Privacy Policy
Exora Health Pty Ltd (ABN 16 690 025 462)
Effective date: 24 February 2026 | Version: 1.0
At a Glance
- Your health data is stored in Australia (Sydney data centers); AI processing may involve overseas services (see Section 6)
- We never sell your data or use it for advertising
- You control who sees your data - sharing is always initiated by you, and you can revoke access at any time
- You can delete your account at any time - 30-day recovery window, then permanent deletion of your health data, documents, and personal information (audit logs retained for compliance)
- We use AI from third-party providers (including Google, Anthropic, and OpenAI) to process your documents - these providers do not use your data for AI model training under their commercial API terms
- We do not include sensitive health details in push notifications
- Contact us at hello@exora.au with any privacy questions
1. About This Policy
Exora is a personal health data platform that helps you organize your medical records using artificial intelligence. You upload your medical documents, and our AI extracts and structures the health information for your personal use.
This privacy policy explains how Exora Health Pty Ltd (“Exora”, “we”, “us”, “our”) collects, uses, stores, and protects your personal information when you use the Exora platform (our mobile app and web app at app.exora.au).
We are bound by the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Health information is classified as sensitive information under the Act, and we treat it with additional care.
Exora is not a medical device, healthcare provider, or clinical decision support system. Information provided by Exora, including AI-generated summaries and structured health records, is for your personal reference only and does not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional for medical decisions.
2. What We Collect
Account information: Your name, email address or phone number, date of birth, and optional fields such as biological sex and gender identity. Your PIN is stored as a secure hash only - we never see or store the raw PIN. If you verify your identity through ConnectID, we receive your verified legal name and date of birth from your bank.
Health information: Medical documents you upload (PDFs, images, scans) and the clinical data our AI extracts from them, including conditions, medications, allergies, vital signs, laboratory results, procedures, and immunization records. This is sensitive information under the Privacy Act and is only collected with your express consent.
Chat and voice data: Messages you send to our AI health assistant, photos you share in chat for analysis, and voice recordings used for transcription. Photos shared in chat are stored on our servers alongside your chat history and are deleted when you delete the chat session or your account. Voice audio is transcribed to text and stored locally on your device for up to 7 days, then automatically deleted. We do not retain voice recordings on our servers.
Device information: A unique identifier generated by the app (not a hardware device ID), your device name, platform (iOS or Android), app version, and push notification token if you enable notifications.
What we do not collect: Location data, contacts, browsing history, advertising identifiers, biometric data (Face ID and Touch ID are processed entirely on your device), or payment information.
3. How We Collect It
Directly from you: When you create an account, set up profiles, upload documents, send chat messages, take photos, or use voice input.
Automatically from your device: Device identifiers, platform information, and push notification tokens are collected when you use the app.
From your documents via AI processing: When you upload a medical document, our AI reads it and extracts structured health information. This processing is initiated by you and serves the primary purpose of organizing your health data.
From identity verification providers: If you choose to verify your identity, ConnectID returns your verified name and date of birth from your bank. This only happens when you initiate the process.
From external health data sources: In future, we may enable you to connect Exora to external health data sources such as government health records or pathology providers. If we do, you will initiate and authorize each connection yourself, and you will be able to disconnect at any time. We will update this policy before launching any such integration.
4. Why We Use It
We collect your information to provide you with a personal, AI-powered health data platform. Specifically:
- Providing the service: Storing, organizing, and displaying your health records; processing your documents through our AI pipeline; powering the AI health assistant
- Account management: Authentication, device management, push notifications (with your permission)
- Sharing: Enabling you to share your health data with people and healthcare providers you choose
- Identity verification: Verifying your identity when you choose to use ConnectID
- Service improvement: Using aggregated, de-identified usage patterns to improve the platform (we do not use individual health data for this purpose)
- Legal compliance: Meeting our obligations under Australian law
What we never use your data for: Advertising, sale to third parties, AI model training, data mining, or commercial profiling. We do not send marketing messages unless you explicitly opt in.
When you upload a medical document, you consent to its processing by our AI systems to extract, structure, and organize your health data. We also send necessary service communications (authentication codes, security alerts, policy updates) via email or SMS - these are not marketing.
5. Who We Share It With
People you choose: You control who sees your health data. You can share specific records with family members, carers, or healthcare providers through Exora’s sharing features. You choose the permission level and can revoke access at any time. All sharing actions are logged.
Service providers: We use the following providers to operate Exora:
- Supabase - database and file storage (data hosted in Sydney, Australia)
- Google Cloud Platform - document processing and AI services (processing in Sydney, Australia; AI API calls may route outside Australia - see Section 6)
- Google AI (Gemini) - processes your document text, chat messages, photos, and voice
- Anthropic (Claude) - processes your document text and chat messages
- OpenAI - processes your document text and chat messages
- Vercel - hosts our API routes (stateless transit layer; data is stored in Australia)
- ConnectID - identity verification (Australia only)
- Expo - push notification delivery routing
- Resend - email delivery for authentication messages (receives your email address only)
- Twilio - SMS delivery for authentication messages (receives your phone number only)
Authentication delivery providers (Resend, Twilio) receive only your email or phone number for delivering login codes. They do not receive health data.
Who cannot access your data: Other Exora users (unless you share with them), advertisers, data brokers, insurance companies, or employers. We may disclose your personal information if required by law or legal process (such as a court order). If we receive a legal request for your data, we will notify you before disclosing it unless we are legally prohibited from doing so.
6. Where Your Data Is Stored and Processed
Stored in Australia. Your health records, documents, and account data are stored in Sydney, Australia, using Supabase (on AWS ap-southeast-2) and Google Cloud Platform (australia-southeast1).
AI processing may involve overseas services. When our AI processes your documents, the text content is sent to third-party AI providers including Google (Gemini API), Anthropic (Claude API), and OpenAI. These companies are headquartered in the United States. We may change, add, or remove AI providers based on quality, reliability, and cost. Under their commercial API terms:
- These providers do not use your data to train their AI models
- They may temporarily retain API data (up to 30 days) for safety and abuse monitoring
- Data is processed and returned to us; it is not stored long-term by these providers
We rely on contractual protections under each provider’s commercial terms of service as our safeguard under APP 8 of the Privacy Act. If a provider breaches the APPs in handling your data, Exora remains accountable under section 16C of the Privacy Act.
Our API routes are hosted on Vercel, which may process requests through servers in multiple regions during transit. All data is stored in Australia - Vercel acts as a stateless transit layer only.
All infrastructure providers maintain standard operational logs (including IP addresses and request metadata) for security monitoring and debugging, subject to their own retention policies.
7. How We Protect Your Information
We employ the following measures to protect your information:
- Encryption: All data is encrypted in transit (TLS) and at rest by our infrastructure providers
- Access controls: Row-Level Security on all clinical database tables ensures you can only access your own data
- User-isolated storage: Each user’s documents are stored in their own folder
- Authentication: Login via one-time codes sent to your email or phone - no passwords to breach
- Biometric unlock: Face ID and Touch ID are processed on your device; biometric data never leaves your device
- Session security: Authentication tokens are rotated on every use
- Audit logging: All data access and modifications are logged
- Infrastructure certification: Our database provider (Supabase) maintains SOC 2 Type II certification
No system is completely secure. If we ever experience a data breach affecting your personal information, we will notify you and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme.
8. How Long We Keep It
While your account is active: Your health data, documents, and chat history are retained for as long as your account exists. You can delete individual records at any time.
When you delete your account: All data is removed from live systems immediately and becomes inaccessible. Your account enters a 30-day recovery window during which you can reactivate by signing back in. After 30 days, an automated process permanently deletes all your data, including health records, documents, processing data, chat history, and storage files.
What survives deletion: Audit log entries are retained for 7 years after account deletion for compliance purposes. These logs contain user identifiers, timestamps, and records of data changes. They are not anonymised. Aggregated processing metrics (which do not contain health data) are also retained.
Backup retention: Automated database backups are kept for 7 days on a rolling basis. Uploaded documents are stored in file storage and retained for as long as your account is active. They are not included in database backups and are permanently deleted when your account is deleted.
AI provider retention: Our AI providers (Google, Anthropic, and OpenAI) may retain API data for up to 30 days for safety monitoring under their commercial API terms.
Local device data: Voice recordings stored on your device are automatically deleted after 7 days. Cached session data is cleared when you sign out.
9. Artificial Intelligence
What our AI does. When you upload a medical document, our AI reads the full content of that document - including any names, dates, and other personal details it contains - to identify health information (conditions, medications, allergies, vital signs, lab results, procedures, immunizations) and organize it into your structured health record. Our AI chat assistant can answer questions about your health data. You can also send photos for AI analysis and use voice input that is transcribed by AI.
AI providers. We use AI services from Google (including Google Cloud Vision for document scanning and Google Gemini for health data extraction, chat, and voice), Anthropic (Claude for document processing and chat), and OpenAI (for document processing and chat). We may change, add, or remove providers based on quality, reliability, and cost. The current list of providers and what data each receives is in Section 5.
Your data and AI training. Your health data is not used to train AI models. Our AI providers process your data solely to return results to you, under their commercial API terms. Providers may temporarily retain data for safety monitoring (see Section 8). We do not currently use your data to train or improve Exora’s own AI systems. In future, we may offer you the opportunity to contribute de-identified data to improve our systems. Any such use would require your separate, explicit consent.
AI accuracy. AI-extracted information may contain errors, omissions, or misinterpretations. Data quality indicators shown in the app reflect processing confidence and do not constitute clinical validation. Medical codes are AI-assigned and have not been verified by a healthcare professional. Always verify important health information with your healthcare provider and against your original documents.
No automated decisions. Our AI organizes and summarizes your health information. It does not make medical decisions, diagnoses, or treatment recommendations. No automated decisions are made by our systems that affect your legal rights or interests. Using Exora does not create a doctor-patient or healthcare provider relationship.
Emergencies. Exora is not designed for medical emergencies. If you are experiencing a medical emergency, call 000 (Australia) or your local emergency number immediately.
10. Your Rights
Under the Australian Privacy Principles, you have the right to:
Access your data. You can view all your health data in the app. To request a full copy of your personal information, contact us at hello@exora.au. We will respond within 30 days.
Correct your data. You can edit your profile information in the app. For AI-extracted health records, you can add notes, delete inaccurate records, or re-upload corrected documents. If you believe any other information we hold is inaccurate, contact us and we will correct it.
Delete your data. You can delete individual records in the app, or delete your entire account from Settings. Account deletion removes all your data (see Section 8 for details).
Control sharing. You choose who to share your health data with, what to share, and for how long. You can revoke access at any time.
Withdraw consent. You can withdraw your consent for health data processing at any time by deleting your data or your account.
Complain. See Section 14.
11. Children and Young People
Exora requires a minimum age of 14 to create an independent account in Australia. This aligns with the age at which individuals gain control of their own My Health Record.
Parents and guardians can manage health records for children of any age through dependent profiles on their account. The parent or guardian declares their authority when creating a dependent profile and controls all data and sharing for that profile.
We do not knowingly allow children below the minimum age for their region to create independent accounts. If we discover an account was created by someone under the minimum age, we will work with the child’s parent or guardian to resolve the situation, which may include closing the account or migrating data to a parent-managed dependent profile.
12. Cookies and Tracking
We do not use advertising cookies, tracking pixels, or cross-site tracking.
Our web app uses essential cookies only for authentication and session management. These are necessary for the app to function and do not track you across other websites.
We do not currently use analytics or crash reporting tools. If we add these in future, we will update this policy.
13. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements.
Material changes (changes to what data we collect, how we use it, or who we share it with): We will give you at least 14 days' advance notice via in-app notification and/or email before the changes take effect.
Minor changes (clarifications, formatting, correcting errors): We may update the policy without advance notice.
The date at the top of this policy indicates when it was last updated. Previous versions are available on request by contacting hello@exora.au. Continued use of Exora after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account before they take effect.
14. Complaints
If you have a concern about how we handle your personal information:
Step 1 - Contact us. Email our Privacy Officer at hello@exora.au. We will acknowledge your complaint within 5 business days.
Step 2 - Investigation. We will investigate your complaint and provide a substantive response within 30 days. If we need more time, we will let you know.
Step 3 - Escalation. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Online complaint form: www.oaic.gov.au/privacy/privacy-complaints
- Post: GPO Box 5288, Sydney NSW 2001
15. Contact Us
Exora Health Pty Ltd
ABN 16 690 025 462
Privacy Officer: hello@exora.au
For questions about this privacy policy, how we handle your data, or to exercise any of your rights, contact us at the email address above.
See also our Terms of Service for the rules governing your use of Exora.
This privacy policy is governed by the laws of Australia.