Privacy Policy
Effective Date: 21 April 2026 · Last reviewed: 21 May 2026
Introduction
Metabolic Physio ("we," "us," or "our") is committed to protecting the privacy of your personal information and sensitive health information. This Privacy Policy outlines how we collect, use, store, disclose, and protect your information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
As an AHPRA-registered physiotherapy practice, we are bound by strict professional and legal obligations regarding the handling of health information. We take these obligations seriously and have implemented robust measures to ensure your information remains secure and confidential.
By engaging our services, you consent to the collection and use of your information as described in this policy. We encourage you to read this document carefully and contact us if you have any questions.
1. Information We Collect
1.1 Personal Information
We collect personal information necessary to identify you and provide our services, including but not limited to:
- Full name
- Date of birth
- Residential address
- Email address
- Telephone number
- Medicare number (for rebate processing)
- Emergency contact details
1.2 Sensitive Health Information (Special Category Data)
Under the Privacy Act 1988, health information is classified as "sensitive information" (also referred to as "Special Category" data) and is afforded additional protections. We collect this Special Category health data for the sole purpose of generating your personalised metabolic health report — a comprehensive analysis of your metabolic health to inform your physiotherapy management.
The sensitive health information we collect includes:
- Medical history and current health conditions
- Symptoms and presenting concerns
- Current medications and supplements
- Blood chemistry results (comprehensive blood panels)
- Functional pathology results, including Organic Acids Test (OAT) data
- Consultation notes and clinical observations
- Treatment protocols and recommendations provided
- Progress notes and follow-up records
1.3 Third-Party Laboratory and Imaging Data Sharing
To facilitate pathology testing and body composition imaging, we share only the necessary minimum data with the following third-party providers:
i-Screen (Blood Chemistry)
Data shared: Name, date of birth, contact details, and referring practitioner information
Data received: Blood chemistry panel results (50+ biomarkers)
Commercial model: Scott Dunford is registered as your "requesting practitioner" under i-Screen's Practitioner T&Cs. Metabolic Physio receives no commission from i-Screen; any client discount is passed through to you in full.
NutriPath (Organic Acids Test & Cellular Energy Test)
Data shared: Name, date of birth, contact details, and referring practitioner information
Data received: Organic Acids Test (OAT) results, Cellular Energy Test results, and other functional pathology data
Commercial model: Scott Dunford is the registered practitioner. Metabolic Physio receives no commission from NutriPath; any client discount is passed through to you in full.
DEXA Imaging Partner (Body Composition)
Data shared: Name, date of birth, contact details, and referring practitioner information
Data received: DEXA body composition scan results including visceral adipose tissue (VAT), bone mineral density (BMD), lean mass index, and regional body composition data
Partner Dietitian (Meal Plan Add-on)
Data shared: Only if you select the dietitian add-on and give explicit consent: your dietitian intake responses (dietary preferences, allergies, budget, household, goals) together with a practitioner-prepared summary of the relevant biomarker, DEXA and OAT findings
Data received: A structured meal plan prepared by the credentialed partner dietitian, merged into your patient handout
Commercial model: The dietitian is engaged under a revenue-share arrangement; Metabolic Physio also charges a data-coordination fee. The meal plan is the dietitian's professional work; Scott Dunford does not provide dietary advice. Your dietitian intake is stored by Metabolic Physio (Supabase, Australian-accessible) until the plan is delivered.
You will be asked to provide consent for these providers to share your results with Metabolic Physio before any testing or imaging is ordered, and a separate explicit consent before any data is shared with the partner dietitian. All providers are Australian-based and subject to Australian privacy law. You may withdraw this consent at any time.
1.4 Supabase (Database)
When you submit any intake form or become a member, the following may be stored in our Supabase database (hosted in Sydney, Australia): (a) name, email, phone, date of birth and a mapping to your Cliniko record (to prevent duplicate patient records and power the member portal); (b) pending booking metadata and any selected add-ons; (c) your dietitian intake responses if you select the meal-plan add-on; (d) continuity-email scheduling metadata. Supabase holds the same row-level security controls and encryption-at-rest protections as our primary clinical vault. Detailed clinical results (lab reports, consultation notes, treatment protocols) remain in Cliniko.
2. How We Collect Information
We collect information through the following methods:
- Directly from you: Through intake forms, consultations, emails, and telephone communications
- From third-party laboratories: Pathology results from i-Screen and NutriPath, with your consent
- From referring practitioners: If you are referred by a GP or other healthcare provider, we may receive relevant clinical information with your consent
- During telehealth consultations: Information discussed during video consultations is documented in your clinical record
We will only collect sensitive health information with your consent, except in circumstances permitted by law (such as emergencies where consent cannot be obtained).
3. Purpose of Collection
We collect your personal and health information solely for the following purposes:
- Providing physiotherapy services: To conduct metabolic assessments, analyse pathology results, and develop personalised health and movement protocols
- Clinical record-keeping: To maintain accurate health records as required by law and professional standards
- Appointment management: To schedule consultations, send reminders, and manage your care
- Billing and Medicare claims: To process payments and submit Medicare rebate claims on your behalf (with your authorisation)
- Communication: To contact you regarding your care, follow-up recommendations, or appointment changes
- Legal and regulatory compliance: To meet our obligations under healthcare legislation and professional registration requirements
We will not use your information for purposes beyond those stated above without your explicit consent, except where required or permitted by law.
4. Data Storage and Security
4.1 Practice Management System
All clinical records and personal information are stored using Cliniko, a practice management system that is fully compliant with the Australian Privacy Principles (APP) and the Privacy Act 1988 (Cth).
Sensitive Health Data Stored in Cliniko:
- Date of birth and personal identifiers
- Blood chemistry results and panel data
- Organic Acids Test (OAT) results
- DEXA body composition scan results (VAT, BMD, lean mass)
- Clinical notes and consultation records
- Your personalised metabolic health report
Cliniko provides the following security measures:
- Australian-hosted servers: All data is stored on secure servers located within Australia, ensuring compliance with Australian privacy law
- End-to-end encryption: Data is encrypted both in transit and at rest using industry-standard encryption protocols
- Two-Factor Authentication (2FA): Access to patient records requires multi-factor authentication
- Regular security audits: The platform undergoes ongoing security assessments and updates
- Automatic backups: Data is regularly backed up to prevent loss
4.2 Additional Security Measures
In addition to our practice management system, we implement the following security measures:
- Secure, password-protected devices for accessing patient information
- TLS-secured email transport (Resend) for transactional and intake communications; please do not include sensitive health details in unsolicited emails
- Secure video consultation platforms for telehealth appointments
- Restricted access: only authorised personnel can access your records
4.3 Data Breach Response
In the unlikely event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.
5. Disclosure of Information
5.1 When We May Disclose Your Information
We may disclose your information in the following circumstances:
- With your consent: To other healthcare providers involved in your care (e.g., your GP, referring practitioners)
- Medicare: To process Medicare rebate claims on your behalf
- Legal requirements: Where required by law, court order, or regulatory authority
- Emergency situations: To protect your health or safety, or the health and safety of others
5.2 Cross-Border Data Processing
Your health information is primarily stored on Australian servers. However, in limited circumstances, de-identified or partial data may be processed by overseas service providers as part of our clinical workflows:
- AI-Assisted Lab Report Analysis: Extracted text from pathology reports may be processed by Anthropic (United States) to assist with structured data extraction. Only biomarker names and numeric values are transmitted; no patient names, dates of birth, or contact details are sent. We use API endpoints contracted not to use submitted data for model training.
- Website Chatbot: Our website chatbot uses AI processing by Anthropic (United States). Conversations with the chatbot are not linked to your clinical records and are not used to make clinical decisions about you.
- Payment Processing (Stripe): Card payments are processed by Stripe, Inc. (United States). We never see or store your full card number. Stripe handles cardholder data under PCI-DSS Level 1 compliance.
- Transactional & Marketing Email (Resend): Email delivery (booking confirmations, intake notifications, newsletter) is handled by Resend, Inc. (United States). Emails contain your name and email address; clinical content in transactional emails is limited to service names and high-level next steps.
- Website Hosting (Vercel): This website is hosted on Vercel, Inc. (United States). Standard request data (IP address, user-agent, page accessed) may be processed during page loads and serverless function execution.
- Supplement Dispensary (Vital.ly): Where you choose to order practitioner-recommended supplements, your name and email are shared with Vital.ly Pty Ltd (Australia) so an order link can be issued. Ordering is always optional and requires your active consent at the point of recommendation. Metabolic Physio retains a standard practitioner margin on Vital.ly orders (Terms §7.7).
- Tyro Health (Medicare claiming): Where Medicare CDMP rebates apply, claim data is processed by Tyro Health Pty Ltd (Australia) and Services Australia. Only the data required to process the claim is shared.
- Website Analytics (Google Analytics & Google Tag Manager): We use Google Analytics 4 (property G-5NZ22H8HK7) and Google Tag Manager (container GTM-5GNJL89K), provided by Google LLC (United States), to measure aggregated traffic and form-conversion patterns. IP address, page accessed, device, and a randomised analytics cookie ID are processed only after you accept cookies via the consent banner. We do not send personally identifiable information to Google.
- Advertising Measurement (Meta Pixel): The Meta Pixel (ID 1669407157582846), provided by Meta Platforms, Inc. (United States), measures the performance of social-media advertising. Page views and conversion events fire only after you accept cookies. We do not send health information to Meta.
- Telehealth Video (Coviu via Cliniko): Video and audio for telehealth consultations are delivered by Coviu Global Pty Ltd (Australia), embedded in our Cliniko practice-management system. Calls are end-to-end encrypted and are not recorded by default. Recording requires the prior written consent of both parties (Telehealth Consent §6).
- Contact-Form Processing (Web3Forms): Our /contact page submits directly to Web3Forms Pte Ltd (Singapore). The name, email, phone (optional) and message you supply are transmitted to Web3Forms and forwarded to our practice inbox. Please do not include sensitive health details in the contact form; book an intake instead.
- Site Performance (Vercel Speed Insights): Anonymised page-load timings and route data are collected by Vercel, Inc. (United States) via Speed Insights. No IP address or personal identifier is stored against the timings.
In accordance with Australian Privacy Principle 8, we have taken reasonable steps to ensure these overseas processors handle data consistently with the APPs. Your identifiable health records are not disclosed to overseas recipients without your express, informed consent.
6. Access and Correction Rights
6.1 Your Right to Access
Under Australian Privacy Principle 12, you have the right to request access to the personal and health information we hold about you. To request access:
- Submit a written request to scott@metabolicphysio.com.au
- We will verify your identity before providing access
- We will respond to your request within 30 days
- A reasonable fee may apply for providing copies of records
6.2 Your Right to Correction
Under Australian Privacy Principle 13, if you believe the information we hold about you is inaccurate, incomplete, out-of-date, or misleading, you have the right to request correction. To request a correction:
- Submit a written request detailing the information you believe is incorrect
- We will investigate and respond within 30 days
- If we agree, we will correct the record and notify any third parties to whom we have disclosed the information
- If we disagree, we will provide written reasons and advise you of your right to request that a statement of your claim be attached to the record
6.3 Exceptions to Access
In limited circumstances, we may refuse access to certain information if permitted by law—for example, if providing access would pose a serious threat to your health or safety, or would unreasonably impact the privacy of others. If access is refused, we will provide written reasons and advise you of your options.
7. Data Retention
We retain your health records in accordance with legal requirements and professional standards:
- Adult patients: Health records are retained for a minimum of 7 years from the date of last consultation
- Patients under 18: Records are retained until the patient turns 25 years of age, or for 7 years from the last consultation, whichever is longer
- Financial records: Retained for 7 years as required by Australian tax law
After the required retention period, records are securely destroyed using methods that ensure complete and irreversible deletion (e.g., secure digital deletion for electronic records, shredding for any physical documents).
8. Website and Cookies
Our website may use cookies and similar technologies to improve your browsing experience. Cookies are small text files stored on your device that help us understand how visitors use our site.
- We do not collect sensitive health information through our website without your explicit action (e.g., submitting a form)
- Analytics data is used only to improve website functionality and user experience
- You can disable cookies through your browser settings, though some website features may not function correctly
9. Complaints Process
9.1 Lodging a Complaint with Us
If you believe we have breached your privacy or mishandled your personal information, you may lodge a complaint directly with us:
Email: scott@metabolicphysio.com.au
Subject Line: Privacy Complaint
Please include details of your concern, the approximate date of the incident, and your preferred method of contact. We will acknowledge your complaint within 7 days and provide a response within 30 days.
9.2 Escalating to the OAIC
If you are not satisfied with our response, or if you prefer to lodge a complaint directly with the regulator, you may contact the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make changes:
- The updated policy will be published on this page with a new "Effective Date"
- For significant changes, we may notify you directly via email
- Your continued use of our services after changes are published constitutes acceptance of the updated policy
11. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your information, please contact us:
Metabolic Physio
Privacy Officer: Scott Dunford
Email: scott@metabolicphysio.com.au
ABN: 11 503 543 399
AHPRA Registration: PHY0002271516
Metabolic Physio | AHPRA Registered Physiotherapy Practice
This Privacy Policy complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.