Privacy Policy

Effective date: 16 February, 2026

At Lyrebird Health ("Lyrebird"), we take your privacy seriously. Please read this Privacy Policy to learn how we treat your personal data. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy.

Remember that your use of Lyrebird's Services is at all times subject to our Terms of Service. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Service.

If you have a disability, you may access this Privacy Policy in an alternative format by contacting support@lyrebirdhealth.com.

Policy Owner: Puji Fernando
Effective Date: 16 February, 2026

Subsidio Pty Ltd (ABN 57 668 121 248) (we, us or our) is committed to protecting your privacy. This policy explains how we collect, use and protect your personal information. It applies to all personal information we handle, whether we collect it through our website, in person, or through other means.

Quick overview

  • We collect information you provide to us and information we gather when we interact with you
  • We use this information to provide our services and improve your experience
  • We protect your information using secure systems and processes
  • You have rights regarding your personal information, including access and correction rights

Information we collect

Basic identifying and contact details

  • Name, address, email address and phone number
  • Professional details including practice affiliation

Service related information

  • Payment and transaction details for products and services you've purchased from us
  • Your preferences for our services and your marketing preferences
  • Feedback and survey responses

Digital information

  • IP address and general location information derived from your IP address
  • Multi-factor authentication and single sign-on identifiers
  • Search and browsing behaviour
  • Website usage patterns
  • Cookie preferences

Professional information (for job applicants and workers)

  • Employment history
  • Professional experience
  • Required authorisations and licences
  • Professional registrations

Sensitive Information

We handle sensitive information with extra care and protection, and we only collect this information with your consent or when legally permitted. This includes:

  • Health information
  • Patient demographics from intake/registration forms including name, gender, date of birth, patient ID, appointment scheduling information
  • Voice data captured for real-time AI transcription
  • Patient identifiers
  • Clinical content and protected health information (PHI) from consultations
  • Individual or family medical history (to provide healthcare services and support tailored to your needs and to ensure we can provide safe and appropriate services)
  • Treatment reports

Cultural and background information

  • Racial or ethnic origin (to provide culturally appropriate services)
  • Religious beliefs (when relevant)
  • Criminal record checks (if we need to verify your background before hiring you)
  • Professional memberships (to assess the suitability for employment)

How we collect personal information

  • Directly from you when you: interact with us, contact us, or fill out forms.
  • Automatically when you: visit our website, use our technologies, interact with our online services.
  • From third parties: service providers, business partners, public sources, government organisations and organisations or people authorised by you.

Why we collect, hold, use and disclose personal information

We collect and use your personal information to run our business and provide our services as set out below.

AI transcription and clinical documentation

  • To provide real-time AI transcription of healthcare consultations
  • To generate clinical notes and documentation drafts for clinician review and approval
  • To deliver approved transcripts and notes to healthcare providers' EHR systems or designated endpoints
  • To populate clinical templates (discharge summaries, referral letters) based on clinician approved content
  • To link transcripts and notes to the correct patient encounters

Business operations

  • To manage our relationship with you as a customer or supplier
  • To process and deliver our products and services
  • To authenticate and manage healthcare practitioner accounts
  • To provide role-based access controls for clinical users
  • To enable secure integration with healthcare organisations' existing systems
  • To process payments for our transcription services
  • To handle your inquiries, support requests, and communications
  • To maintain accurate records for billing and administration
  • To verify your identity when required or permitted by law

Communication and support

  • To respond to your questions and support requests
  • To communicate important updates about our services
  • To handle inquiries made through our website or platforms
  • To manage your participation in surveys, feedback sessions, or events

Service improvement

  • To conduct analytics and market research
  • To improve our business operations and services
  • To develop and enhance our applications and platforms
  • To understand how our services are used

Marketing and promotions

  • To send you promotional information about our services and events
  • To inform you about products or services that may interest you
  • To manage your marketing preferences
  • To run competitions, promotions, and special offers
  • To provide additional benefits to our customers

Employment purposes

  • To assess employment applications
  • To evaluate candidate qualifications
  • To manage professional certifications and licences
  • To maintain employment records

Legal and compliance

  • To comply with our legal obligations
  • To respond to court orders or legal processes
  • To maintain required business records
  • To fulfill regulatory requirements or reporting obligations
  • To protect our legal rights and interests or as authorised by law

Our disclosures of personal information to third parties

We may disclose personal information to:

AI and technology service providers:

  • Azure OpenAI (Microsoft) for language processing
  • Deepgram and Whisper for speech-to-text conversion
  • AWS for secure cloud hosting and data storage
  • Supabase for authentication and database services

Healthcare integration partners:

  • Healthcare organisations' EHR systems (for delivering approved transcripts)
  • Webhook endpoints designated by healthcare providers
  • Integration platforms as configured by healthcare organisations

Service providers

  • IT service providers
  • Sentry and Honeycomb for system monitoring (pseudonymised data only)
  • Data storage providers
  • Web hosting and server providers
  • Payment processors
  • Marketing and advertising providers
  • Analytics providers

Professional advisers

  • Bankers
  • Auditors
  • Insurers and insurance brokers
  • Legal advisers

Business partners

  • Our existing or potential agents
  • Our business partners or contractors

Corporate transactions

If we merge with or are acquired by another company, or sell our business assets:

  • Your information may be disclosed to our advisers
  • Your information may be disclosed to the potential purchaser's advisers
  • Your information may be included in the transferred assets

Legal and regulatory bodies

  • Courts and tribunals
  • Regulatory authorities including as required for reporting obligations
  • Law enforcement officers

Other parties

  • Third parties you have authorised
  • Emergency services when necessary
  • Any other parties as required or permitted by law

Overseas disclosure

Storage and access

We store your personal information in Australia. However, your information may be accessed from or transferred to locations outside Australia in these circumstances:

  • When our service providers are located overseas
  • When we work with overseas business partners
  • When using cloud-based services or data storage solutions

Specifically, your information may be transferred overseas to:

United States:

  • Stripe for payment processing (PCI DSS compliant) - payment transaction metadata only
  • Sentry and Honeycomb for system monitoring - pseudonymised logs only, no health information
  • Segment for website analytics - non-health information usage data only

European Union:

  • Azure OpenAI for language processing - de-identified health information only for AI processing, with region-pinning where available

All other personal information, including:

  • Application databases and transcripts
  • Authentication and user data
  • Speech processing
  • Encrypted backups

remains stored in Australia (AWS Asia-Pacific Sydney region) and is not transferred overseas.

Our approach to overseas disclosure

Before disclosing your personal information overseas, we take reasonable steps to ensure that the recipient treats your information in accordance with applicable law. We do this by only sending what is necessary; by requiring recipients to protect your information through contractual agreements that require them to comply with the privacy standards in applicable law, or through other mechanisms that provide comparable safeguards; and by monitoring how recipients handle your information.

Your privacy rights and choices

Providing information

You can choose whether to provide personal information to us. However, if you don't provide certain information, we may not be able to provide some services. Let us know if you don't want to provide information and we will let you know when information is required versus optional.

Access to your information

You can request access to the personal information we hold about you, and we will respond to your request within a reasonable time. We may charge a reasonable administrative fee for providing access. If we cannot provide access, we will explain why and explore alternative ways to share relevant information.

Correction rights

You can ask us to correct any information that is inaccurate, out of date, incomplete, irrelevant or misleading, and we will take reasonable steps to correct your information promptly. If we cannot make the correction, we will explain why and discuss alternatives. You can ask us to add a statement to your information noting your requested correction.

Marketing communications

You can opt-out of receiving marketing communications at any time. Each marketing communication will include an unsubscribe option. You can change your marketing preferences by contacting us. We will process your request as soon as practicable.

How to contact us about your rights or to make a complaint and what happens next

Step 1: Contact our privacy officer

What to include:

  • Your full name, contact details, clear details about your request or complaint, and any relevant dates or reference numbers.

Step 2: Our response

We will:

  • Verify your identity before processing your request
  • Investigate thoroughly (for complaints) or process your request (for rights)
  • Respond to you in writing within reasonable timeframes
  • Explain what actions we will take and keep you updated on progress
  • Not charge you for making a request (except for reasonable access fees if applicable)
  • Help you understand and exercise your rights

Step 3: If you're not satisfied (complaints only)

If you're not satisfied with our response to your complaint, you can:

  • Ask for a review by our senior management, or
  • Contact external bodies:

Australian residents:
Office of the Australian Information Commissioner (Phone: 1300 363 992, Website: www.oaic.gov.au)

Protecting your information

We use multiple layers of security to protect your information.

Technical safeguards

  • Enterprise-grade encryption for data storage and transmission
  • Regular security testing and monitoring
  • Automated threat detection systems

Operational security

  • Staff training on security and privacy
  • Strict access controls based on job requirements
  • Regular security audits and testing of incident response procedures

Physical security

  • Secure premises with controlled access
  • Secure disposal of physical documents
  • Equipment security protocols

Public information

Please note that any information you choose to share publicly on online platforms (such as comments or reviews) can be accessed and used by others. We cannot control or protect information that you make publicly available.

How long we keep your information

We keep your personal information only as long as we need it for the purposes we collected it, or as required by law. When we no longer need it, we securely destroy or de-identify it.

Audio Recordings

  • Default: Deleted immediately after transcription
  • If retention enabled: Maximum 6 months, then automatic deletion

Transcripts and clinical notes

  • Up to a maximum of 6 months
  • Typically deleted automatically once delivered to EHR system

System logs and monitoring data

  • Application logs: 30-90 days depending on type
  • Audit logs: Retained for compliance and security monitoring

Encrypted backups

  • Point-in-time recovery backups: 28 days
  • All backups subject to same deletion policies as primary data

User account data

  • Practitioner accounts: Retained while the account is active and for a reasonable period after deactivation
  • Deleted upon account closure request

Cookies and Analytics

What We Use

We use cookies, tracking pixels, and similar technologies on our website and in our emails to improve your experience and our services.

Cookies

  • Small text files stored on your device
  • Help remember your preferences
  • Enable certain website functions
  • Make your interactions with our website more efficient

Tracking Pixels

  • Tiny, invisible images in web pages and emails
  • Help us understand how you interact with our content
  • Allow us to measure email engagement
  • Enable more relevant content delivery

How we use these technologies

Essential Functions

  • Remember your login status
  • Maintain your session security
  • Store your preferences
  • Enable core website features

Analytics and Performance

  • Understand how our website is used
  • Measure page views and traffic
  • Analyse user navigation patterns
  • Identify areas for improvement

Personalisation

  • Remember your preferences
  • Tailor content to your interests
  • Improve your browsing experience
  • Provide relevant recommendations

Your control

You can manage these technologies by:

  • Adjusting your browser settings to block or delete cookies
  • Using privacy-focused browser extensions
  • Configuring your email client to block images
  • Using our cookie preference settings

Note: Blocking all cookies may affect website functionality and your user experience.

Google Analytics

We use Google Analytics to understand how people use our website. This involves cookies that collect information about your browsing activity. You can opt out of Google's advertising features through your Google account settings, browser add-ons, or your device's privacy settings. Google provides various tools and options to control how your data is used for advertising purposes. You can learn more about how Google uses your data and your available options on Google's privacy pages.

Meta advertising tools

We use Meta's advertising tools (such as Meta Pixel) to understand how our ads perform and to show you more relevant advertisements on Meta platforms like Facebook and Instagram when you visit our website or app. You can manage whether we connect information from our website with your Meta account for advertising purposes by adjusting your settings within your Meta account preferences.

Artificial Intelligence (AI) Technologies

Overview

We use artificial intelligence and machine learning technologies in our business operations and services, including AI tools provided by third parties. We only use these technologies when legally permitted and necessary for our business.

How we use AI

We may use AI technologies to:

  • Provide real-time transcription of healthcare consultations
  • Generate clinical documentation drafts for clinician review
  • Convert speech to text for medical record creation
  • Populate clinical templates with approved content
  • Conduct analysis and data processing
  • Improve and optimise our services and operations
  • Automate routine tasks and communications
  • Personalise your experience with our services
  • Support quality assurance processes

Data protection and security

We apply de-identification techniques to health information. We take a conservative approach and treat any data that has undergone de-identification as personal information for compliance purposes. Even when data is de-identified, we maintain the same privacy protections and security measures.

When we work with third-party AI providers, we ensure they handle your personal information in accordance with privacy laws through contractual requirements and appropriate safeguards.

Your rights and our commitments

Any information generated or inferred about you by AI technologies is treated as personal information, and you maintain all the rights outlined in this privacy policy. When using AI with your personal information, we commit to:

Transparency and control

  • We'll inform you when AI is used to make decisions that may significantly affect you
  • We maintain human oversight and review of significant AI-generated decisions
  • Our staff are trained to understand AI limitations and verify outputs before relying on them
  • We implement processes to verify the accuracy of AI-generated outputs
  • All AI-generated clinical content requires clinician review and approval before use

Security

  • We use appropriate technical and organisational measures to maintain the security and integrity of your personal information
  • We regularly test and monitor AI outputs for accuracy and reliability

Risk mitigation

  • We regularly assess and document risks associated with using AI to process personal information
  • We implement appropriate measures to address these risks
  • We continuously monitor AI performance and regularly review its impact

Amendments

We may update this policy at any time by posting the revised version on our website. We recommend that you review our website regularly to stay current with any policy changes.