AI & Data Processing Supplement

This supplement forms part of, and should be read together with, the Infraworx Privacy Policy. Where any inconsistency exists between the two documents, the specific terms of this supplement prevail in relation to the AI-powered services described below.

Effective date: 25 April 2026
Last updated: 1 May 2026

1. Purpose and scope

This supplement explains how Infraworx Pty Ltd (ABN 95 119 297 488) collects, uses, stores, and shares personal information specifically in connection with:

  • Our free online audits (Automation Audit, SEO Audit, Bookkeeping ROI Audit)
  • Our AI-powered chatbot
  • Consultation bookings made via the site
  • Email marketing relating to these services
  • Any AI-powered workflow we operate on your behalf under a paid engagement

It does not change our Privacy Policy’s terms for any other activity (such as general website browsing, managed IT support, or cloud backup services) — those continue to be governed by the main Privacy Policy.

2. Information we collect through these services

When you use our AI-powered services we may collect:

  • Contact information — your name, work email, phone number, and company name
  • Business context — industry, company size, role, current tools and software in use, operational challenges you describe
  • Audit inputs — the website URL, company materials, or other information you voluntarily provide so we can generate your audit
  • Chatbot transcripts — the full text of conversations you have with our chatbot, including any information you type into it
  • Engagement data — email opens, link clicks, form submission timestamps, booking activity, and similar interaction metadata
  • Technical data — IP address, approximate geographic location (country/state, not precise), browser type, device type, referring URL

Our forms and chatbot are designed to collect business and operational context only — not sensitive information as defined in section 6 of the Privacy Act 1988 (Cth). Please do not enter racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal record, or financial account numbers into our forms or chatbot.

Health-related information is treated under a separate posture for medical, allied health, dental, and other health-service practices — see Section 2A below.

2A. Medical, allied health, and health-related information

We work with medical practices, allied health providers, dental practices, specialist clinics, and other health-service organisations through our Medical AI Audit and related engagements. This section sets out exactly how we handle health-related information that may be submitted through those channels.

What we do NOT collect

The Medical AI Audit form (and any related intake form) is built to collect practice-level operational context only:

  • Your role and the type of practice (general practice, allied health, specialist, etc.)
  • Approximate practice size (number of clinicians, support staff)
  • Practice management software (PMS) in use — Best Practice, MedicalDirector, Genie, Clinic to Cloud, Halaxy, etc.
  • The administrative or operational pain point you want help with (e.g. recall workflow, online booking pressure, after-hours triage, reception handover)

We do not ask for, and you should not submit:

  • Patient names, dates of birth, Medicare numbers, IHI, or any patient identifiers
  • Patient health records, clinical notes, scripts, pathology, imaging, or My Health Record extracts
  • Identifiable Medicare or PBS billing data
  • Information that identifies any individual patient by inference (e.g. “Mrs J Smith of postcode 2060 with condition X”)
  • Photographs of clinical screens, EMR exports, or any document containing patient-identifiable information

If a practice manager inadvertently includes patient-identifiable information in a free-text field, we will work with you to redact it from our systems and confirm the redaction with you by email.

What we do collect (and how we treat it)

Free-text descriptions of administrative pain points may incidentally reference health concepts at a category level — for example “chronic disease recall workflow” or “women’s health screening reminders”. We treat any such category-level health reference as sensitive information under APP 3 even though it does not identify a patient, and we apply the following protections to it:

  • Consent (APP 3.3) — by submitting the audit form, you consent to your free-text input being used solely to generate your audit report and to inform any follow-up consultation you request.
  • Use limitation (APP 6) — your input will not be used for any secondary purpose (advertising lookalike modelling, training third-party AI models, or sale to data brokers — none of which we do).
  • Storage and access (APP 11) — your input is stored on our self-hosted Australian infrastructure (n8n + EspoCRM) and is accessible only to staff working on your audit.
  • LLM processing — your input is sent to a Large Language Model provider for analysis (see Section 4). We disable model training opt-in flags where available, and we do not send patient-identifying details. The free-text submitted is sent as-is.
  • Retention — your full audit submission is retained for 90 days under our medical-vertical retention rule (shorter than the general 24-month rule in Section 6), then permanently deleted unless you become a paying client.
  • Data residency — your audit input is stored at rest in Australia. It transits to LLM provider regions (United States or European Union) only at the moment of audit generation, and is not retained by the LLM provider beyond the API call (subject to the provider’s standard log-retention terms — typically 30 days for abuse-monitoring purposes only).

Health Records and APP — how the obligations divide

The Privacy Act 1988 (Cth) and applicable state and territory health records legislation (including the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic), and the Health Records (Privacy and Access) Act 1997 (ACT)) both govern health information. Where Infraworx is engaged on a paid basis to operate AI workflows that handle health information, we will enter into a written data-handling agreement with you that addresses:

  • The roles of each party as APP entity and (where applicable) Health Service Provider
  • Storage location (Australian-region hosting, with named data centres)
  • Sub-processors and their compliance posture
  • Breach notification timelines (within our 72-hour APP scheme commitment, see Section 8)
  • Audit rights and exit data return / destruction

The free Medical AI Audit is a scoping conversation, not an engagement to handle patient information. No patient information should reach us at the audit stage, and our systems are not configured to receive or store it.

Strict guardrails on what AI does in any medical engagement

Even on paid engagements, we maintain hard guardrails — encoded in our workflow design and reviewed by senior staff:

  • AI handles administrative scaffolding only: recall lists, reminder messaging, simple reschedules, intake form parsing, reception handover summaries
  • AI does not generate or modify clinical content, diagnostic suggestions, prescribing recommendations, or any output that influences a clinician’s clinical decision
  • AI does not access My Health Record, ePA records, prescribing software, or pathology systems
  • Every patient-facing AI output (e.g. an SMS reminder draft) is reviewed by a human staff member at the practice before send, unless your practice has documented and signed off on a specific exception in the data-handling agreement
  • Clinicians remain responsible for clinical content and patient relationships at all times

How to ask us to delete your audit submission

Under APP 13 you may at any time email privacy@infraworx.com.au and ask us to delete your audit submission. We will action the deletion within 30 days and confirm by reply email.

3. How we use this information

We process the information above for the following purposes:

  • To generate and deliver the audit or report you requested
  • To route your enquiry to the right specialist at Infraworx
  • To respond to your consultation booking and related follow-up
  • To enable our chatbot to answer your questions
  • To send you related information about our services, where you have opted in or where Australian law otherwise permits
  • To improve our services (using anonymised or aggregated data only)
  • To comply with our legal and tax obligations (for example, keeping engagement records for audit purposes)

4. Third-party service providers we use

We use the following third-party service providers to operate our AI-powered services. All providers are bound by written agreements or their published data processing terms. Where a provider is located outside Australia, we take reasonable steps as required by Australian Privacy Principle 8 to ensure the provider complies with privacy standards substantially similar to the Australian Privacy Principles.

| Provider | What they do for us | What data they process | Location |
|---|---|---|---|
| Large Language Model (LLM) providers | Generates AI-powered analysis that appears in your audit report. We select between multiple providers depending on the task, cost, and performance profile required. | Your audit input (business context, website URL, form responses). For Medical AI Audit submissions, the free-text pain-point field is sent as-is — see Section 2A for the full medical-information posture. We do not send payment card numbers, patient identifiers, patient health records, or other identifiable sensitive information. | Primarily United States and European Union, varying by provider |
| Brevo (formerly Sendinblue) | Transactional and marketing email delivery | Your name, email address, audit PDF attachments, email interaction metadata | European Union (primarily Paris, France) |
| Smartlead | Cold-outreach email infrastructure for business development | Publicly available business contact details used for B2B outreach | United States |
| DataForSEO | SEO data APIs used by our SEO audit | The website URL being audited. No personal information. | Globally distributed edge infrastructure |
| EspoCRM | Customer relationship management | Contact details, engagement history, meeting notes | Self-hosted on our Australian infrastructure |
| Cloudflare | Content delivery, analytics, authentication (Cloudflare Access), secure tunnel routing | IP address, request metadata, authentication events | Global edge network (no single jurisdiction) |
| n8n | Workflow orchestration — our in-house automation engine | All data as it flows between the services above | Self-hosted on our Australian infrastructure |
| Tally.so | Online form collection for our audit intake forms | Everything you type into our forms | European Union (Ireland) |

We update this list as our service providers change. The LLM providers we use rotate based on the task at hand; if you would like to know which LLM providers we rely on for your specific audit, please email privacy@infraworx.com.au and we will tell you.

5. Cross-border disclosures (Australian Privacy Principle 8)

Several of our service providers are located outside Australia (United States and European Union). By submitting information through our AI-powered services, you acknowledge that your personal information will be disclosed to those overseas recipients for the purposes described in this supplement. We take reasonable steps under APP 8 to ensure the recipient handles the information consistently with the Australian Privacy Principles.

If you do not want your data disclosed overseas in this way, please do not submit it through our AI-powered services. We can usually discuss your situation by phone or email instead — contact privacy@infraworx.com.au.

6. How long we keep your data

  • Audit submissions and generated reports — retained for 24 months from submission, then deleted or fully anonymised
  • Engagement records (emails, meeting notes, call logs) — retained for 12 to 24 months after your last interaction with us
  • Chatbot transcripts — retained for 12 months
  • Email marketing list — retained while you’re subscribed, and permanently suppressed within 30 days of you unsubscribing
  • Customer and tax records — for paid customers, retained for 7 years from the end of the relevant financial year, to meet Australian Taxation Office retention obligations, then purged
  • Cloudflare logs and technical data — retained per Cloudflare’s standard terms (typically 30 days)

7. Your rights (Australian Privacy Principles)

Under the Privacy Act 1988 (Cth) you have the following rights in relation to the information we hold about you:

  • Access (APP 12) — you can ask for a copy of the personal information we hold about you. We aim to respond within 30 days.
  • Correction (APP 13) — if any information is inaccurate, incomplete, or out of date, you can ask us to correct it. We aim to act within 30 days.
  • Deletion — you can request deletion of your personal information. We will comply within 30 days unless we are legally required to keep it (for example, records we must keep under tax law).
  • Opt-out of marketing — every marketing email contains a one-click unsubscribe link. You can also email privacy@infraworx.com.au and ask to be removed.
  • Complaints — if you are unhappy with how we have handled your personal information, please contact us first at privacy@infraworx.com.au. If the matter is not resolved, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.

8. Data breach response

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner as soon as practicable — usually within 72 hours of becoming aware of the incident.

Our internal breach response includes detection, containment, risk assessment, notification where required, and remediation steps to prevent recurrence.

9. Cookies and analytics

Our site uses cookies and similar technologies for:

  • Essential function — signing you in to Cloudflare Access-protected tools (for internal users) and remembering your preferences
  • Privacy-respecting analytics — Cloudflare Web Analytics, which does not use cookies or track individual users, and does not sell data to third parties
  • Google Analytics 4 (if enabled) — used in anonymised mode with IP truncation and no advertising cookies

We do not use third-party advertising cookies. You can disable cookies in your browser settings, though some features of our site may not function correctly without them.

10. AI-generated content

Portions of our audit reports, chatbot responses, and suggestions are generated by AI systems. While we design our workflows so that every substantive recommendation is reviewable by a human before it affects your business, you should:

  • Treat AI-generated analysis as professional-grade guidance, not final advice
  • Verify significant decisions with a qualified professional (accountant, lawyer, IT consultant, etc.) where your business depends on them
  • Understand that AI systems can make mistakes, particularly on edge cases

Our staff are available to review any AI-generated output with you and to explain the reasoning behind any recommendation.

11. Changes to this supplement

We will update this supplement when our services, providers, or retention practices change. The “Last updated” date at the top of this page always reflects the current version. Where a change is material and affects you, we will also notify active users by email before it takes effect.

12. Contact us

For any question about this supplement or how we handle your personal information:

Email: privacy@infraworx.com.au
Post: Privacy Officer, Infraworx Pty Ltd, 122 Arthur Street, North Sydney NSW 2060
Phone: 1300 277 211

13. Disclaimer

This supplement describes our privacy practices and does not constitute legal advice. For advice on how Australian privacy law specifically applies to your circumstances, please consult a qualified legal professional.