Plain-language summary↑
This website, drsophia.ai, is operated by Dr Sophia AI Pty Ltd, an Australian company. It collects very little about you. If you browse, we record anonymised analytics (Google Analytics 4, with IP anonymisation, processed in the United States) and standard technical logs. If you submit the contact form, we collect your name, work email, organisation and role, your message, and the segment you select. A person reads your enquiry and replies, normally within one business day. We do not add you to a marketing list, and we do not sell your information.
This website holds no clinical records, no patient data, and no payment details. Please do not include patient information in your message. Clinical data is handled on the platform, not on this website: customer clinical data is hosted in Australia (AWS Sovereign Cloud, AU-East), does not leave Australia, and is governed by each customer's signed agreement rather than by this policy.
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. You can ask to access, correct, or delete your information at safety@drsophia.ai. If our answer does not satisfy you, you can complain to the Office of the Australian Information Commissioner.
1. What we collect↑
This policy explains how Dr Sophia AI Pty Ltd (ACN 675 911 010) ("Dr Sophia AI", "we", "us", "our") handles personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We separate website-visitor data from clinical-use data because the two are collected differently, stored differently, and governed by different instruments.
1.1 Website-visitor data
We collect the following through drsophia.ai:
- Contact form submissions. Name, work email address, organisation and role, your message, and the segment you select (GP clinic, healthcare services provider, insurer, or other). Submissions are triaged manually by our team. The form uses a hidden anti-spam field (a honeypot) rather than a third-party CAPTCHA service, so no CAPTCHA provider receives your data.
- Email correspondence. Messages you send to our public addresses, and our replies.
- Analytics data. Aggregated usage data collected by Google Analytics 4 with IP anonymisation enabled: pages visited, session duration, referral source, device and browser type, and approximate location at city level.
- Technical log data. Our hosting and content-delivery provider records IP addresses, user-agent strings, and request timestamps to deliver the site securely and to prevent abuse.
- Cookie preferences. A record of the choices you make through the "Manage cookies" control.
1.2 Clinical-use data (platform customers)
The Dr Sophia AI platform (Sophia Core, Sophia Decision, Sophia Assist, and Sophia Guard) processes clinical information on behalf of healthcare organisations, healthcare services providers, and insurers under signed customer agreements. This includes deployments operating under the Rose AI Clinician identity. Clinical-use data is collected by the customer organisation, not by this website, and it is governed by the customer agreement and the platform documentation behind it, not by this policy. Where the platform holds clinical information, access is controlled through single sign-on (SAML and OIDC) and role-based access control, data is encrypted with AES-256 in transit and at rest, and integration uses HL7 FHIR. If you are a patient of an organisation that uses the platform, your first point of contact is that organisation, which remains the custodian of your records.
1.3 What we do not collect on this website
- No clinical records and no patient data. Nothing on this website collects, stores, or transmits clinical information. Do not include patient details in the contact form or in email to our public addresses.
- No payment data. The website sells nothing and takes no payments.
- No account credentials. There is no visitor login on drsophia.ai.
- No advertising or remarketing trackers. We run no advertising pixels and no cross-site tracking.
- No marketing-automation profiles. Form submissions are read and answered by a person; we do not build automated profiles from them.
2. Why we collect it↑
APP 3 permits us to collect personal information only where it is reasonably necessary for our functions or activities. APP 6 requires us to use and disclose it only for the primary purpose of collection, unless you consent or an exception under the Privacy Act applies. The table below states the purpose for each data type.
| Data type | Purpose | Legal basis |
|---|---|---|
| Contact form submission (name, work email, organisation and role, message, segment) | To respond to your enquiry, route it to the right person, and arrange a discovery call if you request one | APP 3 (collection); APP 6 (use for the primary purpose) |
| Email correspondence | To answer you and to keep an accurate record of the exchange | APP 3 (collection); APP 6 (use for the primary purpose) |
| Analytics data (anonymised) | To understand aggregate site usage and improve content and structure | APP 3 (collection); APP 6 (use for the primary purpose) |
| Technical log data | To deliver the site securely, maintain performance, and prevent abuse | APP 3 (collection); APP 6 (use for the primary purpose) |
| Cookie preferences | To remember and honour your choices | APP 3 (collection); APP 6 (use for the primary purpose) |
We do not use website-visitor data for direct marketing.
3. Sharing and subprocessors↑
We do not sell personal information. We share website-visitor data only with the service providers that operate the website and our correspondence, listed below.
| Subprocessor | Service | Data handled | Country of processing |
|---|---|---|---|
| Cloudflare, Inc. | Website hosting and content delivery (CDN) | Technical log data, security telemetry | Global edge network (requests are served from the nearest data centre) |
| Google LLC (Google Analytics 4) | Website analytics | Anonymised usage data, with IP anonymisation enabled | United States |
| Microsoft Corporation (Microsoft 365) | Business email | Contact form submissions, email correspondence | Australia (United States as a potential secondary region) |
| Amazon Web Services (AWS) | Platform hosting for clinical deployments | Customer clinical data, under customer agreements only | Australia (AU-East) |
We may also disclose personal information to our professional advisers under confidentiality obligations, and to regulators, courts, or law enforcement where the law requires it.
3.1 International transfers (APP 8)
Some website services process data outside Australia: analytics in the United States, and content delivery across a global edge network. Business email is hosted on Microsoft 365 in the Australian region, so it is processed in Australia by default; the United States may apply only as a secondary Microsoft region. Before we disclose personal information to an overseas recipient, we take steps that are reasonable in the circumstances, as APP 8 requires, to ensure the recipient handles it consistently with the Australian Privacy Principles, including contractual data-protection terms with the providers listed above. Clinical data is not part of these flows: see clause 4.
4. Data residency↑
Australian customer clinical data is hosted in Australia (AWS Sovereign Cloud, AU-East). Clinical data does not leave Australia.
That is the platform's residency commitment. Clinical data held on the platform is encrypted with AES-256 in transit and at rest, and every platform decision carries an audit trail anchored on Hedera Hashgraph.
Website-visitor data is different, and we state it plainly:
- Website analytics are processed by Google Analytics 4 in the United States, with IP anonymisation enabled.
- The website is delivered through a global content-delivery network, so technical log data may be processed outside Australia.
- Business email is hosted on Microsoft 365 in the Australian region, so it is processed in Australia by default, with the United States as a potential secondary region.
Website-visitor data is not clinical data. No clinical information is collected on, or transmitted through, drsophia.ai.
5. Retention and deletion↑
We keep personal information only for as long as it is needed for the purpose it was collected for, or for as long as the law requires.
| Data type | Retention period | Notes |
|---|---|---|
| Contact form submissions | 24 months after last contact | Kept while an enquiry or commercial conversation is active |
| Email correspondence | 7 years where it evidences a commercial arrangement | Statutory record-keeping obligations may apply |
| Analytics data | 14 months (GA4 retention setting) | Held in aggregate, anonymised form |
| Technical log data | 30 days | Security and abuse-investigation window |
| Cookie preferences | Until you clear your cookies, or after 12 months | Stored in your browser |
5.1 How to request deletion
Email safety@drsophia.ai with the subject line "Deletion request". We will verify that the request comes from the email address concerned, delete the information we are not legally required to retain, and confirm the outcome within 30 days. Where the law requires us to retain a record, we will tell you what is retained and why. If your information was processed by the platform through one of our customer organisations, direct your request to that organisation; we support our customers in meeting such requests under the customer agreement.
6. Your rights↑
The Privacy Act 1988 (Cth) gives you the right to access the personal information we hold about you (APP 12) and the right to ask us to correct it (APP 13). In addition, we honour the following requests for website-visitor data.
- Access. A copy of the personal information we hold about you.
- Correction. Correction of information that is inaccurate, out of date, incomplete, or misleading.
- Deletion. Deletion of information we are not legally required to retain (see clause 5).
- Objection. A stop on a particular use of your information, including any future direct marketing.
- Portability. A copy of the information you have provided to us, in a structured, machine-readable format.
There is no charge for making a request. Where the Privacy Act permits us to decline a request, we will give our reasons in writing.
6.1 How to complain, and the path to the OAIC
- Contact the Privacy Officer. Email safety@drsophia.ai with the details of your concern. We will acknowledge your complaint within 7 days.
- We investigate and respond. We will investigate and give you a written response within 30 days.
- Escalate to the OAIC. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC), online at oaic.gov.au or by phone on 1300 363 992.
7. Cookies↑
drsophia.ai uses a small number of cookies. There are no advertising cookies on this site.
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguishes visitors for aggregate analytics | 24 months |
| _gid | Google Analytics 4 | Distinguishes visitors within a short analytics window | 24 hours |
| Preference cookies | drsophia.ai | Remember your cookie and display choices | 12 months |
Google Analytics 4 processes analytics data in the United States with IP anonymisation enabled, so full IP addresses are not stored with analytics records. You can change your cookie choices at any time through the "Manage cookies" control in the footer of every page, and you can block or delete cookies in your browser settings. The site remains usable with analytics cookies disabled.
8. Changes to this policy↑
When we change this policy, we will post the updated version on this page, revise the "Last updated" date and version number in the meta row above, and record the change in the version history table below. For material changes, we will place a dated notice at the top of this page for 30 days. We do not operate a marketing list, so we do not send change notifications by email. The version history table is the audit trail of this document.
9. Contact↑
- Postal address: Dr Sophia AI Pty Ltd, Regus Suite 118, 121 King William Street, Adelaide CBD, SA 5000
- ACN: 675 911 010
| Address | Use it for |
|---|---|
| safety@drsophia.ai | Access, correction, deletion, and portability requests, privacy questions, complaints, and legal notices |
| info@drsophia.ai | General enquiries |
We respond to privacy requests and complaints within 30 days. If our response does not resolve your concern, you can escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992. Clause 6 sets out the steps.