Version: 2026-04-20-v1 · Previous: n/a (initial AI-assisted clinical decision support disclosure). On future bumps, the previous version will be archived at content/legal/archive/privacy-policy-v<prev>.html and linked from this header.
Overview:
Thank you for using the Prescription Skin platform provided by Prescription Skin Pty Ltd (Prescription Skin), a platform that connects individuals with:
- Partner Practitioners and Associate Practitioners for the purpose of conducting telehealth consultations and, if appropriate, providing other health services related to skin conditions;
- Partner Contributors for additional support and advice within their scope of practice;
- Associate Pharmacies, enabling individuals to have prescriptions filled and delivered to them.
Your privacy is of utmost importance to us, and we are committed to protecting it in accordance with the Privacy Act 1988 (Cth) (Privacy Act), which includes the Australian Privacy Principles (APPs) and any related privacy codes.
This Policy outlines our practices regarding the collection, use, disclosure, and storage of your personal information. It also informs you about how you can access and manage your information. This Policy applies to our obligations when handling information in Australia.
Key aspects of our privacy practices include:
- Collection of personal and sensitive information necessary for providing our services
- Use and disclosure of information to facilitate telehealth consultations and prescription fulfillment
- Secure storage and protection of your information
- Your rights to access and correct your personal information
- Our approach to data breaches and complaints handling
We encourage you to read this Policy carefully. If you have any questions or concerns about our privacy practices, please don't hesitate to contact us using the details provided at the end of this Policy.
By using our platform, you consent to the collection, use, and disclosure of your personal information as described in this Policy. We may update this Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons.
Consent:
By providing personal information, you consent to us collecting, using, storing and disclosing your personal information in accordance with this Policy or as required or permitted by law. If you continue using our services, then we will treat your use as your consent to us handling your personal information in accordance with this Policy.
We will generally obtain consent from the owner of personal information to collect their personal information. Consent will usually be provided in writing; however, sometimes it may be provided orally or may be implied through a person's conduct. We endeavour to only ask for your personal information if it is reasonably necessary for the activities that you are seeking to be involved in.
What personal information do we collect and why do we collect it?
About our users
Information collected | Why we collect it | How we collect it
About our general users that may not have subscribed to our Service but interact with us
Information collected | Why we collect it | How we collect it
About contractors or prospective staff members (including health practitioners)
Information collected | Why we collect it | How we collect it
About associate pharmacies or prospective associate pharmacies and their representatives
Information collected | Why we collect it | How we collect it
If you choose not to provide information as requested, we may not be able to service your needs. For example, it will not be possible for us to provide you with our service if you want to remain anonymous or use a pseudonym.
We sometimes receive unsolicited personal information. In circumstances where we receive unsolicited personal information we will usually destroy or de-identify the information as soon as practicable if it is lawful and reasonable to do so unless the unsolicited personal information is reasonably necessary for, or directly related to, our functions or activities.
Sensitive information
Prescription Skin may collect sensitive information from you. Sensitive information includes details about your racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs, sexual orientation or practices, criminal records, health information, or biometric information.
The types of sensitive information we may collect include:
- Details regarding your medical history, symptoms, or any health information contained in documents you upload, particularly related to skin conditions. If you consent to providing this information, we will only use it to facilitate our services and enable your use of our platform. We may use recordings of consultations for training and quality assurance purposes.
- Personal identifying details such as your Medicare card number and details of any concession cards you may hold.
You provide sensitive information when you enter it onto our platform or have a consultation with a Partner Practitioner or Associate Practitioner. By entering your health information, you consent to Prescription Skin:
- Collecting and handling it in accordance with this Privacy Policy;
- Sharing it with Partner Practitioners, Associate Practitioners, Partner Contributors, and Associate Pharmacies who have agreed to our terms for the purpose of providing our services to you, facilitating the practitioner's provision of their services to you, and ensuring ongoing continuity of care;
- Sharing it with our Associate Pharmacies if you elect to have your prescriptions filled by them for the purpose of dispensing and delivering your prescription medicines.
If you do not agree to these terms, you should not provide us with your sensitive information. We are committed to protecting your sensitive information and will only use it for the purposes specified in this Privacy Policy.
Disclosing your personal information
Prescription Skin may disclose your personal information to the following third parties:
- Our business or commercial partners;
- Partner Practitioners and Associate Practitioners who have agreed to our terms;
- Associate Pharmacies who have agreed to our terms;
- Partner Contributors who provide additional support within their scope of practice;
- Our professional advisers, dealers, and agents;
- Third parties and contractors who provide services to us, including customer support, IT services, data storage, webhosting and server providers, marketing and advertising organisations, and payment processing service providers;
- Payment system operators and debt-recovery functions;
- Third parties that collect and process data, such as Shopify, Google Analytics, or other third parties; and
- Any third parties you authorise to receive information held by us.
We may also disclose your personal information if required, authorised, or permitted by law.
Google Analytics: We use Google Analytics Advertising Features, including Remarketing Features, Advertising Reporting Features, Demographics and Interest Reports, Store Visits, and Google Display Network Impression reporting. We and third-party vendors use first-party cookies (such as Google Analytics cookies) and third-party cookies (such as Google advertising cookies) together.
You can opt out of Google Analytics Advertising Features using the Google Analytics Opt-out Browser add-on. To opt out of personalised ad delivery on the Google content network, visit http://www.google.com/ads/preferences. For permanent opt-out, install their plugin. For mobile devices, follow these instructions: On Android, open Google Settings and select "ads" to control settings. On iOS 6 and above, use Apple's advertising identifier.
Overseas disclosure: We may send information to third parties located outside Australia for providing our services. These third parties are located in the United States (for AI-assisted clinical decision support - see the AI-assisted clinical decision support and overseas data handling section for details and your right to decline), the United Kingdom, and the European Union. Disclosure is made to the extent necessary to perform our functions or activities related to skin health services.
Using your personal information for direct marketing
From time to time, and in support of our future development and growth, we may use your personal information to contact you to promote and market our products and services.
You can opt-out from being contacted for direct marketing purposes by contacting us at info@prescriptionskin.com.au or by using the unsubscribe facility included in each direct marketing communication we send. Once we receive a request to opt out from receiving marketing information, we will stop sending such information within a reasonable amount of time.
Security
Prescription Skin takes all reasonable steps to protect personal information under our control from misuse, interference and loss, and from unauthorised access, modification or disclosure. We hold your personal information electronically in secure databases operated by our third-party service providers.
We protect the personal information we hold through multiple layers of security, including:
- Encrypted browsing through HTTPS;
- Storing authentication details, such as passwords, in hashed or non-reversible formats;
- Active monitoring of errors and logs using industry-level tooling;
- Operating within a secure cloud environment;
- Relying on TLS security to interact with the databases.
Our servers are hosted with Shopify. We utilise their provided security functionality and monitoring to detect and prevent unauthorised or persistent access to our services. Server access and deployment are limited to revocable access keys that can only be regenerated from a master account. Access to servers can only be gained using industry-standard encryption keys that are generated and regularly rotated, including when employees leave Prescription Skin.
User logs redact certain types of sensitive information, such as passwords, before they are logged to prevent user information leaking to third parties.
Servers and databases are restricted to internal access, so they are not reachable from the public internet, except for specific whitelisted services and for monitoring and troubleshooting purposes.
While we take reasonable steps to ensure your personal information is protected, security measures over the internet can never be guaranteed. The transmission and exchange of information is carried out at your own risk.
We encourage you to play an important role in keeping your personal information secure by maintaining the confidentiality of any passwords and account details used on our website. Additionally, given the sensitive nature of skin-related health information, we recommend you take extra precautions when accessing your account in public or shared spaces.
Prescription Skin is committed to maintaining the security and confidentiality of your personal and health information. If you have any concerns about the security of your information, please contact us immediately at help@prescriptionskin.com.au.
Accessing or correcting your personal information
If you would like to access your personal information, please contact us using the details below. In certain circumstances, we may not be able to give you access to your personal information, in which case we will write to you to explain why we cannot comply with your request.
We try to ensure any personal information we hold about you is accurate, up-to-date, complete and relevant. If you believe the personal information we hold about you should be updated, please contact us using the details below and we will take reasonable steps to ensure it is corrected if appropriate. Please note, in some situations, we may be legally permitted to not correct your personal information. If we cannot correct your information, we will advise you as soon as reasonably possible and provide you with the reasons for our refusal and any mechanism available to complain about the refusal.
Destroying or de-identifying personal information
We destroy or de-identify personal and sensitive information when we no longer need it unless we are otherwise required or authorised by law to retain the information. This includes adhering to any applicable National or State laws that require the retention of personal and sensitive information, including but not limited to health information.
Cookies
We may use cookies on our website from time to time. Cookies are text files placed in your computer's browser to store your preferences. Cookies, by themselves, do not tell us your email address or other personally identifiable information. However, they do recognise you when you return to our website and allow third parties, such as Google and Facebook, to cause our advertisements to appear on your social media and online media feeds as part of our retargeting campaigns. If and when you choose to provide our website with personal information, this information may be linked to the data stored in the cookie.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.
Free Skin Assessment - Photo Handling
When you submit photos through our free skin assessment tool:
- Encryption: All photos are encrypted using AES-256-GCM encryption at rest and stored on servers located in Australia (Railway Sydney region).
- Access: Your photos are accessed only by (1) our AI analysis system to prepare a draft assessment, and (2) the AHPRA-registered medical practitioner who reviews and approves your report. Every access is logged in an immutable audit trail.
- AI Processing: Your photos are transmitted to our AI clinical decision support provider for analysis (currently Anthropic, processed in the United States). The AI produces a structured draft assessment which is then reviewed by a registered practitioner before delivery to you. See the AI-assisted clinical decision support and overseas data handling section for the complete list of providers, what we strip before sending, what is sent unmodified, and your right to decline AI-assisted processing.
- Retention (Leads): If you submit a free assessment but do not proceed to a paid consultation, your photos are automatically deleted after six (6) months. You may request immediate deletion at any time via the link provided in your assessment confirmation email.
- Retention (Patients): If you proceed to a consultation and become a patient, your assessment photos become part of your clinical record and are retained for a minimum of seven (7) years from your last contact, as required by Australian healthcare record retention requirements.
- Deletion on request: You may request deletion of your photos at any time by clicking the deletion link in your confirmation email or by contacting us at hello@prescriptionskin.com.au. Deletion is permanent and irreversible.
- Audit trail: All photo access events - including AI analysis, practitioner review, and deletion - are recorded in an append-only audit log with accessor identity, timestamp, and access reason. This log is retained for seven (7) years.
AI-assisted clinical decision support and overseas data handling
This section reflects our AI-assisted clinical decision support practices as of 20 April 2026. Current consent version: 2026-04-20-v1. See content/legal/CONSENT_VERSION_HISTORY.md in our public repository for the full change history.
Prescription Skin uses AI-based clinical decision support tools to help our practitioners review patient information efficiently. This section explains which providers we use, what data is sent to them, what we do to limit the data sent, and your rights to decline.
Providers and where data is processed
We use the following AI service provider for AI-assisted clinical decision support:
- Anthropic (Claude API) - used for chat-message safety review, clinical summarisation, intake analysis, and formula recommendation second-opinion. Anthropic processes the data we send to it in the United States. Anthropic's API Terms specify that data submitted via the API is not used to train their models and is not retained beyond the request lifecycle.
If we add additional AI providers (for example, an additional vendor for second-opinion analysis), we will update this section, bump the consent version, and ask you to review and re-confirm your consent before any further AI-assisted processing of your information occurs.
Because your information is processed in the United States, by consenting to AI-assisted processing you also consent to your information being transferred and processed overseas. Australian Privacy Principle 8.1 limits the protections that apply to information once it leaves Australia; we have selected our provider on the basis of contractual data-handling protections (no training-use, no retention beyond request) but we cannot guarantee equivalence with Australian legal protection.
What we remove before sending to AI providers
Before sending your information to an AI provider, we remove the following structured identifiers:
- Your name
- Your date of birth
- Your email address
- Your residential or postal address
- Your phone number
- Your Individual Healthcare Identifier (IHI)
- Your Medicare number
What is sent to AI providers
The following information is sent to AI providers as you provided it, so that the AI can produce a clinical summary that is useful to your practitioner:
- An internal patient identifier (a database key that does not directly identify you outside our systems)
- Clinical fields you have completed in your intake (for example, skin type, condition history, medication history)
- Free-text responses you have provided in your intake
- Photographs you have uploaded
Free-text responses and photographs are sent unmodified because removing detail from them would prevent the AI from producing a useful clinical summary. You should be aware that free-text responses can sometimes contain identifying detail (for example, the name of a referring practitioner or a specific suburb) and that photographs can be re-identifying. We do not strip these fields beyond the structured-identifier removal listed above.
What AI is used for at Prescription Skin
- Chat-message safety review: AI scans messages between you and our care team to detect potential safety issues (for example, mention of a serious adverse reaction) so that a practitioner is alerted promptly.
- Formula recommendation second-opinion: AI ranks formula options based on your skin profile to assist your prescriber. Your prescriber makes the final clinical decision and may override the AI recommendation.
- Internal marketing-content review: AI reviews drafts of marketing and educational content before publication to check for compliance issues. This use does not involve patient data.
All AI outputs in the clinical pathway are reviewed by an AHPRA-registered medical practitioner before any clinical action is taken. AI does not make autonomous treatment or prescribing decisions.
Declining AI-assisted processing
You can decline AI-assisted processing of your information at any time. Two ways to do this:
- Email privacy@prescriptionskin.com.au
- Submit a request through our Privacy Request form
If you decline:
- Future AI-assisted processing of your information is blocked. Your case is flagged for manual review by your practitioner.
- Manual review means your practitioner will review your intake and clinical information without AI assistance. This may take longer than an AI-assisted review.
- Historical AI outputs remain in your clinical record. Any AI outputs already produced for you (for example, a previous AI-assisted formula recommendation that was already reviewed and approved by your practitioner) remain part of your clinical record. We retain clinical records for a minimum of seven (7) years from your last contact with our service, as required by Australian healthcare record-keeping standards and Australian Privacy Principle 12.
- You retain access to the patient portal. You can continue to access the patient portal, communicate with your practitioner, pay for subscriptions, and receive treatment. Only AI-assisted processing of your information is disabled.
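To make the structured-identifier removal, the consent gate for patients who have declined, and the photo-access audit entry concrete, here is an added illustration in Python. It is not Prescription Skin's own code; the record field names, function names and sample values are assumptions constructed for the example.

```python
"""Added illustration (not Prescription Skin's code): builds the payload that
would go to an AI clinical decision support provider, applying the
structured-identifier removal and the consent gate described in the policy."""
from __future__ import annotations
from datetime import datetime, timezone

# Structured identifiers the policy says are removed before sending.
STRUCTURED_IDENTIFIERS = frozenset({
    "name", "date_of_birth", "email", "address", "phone", "ihi", "medicare_number",
})
# Fields the policy says are sent as provided (allow-list; anything else is dropped).
ALLOWED_FIELDS = frozenset({"patient_id", "clinical_fields", "free_text", "photos"})


class AiProcessingDeclined(Exception):
    """Raised when the patient has opted out; the case goes to manual review."""


def build_ai_payload(record: dict, ai_declined: bool) -> dict:
    """Return the allow-listed copy of `record` for the AI provider.

    An allow-list is used rather than a deny-list so that a newly added
    identifier field cannot leak by default. Free text and photos are
    passed through unchanged, as the policy describes.
    """
    if ai_declined:
        raise AiProcessingDeclined("patient declined AI processing; flag for manual review")
    payload = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    # Defensive check: the allow-list already excludes these; fail loudly
    # if a caller ever bypasses it.
    leaked = STRUCTURED_IDENTIFIERS & payload.keys()
    if leaked:
        raise ValueError(f"structured identifiers in AI payload: {sorted(leaked)}")
    return payload


def record_access(audit_log: list, accessor: str, reason: str, photo_id: str) -> dict:
    """Append one photo-access event (accessor, timestamp, reason) to the log.

    A Python list stands in for the append-only store; in production the
    backing store itself must reject updates and deletes.
    """
    event = {
        "photo_id": photo_id,
        "accessor": accessor,
        "reason": reason,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    audit_log.append(event)
    return event


# Constructed sample intake record (all values fictional).
SAMPLE_RECORD = {
    "patient_id": "pt_000123",           # internal database key, sent
    "name": "Jane Example",              # removed
    "date_of_birth": "1990-01-01",       # removed
    "email": "jane@example.invalid",     # removed
    "address": "1 Example St, Sydney",   # removed
    "phone": "0400 000 000",             # removed
    "ihi": "0000000000000000",           # removed (placeholder, not a real IHI)
    "medicare_number": "0000000000",     # removed (placeholder)
    "clinical_fields": {"skin_type": "oily", "condition_history": ["acne"]},
    "free_text": "Referred by Dr Smith at the Bondi clinic; flares in summer.",
    "photos": ["photo_abc"],
}

if __name__ == "__main__":
    log: list = []
    payload = build_ai_payload(SAMPLE_RECORD, ai_declined=False)
    record_access(log, accessor="ai:claude", reason="draft_assessment", photo_id="photo_abc")
    # Free text still names a practitioner and a suburb: structured removal
    # does not scrub it, which is the limitation the policy calls out.
    print(sorted(payload), payload["free_text"], log)
```

The free-text field in the sample still carries a referrer name and a suburb after the structured identifiers are gone, which is exactly the residual re-identification risk the section above warns about.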
Behavioural Analytics
We use Microsoft Clarity to understand how visitors interact with our website. Clarity collects behavioural data including scroll depth, click patterns, and session recordings. This data helps us improve our website and content. Clarity does not collect personal health information, and session recordings are anonymised. You can opt out of Clarity tracking via your browser's Do Not Track setting.
SEO and Content Performance
We use Google Search Console and content analysis tools (Surfer SEO) to monitor how our content performs in search results and to improve the quality of our educational content. These tools process aggregated, non-personally-identifiable data about page performance. No personal health information is shared with these services.
Links to other websites
Our website may contain links to other parties' websites. We do not have any control over those websites and we are not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.
Making a complaint
If you believe your privacy has been breached or you have a complaint about our handling of your personal information, please contact us using the details below.
We take privacy complaints seriously. If you make a complaint, we will respond within 5 days to acknowledge your complaint. We will try to resolve your complaint within 30 days. When this is not reasonably possible, we will contact you within that time to let you know how long we will take to resolve your complaint.
We will investigate your complaint and write to you to explain our decision as soon as practicable.
If you are not satisfied with our decision, you can refer your complaint to the Office of the Australian Information Commissioner by phone on 1300 363 992 or online at www.oaic.gov.au.
Changes
We may, from time to time, amend this Policy. We will notify you of any changes to this Policy and any changes to this Policy will be effective immediately upon the posting of the revised Policy on our website. By continuing to use the services following any changes, you will be deemed to have agreed to such changes.