Summary: Qliva stores all health data in Australia (AWS Sydney). We never sell your data. We never use patient information for advertising. All AI-generated clinical content requires practitioner sign-off before it affects a patient record.
1. Introduction
Qliva ("Qliva", "we", "us" or "our") is a brand and entity operating under Helix Longevity Pty Ltd ("Helix Longevity"). It operates a clinical practice management platform (the "Platform") designed for integrative, longevity and regenerative medicine clinics in Australia.
We are committed to protecting the privacy of all individuals whose personal information we handle. This Privacy Policy explains how we collect, use, disclose and protect personal information — including sensitive health information — in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not use the Platform.
2. Who We Are
Qliva operates as an entity under Helix Longevity Pty Ltd, an Australian proprietary company. The Platform is a multi-tenant software-as-a-service (SaaS) product used by healthcare clinics ("Clinic Customers") to manage patient records, clinical notes, appointments, pathology, prescribing, billing and related services.
In operating the Platform, Qliva acts as both:
(a) a controller of personal information relating to our Clinic Customers and their staff (practitioners, administrators); and
(b) a processor of personal and health information on behalf of Clinic Customers, who are themselves responsible for the health information of their patients ("End Patients").
If you are an End Patient and have questions about how your health information is handled, please contact your clinic directly.
3. Information We Collect
We collect different categories of information depending on your relationship with us.
Clinic Customer and practitioner information: name, email address, phone number, practice name and address, Australian Business Number (ABN), AHPRA registration number, professional credentials, billing information (processed via Stripe), and usage data relating to your use of the Platform.
End Patient information (collected and stored on behalf of Clinic Customers): full name, date of birth, sex, contact details (address, phone, email), Medicare number, DVA number, health fund details, emergency contact details, medical history, current medications, allergies, clinical notes (including SOAP notes and AI-assisted drafts), pathology results, prescription records, wearable health data (sleep, HRV, activity — where the patient has connected a device), consent records, appointment history, telehealth session metadata, and any documents uploaded to the Platform.
Technical and usage information: IP addresses, browser type, device identifiers, pages viewed, actions taken within the Platform, error logs, and session data. This information is collected automatically for security, debugging and product improvement purposes.
We do not knowingly collect personal information from children under 18 without the consent of a parent, guardian or the clinic managing that patient's care.
4. How We Collect Information
We collect personal information directly from you when you: sign up for a Qliva account; complete onboarding or setup wizards; enter patient records into the Platform; upload pathology results or clinical documents; submit forms or complete electronic consents; contact our support team; or respond to surveys.
We also collect information automatically through cookies, server logs and analytics tools as you interact with the Platform.
For End Patient wearable data, we collect information via OAuth-authorised connections to third-party services (Garmin, Oura, WHOOP, Withings) only after the patient has explicitly authorised the connection in their patient portal.
5. How We Use Your Information
We use personal information to: provide and operate the Platform; create and manage your account; process subscription payments via Stripe; send transactional emails (appointment reminders, pathology request links, prescription notifications) via Resend; send SMS messages (appointment reminders, patient communications) via ClickSend; enable telehealth consultations via Daily.co; provide customer support; maintain the security and integrity of the Platform; comply with our legal and regulatory obligations; and improve the Platform based on aggregated, de-identified usage data.
We use sensitive health information solely to provide the clinical features of the Platform on behalf of Clinic Customers. We do not use patient health information for advertising, profiling, or any secondary purpose without explicit consent.
AI-assisted features (including consult note drafting via the Claude API and pathology result interpretation) process clinical information only within Australia-based infrastructure where possible. Where third-party AI processing occurs, data is de-identified prior to transmission to the extent practicable. All AI-generated output is presented as a draft for practitioner review — it is never auto-applied to a patient record without human sign-off.
6. Disclosure of Your Information
We do not sell, rent or trade personal information to third parties.
We share information only with trusted service providers who assist us in operating the Platform, including: Supabase (database hosting and authentication, AWS ap-southeast-2, Sydney); Stripe (payment processing); Resend (transactional email); ClickSend (SMS); Daily.co (video telehealth); Anthropic (AI API — de-identified data only); Sentry (error monitoring — de-identified stack traces); and UptimeRobot (uptime monitoring — no personal data transmitted).
All third-party processors are bound by contractual obligations to handle information securely and only for the purposes we specify.
We may disclose personal information: if required by law, court order or regulatory authority; to protect the rights, property or safety of Qliva, our customers or the public; or with your explicit written consent.
We do not transfer personal or health information outside Australia except where strictly necessary for the operation of a specific third-party service listed above, and only where adequate protections are in place.
7. Data Storage and Security
All personal and health information is stored on Supabase infrastructure located in the AWS ap-southeast-2 region (Sydney, Australia), ensuring compliance with Australian data sovereignty requirements.
We implement multiple layers of security including: TLS encryption in transit; AES-256 encryption at rest; Row Level Security (RLS) policies enforcing strict tenant isolation at the database level; multi-factor authentication for platform accounts; HTTP Strict Transport Security (HSTS); regular security audits; and automated uptime and error monitoring.
Access to personal information is restricted to authorised personnel on a need-to-know basis. All access is logged in a tamper-evident audit trail.
Despite our security measures, no electronic transmission or storage system is 100% secure. If you become aware of any security issue, please contact us immediately at support@qliva.com.au.
8. Data Retention
We retain personal information for as long as it is necessary to provide the Platform, comply with our legal obligations and resolve disputes.
Patient health records are retained for a minimum of seven (7) years from the date of the last service, or for the period required by applicable Australian health records legislation (whichever is longer). For records relating to children, the retention period extends to at least seven years after the person reaches the age of 18.
When a Clinic Customer's subscription ends, we retain their data for 90 days to facilitate data export. After that period, data is permanently deleted unless we are required by law to retain it longer.
All deletions within the Platform are soft-deletes — records are marked as deleted and become inaccessible, but are retained in the database for the applicable retention period before permanent purging.
9. Your Privacy Rights
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
(a) Access the personal information we hold about you — we will respond to access requests within 30 days.
(b) Correct personal information that is inaccurate, out of date, incomplete or misleading.
(c) Know whether we hold personal information about you.
(d) Make a complaint if you believe we have breached the APPs.
If you are an End Patient, please contact your clinic directly to exercise these rights in relation to your health records. The clinic is the data controller for your health information; Qliva processes it on their behalf.
To exercise your rights in relation to information Qliva holds directly (e.g. as a Clinic Customer or practitioner), please contact us at support@qliva.com.au.
11. Notifiable Data Breaches
Qliva complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
In the event of an eligible data breach that is likely to result in serious harm to individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, and no later than 30 days after we become aware of the breach.
We maintain an internal incident response plan to detect, contain and respond to data breaches promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify Clinic Customers via email and display a notice in the Platform. The revised policy will take effect 14 days after notification, unless a longer notice period is required by law.
We encourage you to review this policy periodically. Continued use of the Platform after the effective date of any changes constitutes acceptance of the updated policy.
13. Contact and Complaints
For privacy enquiries, access requests or to lodge a complaint, please contact our Privacy Officer:
Email: support@qliva.com.au
We will acknowledge your enquiry within 5 business days and aim to resolve it within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
Have a question about your privacy or want to exercise your rights under the Privacy Act?
Contact our Privacy Officer →