Privacy Policy
Version: draft-0 · Effective: not yet effective
This Privacy Policy explains how The Dream Skin Co (“we”, “us”, “our”) handles your personal information, including sensitive health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. Open and transparent management of your information
Placeholder: describe how we openly manage personal information, who is accountable, and where to find this policy.
2. What personal and health information we collect
Placeholder: list the categories of personal information we collect (identity, contact, payment, appointment, treatment) and the categories of sensitive/health information (medical history, consent records, clinical photos, treatment notes).
3. How we collect and hold your information
Placeholder: describe collection channels (in-clinic forms, online intake, phone, email) and storage (Australian-hosted Supabase / cloud infrastructure, encryption at rest and in transit, access controls).
4. Purposes of collection and use (APP 5)
Placeholder: list the primary purposes (delivering treatment, clinical record-keeping, scheduling, payment processing, regulatory compliance) and any related secondary purposes.
5. Disclosure to third parties
Placeholder: describe disclosures (treating practitioners, payment processors, scheduling/Mindbody, government bodies as required by law) and the contractual safeguards applied.
6. How we secure your information (APP 11)
Placeholder: describe administrative, technical, and physical safeguards — RLS-enforced multi-tenant database, role-based access, audit logging, encrypted backups, retention and secure destruction.
7. Accessing and correcting your information (APP 12 & 13)
Placeholder: describe how a person can request access to or correction of their personal information held by us, the timeframe for response, and any verification we may require.
8. Overseas disclosure of personal information (APP 8)
Placeholder: identify any overseas recipients (e.g. cloud sub-processors), the countries involved, and the steps we take to ensure overseas recipients comply with the APPs.
9. Retention and destruction
Placeholder: state retention periods, statutory minimums for clinical records, and how we de-identify or destroy data when no longer required.
10. Cookies and online tracking
Placeholder: describe session cookies used for authentication and any analytics, including how a user can opt out.
11. Children and minors
Placeholder: describe how consent is handled where the patient is a minor and the role of a parent/guardian.
12. Complaints and the OAIC
Placeholder: describe our internal complaints process, expected timeframes, and the right to escalate to the Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au · 1300 363 992.
13. Changes to this policy
Placeholder: describe how we version this policy and notify users. Re-acceptance is recorded against policies_version on the user's record.
14. How to contact us
Placeholder: Privacy Officer name, postal address, phone, and email for privacy enquiries and complaints.
This document is a working draft. Final language is subject to legal review and is not binding in its current form.