Privacy Policy
Effective Date: 20 February 2026
Introduction
Metabolic Physio ("we," "us," or "our") is committed to protecting the privacy of your personal information and sensitive health information. This Privacy Policy outlines how we collect, use, store, disclose, and protect your information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
As an AHPRA-registered physiotherapy practice, we are bound by strict professional and legal obligations regarding the handling of health information. We take these obligations seriously and have implemented robust measures to ensure your information remains secure and confidential.
By engaging our services, you consent to the collection and use of your information as described in this policy. We encourage you to read this document carefully and contact us if you have any questions.
1. Information We Collect
1.1 Personal Information
We collect personal information necessary to identify you and provide our services, including but not limited to:
- Full name
- Date of birth
- Residential address
- Email address
- Telephone number
- Medicare number (for rebate processing)
- Emergency contact details
1.2 Sensitive Health Information (Special Category Data)
Under the Privacy Act 1988, health information is classified as "sensitive information" (also referred to as "Special Category" data) and is afforded additional protections. We collect this Special Category health data for the sole purpose of generating your personalised "Metabolic Blueprint" — a comprehensive analysis of your metabolic health to inform your physiotherapy management.
The sensitive health information we collect includes:
- Medical history and current health conditions
- Symptoms and presenting concerns
- Current medications and supplements
- Blood chemistry results (comprehensive blood panels)
- Functional pathology results, including Organic Acids Test (OAT) data
- Consultation notes and clinical observations
- Treatment protocols and recommendations provided
- Progress notes and follow-up records
1.3 Third-Party Laboratory and Imaging Data Sharing
To facilitate pathology testing and body composition imaging, we share only the necessary minimum data with the following third-party providers:
i-Screen (Blood Chemistry)
Data shared: Name, date of birth, contact details, and referring practitioner information
Data received: Blood chemistry panel results (50+ biomarkers)
NutriPath (Organic Acids Test)
Data shared: Name, date of birth, contact details, and referring practitioner information
Data received: Organic Acids Test (OAT) results and functional pathology data
DEXA Imaging Partner (Body Composition)
Data shared: Name, date of birth, contact details, and referring practitioner information
Data received: DEXA body composition scan results including visceral adipose tissue (VAT), bone mineral density (BMD), lean mass index, and regional body composition data
You will be asked to provide consent for these providers to share your results with Metabolic Physio before any testing or imaging is ordered. All providers are Australian-based and subject to Australian privacy law. You may withdraw this consent at any time.
2. How We Collect Information
We collect information through the following methods:
- Directly from you: Through intake forms, consultations, emails, and telephone communications
- From third-party laboratories: Pathology results from i-Screen and NutriPath, with your consent
- From referring practitioners: If you are referred by a GP or other healthcare provider, we may receive relevant clinical information with your consent
- During telehealth consultations: Information discussed during video consultations is documented in your clinical record
We will only collect sensitive health information with your consent, except in circumstances permitted by law (such as emergencies where consent cannot be obtained).
3. Purpose of Collection
We collect your personal and health information solely for the following purposes:
- Providing physiotherapy services: To conduct metabolic assessments, analyse pathology results, and develop personalised health and movement protocols
- Clinical record-keeping: To maintain accurate health records as required by law and professional standards
- Appointment management: To schedule consultations, send reminders, and manage your care
- Billing and Medicare claims: To process payments and submit Medicare rebate claims on your behalf (with your authorisation)
- Communication: To contact you regarding your care, follow-up recommendations, or appointment changes
- Legal and regulatory compliance: To meet our obligations under healthcare legislation and professional registration requirements
We will not use your information for purposes beyond those stated above without your explicit consent, except where required or permitted by law.
4. Data Storage and Security
4.1 Practice Management System
All clinical records and personal information are stored using Cliniko, a practice management system that is fully compliant with the Australian Privacy Principles (APP) and the Privacy Act 1988 (Cth).
Sensitive Health Data Stored in Cliniko:
- Date of birth and personal identifiers
- Blood chemistry results and panel data
- Organic Acids Test (OAT) results
- DEXA body composition scan results (VAT, BMD, lean mass)
- Clinical notes and consultation records
- Your personalised Metabolic Blueprint
Cliniko provides the following security measures:
- Australian-hosted servers: All data is stored on secure servers located within Australia, ensuring compliance with Australian privacy law
- End-to-end encryption: Data is encrypted both in transit and at rest using industry-standard encryption protocols
- Two-Factor Authentication (2FA): Access to patient records requires multi-factor authentication
- Regular security audits: The platform undergoes ongoing security assessments and updates
- Automatic backups: Data is regularly backed up to prevent loss
4.2 Additional Security Measures
In addition to our practice management system, we implement the following security measures:
- Secure, password-protected devices for accessing patient information
- Encrypted email communications for sharing sensitive information
- Secure video consultation platforms for telehealth appointments
- Restricted access: only authorised personnel can access your records
4.3 Data Breach Response
In the unlikely event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.
5. Disclosure of Information
5.1 When We May Disclose Your Information
We may disclose your information in the following circumstances:
- With your consent: To other healthcare providers involved in your care (e.g., your GP, referring practitioners)
- Medicare: To process Medicare rebate claims on your behalf
- Legal requirements: Where required by law, court order, or regulatory authority
- Emergency situations: To protect your health or safety, or the health and safety of others
5.2 No Overseas Disclosure
Your health information is stored on Australian servers and is not disclosed to overseas recipients without your express, informed consent. If a situation arises where overseas disclosure may be necessary (which is not anticipated in the normal course of our services), we will seek your explicit consent beforehand and inform you of the relevant privacy protections (or lack thereof) in the recipient country.
6. Access and Correction Rights
6.1 Your Right to Access
Under Australian Privacy Principle 12, you have the right to request access to the personal and health information we hold about you. To request access:
- Submit a written request to scott@metabolicphysio.com.au
- We will verify your identity before providing access
- We will respond to your request within 30 days
- A reasonable fee may apply for providing copies of records
6.2 Your Right to Correction
Under Australian Privacy Principle 13, if you believe the information we hold about you is inaccurate, incomplete, out-of-date, or misleading, you have the right to request correction. To request a correction:
- Submit a written request detailing the information you believe is incorrect
- We will investigate and respond within 30 days
- If we agree, we will correct the record and notify any third parties to whom we have disclosed the information
- If we disagree, we will provide written reasons and advise you of your right to request that a statement of your claim be attached to the record
6.3 Exceptions to Access
In limited circumstances, we may refuse access to certain information if permitted by law—for example, if providing access would pose a serious threat to your health or safety, or would unreasonably impact the privacy of others. If access is refused, we will provide written reasons and advise you of your options.
7. Data Retention
We retain your health records in accordance with legal requirements and professional standards:
- Adult patients: Health records are retained for a minimum of 7 years from the date of last consultation
- Patients under 18: Records are retained until the patient turns 25 years of age, or for 7 years from the last consultation, whichever is longer
- Financial records: Retained for 7 years as required by Australian tax law
After the required retention period, records are securely destroyed using methods that ensure complete and irreversible deletion (e.g., secure digital deletion for electronic records, shredding for any physical documents).
8. Website and Cookies
Our website may use cookies and similar technologies to improve your browsing experience. Cookies are small text files stored on your device that help us understand how visitors use our site.
- We do not collect sensitive health information through our website without your explicit action (e.g., submitting a form)
- Analytics data is used only to improve website functionality and user experience
- You can disable cookies through your browser settings, though some website features may not function correctly
9. Complaints Process
9.1 Lodging a Complaint with Us
If you believe we have breached your privacy or mishandled your personal information, you may lodge a complaint directly with us:
Email: scott@metabolicphysio.com.au
Subject Line: Privacy Complaint
Please include details of your concern, the approximate date of the incident, and your preferred method of contact. We will acknowledge your complaint within 7 days and provide a response within 30 days.
9.2 Escalating to the OAIC
If you are not satisfied with our response, or if you prefer to lodge a complaint directly with the regulator, you may contact the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make changes:
- The updated policy will be published on this page with a new "Effective Date"
- For significant changes, we may notify you directly via email
- Your continued use of our services after changes are published constitutes acceptance of the updated policy
11. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your information, please contact us:
Metabolic Physio
Privacy Officer: Scott Dunford
Email: scott@metabolicphysio.com.au
ABN: 11 503 543 399
AHPRA Registration: PHY0002271516
Metabolic Physio | AHPRA Registered Physiotherapy Practice
This Privacy Policy complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.