Privacy Policy
Version 2026-05-24 · Effective 24 May 2026
1. Overview
Janet Cares is operated by Work Healthy Australia Pty Ltd (ABN 30 094 368 162) (“we”, “us”, “our”, “WHA”). We are the data controller for the purposes of the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Janet Cares is a personal health optimisation platform. It calculates a member’s biological age estimate, produces a five-domain wellness assessment, and delivers personalised supplement recommendations and a coaching experience via the Janet AI. The platform serves individual members (B2C) and, where a corporate employer has arranged access, members of a corporate wellness programme (B2B).
This Privacy Policy describes what personal information we collect, why we collect it, how we use and protect it, and your rights in relation to it. By creating an account or using the Service you agree to this policy. If you do not agree, do not use the Service.
A formal APP 5 collection notice is available at /legal/collection-notice. Plain-language data-handling commitments are at /legal/data-handling. The wearable-data Privacy Impact Assessment is at /privacy/wearable.
2. Information we collect
2.1 Account identifiers
- Email address — collected at signup via Supabase Auth. Used for login, transactional email, and account verification.
- Full name — collected at signup. Stored encrypted (AES-256-GCM) on our database. Used to personalise your experience and to identify you to any nominated clinician.
- Date of birth — collected during onboarding. Stored encrypted. Used to compute biological age and contextualise risk scores.
- Mobile phone number — optional; collected during onboarding. Stored encrypted. Used for SMS reminders only if you explicitly opt in under the Spam Act 2003 (Cth).
- Postal address — optional; collected during onboarding. Being migrated to encrypted storage. Used to contextualise regional health norms.
2.2 Sensitive health information
The following is sensitive information under APP 3.3. We collect it only with your explicit consent and use it solely to deliver the core service:
- Medical history, current medications, and known allergies (including criticality and reaction type).
- Family health history — parental and grandparental conditions, causes of death, and onset ages.
- Cancer history — personal and family; including type and onset age.
- Lifestyle factors — smoking status, alcohol use, exercise frequency, sleep patterns, diet quality, and stress levels.
- Biometric measurements — height, weight, resting heart rate, and blood pressure.
- Sex assigned at birth and gender identity.
These fields are collected via the onboarding questionnaire and stored in a de-identified JSONB structure in our database. PII fields are stored separately and never mixed into the questionnaire response object.
2.3 Uploaded documents
You may upload medical documents — blood work panels, imaging reports, genetic test results, microbiome analyses, and other pathology. Uploaded files are:
- Stored in encrypted Supabase storage (Sydney region, ap-southeast-2).
- Analysed by the Janet AI (Anthropic Claude) to extract structured findings — biomarker names, values, reference ranges, test dates, and the name of the ordering clinician. Patient-identifying information (your name, date of birth, Medicare number, etc.) is explicitly prohibited from appearing in any extracted output.
- Never shared with third parties beyond the named processors in section 6.
2.4 Wearable and device data
If you configure a wearable sync workflow (Apple Health or Android Health Connect), we receive seven fields per sync:
- Sleep duration and deep sleep percentage
- Step count and active calories
- Resting heart rate and heart rate variability (HRV)
- Date of measurement
We do not access GPS location, raw accelerometer data, audio, photos, or any other sensor data. See the Wearable Privacy Impact Assessment for full detail on this data flow.
You may use third-party utility apps installed on your own device — such as Health Auto Export (iOS) or a Health Connect relay (Android) — to transmit your wearable data to us. These apps are operated by their own vendors and we have no contractual relationship with them. We recommend reviewing each app’s privacy policy before installing. Data they transmit to us is governed by this privacy policy from the point we receive it.
2.5 Computed outputs
- Biological age estimate and longevity score
- Domain risk scores (cardiovascular, metabolic, cognitive, musculoskeletal, oncological)
- Supplement protocol and coaching recommendations
- Biomarker trends and status classifications
2.6 Conversation history
Messages you exchange with the Janet AI are stored in our database, linked to your account. They are used to maintain conversation continuity and to allow your nominated clinician to review your coaching history.
2.7 Technical and billing data
- IP address and browser user-agent — captured at the time of consent acceptance for audit-trail purposes only.
- Session authentication tokens — managed by Supabase Auth; never stored in our application layer.
- Stripe billing identifiers — subscription plan, billing cycle, and payment status. Payment card details go directly to Stripe and are never stored on our servers.
- Error telemetry — application error reports including stack traces and the URL that caused the error, collected via Sentry. Sentry is configured to mask personally identifiable request parameters.
3. How we use your information
We use your information only for the purposes for which it was collected or purposes you would reasonably expect:
- Delivering the core service — computing your biological age estimate, calculating your wellness scores, producing personalised supplement recommendations, and powering Janet AI coaching.
- Clinician review — making your data available to any registered clinician you nominate as part of your care team. Access is gated on your explicit consent and recorded in our audit trail.
- Transactional communications — welcome email, password reset, program-delivery notifications, and appointment confirmations, sent via Resend.
- Service improvement and safety — error tracking via Sentry to identify and fix bugs; cost monitoring to maintain service availability.
- Legal and regulatory obligations — maintaining clinical records as required by AHPRA records-keeping standards (minimum 7 years from last service for adults).
We do not use your data to train AI models. We do not sell, rent, or share your personal information with any third party other than the named processors in section 6. Where you participate in a corporate wellness programme, only de-identified aggregate cohort signals are shared with your employer — never your individual identifiable data.
4. Data security
- Encryption in transit — all data between your device and our servers is encrypted using TLS 1.3.
- Encryption at rest — PII fields — your full name, date of birth, phone number, and postal address are encrypted at rest using AES-256-GCM before being written to the database. The encryption key is held separately from the database.
- Encryption at rest — files — uploaded documents are stored in Supabase Storage, which applies server-side encryption (AES-256) to all objects.
- Row-level security (RLS) — our database enforces RLS on every table. Your records are never readable by another member. Clinicians can read only the patients who have explicitly granted them access. Admin access is scoped to staff accounts and is audited.
- Audit trails — every consent acceptance, care team access grant/revoke, role change, and wearable sync request is recorded in immutable append-only audit tables. These records cannot be modified or deleted.
- Service-role key isolation — the database key that bypasses row-level security is used only in server-side administrative functions (webhooks, risk engine writes, PDF generation). It is never sent to the browser.
5. Data residency
| System | Data held | Region |
|---|---|---|
| Supabase (primary database & file storage) | All patient data — profiles, health records, uploads, risk scores, audit logs | ap-southeast-2 (Sydney, Australia) |
| Vercel (application hosting) | No patient data stored; serves the application code | Global CDN; server-side functions run in Australia |
| Anthropic Claude API | Your uploaded document is sent for analysis; extracted structured data is returned. See section 6 for APP 8 cross-border disclosure. | United States |
6. Third-party services and sub-processors
We use the following third-party processors to run the Service. Each is bound by a written data-processing arrangement:
| Vendor | Purpose | Data sent | Region | DPA |
|---|---|---|---|---|
| Supabase | Database, file storage, authentication | All patient data | AU (ap-southeast-2) | supabase.com/dpa |
| Anthropic | LLM inference (Janet AI analysis of uploads) | Your uploaded document (PDF or image). Patient-identifying output is prohibited at the system prompt level. | US | anthropic.com/legal/aup |
| Stripe | Payment processing and subscription management | Name and email for billing; payment card data goes directly to Stripe — never to our servers | US | stripe.com/au/legal/dpa |
| Resend | Transactional email delivery | Your email address and the content of transactional emails | US/EU | resend.com/legal/dpa |
| Vercel | Application hosting and serverless compute | HTTP request data (processed transiently; not stored by Vercel) | Global | vercel.com/legal/dpa |
| Sentry | Application error tracking and diagnostics | Error reports including stack traces and page URLs; personally identifiable request parameters are masked | US | sentry.io/legal/dpa |
APP 8 — Cross-border disclosure
Anthropic, Stripe, Resend, Vercel, and Sentry process data outside Australia (primarily in the United States). By creating an account you acknowledge this cross-border disclosure. We take reasonable steps to ensure that each overseas recipient is bound by privacy obligations comparable to the APPs (via the DPAs listed above), but you should be aware that overseas privacy laws may differ from the Privacy Act 1988.
Data sent to Anthropic for document analysis consists of the document you uploaded and a system prompt. We do not send your name, date of birth, or contact details to Anthropic. The system prompt contains an explicit prohibition against including patient-identifying information in any output.
7. Your rights
Under the Australian Privacy Act 1988 and the APPs you have the following rights:
- Access — you may request access to your personal information at any time. You can download a complete export of everything we hold about you from your Account page. Alternatively, email privacy@workhealthyaus.com.au.
- Correction — if you believe any information we hold about you is inaccurate, incomplete, or out of date, you can update it from your Account page or email us.
- Deletion (erasure) — you can permanently delete your account and all associated personal data from your Account page. Clinical records created under AHPRA obligations may be retained in de-identified form for the minimum regulatory period (7 years for adults). Audit records (consent log, care team log) are retained to support regulatory compliance and cannot be erased.
- Wearable data — you can delete wearable sync data by source (Apple Health, Android Health, manual entry) at /account/data/wearables without affecting any other data.
- Withdrawal of consent — where we rely on your consent to process sensitive health information, you may withdraw consent at any time. Withdrawal will affect the features available to you but will not affect the lawfulness of prior processing.
- Complaints — if you believe we have breached the APPs, please contact us at privacy@workhealthyaus.com.au in the first instance. If the complaint is not resolved to your satisfaction within 30 days you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Note for EU and UK residents
If you access the Service from the European Union or United Kingdom, you may have additional rights under the GDPR or UK GDPR (including the right to data portability and the right to object to processing). Please contact privacy@workhealthyaus.com.au to exercise these rights. We are actively reviewing our obligations under European data protection law as part of an ongoing compliance programme.
8. Cookies
We use only strictly necessary cookies required to operate the Service:
- Authentication session cookie — set by Supabase Auth to maintain your logged-in session. This cookie is HTTP-only, Secure, and SameSite=Lax. It is deleted when you sign out.
- MFA trust cookie — set when you mark a device as trusted after multi-factor authentication. Cryptographically signed and expires after 30 days.
We do not use advertising cookies, tracking pixels, or third-party analytics scripts that set cookies. We do not use Google Analytics, Meta Pixel, or any behavioural advertising technology.
9. Data retention
| Data category | Retention period | Basis |
|---|---|---|
| Health records and questionnaire data | 7 years from last service (adults); until age 25 for minors | AHPRA records-keeping requirements |
| Personal identifiers (name, DOB, phone, address) | Duration of account; deleted on erasure request | Service delivery |
| Consent records and audit logs | Indefinite (append-only) | AHPRA audit trail; legal compliance |
| Wearable sync data | Duration of account unless deleted earlier via /account/data/wearables | Service delivery |
| Uploaded documents (raw files) | Duration of account; deleted on account erasure | Service delivery |
| Billing records | 7 years | Tax and financial reporting obligations |
10. Changes to this policy
We will notify you of material changes to this policy by email and by displaying a notice in the Service at least 30 days before the change takes effect. The version and effective date at the top of this page record when this version was last updated. Continuing to use the Service after the effective date constitutes acceptance of the revised policy.
11. Contact
Privacy enquiries, access or correction requests, and complaints should be directed to:
Work Healthy Australia Pty Ltd
Privacy Officer
privacy@workhealthyaus.com.au