1. About This Policy
This Policy applies to all users of the Neuro Nexus platform, including patients, clinicians, administrators, and any other authorised users. It covers personal information collected through:
- the Neuro Nexus mobile application (iOS and Android);
- the Neuro Nexus clinician web portal;
- wearable device integrations (Apple Health, Fitbit, WHOOP, Garmin, Oura);
- AI-assisted features including the Nexa Assistant chat;
- any associated communications, notifications, or support services.
By creating an account or using Neuro Nexus, you agree to the collection and use of your information as described in this Policy. If you do not agree, you should not use the platform.
2. Who We Are
| Item | Detail |
|---|---|
| Organisation | Neuro Nexus Pty Ltd |
| Trading as | Neuro Nexus |
| Jurisdiction | Australia |
| Contact | privacy@neuronexus.com.au |
| Privacy Officer | Available upon request |
Neuro Nexus is the entity responsible for the Neuro Nexus platform and acts as the data controller for personal information collected through its services. Clinicians and healthcare organisations using the platform may also hold obligations as data controllers or processors under applicable legislation, and are required to maintain their own privacy practices consistent with this Policy and applicable law.
3. Legislative Framework
We collect, hold, use, and disclose personal information in accordance with the following legislation and standards:
| Legislation / Standard | Relevance |
|---|---|
| Privacy Act 1988 (Cth) | Governs the handling of personal information by Australian organisations; establishes the Australian Privacy Principles (APPs). |
| Australian Privacy Principles (APPs) | 13 principles regulating collection, use, disclosure, storage, and access to personal information. |
| My Health Records Act 2012 (Cth) | Governs the handling of health information within Australia's national digital health record system. |
| Health Records and Information Privacy Act 2002 (NSW) and equivalent State/Territory legislation | State-level regulation of health information for patients in applicable jurisdictions. |
| Notifiable Data Breaches Scheme (Part IIIC, Privacy Act) | Requires notification to the OAIC and affected individuals of eligible data breaches involving health information. |
| Telecommunications (Interception and Access) Act 1979 (Cth) | Governs lawful interception and access to communications data. |
Where the platform is used in clinical settings, clinicians and healthcare organisations must also comply with their own professional and regulatory obligations, including those imposed by AHPRA and relevant health practitioner registration standards.
4. Information We Collect
Neuro Nexus is a healthcare application and therefore collects a broad range of personal information, including sensitive health information as defined under the Privacy Act 1988 (Cth). The categories of information collected are set out below.
4.1 Identity and Account Information
- Full name, date of birth, and gender (optional for patients)
- Email address and password (hashed and salted)
- Professional registration number (AHPRA or equivalent) for clinicians
- Organisation or practice name for clinicians
- Profile photograph (optional)
- Device identifiers and operating system information
4.2 Health and Clinical Information
This constitutes sensitive information under the Privacy Act 1988 (Cth) and is subject to heightened protections:
- Mood, energy, anxiety, sleep quality, and cravings self-assessment scores
- Responses to validated clinical questionnaires (PHQ-9, GAD-7, DASS-21, K10, and clinician-configured custom assessments)
- Journaling entries and personal reflections (private by default)
- Treatment plan data including goals, tasks, milestones, and completion status
- Appointment attendance records and therapy activity logs
- Clinician notes, clinical observations, and treatment plan updates
- Flagged high-risk indicators generated by the AI safety classification system
4.3 Biometric and Wearable Data
- Resting heart rate and heart rate variability
- Sleep duration, sleep stage data, and sleep quality indicators
- Step count, physical activity, and movement data
- Stress and recovery scores from connected wearable devices (Apple Health, Fitbit, WHOOP, Garmin, Oura Ring)
- Body temperature and other biometrics where made available by connected devices
Wearable data is collected via the Terra API (for third-party devices) and Apple HealthKit (for iOS users) with your explicit consent. You may disconnect a wearable at any time via the app Settings.
4.4 Geolocation Data
- Approximate or precise location data (with your permission) to surface nearby support services, 12-step meetings, and allied health providers via the geo-location support finder
- Location is used only in real time for this feature and is not stored persistently unless you save a search
4.5 Communications and AI Chat Data
- Messages sent to and received from the Nexa Assistant (AI chat)
- Secure messages between patients and clinicians via the platform messaging system
- Push notification interaction data
AI chat messages are processed through our AI engine and are subject to automated safety classification. Messages containing high-risk indicators (such as expressions of suicidal ideation or acute relapse risk) are flagged and surfaced to your assigned clinician. The Nexa Assistant does not replace clinical care.
4.6 Technical and Usage Data
- IP address and network information
- App usage patterns, screen visits, and feature engagement metrics
- Push notification tokens (FCM/APNs)
- Crash reports and diagnostic logs
- Timestamps for all data entry, login events, and clinical interactions (audit log)
5. How We Collect Your Information
We collect personal information in the following ways:
- Directly from you when you create an account, complete check-ins, journal, use the AI chat, connect a wearable device, or communicate through the platform.
- From your treating clinician, who may enter or configure health information, goals, appointments, and treatment plans on your behalf.
- From connected wearable devices and health platforms (Apple HealthKit, Terra API integrations), with your explicit authorisation.
- Automatically through the operation of the application, including usage analytics, device information, and push notification interactions.
- From third-party services such as mapping APIs for the geo-location support finder.
We will only collect sensitive health information with your explicit consent, or where otherwise permitted by law (for example, where necessary for the provision of a health service).
6. Why We Collect and Use Your Information
We collect and use your personal information for the following primary purposes:
| Purpose | Description |
|---|---|
| Provision of health services | Enabling clinicians to monitor patient wellbeing, manage treatment plans, detect relapse risk, and deliver continuity of care between appointments. |
| Patient engagement and recovery support | Delivering personalised treatment timelines, goal tracking, check-in reminders, and gamification features that support between-session engagement. |
| AI-assisted support | Operating the Nexa Assistant to provide 24/7 emotional support, psychoeducation, and safety flagging within defined clinical guardrails. |
| Clinical decision support | Aggregating biometric, behavioural, and self-reported data on the clinician dashboard to assist in informed treatment decisions. |
| Safety monitoring | Automated classification of AI chat and self-assessment data to identify and escalate high-risk indicators to clinicians. |
| Platform operation and improvement | Authentication, security, system performance, bug resolution, and product development. |
| Communications | Sending push notifications, appointment reminders, clinician messages, and system alerts. |
| Legal and compliance obligations | Meeting our obligations under Australian privacy, healthcare, and data security legislation. |
| Research and analytics (de-identified) | Aggregated and de-identified data may be used for clinical research, population health analysis, and platform improvement, subject to applicable ethics requirements. |
7. Disclosure of Your Information
We do not sell your personal information. We may disclose your information in the following circumstances:
7.1 Your Treating Clinician
Your clinician has access to your health data through the Neuro Nexus clinician portal, including mood check-ins, biometric data, goal progress, survey responses, flagged AI chat indicators, and treatment plan compliance. You were informed of this at onboarding and provided explicit consent.
Journal entries are private by default. You may voluntarily choose to share a journal entry with your clinician using the "Share with clinician" toggle within the app.
7.2 Service Providers and Technology Partners
We engage third-party service providers who process personal information on our behalf under contractual obligations consistent with this Policy and applicable law. Key partners include:
- OpenAI (GPT) - AI chat engine and survey processing. Data processed under applicable data processing agreements.
- Terra API - Wearable device data aggregation and normalisation.
- Neon (PostgreSQL) - Cloud database hosting.
- Expo / FCM / APNs - Push notification delivery infrastructure.
- Google Maps API - Geo-location services for the support finder.
All service providers are required to handle personal information in accordance with the Australian Privacy Principles and our contractual requirements.
7.3 Emergency and Safety Disclosures
Where the platform identifies indicators of serious risk to life or safety, including acute suicidal ideation or severe relapse risk, information may be disclosed to emergency services or other appropriate parties where required or permitted by law, or where we have a duty of care to act. In such circumstances, your clinician will be notified immediately through the platform.
7.4 Legal Requirements
We may disclose your information where required to do so by law, court order, or government authority, including under the Notifiable Data Breaches Scheme.
7.5 Organisational Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to a successor entity, subject to equivalent privacy protections being maintained.
7.6 De-identified Data
We may use and disclose de-identified and aggregated data, from which individual identity cannot reasonably be determined, for research, clinical outcomes analysis, and product development. This data is not personal information.
8. Storage and Security of Your Information
We take the security of your health information seriously and implement appropriate technical, administrative, and organisational safeguards:
| Safeguard | Implementation |
|---|---|
| Encryption in transit | All data transmitted between the app, portal, and backend is encrypted using TLS 1.2 or higher. |
| Encryption at rest | Personal and health data stored in our database is encrypted at rest. |
| Access controls | Role-based access control (RBAC) ensures patients cannot access clinician views and vice versa. All access is authenticated. |
| Biometric authentication | The mobile app supports Face ID and Touch ID for secure re-authentication after initial login. |
| Audit logging | All data access, modifications, and messaging events are logged with timestamps and are not deletable. |
| AI safety classification | All AI chat messages are subject to automated safety classification before being processed. |
| Offline data handling | Check-in and journal data captured offline is queued locally and synced securely when connectivity is restored. |
| Data minimisation | We collect only the information necessary for the purposes described in this Policy. |
Your data is stored on servers located in Australia or in jurisdictions with equivalent privacy protections, consistent with APP 8 requirements for cross-border disclosure.
9. Data Retention
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, and to comply with our legal, regulatory, and clinical obligations. Key retention principles:
- Clinical health data (check-ins, biometrics, goal progress, clinical notes, and treatment records) is retained for a minimum of 7 years from the date of last clinical interaction, consistent with healthcare record retention requirements under applicable State and Territory legislation. For patients who were minors, records are retained until the individual turns 25, or for 7 years from the date of last service, whichever is longer.
- Audit logs are retained for a minimum of 7 years and are not modifiable or deletable by users.
- Account information is retained for the duration of your account and for a period following account closure in accordance with legal obligations.
- Goal progress data, even if archived by a clinician or patient, is retained as clinical data and is not deleted.
- De-identified data may be retained indefinitely for research and analytics purposes.
Where you request deletion of your account (see Section 11), we will delete or de-identify information that is not subject to a legal retention obligation. Information we are required by law to retain will be held securely and will not be used for other purposes.
10. Your Privacy Rights
Under the Australian Privacy Principles and applicable health records legislation, you have the following rights in relation to your personal information:
10.1 Right of Access
You have the right to request access to the personal information we hold about you. You may access much of your own health data directly within the Neuro Nexus app (including your check-in history, goal progress, and journal entries). To request a full record of your information, contact us using the details in Section 13. We will respond within 30 days. A reasonable fee may apply for complex access requests.
10.2 Right of Correction
If you believe personal information we hold about you is inaccurate, incomplete, or out of date, you may request a correction. We will correct the information or, if we disagree, note your request alongside the record. Clinical records may only be corrected by or in consultation with your treating clinician.
10.3 Right to Withdraw Consent
Where processing is based on your consent (for example, wearable data integration or location access), you may withdraw consent at any time through the app Settings. Withdrawal of consent will not affect the lawfulness of processing prior to withdrawal, but may limit the functionality available to you and your treating clinician.
10.4 Right to Complain
If you believe we have breached your privacy rights, you may contact our Privacy Officer (see Section 13). If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, or with the relevant State or Territory health complaints body.
10.5 Right to Anonymity (Where Lawful)
We recognise your right under APP 2 to interact with us anonymously or using a pseudonym where lawful and practicable. However, the provision of a healthcare application requires accurate identification for clinical safety and compliance purposes. Full anonymity is not available for registered patient accounts.
11. Account and Data Deletion
You may request deletion of your Neuro Nexus account by contacting us at privacy@neuronexus.com.au or through the account settings in the app. The following applies:
- Personal account information and non-clinical data will be deleted or de-identified within 30 days of a verified deletion request.
- Clinical health data is subject to mandatory retention periods (see Section 9) and will be retained securely for the required period even if your account is deleted.
- Your treating clinician will be notified when you request account deletion, as this has clinical implications for your continuity of care.
- Audit logs cannot be deleted.
12. Children and Vulnerable Users
Neuro Nexus is designed for use by individuals aged 16 years and over. Where the platform is used by a patient under the age of 18, parental or guardian consent must be obtained by the referring clinician as part of the clinical intake process.
We recognise that many users of the platform are in active recovery and may be in vulnerable circumstances. Our platform is designed with this in mind: AI chat guardrails are configured to escalate high-risk disclosures, the app language is intentionally non-clinical and supportive, and emergency pathways are accessible from the Support tab at all times.
13. Contact Us
For any privacy-related enquiries, access requests, correction requests, or complaints, please contact our Privacy Officer:
| Item | Detail |
|---|---|
| Email | privacy@neuronexus.com.au |
| Postal address | Privacy Officer, Neuro Nexus Pty Ltd, Level 10, 520 Collins Street, Melbourne Vic 3000 |
| Response time | We aim to respond to all privacy enquiries within 30 days. |
If you are not satisfied with our response, you may contact:
- Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au | 1300 363 992
- Your State or Territory health complaints authority
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technology, or legislative requirements. When we make material changes, we will:
- Notify registered users via email or in-app notification prior to the change taking effect;
- Update the "Effective Date" at the top of this Policy;
- Where required by law, seek fresh consent.
Continued use of the Neuro Nexus platform following notification of changes constitutes acceptance of the updated Policy.