Privacy Policy

Introduction

Holyland Medical Pty Ltd ABN 37 692 644 367 (We, Us, Our) provides a digital infrastructure (Platform) that facilitates online medical consultations between patient users (You, Your) and independent medical practitioners (Medical Practitioner).

This Privacy Policy applies to Your use of the Platform and sets out how We handle Your personal information (including Your health and sensitive information) (Personal Data) in accordance with the European General Data Protection Regulation (GDPR), privacy laws in Australia (including the Privacy Act 1988 (Cth) and the Australian Privacy Principles), and to the extent applicable, any other privacy and data protection laws in the jurisdiction in which You and Our Medical Practitioners are located.

By using Our Platform or providing Us with Your Personal Data, You agree to Our collection, use, handling and disclosure of Your Personal Data in accordance with this Privacy Policy. If You do not agree, You must immediately cease use of the Platform.

Data controller

We act as a data controller in relation to the Personal Data that We collect and process for the operation, administration, security and improvement of the Platform and for the purposes described in this Privacy Policy. Medical Practitioners may act as separate or joint controllers in relation to Personal Data processed in connection with the Consultation.

Collection and use of Personal Data

Personal Data refers to information that identifies You or that could reasonably be used, either alone or in combination with other information, to identify You, and includes any information about Your physical or mental health.

Personal Data includes information that You provide to Us and information that We collect when You access or use the Platform.

We may collect the following Personal Data from You when You use the Platform to book, manage and/or attend an online consultation with a Medical Practitioner to obtain a second medical opinion about Your medical condition (Consultation):

  • Your name, contact email address and phone number, country in which You are located (including time zone), and language spoken;
  • Your health data, including Your date of birth, sex, height and weight, medical history, and symptoms;
  • any documents that You upload to Our Platform, including any medical records, reports, referrals, pathology results, imaging, scans, test results, specialist letters, treatment plans, prescriptions, identity documents, questionnaires, forms, or other information or documentation (Patient Uploaded Records);
  • Your payment information for the purpose of processing the Consultation fees;
  • details of Your interactions with Us; and/or
  • information about Your use of the Platform (including through cookies and analytics tools).

We will only collect Personal Data which is reasonably necessary for, or directly related to, Our functions and activities. We will only collect health data or any other special categories of data under the GDPR with Your consent or where collection is authorised by law.

We may use Your name and email address for direct marketing where We have Your express or inferred consent to do so. We will never use Your health data or any other special categories of data under the GDPR for direct marketing purposes. You may withdraw Your consent to direct marketing at any time by using the unsubscribe mechanism in any marketing communications or by contacting Us using the details specified at clause 13 of this Privacy Policy.

Legal basis for processing Your Personal Data

For the purposes of the GDPR and any other applicable privacy and/or data protection laws, We process Personal Data on one or more of the following legal bases:

  • where processing is necessary for the performance of a contract with You, including providing You with access to the Platform, facilitating Your Consultation with a Medical Practitioner and processing Your payment of the Consultation fee;
  • where processing is necessary for Our legitimate interests, including responding to enquiries, and administering, maintaining, security and improving the Platform, preventing fraud, and protecting the rights and safety of Platform users and Our business;
  • where processing is necessary to comply with Our legal obligations;
  • where You have provided Your consent, including for direct marketing communications; and
  • where processing is otherwise permitted or required by applicable law.

Where We process Your health data or any other special categories of data under the GDPR, We do so only where permitted by applicable law, including where such processing is necessary for the provision of healthcare, medical diagnosis or treatment by a Medical Practitioner on the Platform.

Disclosure of Personal Data

We may disclose Your Personal Data to the following categories of recipients where necessary to operate the Platform and facilitate Your access to the Platform:

  • the Medical Practitioner, as necessary to provide You with the Consultation;
  • payment service providers, including Stripe (https://stripe.com/au/privacy), who process payments made through the Platform as an independent controller;
  • technology and infrastructure providers, including Microsoft Azure, who provide cloud hosting, IT infrastructure, security and related services to support the operation of the Platform;
  • communications and Consultation service providers, including Daily.co (https://www.daily.co/legal/privacy/) and Mailjet (https://www.mailjet.com/legal/privacy-policy/), who facilitate delivery of the Consultation and related communications;
  • analytics and performance providers, who assist Us in understanding Platform usage and improving Our Services; and
  • professional advisers and regulatory authorities, where required for legal, regulatory, insurance or dispute resolution purposes.

We do not sell Your Personal Data to any third party.

Overseas Disclosure

As the Platform operates internationally, Your Personal Data may be disclosed to or accessed by, recipients located outside Australia, including in the European Union.

Where We disclose Personal Data to overseas recipients, We take reasonable steps to ensure that these recipients handle Your Personal Data in accordance with the GDPR and the Australian Privacy Principles, including entering into appropriate contractual safeguards such as Standard Contractual clauses (SCCs) approved by the European Commission.

Security, storage and retention of Personal Data

We take reasonable steps to protect Your Personal Data from misuse, interference, loss and unauthorised access, modification or disclosure.

We implement appropriate technical and organisational security measures, which may include encryption, secure access controls, time-limited secure access links for Your Medical Practitioner to access Patient Uploaded Records, audit logging, and regular security reviews and assessments.

Your Personal Data is stored using reputable third-party cloud infrastructure providers, including Microsoft Azure, with data hosted in the West Europe region (Netherlands).

We retain Your Personal Data only for as long as is necessary to fulfil the purpose for which it was collected, or as required to comply with any legal, regulatory or professional obligations. At the conclusion of the applicable retention period, Your Personal Data is securely deleted or de-identified.

Access and correction and other rights

You may request access to any of Your Personal Data at any time, including to request that We correct or update any Personal Data that is incorrect, inaccurate or out of date.

Where the GDPR applies to the processing of Your Personal Data, You may also have additional rights, including:

  • the right to request erasure of Your Personal Data;
  • the right to restrict processing;
  • the right to object to processing;
  • the right to data portability in certain circumstances;
  • the right to withdraw consent where processing is based on consent; and/or
  • the right not to be subject to automated decision-making, where applicable.

You also have the right to lodge a complaint with a supervisory authority in the European Union.

If You wish to exercise any of these rights, please contact Us using the details specified at clause 13 of this Privacy Policy.

Cookies and analytics

We use cookies when You use the Platform to enable essential functionality, improve performance, enhance user experience, and to perform analytics. Where required by law, We will ask for Your consent before placing or accessing any cookies on Your device that are not strictly necessary for the operation of the Platform.

You may manually configure Your browser to refuse cookies or delete existing cookies from Your hard drive. However, by deleting, disabling or refusing to accept cookies You may obstruct Your ability to experience the full functionality of the Platform.

Complaints and concerns

If You have a privacy concern or complaint, please contact Us in the first instance at holylandmedical@gmail.com. We will respond within a reasonable timeframe, and in any event within 30 days (or such shorter period as may be required by applicable law).

If You are not satisfied with Our response, You may make a complaint to the Privacy Commissioner via the Office of the Australian Information Commissioner (OAIC).

If You are located in the European Union, You also have the right to lodge a complaint with Your local data protection supervisory authority.

Changes to Our Privacy Policy

We may review and update this Privacy Policy from time to time. Where We make material changes to this Privacy Policy, We will take reasonable steps to notify You (e.g. by email or by posting a notice on Our Platform).

Contact details

For questions, concerns or complaints relating to Your Personal Data please contact Us via the details below:

  • Privacy Officer:
  • Data Protection Officer:
  • EU Representative:

Last updated: 29.06.2026