Privacy Policy

1. Introduction

Meghan Quinlan, trading as Nooch Nutrition (ABN 15 825 891 385), ("we", "us", or "our") is committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Health Records and Information Privacy Act 2002 (NSW).

As a health service provider, we are bound by the Privacy Act regardless of our annual turnover, and we take our obligations seriously. This policy describes how we collect, hold, use, and disclose your personal and health information.

2. What personal information we collect

We may collect the following types of information:

Personal information:

• Name, date of birth, gender
• Address, phone number, email address
• Emergency contact details
• Medicare number, private health insurance details, NDIS details

Health and sensitive information:

• Medical history and current health conditions
• Dietary information, food allergies and intolerances
• Medications and supplements
• Pathology and test results
• GP referrals and correspondence from other health professionals
• Body measurements and anthropometric data
• Mental health information where relevant to nutrition care
• Family medical history

Financial information:

• Billing details and payment information (collected and processed via Halaxy)

Website information:

• Name and email address submitted via our contact form
• Website usage data (pages visited, browser type, device information) if analytics are enabled

3. How we collect personal information

We collect personal information:

• Directly from you — during consultations (telehealth, phone, or in-person), via our website contact form, by email, phone, or other correspondence
• From third parties — from your GP or other health professionals via referrals (with your consent), from pathology providers, from Medicare or your private health insurer
• Via our website — through our contact form, and through analytics tools if enabled
• Via our booking system — through Halaxy, our third-party practice management software, when you book an appointment or receive appointment reminders

We will only collect sensitive information (including health information) with your consent, except where permitted by law.

4. Why we collect, use, and disclose personal information

We collect, hold, use, and disclose your personal information for the following purposes:

• To provide dietetic assessment, treatment, and ongoing nutrition care
• To manage your appointments and send appointment reminders (via Halaxy)
• To process payments and submit claims to Medicare, the DVA, NDIS, or private health insurers
• To communicate with other health professionals involved in your care (with your consent)
• To comply with our legal and professional obligations, including mandatory reporting requirements
• To respond to enquiries you submit via our website contact form
• To improve our website and services

We will not use your personal information for any purpose other than those described above, or a directly related purpose you would reasonably expect, unless we have your consent or are required by law.

5. How we store and protect your information

We take reasonable steps to protect your personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure.

• Clinical records are stored electronically in Halaxy, which is hosted on Australian-based servers (AWS) with 256-bit encryption and bank-grade security measures
• Website data is transmitted via SSL/TLS encryption (HTTPS)
• Access to your personal information is limited to the practitioner (Meghan Quinlan) only
• We regularly review our security practices

6. Disclosure of personal information

We may disclose your personal information to:

• Other health professionals involved in your care (with your consent)
• Medicare, the DVA, NDIS, or your private health insurer for claims processing
• Our professional supervisors (de-identified where possible)
• Government authorities where required by law (e.g., mandatory reporting obligations, court orders, subpoenas)

We will never sell, rent, or trade your personal information to third parties.

7. Third-party service providers

We use the following third-party service providers in the operation of our practice and website:

• Halaxy — practice management, online bookings, appointment reminders (SMS/email), telehealth, and payment processing. Your data is stored in Australia. Halaxy may use third-party providers for certain features (e.g., SMS delivery). See Halaxy's Privacy Policy.
• Resend — delivery of contact form submissions from our website. Resend's servers are located in the United States.
• Vercel — website hosting. See Vercel's Privacy Policy.

When you click links to external websites or social media platforms (including Instagram, Facebook, and TikTok), you leave our website and are subject to those platforms' own privacy policies. We are not responsible for the privacy practices of external websites.

8. Cross-border disclosure

Some of your personal information may be disclosed to recipients located outside Australia:

• United States — website hosting (Vercel), contact form email delivery (Resend)
• Other countries — Halaxy may use third-party SMS providers located overseas for appointment reminders

Where we disclose personal information overseas, we take reasonable steps to ensure the overseas recipient handles your information in accordance with the Australian Privacy Principles.

9. Cookies and website analytics

Our website may use cookies — small text files stored on your device — to improve your browsing experience.

• We do not use cookies to collect health information
• You can disable cookies in your browser settings, though this may affect website functionality
• If analytics tools are enabled, they collect anonymised or aggregated data about website usage (such as pages visited and general location). This data does not identify you personally.

10. Your rights — access and correction

You have the right to:

• Request access to the personal information we hold about you
• Request correction of any information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading

To make a request, please contact us using the details in Section 16 below. We will respond to your request within 30 days. We may charge a reasonable administrative fee for providing access. We will require proof of identity before releasing any information.

In certain limited circumstances, we may refuse access (for example, where providing access would pose a serious threat to someone's health or safety, or would unreasonably impact the privacy of others). If we refuse access, we will provide you with written reasons.

11. Anonymity and pseudonymity

You may interact with us anonymously or using a pseudonym where it is practicable to do so — for example, when making a general enquiry via our website or social media.

However, for clinical dietetic services, we require your identification to provide safe and effective care, to process claims, and to comply with our professional and legal obligations.

12. Retention and disposal

We retain health records for a minimum of 7 years from the date of the last entry, in accordance with NSW requirements under the Health Records and Information Privacy Act 2002. Where the patient was a child at the time of treatment, records are retained until the patient turns 25 years of age, or for 7 years after the last entry, whichever is later.

Contact form submissions are retained for 12 months and then deleted.

After the applicable retention period, records are securely destroyed or permanently de-identified.

13. Data breaches

We are committed to protecting your personal information. In the event of an eligible data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.

14. How to make a complaint

If you believe we have breached the Australian Privacy Principles or the NSW Health Privacy Principles, you may lodge a complaint with us using the contact details in Section 16 below. We will investigate and respond to your complaint within 30 days.

If you are not satisfied with our response, you may escalate your complaint to:

• Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au — Phone: 1300 363 992
• Information and Privacy Commission NSW (IPC) — www.ipc.nsw.gov.au — Phone: 1800 472 679
• Dietitians Australia — for professional conduct matters — www.dietitiansaustralia.org.au

15. Direct marketing

We will only use your personal information for direct marketing (such as newsletters or educational content) with your express consent. You may opt out of receiving marketing communications at any time by contacting us or using the unsubscribe mechanism provided in the communication.

We will never use your health information for marketing purposes.

16. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated policy will be published on our website with a revised "last updated" date. We encourage you to review this policy periodically.

17. Contact us

If you have any questions about this Privacy Policy, wish to make an access or correction request, or would like to lodge a complaint, please contact us:

Nooch Nutrition Meghan Quinlan — Accredited Practising Dietitian ABN: 15 825 891 385 Newcastle, NSW 2300

You can reach us via the contact form on our website or by messaging us on Instagram (@meg_dietitian).