Privacy Policy – Lister Health
1. Introduction
Lister Health Pty Ltd (ABN 75 540 445 705) ("Lister Health", "we", "us" or "our") is committed to protecting your privacy and managing personal information in an open and transparent way. This Privacy Policy outlines how we collect, hold, use, and disclose personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy applies to personal information collected in connection with our AI scribe service "Lister", which assists healthcare practitioners by transcribing and summarising patient and client encounters.
2. What personal information we collect
We may collect and hold the following types of personal information:
- Health information: audio recordings of consultations, medical conditions, medications, symptoms, diagnoses, and treatment plans.
- Personal identifiers: names, dates of birth, and contact details (if included in the consultation).
- Professional information: healthcare provider details such as name, clinic location, and practitioner ID.
- Device and technical data: IP address, device type, operating system, browser type, and access times (used for service monitoring and security).
We do not collect government identifiers (e.g. Medicare numbers) unless explicitly provided by the healthcare provider during a recorded consultation.
3. How we collect personal information
We collect personal information:
- Directly from healthcare practitioners who use our app.
- From audio recordings made during healthcare consultations, with patient consent.
- From interactions with our website or mobile app (such as usage and log data).
All information is collected with the intent of providing our core services and improving the experience for our users.
4. How we hold and protect personal information
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, including:
- Encryption of audio and text data in transit and at rest.
- Secure storage within Australian data centres (Google Cloud and AWS).
- Role-based access control and audit logging for internal staff access.
- Routine security testing and vulnerability assessments.
Recordings and transcripts are stored only for as long as necessary to provide services, after which they are securely deleted or de-identified unless the healthcare provider requests longer retention for clinical purposes.
5. Purposes for which we collect, hold, use and disclose personal information
We collect, hold, use, and disclose personal information for the following purposes:
- To transcribe and summarise patient consultations using AI services.
- To assist healthcare providers in preparing referral letters and clinical documentation.
- To improve and develop our product and services (using de-identified or aggregated data only).
- To comply with legal obligations, including under healthcare regulations.
We will not use or disclose personal information for secondary purposes unless required or authorised by law, or with the individual's consent.
6. Disclosure to third parties and overseas recipients
We disclose personal information to the following third-party service providers, strictly within Australia:
- Google Cloud (Gemini) for transcription of consultation audio, hosted in Australian data centres.
- Amazon Web Services (AWS), where we use Claude AI for summarisation, hosted in Australian data centres.
No personal information is disclosed outside Australia. We do not sell or trade personal information to any third party.
7. Access and correction
Individuals have the right to request access to personal information we hold about them and to request its correction if they believe it is inaccurate, out of date, incomplete, irrelevant, or misleading.
To make such a request, contact us using the details in Section 10. We will respond within a reasonable timeframe and may require identity verification before releasing any information.
8. Complaints
If you believe we have breached the APPs or mishandled your personal information, you can lodge a complaint by contacting us directly.
We will:
- Acknowledge your complaint within 5 business days.
- Investigate and respond within 30 days.
- Notify you of the outcome and any remedies.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
9. Anonymity and pseudonymity
You may contact us anonymously or using a pseudonym for general inquiries. However, full use of our services requires identification, especially where clinical information is involved.
10. Contact details
For access requests, corrections, complaints or other privacy inquiries, please contact:
Privacy Officer – Lister Health
Email: henry@lister.health
11. Updates to this Privacy Policy
We may update this policy from time to time to reflect changes in our operations or legal requirements. The most current version will be published on our website. A version history will be maintained below.
Version: 1.0
Effective date: 01/04/2025
Last reviewed: 01/05/2025