Introduction
This Privacy Policy explains how we, Power Diary (ABN 14 147 141 188) protect the privacy of personal information. Power Diary provides internet-based software used to manage health practices and other appointment-based businesses. We are firmly committed to protecting the privacy and confidentiality of personal information and maintain robust physical, electronic and procedural safeguards to protect personal information in our care.
We’ve tried to make this Privacy Policy as easy to read as possible. After all, it’s your information and you deserve to know what we do to protect it, and all the rights you have. If there is anything you’re not sure of though, please contact our Data Protection Officer by emailing [email protected], and we’d be happy to answer any questions.
Definitions
We use a bunch of different terms in this policy. To make sure it’s clear what we are talking about, here are some definitions:
- Personal Data means data about a living individual that allows them to be identified from that data. It may be provided directly by a user or indirectly by a user about their client (for example, a health practitioner entering data about their patient). Personal information does not include “aggregate” information, which is data we collect about a group or category of products, services or people from which individual identities have been removed.
- Usage Data is data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Cookies are small pieces of data stored on a User’s device.
- Data Processor means the person or entity that processes data on behalf of a data controller. According to GDPR and for the purposes of this policy, Power Diary is considered to be the data processor.
- Data Controller means a person or entity who determines the purposes for which and the manner in which any personal data are, or are to be, processed. As part of using Power Diary you are likely to store personal data about your clients (or patients) in your Power Diary account. According to GDPR and for the purpose of this Privacy Policy, you, our customer and user, are considered to be the Data Controller of the data given to us to set up and manage a Power Diary account.
- Sub Processors (or Service Providers) means a person or entity who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process data more effectively.
- User (also referred to as our Customer) is the individual using our Service either directly or indirectly. The User is also referred to as the Data Subject and is any individual who can be identified via the Personal Data.
How we collect your data
Personal Data
While using our Service, we may ask users to provide us with certain personally identifiable information that can be used to contact or identify an individual (“Personal Data”). Personally identifiable information may include, but is not limited to: name, email address, telephone numbers, address, credit card details, cookies and information about that individual’s activities when directly linked to that person such as information about his or her use of the Power Diary website or services. Personal information can also include demographic information such as date of birth, gender, geographic area and preferences when such information is linked to other personal information that identifies an individual.
Where possible, we allow you to interact with us anonymously or by using a pseudonym. However, for most of our functions and activities, we will generally need your name and contact information and enough information about the matter to help you use the service effectively. If you choose not to provide your personal data, some functions and features on our websites and software may not be available and we may not be unable to provide you with all our services.
We don’t recommend it, but you can opt-out of receiving emails about new features and similar announcements by clicking on the ‘opt-out’ link or instructions in the email. Users cannot opt-out of receiving transactional emails or notifications relating to their account status, security announcements or other communication that might be essential to the operation of their account.
Of course, users that cease to use Power Diary, and all business with us is concluded (for example they have closed their practice and their Power Diary account), can opt-out of all communications from us.
Our users also enter personal data about their clients. This data can include sensitive information such as health records, and may include, but is not limited to: name, email address, telephone numbers, address, credit card details, insurance details, personal preferences, condition and treatment details. This data may also relate to minors and other vulnerable individuals who may be clients of Power Diary customers.
Usage Data
We may also collect information on how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as users’ computer Internet Protocol address (IP address), browser type, browser version, the pages of our Service that they visit, the time and date of their visit, the time spent on those pages, unique device identifiers and other diagnostic data.
Tracking & Cookies Data
We use cookies and similar tracking technologies to track the activity on our Service and hold certain information.
Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to a user’s browser from a website and stored on their device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyse our Service.
Users can instruct their browser to refuse all cookies or to indicate when a cookie is being sent. However, if they do not accept cookies, they may not be able to use some or all of our Service.
Examples of Cookies and Pixels we use: session cookies (we use these cookies to operate our Service), pixels to understand the user journey and ensure we are not serving ads inappropriately (eg Facebook pixels), and preference cookies (we use these cookies to remember users’ preferences and various settings). Please refer to our Cookie Notice for more inforation.
How we use your data
We treat all information we collect directly or indirectly as strictly confidential. We do not rent, lease nor make available its customer lists or any other information contained in customer accounts (including client details), to third parties. We will not reveal, disclose, sell, distribute, rent, license, share or pass onto any third party (other than those who are contracted or supply services to us including spam filter operators) any personal information that may have been provided to us directly, or stored in a customer’s account unless we have express consent to do so, other than in the circumstances set out in this policy.
Service Provision
First and foremost we use the personal data we collect and hold to operate our web site and deliver our services. We use personal information to provide customers with: online appointment booking services, client management utilities, telehealth functionality, billing and credit control, and more.
Communication
We may use personal data to contact users with information about new features or announcements, to update users on the status of their account, to issue invoices, receipts, payment reminders, to provide training information, operational communications (like security updates), to send marketing communications, to seek feedback, or communicate other information that may be relevant.
Customer Support
We use personal data to provide assistance with the resolution of any technical support issues and to assist users with using our service.
Analysis and Development
We may also use data to improve the Power Diary service or product, analyse trends, and for monitoring the usage of the service, to detect, prevent and address technical issues.
Human Resources Data
We collect and process your personal data for the purposes of managing employment candidate applications and recruitment-related activities, as well as for organizational planning purposes.
We may use your personal data in relation to the evaluation and selection of applicants for recruitment purposes including scheduling and conducting interviews, tests, evaluations, and assessing results for candidate selection.
Legal Basis for processing under GDPR and UK GDPR
We will process your personal information lawfully, fairly and in a transparent manner. Power Diary’s legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it.
Power Diary may process your Personal Data because:
- You have given us permission to do so (consent);
- The processing is in our legitimate interests and it’s not overridden by your rights;
- To comply with the law.
When we process personal data for purposes that are in our legitimate interests, we have carried out a Legitimate Interest Assessment to confirm what these interests are, to consider what effect the processing has on individuals, and to check if our interests in processing could be outweighed by individuals’ interests.
Location of Your Data
Unless otherwise stated in this Privacy Policy, your data will not be stored outside of Australia, Canada, the UK or the USA.
How your data might be shared
Power Diary will not disclose any personal data uploaded to our servers to anyone else without permission, except for the following reasons;
Legal or Moral Requirement
In rare circumstances, where permitted or required by law, requested and needed for a client’s emergency treatment in exceptional circumstances, or for the prevention of immediate risk of loss of life or serious harm; to various regulatory bodies and law enforcement officials and agencies to protect against fraud and for related security purposes, we will share the personal data necessary.
Processors and Sub-Processors
In order to deliver Power Diary’s platform and operate as a business, we collaborate with third-party vendors who can be categorised as either Processors or Sub-Processors, depending on our role as a controller or processor. In all cases, we provide only the minimum amount of personal data that is needed to perform the service and take reasonable steps to ensure these parties have appropriate data protection safeguards in place.
A list of our processors is as follows:
| Processors | ||
|---|---|---|
| Clickup | US | Product tracking feature requests |
| Cloudflare | US | Content delivery network |
| CookiePro | US | Cookie consent management |
| First Promoter | RO | Affiliate program management |
| Google Workspace | US | Company email, collaborative work |
| HR Partner | AU | HR management |
| Jira | US | Product issue tracking |
| Mailchimp | US | Email delivery |
| OpenVPN Cloud | US | VPN service |
| OptinMonster | US | Marketing campaign management |
| Securepay | AU | Payment gateway |
| SiteGround | SG | Hosting service |
| Skype | US | Video calls |
| Slack | US | Internal communication |
| Stripe | EU | Payment gateway |
| Tugboat Logic | US | Governance, risk and compliance platform |
| Xero | NZ | Accounting Platform |
| Zoom | US | Video calls |
A list of our sub-processors is as follows:
| Sub-processors | ||
|---|---|---|
| Amazon Web Services | AU, UK | Infrastructure |
| DropBox | US | Data transfer, file hosting service |
| Google Calendar API | US | API integration feature |
| Mailchimp API | US | API integration feature |
| Medicare API | AU | API integration feature |
| MessageMedia | AU | Text messages (SMS) |
| NewRelic | EU | Application performance monitoring |
| Physitrack API | UK | API integration feature |
| Sendgrid | US | Email delivery |
| Stripe API | EU | API integration feature |
| Twilio | US | Telehealth P2P video calls |
| Tyro API | AU | API integration feature |
| Xero API | US | API integration feature |
Corporate Transactions
In the unlikely event that Power Diary is involved in a merger, acquisition or asset sale, Personal Data may be shared during negotiations and ultimately transferred as part of the completed transaction. However all data remains subject to the promises made in this Privacy Policy unless, of course, the customer agrees to be subject to new Privacy Policy terms.
International Data Transfers
Power Diary operates internationally and we may share, transfer and process data in countries other than the country you live in. These countries may have different laws but rest assured that when we share personal data to a third party, we take all reasonable steps to ensure that personal data remains protected in the manner you would expect. For individuals in the European Economic Area (EEA), your data may be transferred outside of the EEA in certain conditions. Please refer to Appendix 2: For individuals based in the UK, European Economic Area, and Switzerland for further information.
Keeping your data secure
Power Diary will take reasonable steps to protect the personal information we hold from any misuse, interference, loss, and unauthorised access, modification or disclosure.
Security Precautions
Power Diary has an extensive range of security measures in place to protect personal information from unauthorised access, use, or loss. Our servers are maintained in a controlled and secured environment and access is restricted to only those who need it in order to provide the service.
Your Role
Our users also have an important role to play in keeping data secure. You are responsible for maintaining the confidentiality of your account details and password. Your passwords protect your personal information and you are responsible for any activities that occur in your account or in respect of your use of this service. Please let us know immediately if you suspect that the security of your password or account has been compromised in any manner.
Protecting Your Clients
You are responsible for making sure that your clients’ / patients’ privacy and associated rights are respected. As your Data Processor, we will take care to protect the privacy of your clients and will process their Personal Data in accordance with the terms of our agreement with you, and under your lawful instruction. Power Diary may provide options for you to integrate with various third-party systems however we do not control how, nor take responsibility for, the manner in which other systems manage personal data. You must assess for yourself the suitability of utilising third-party services in your context.
Links to Other Sites
Our service may contain links to other sites that are not operated by Power Diary. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Exemptions
Note that this policy refers to customer and user data and where applicable, the employee records exemption in the Privacy Act and any other applicable exemptions in the Privacy Act or other legislation will apply.
How we retain your data
We will retain Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will also retain and use Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
Your rights to your data
We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. If you are a resident of the European Economic Area (EEA), you have certain data protection rights, and we extend these rights to all users.
In certain circumstances, you have the following data protection rights:
- The right to access, update or to delete the information we have on you.
- The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
- The right to object. You have the right to object to our processing of your Personal Data.
- The right of restriction. You have the right to request that we restrict the processing of your personal information.
- The right to data portability. You have the right to be provided with a copy of your Personal Data in a structured, machine-readable and commonly used format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time where Power Diary relied on your consent to process your personal information.
If you wish to be informed about what Personal Data we hold about you and if you want it to be removed from our systems, please email [email protected]. Please note that we may ask you to verify your identity before responding to such requests. (If you are a patient or client of a business that uses Power Diary you will need to contact that business directly to discuss and evoke your protection rights.)
If you live in the EEA, you have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).
Changes to this policy
From time to time, we may review and update this Privacy Policy. Revised versions will be updated on this website and be effective once posted.
How to contact us
We welcome your feedback. If you have any questions or concerns about our Privacy Policy or our privacy practices, if you would like to make a request for information, or if you believe that we have not complied with this policy, the Privacy Act, or other privacy obligations, please contact us at:
Data Protection Officer
[email protected]
If you would prefer to speak by telephone, please email us with your contact details and concerns, and we will respond in a timely manner.
Power Diary treats your privacy seriously and any complaints will be assessed by an appropriate person with the aim of resolving any issue in an efficient and timely manner.
Appendix 1: For individuals based in Australia
Under the Privacy Act 1988 (No. 119, 1988) (as amended) (‘the Privacy Act’) you have the right to lodge a complaint if you think your information has been mishandled.
If you would like to exercise your rights or have a data-protection related question, please contact us. You can contact the Powe Diary Data Protection Officer at [email protected].
If you are not happy with our handling of your privacy concerns, you can also contact the Office of the Australian Information Commissioner (OAIC).
Appendix 2: For individuals based in the UK, European Economic Area, and Switzerland
Under the General Data Protection Regulation (GDPR) (EU) 2016/679 and The Data Protection Act 2018 (UK GDPR 2018) please note the following:
Power Diary as a Controller of Personal Information – When we determine the purposes and means of processing, we act as a data controller of personal information collected or processed.
Processing – We process your personal information on one or more of the following legal bases:
- Where we have a legitimate business interest to perform our contractual obligations, to provide our products, to respond to requests from you, to provide customer support, or provide you with information about our products;
- As necessary to comply with relevant law and legal obligations, including to respond to lawful requests and orders; or
- When applicable with your consent.
When we process personal data using legitimate business interests as a legal basis, we have carried out a Legitimate Interest Assessment to confirm these interests and consider the effect the processing has on individuals.
Information retention – Please see the “How we retain your data” section above for more information about data retention.
Your Rights – You have certain rights in relation to how your data is handled. Please see the Your rights to your data section above for more information. You also have a right to complain with our principal supervisory authority in the EU, the Irish Data Protection Commission, here https://www.dataprotection.ie/ or in the UK, here https://ico.org.uk/.
Consent – When you consent to our processing of your personal information for a specified purpose, you may withdraw your consent at any time. We will stop any further processing of your data for that purpose.
Cookies – Please refer to our Cookie Notice here https://www.powerdiary.com/eu/cookie-notice/.
Transfers outside of the EEA – When we transfer your personal information outside the EEA, we do so following the terms of this Privacy Notice and the requirements of the GDPR and other applicable data protection laws.
Questions and Contacts
If you like to exercise your rights or have a data-protection-related question, please contact us. You can contact the Power Diary Data Protection Officer at [email protected]
EU and UK Representative – We have appointed EU and UK Representatives as our point of contact with supervisory authorities or data subjects. Please contact for EEA [email protected] and [email protected].
Appendix 3: For individuals based in California, US
These additional state-specific privacy disclosures are required by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CCPR). They are effective as of December 30, 2022:
Categories of personal information collected – The personal information that we may collect, or may have collected from consumers in the preceding twelve months, falls into the following categories established by the California Privacy Rights Act, depending on how you engage with the Power Diary Website Products:
- identifiers, such as your name, alias, address, phone numbers, or IP address, your Power Diary log-in information, or a government-issued identifier;
- personal information as described in subdivision (e) of Section 1798.80 of the California Civil Code, such as a credit card number or other payment information;
- characteristics of protected classifications under California or US federal law, such as age, race, or gender, for example if we conduct user surveys or analysis;
- commercial information, such as purchase activity;
- internet or other electronic network activity information, including content interaction information, such as content downloads, streams, and playback details;
- biometric information, such as your voice or appearance, for example if you choose to participate in a demonstration of a speech or image recognition service;
- geolocation data, which may in some cases constitute precise geolocation information, such as the location of your device or computer, for example if you enable location services to enhance your experience through event applications we offer;
- audio, visual, electronic or other similar information, including when you communicate with us by phone or otherwise;
- professional or employment-related information, for example data you may provide about your business;
- inference data, such as information about your preferences; and
- education information, such as information about enrollment status, fields of study, or degrees, honors, and awards received.
We collect this information from you automatically through your interaction with the Power Diary Website Products or from third parties. Please see the How We Collect Your Data section.
We collect this information for the business and commercial purposes described in the How We Use Personal Information.
Categories of personal information disclosed for a business purpose – The personal information that we may have disclosed about consumers for a business purpose in the preceding twelve months fall into the following categories established by the California Privacy Rights Act, depending on how you engage with the Power Diary Website Products:
- Identifiers, such as your name, address, or phone numbers;
- personal information as described in subdivision (e) of Section 1798.80 of the California Civil Code, such as a credit card number or other payment information, for example if we use a third party payment processor;
- information that may reveal your age, gender, race, or other protected classifications under California or US federal law, for example if we conduct user surveys or analysis using a third party service provider;
- commercial information, such as the details of a product or service you purchased if a third party service provider is assisting to provide that product or service to you;
- Internet or other electronic network activity information, such as if we use a third party service provider to help us gather reports for analysing the health of our devices and services;
- biometric information, for example if you choose to participate in a demonstration of certain Power Diary services facilitated by a third party service provider;
- geolocation data, which may constitute precise geolocation data;
- audio, visual, electronic or other similar information, for example if a third party service provider reviews recordings of customer support phone calls for quality assurance purposes;
- professional or employment-related information;
- education information, for example if we facilitate employment or internship recruitment activities; and
Your Data Rights – You may have certain data rights under the California Privacy Rights Act or Virginia Consumer Data Protection Act, including requesting information about the collection of your personal information by us, accessing your personal information, correct or requesting the deletion of your personal information.
If you like to exercise your rights or have a data-protection-related question, please contact us at [email protected].
Additionally, you may have the right to appeal the denial of any of these rights by submitting the notice provided to you if we deny a data request.
To ensure the security of your Power Diary Platform, we will generally ask you to verify your request using the contact information you have already provided. Suppose you are an authorised agent requesting on behalf of a consumer under the California Privacy Rights Act. In that case, we may ask you to provide information verifying you have the proper authority to request on behalf of the consumer, or we may ask the consumer to verify their identity with us directly.
No sale or sharing of personal information – We do not sell or share consumers’ personal information, as those terms are defined under the California Privacy Rights Act.
California Privacy Rights Act Sensitive Personal Information Disclosure – The categories of data we collect and disclose for business purposes include “sensitive personal information” as defined under the California Privacy Rights Act. We do not use or disclose sensitive personal information for any purpose not expressly permitted by the California Privacy Rights Act.
California Privacy Rights Act Retention Disclosure – We keep your personal information to enable you to use the Power Diary Services for as long as it is required to fulfil the purposes described in this Privacy Notice, as permitted or required by law or otherwise communicated to you.
California Privacy Rights Act Non-Discrimination Statement – We will not discriminate against consumers for exercising their rights under the California Privacy Rights Act.
Appendix 4: For individuals based in Canada
Under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) please note the following:
Your Rights. Subject to applicable law, you have the right to-
- ask whether we hold personal information about you and request copies of such personal information and information about how it is processed;
- request that inaccurate personal information is corrected;
- request deletion of personal information that is no longer necessary for the purposes underlying the processing processed based on withdrawn consent, or processed in non-compliance with applicable legal requirements; and
- lodge a complaint with us regarding our practices related to your personal information.
If you wish to do any of these things, please contact us at [email protected].
If you are not happy with our handling of your privacy concerns, you can also file a complaint with the Office of the Privacy Commissioner of Canada (OPC)
Appendix 5: For individuals based in South Africa
Under the South African Protection of Personal Information Act, 2013 (POPIA) please note the following:
Controller of Personal Information – When Power Diary is the product provider, we act as a data controller of personal information collected or processed.
Your Rights. Subject to applicable law, you have the right to-
- request that inaccurate personal information is corrected;
- request deletion of personal information that is no longer necessary for the purposes underlying the processing, processed based on withdrawn consent, or processed in non-compliance with applicable legal requirements;
- object, at any time to the processing of your personal information for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications from Power Diary which is prohibited unless you give consent to receive such direct marketing;
- object, at any time (at which point we will cease processing of your personal information), to the processing of your personal information if you feel the processing of that personal information is not necessary for protection of your legitimate interest/s; proper performance of a public law duty by a public body; or pursuance of the legitimate interests of Power Diary or of a third party to whom the information is supplied; and
- to submit a complaint to the Information Regulator of South Africa regarding interference with the protection of your personal information.
If you wish to do any of these things and are a Power Diary South African customer, please contact us at [email protected].
The Information Regulator Contact Details – The Information Regulator of South Africa is located at JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001. P.O. Box 31533, Braamfontein, Johannesburg, 2017. You may direct general enquiries by email to: [email protected]. You may direct complaints by email to: [email protected].
Last updated: 10th June 2023
