1. About this Privacy Policy
This Privacy Policy applies to personal information collected, used, stored or disclosed through:
- the Dorsum web application;
- our website;
- our AI transcription, clinical documentation and workflow tools;
- our integrations with electronic medical record systems, radiology providers, pathology providers and other third-party clinical systems;
- support, onboarding, billing and customer communications;
- custom integration tools or plugins used to support authorised workflows; and
- any other product or service that links to this Privacy Policy.
This Privacy Policy applies to clinicians, clinic administrators, practice staff, patients whose information is processed by authorised users, and internal Dorsum personnel.
2. Summary of key points
- Dorsum provides clinical workflow software, AI transcription, clinical documentation tools, external investigation access, and EMR integration services.
- We collect personal information only where reasonably necessary to provide, secure, maintain and improve our services.
- We may process sensitive health information, including patient notes, audio recordings, investigation details, demographic details and clinical documentation, when this information is entered, uploaded, synced or authorised by our customers and users.
- We do not sell personal information to third parties.
- We do not use patient data or customer clinical data to train general AI models, unless expressly agreed in writing.
- We disclose personal information only where required to provide our services, support our platform, meet legal obligations, protect security, or where otherwise permitted by law.
- We use administrative, technical and organisational measures to help protect personal information, including encryption, access controls and role-based permissions.
3. Personal information we collect
The personal information we collect depends on how you use Dorsum.
Account and user information
When a user creates or is invited to a Dorsum account, we may collect:
- name;
- email address;
- password hash;
- role or permissions;
- clinic, practice or organisation details;
- professional title;
- registration number or provider identifier;
- billing or subscription status;
- login and account activity.
Clinical and patient information
When authorised users use Dorsum, we may collect and process patient or clinical information, including:
- patient names and demographic details;
- consultation notes;
- dictations;
- audio recordings;
- transcripts;
- letters and clinical documents;
- referrals;
- medications, allergies and past medical history;
- investigation details;
- radiology and pathology information;
- EMR data synced or accessed through integrations;
- any other information entered, uploaded, dictated, imported or generated by users.
This information may include sensitive health information.
Integration information
Some Dorsum services connect with third-party clinical systems, including EMRs, investigation providers and other healthcare platforms. Where authorised by a customer or user, we may collect or process information required to provide these integrations, such as appointment data, patient context, clinical documents, EMR identifiers, provider details and workflow metadata.
Some integrations may require custom technical tools or plugins to support authorised workflows. These tools are designed to operate only for Dorsum-related purposes and to process the minimum information reasonably necessary to provide the relevant integration.
Technical and usage information
We may collect technical and usage information, including:
- IP address;
- browser type;
- device information;
- operating system;
- login times;
- user actions within the platform;
- error logs;
- server logs;
- diagnostic information;
- audit and security logs;
- performance and reliability data.
We may use tools such as LogRocket or similar services to help identify bugs, diagnose issues and improve platform reliability. Where these tools process personal information, we treat that information in accordance with this Privacy Policy.
Support and customer service information
We may use Intercom or similar support platforms to manage support tickets, customer communications, onboarding, product assistance and service updates.
When you contact us through support channels, we may collect and process information such as your name, email address, organisation, role, message history, support requests, technical details and any information you choose to provide.
Users should avoid including unnecessary patient information in support messages unless it is required to resolve the issue and they are authorised to disclose it.
Payment information
Payments and subscription billing may be handled by Stripe or another payment provider. We may collect subscription, invoice and payment status information. Card numbers and full payment details are handled by the payment provider and do not reach our servers.
Communications information
When you contact us, request support, book a demo, complete onboarding, respond to emails, or otherwise communicate with us, we may collect:
- name;
- email address;
- organisation;
- role;
- phone number;
- communication history;
- support requests;
- information you choose to provide.
Website and marketing information
When you visit our website, we may collect information through cookies, analytics tools and similar technologies, including:
- website usage data;
- pages visited;
- browser and device information;
- referral source;
- marketing engagement data.
You may control cookies through your browser settings, although some website functionality may not work properly if cookies are disabled.
4. How we collect personal information
We may collect personal information:
- directly from users;
- from clinics, practices, hospitals or other customers;
- from authorised EMR or clinical system integrations;
- from radiology, pathology or other investigation providers where authorised;
- from uploaded documents, audio files or clinical records;
- through support, onboarding, sales or billing communications;
- automatically through technical logs and usage records;
- from third-party service providers where required to operate our services.
Where it is reasonable and practicable, we collect personal information directly from the individual. However, because Dorsum provides services to healthcare organisations, patient information is often provided to us by clinicians, practices or systems acting under their own legal and clinical obligations.
5. Why we collect, use and process personal information
We collect, use and process personal information to:
- provide Dorsum’s clinical workflow platform;
- provide AI transcription and clinical documentation functionality;
- generate drafts, summaries, letters and other clinical outputs;
- integrate with EMRs and other clinical systems;
- retrieve, display, organise or sync external investigations;
- authenticate users and protect accounts;
- manage subscriptions, billing and payments;
- configure accounts, templates and workflows;
- provide onboarding, training and technical support;
- manage support tickets and customer communications;
- maintain, secure and improve the platform;
- detect bugs, faults, unauthorised use or security issues;
- comply with legal, regulatory and professional obligations;
- communicate with users about product updates, maintenance and service status;
- respond to complaints, disputes, legal claims or regulatory requests.
We may also use aggregated or de-identified information to improve our services, develop product functionality, monitor performance and understand usage trends. We do not treat aggregated or de-identified information as personal information where it can no longer reasonably identify an individual.
6. AI processing
Dorsum uses artificial intelligence and related technologies to provide transcription, documentation, summarisation and workflow automation features.
Clinical information may be processed by Dorsum and selected service providers for the purpose of delivering these features. We take reasonable steps to ensure that service providers process information only as required to provide services to us and subject to appropriate confidentiality, security and data handling obligations.
Unless expressly agreed in writing, Dorsum does not use patient data or customer clinical data to train general AI models.
AI-generated outputs are intended to assist clinicians and authorised users. Users remain responsible for reviewing, editing and approving clinical documentation before use.
7. Legal basis under the GDPR
Where the GDPR applies, we may process personal data on one or more of the following legal bases:
- performance of a contract;
- consent;
- legitimate interests;
- compliance with legal obligations;
- provision of health or clinical services, where applicable;
- establishment, exercise or defence of legal claims.
Where we process personal data on behalf of a customer, such as a clinic or healthcare organisation, we may act as a processor or service provider. Where we determine the purposes and means of processing, we may act as a controller.
8. Sensitive information and health information
Dorsum may process sensitive information, including health information, where it is reasonably necessary to provide our services, where authorised by our customers or users, where required or permitted by law, or where another lawful basis applies.
We do not intentionally collect sensitive information unrelated to the provision of our clinical services.
Users must only enter, upload, sync or disclose patient information into Dorsum where they have authority to do so.
9. Disclosure of personal information
We may disclose personal information to third parties where reasonably necessary to provide, support, secure or improve our services.
This may include disclosure to:
- cloud hosting providers;
- database and infrastructure providers;
- AI, transcription and processing providers;
- payment processors such as Stripe;
- support and customer communication providers such as Intercom;
- analytics, logging and error monitoring providers;
- email, communication and support providers;
- EMR, radiology, pathology or other clinical system providers where integrations are configured or authorised;
- professional advisers, including lawyers, accountants, insurers and auditors;
- regulators, courts, government agencies or law enforcement where required or permitted by law;
- a purchaser or successor entity if we sell, restructure or merge all or part of our business.
We only disclose the minimum amount of personal information reasonably necessary for the relevant purpose.
We do not sell personal information to third parties for their own marketing purposes.
10. Third-party integrations and platforms
Dorsum may integrate with third-party platforms, including EMRs, investigation providers, communication providers and other clinical systems.
Where a user or customer configures Dorsum to connect with a third-party platform, we may send, receive, display or store personal information as required for that integration to function.
Third-party platforms may have their own privacy policies, terms and security practices. Dorsum is not responsible for the privacy practices of third-party platforms that are not operated or controlled by us.
11. Overseas disclosure
We may disclose or transfer personal information to service providers located outside Australia where reasonably necessary to provide our services.
Where we transfer personal information overseas, we take reasonable steps to ensure that the information is handled consistently with applicable privacy laws.
Where the GDPR applies, we will take appropriate steps to support lawful international transfers, which may include standard contractual clauses, adequacy decisions or other lawful transfer mechanisms.
12. Security
We take privacy and security seriously. We use a range of administrative, technical and organisational measures to help protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure.
These measures may include:
- encryption in transit and at rest;
- role-based access controls;
- account authentication;
- access logging and monitoring;
- internal confidentiality obligations;
- restricted employee and contractor access;
- secure cloud infrastructure;
- backup and disaster recovery processes;
- security review processes;
- incident response processes;
- data breach response procedures.
No method of transmission or storage is completely secure. While we take reasonable steps to protect personal information, we cannot guarantee that unauthorised access, disclosure or misuse will never occur.
13. Retention and deletion
We retain personal information only for as long as reasonably necessary for the purposes for which it was collected, unless a longer period is required or permitted by law.
Patient and clinical data retention may be configured by each clinic or customer. The default deletion period for certain patient data may be thirty days, unless otherwise configured or agreed.
Operational logs may be retained for up to twelve months.
Backups may be retained for up to thirty days.
Support messages and support ticket records may be retained for as long as reasonably necessary to provide support, maintain service history, resolve disputes, comply with legal obligations and improve customer service, unless a shorter retention period is required by law or agreed with a customer.
Where a customer stops using Dorsum, we may delete, return or de-identify personal information within a reasonable period, unless we are required or permitted to retain it for legal, regulatory, security, backup, dispute resolution or legitimate business purposes.
If data has already been deleted in accordance with retention settings, it may not be recoverable.
14. Direct marketing
We may use business contact information to send information about Dorsum products, updates, events or services that may be relevant to users or customers.
You can opt out of marketing communications at any time by using the unsubscribe function in the communication or by contacting us.
We do not send marketing communications in breach of the Spam Act 2003 (Cth).
15. Automated decision-making
Dorsum does not use automated decision-making to make decisions that produce legal or similarly significant effects about individuals.
Dorsum may use automated processing to assist with transcription, summarisation, documentation, data retrieval and workflow automation. These outputs are intended to support users and should be reviewed by authorised clinicians or staff before being relied upon.
16. Access, correction and privacy rights
You may request access to, correction of, or deletion of personal information that we hold about you, subject to applicable legal exceptions.
Where the GDPR applies, you may also have rights to:
- restrict processing;
- object to processing;
- data portability;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority;
- not be subject to certain automated decisions.
Where we process personal information on behalf of a clinic, practice or healthcare organisation, we may need to refer requests relating to patient records or clinical data to that customer.
To make a request, contact us using the details below.
17. Data breaches
We maintain processes for responding to suspected or actual data breaches.
Where required by law, including under the Notifiable Data Breaches scheme in Australia or applicable GDPR obligations, we will notify affected individuals, customers, regulators or supervisory authorities.
18. If you do not provide personal information
You may choose not to provide personal information. However, if required information is not provided, we may not be able to create an account, provide access, deliver support, process billing, enable integrations or provide Dorsum services.
19. Complaints
If you have a privacy concern or complaint, please contact us first so we can try to resolve it.
We will aim to respond within a reasonable period.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner.
OAIC contact details:
- Phone: 1300 363 992
- Website: oaic.gov.au
- Address: GPO Box 5218, Sydney NSW 2001
If the GDPR applies, you may also lodge a complaint with your local data protection authority.
20. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technology, services or legal obligations.
The updated version will be published on our website or within our services with a new “Last updated” date.
Your continued use of Dorsum after an updated Privacy Policy is published means the updated Privacy Policy applies to your use of our services.
21. Contact us
For privacy questions, requests or complaints, please contact:
DORSUM.AI PTY LIMITED
ABN 82 671 574 897
ACN 671 574 897
New South Wales, Australia
Email: privacy@dorsum.ai