Privacy Policy — Figments

1. About This Policy

Figments (“we”, “us”, “our”) is a clinical practice management platform for Australian allied health practices. This Privacy Policy explains how we collect, hold, use, and disclose personal information (including health information) in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Health information is sensitive information under the Privacy Act and is afforded the highest level of protection. We treat all client data accordingly.

2. Who We Are

Figments is operated by VFP Australia (ABN 57 627 769 500), trading as Figments Health. For privacy enquiries, contact us at privacy@figments.com.au.

Figments acts as a data processor on behalf of the allied health practice (the “Organisation”) that subscribes to our platform. The Organisation is the primary data controller responsible for how client health information is collected and used within their practice.

3. What Information We Collect

Client health information (collected by practices using Figments):

Full name, date of birth, contact details
Session notes, SOAP/DAP notes, therapy goals
Voice recordings processed for AI-assisted documentation (with explicit consent)
Invoice and funding information (NDIS, private health)
Guardian / family member details for minor clients
Communication history (SMS, email reminders)

Clinician and practice information:

Name, email address, role within the practice
Authentication credentials (managed by Clerk)
Billing information (managed by Stripe — we do not store card numbers)
Usage logs and audit records

4. Cookies, IP Addresses, and Technical Data

Cookies:

We use essential cookies for authentication (managed by Clerk). These cookies are required for you to log in and use the platform. We do not use advertising or tracking cookies.

IP addresses:

We collect IP addresses when online forms are submitted, when electronic signatures are captured, and in audit logs recording access to clinical data. IP addresses are used for security, fraud prevention, and compliance purposes only.

Analytics:

We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies and does not collect personal data. No individual user tracking occurs.

5. How We Use Personal Information

To provide clinical practice management features to subscribed practices
To generate AI-assisted session documentation (Voice AI) where consent has been given
To send appointment reminders and follow-up communications on behalf of the practice
To process subscription billing
To maintain audit logs for compliance and security purposes
To investigate and respond to support requests

We do not use client health information to train AI models. We do not sell personal information to third parties.

6. Voice AI and Consent

Figments's Voice AI feature transcribes session recordings and generates draft clinical notes using OpenAI's API. This feature:

Is opt-in only — clients must provide explicit written consent before any recording is processed
Consent can be revoked at any time; processing stops immediately upon revocation
Audio is transmitted securely to OpenAI for transcription and is subject to OpenAI's data processing agreement
Recordings are stored in Google Cloud Storage (australia-southeast1 region)
Clinicians review and approve all AI-generated notes before they are finalised

7. Where We Store Data

We store data in Australia wherever possible:

Database: Neon serverless PostgreSQL (AWS ap-southeast-2, Sydney)
Clinical files & recordings: Google Cloud Storage (australia-southeast1, Sydney)
Application hosting: Vercel (syd1 region, Sydney)

Some data may be processed by third-party services outside Australia (see Section 8). Where this occurs, we take reasonable steps to ensure those providers maintain equivalent privacy protections under APP 8.

8. Third-Party Service Providers

We engage the following sub-processors to deliver the platform:

Provider	Purpose	Location
Clerk	Authentication & identity	USA
OpenAI	Voice AI transcription & note generation	USA
Stripe	Subscription billing	USA
Resend	Transactional email (may include appointment details and client names)	USA
Twilio	SMS reminders (may include appointment details and client names)	USA/AU
Daily.co	Telehealth video conferencing	USA
Xero	Accounting integration (client names, invoices)	Australia/USA
Google Cloud	File & recording storage	Australia
Neon	Database	Australia
Vercel	Application hosting	Australia

9. Disclosure of Information

We do not disclose personal information to third parties except:

To our sub-processors listed above, for the purpose of delivering the platform
Where required by law, court order, or regulatory authority
To protect the safety of a person in an emergency
With your explicit consent

10. Security

We take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification, or disclosure. Security measures include:

Encryption in transit (TLS) and at rest
Application-level encryption (AES-256-GCM) for session notes, NDIS numbers, message bodies, and OAuth tokens
Role-based access controls — clinicians only access clients within their organisation
Multi-factor authentication support
Audit logging of all data access and modifications
Automatic guardian access revocation when clients turn 18

11. Data Retention

Clinical records are retained for a minimum of 7 years from the date of last service (or until a minor client turns 25, whichever is later), in accordance with state-based health records legislation. Organisations may request earlier deletion subject to applicable legal obligations.

SMS and email message records are retained for the same period as clinical records (7 years). Message content is encrypted at rest within the database. Organisations may request earlier deletion subject to applicable legal obligations.

Pending guardian user records with no active links are automatically removed after 30 days.

12. Access and Correction

Individuals have the right to access personal information we hold about them and to request correction of inaccurate information. Requests should be directed to the practice that holds your clinical records in the first instance. Platform-level access requests can be directed to privacy@figments.com.au.

We will respond to access requests within 30 days. A reasonable fee may apply for complex requests.

13. Data Breach Notification

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by Part IIIC of the Privacy Act.

14. Complaints

If you believe we have breached your privacy, please contact us at privacy@figments.com.au. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the OAIC at www.oaic.gov.au.

15. Changes to This Policy

We may update this policy from time to time. The current version will always be available at figments.com.au/privacy. Material changes will be communicated to practice administrators by email.