirmations, reminders, and intake form links. Patient name and appointment details included in emails. Clinical records are not sent via email.
• Google SMTP (fallback) — Secondary email delivery if Postmark is unavailable.

APP 8 requires that before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient handles the information in accordance with the APPs.

Cloudflare, Inc. (US) — Website traffic passes through Cloudflare's global edge network, which may include nodes outside Australia. This constitutes transit-layer processing, not storage. Cloudflare's data processing addendum and Standard Contractual Clauses provide contractual safeguards consistent with APP 8 obligations. No health information is stored by Cloudflare; clinical data is served from Australian-hosted application servers.

Google LLC (US) — The Google Maps Places API processes partial address strings entered by users for autocomplete purposes. This data is not health information and contains no clinical content. Google's terms of service and data processing agreements apply.

Postmark (Wildbit LLC) (US) — Transactional email delivery for appointment confirmations, reminders, and intake form links. Email content includes patient name, appointment date/time, and practitioner details. Postmark's data processing addendum provides contractual safeguards. Clinical records, diagnoses, and treatment details are not included in automated emails.

All health information at rest — clinical records, intake data, consultation notes, prescribing records — is stored exclusively on Australian-hosted infrastructure (Fly.io Sydney region, Google Cloud australia-southeast1 region, and Halaxy's Australian infrastructure).

In accordance with APP 11, Sohma House implements the following technical and organisational security measures:

Encryption in transit: All data transmission uses TLS (Transport Layer Security). API communications between internal services are encrypted.

Encryption at rest: Sensitive data fields (including SMS messages, clinical handover notes, staff communication, and authentication tokens) are individually encrypted at rest using authenticated encryption with industry-standard algorithms and key derivation.

Role-based access control (RBAC): Four-tier access model — Reception, ClinicalPro, AdminOps, and SuperAdmin — with field-level visibility restrictions enforced at both the API and user interface layers.

Multi-factor authentication: Staff access requires authentication through Cloudflare Zero Trust (identity verification) with additional session verification. Session tokens have an 8-hour lifetime with automatic screen lock on inactivity.

Immutable audit trail: All access to patient records is logged to both the primary database and a separate append-only ledger (Fluree). Audit entries include the staff member, the record accessed, the action taken, the timestamp, and the originating IP address. Audit records cannot be modified or deleted.

User interface controls: Protected health information is rendered using masked display components (blur-on-load with click-to-reveal) that generate audit events on each reveal. Clipboard operations auto-expire after 30 seconds.

Pseudonymisation: Internal telemetry and analytics use cryptographically pseudonymised patient identifiers, ensuring no personally identifiable information appears in operational monitoring.

Clinical records are retained in accordance with federal and Queensland state health records legislation:

• Adult patients: Minimum 7 years from the date of the last clinical entry.
• Patients treated as minors: Minimum 7 years from the date the patient turns 18 (i.e., until age 25), or 7 years from the last entry, whichever is longer.
• Deceased patients: Minimum 7 years from the date of death.
• Records involved in known complaints, legal proceedings, or regulatory investigations: Retained indefinitely until the matter is fully resolved, after which standard retention periods apply.

Audit trail records (access logs, consent events, clinical actions) are retained in the immutable ledger for the same period as the associated clinical records and cannot be selectively deleted.

At the expiry of the retention period, records are destroyed securely in accordance with APP 11.2. Digital records are purged from all storage systems. Paper records (if any) are shredded.

Consent is obtained at patient registration and documented in the clinical platform. Consent covers:

• Collection and use of personal and health information for the primary purpose of healthcare provision.
• Sharing of clinical information within the Sohma House care team for coordinated care.
• Submission of information to the TGA for SAS-B applications (where applicable).
• Disclosure of prescription details to dispensing pharmacies.
• Contact for appointment reminders, follow-up, and clinical communications via email and SMS.

Withdrawal of consent: Patients may withdraw consent for non-essential uses (appointment reminders, care team information sharing) at any time by contacting the Practice Manager. Withdrawal is prospective — it does not require deletion of information collected or disclosed prior to the withdrawal date.

Consent for legally mandated disclosures (TGA reporting under the Therapeutic Goods Act 1989, mandatory reporting obligations) cannot be withdrawn while the patient continues to receive treatment through those pathways. A patient who wishes to withdraw consent for TGA disclosure may discontinue SAS-B treatment; their existing records and prior TGA submissions are retained as required by law.

Withdrawal of consent for care team sharing is documented and implemented in access controls. The treating GP will discuss the clinical implications of limiting information sharing, as it may affect the quality of integrated care.

Right of access (APP 12): Individuals may request access to personal information held about them. Requests should be directed to the Practice Manager and will be responded to within 30 days. Access may be refused in limited circumstances set out in APP 12.3, including where access would pose a serious threat to the life, health, or safety of any individual. Reasons for refusal are provided in writing.

Right of correction (APP 13): Individuals may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Corrections to factual data (demographics, contact details, medication lists) are made promptly. Clinical opinions and professional judgments documented by treating practitioners are not subject to patient-directed correction, though the patient's disagreement may be noted in the record.

Complaints: Complaints regarding the handling of personal information should be directed to the Practice Manager in the first instance. Sohma House will investigate and respond within 30 days. If the complainant is not satisfied with the outcome, they may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Sohma House complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.

Where an eligible data breach occurs — or there are reasonable grounds to suspect one has occurred — Sohma House will:

• Conduct a reasonable and expeditious assessment within 30 days of becoming aware of the breach.
• If the breach is likely to result in serious harm to any affected individual, notify the OAIC and all affected individuals as soon as practicable.
• Provide affected individuals with a description of the breach, the types of information involved, and recommended steps to mitigate potential harm.

All staff are required to report any suspected privacy breach to the Practice Manager immediately. The clinic maintains a data breach response plan that is reviewed annually.

This policy is reviewed annually, after any notifiable data breach, or when relevant privacy legislation changes. The current version is always available at sohma.house/privacy.

Material changes to the collection, use, or disclosure of health information will be communicated to affected patients via the contact details on file. Continued use of Sohma House services after notification of changes constitutes acceptance of the revised policy.

The Privacy Officer for Sohma House is Cameron Rosin (Practice Manager). All enquiries, access requests, correction requests, and complaints regarding the handling of personal information under this policy should be directed to: