Privacy Policy

Last updated: 18 May 2026

1. About this policy

XpressOT (“we”, “us”, “our”) is an Australian software service that assists occupational therapists in preparing assistive technology supporting letters. This Privacy Policy explains how we collect, use, disclose, and protect personal information, including health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Information we collect

We collect the following types of information:

  • Account information: name, email address, AHPRA registration number, practice name, practice address, and phone number.
  • Client health information: entered by the practitioner into the letter wizard, including diagnoses, medications, ADL assessments, functional observations, and social history. This information is entered by and remains under the control of the practitioner.
  • Usage data: page views, feature interactions, and error logs used to improve the service.
  • Billing information: processed by Stripe. XpressOT does not store credit card numbers.

3. How we use your information

  • To provide and operate the XpressOT service, including generating letters and storing your client data for reuse.
  • To process subscription payments via Stripe.
  • To send transactional emails (account confirmations, billing receipts). We do not send marketing emails without consent.
  • To diagnose technical issues and improve service reliability.

4. Health information

Client health information entered into XpressOT is classified as sensitive information under the Privacy Act 1988. It is collected by the practitioner, on behalf of their practice, for the purpose of generating clinical correspondence. XpressOT processes this information solely as a data processor on the practitioner's instruction. Practitioners are responsible for obtaining appropriate consent from their clients for the use of their health information in clinical documentation software.

5. Data storage and security

All data is stored using Supabase, hosted on AWS ap-southeast-2 (Sydney, Australia). We use industry-standard encryption in transit (TLS 1.2+) and at rest. Access to your data is restricted to authenticated users only. We do not sell your data or your clients' data. We disclose information only to service providers required to operate XpressOT — some of which are located overseas. See section 10 for the full list of overseas processors and the countries involved.

6. AI-generated content

Letter content is generated using the Anthropic Claude API. Clinical data entered in the wizard is sent to Anthropic's API for the purpose of generating the letter. Anthropic's API is subject to their own privacy policy. We use API access without training data opt-in, meaning your data is not used to train Anthropic's models. Practitioners must review all generated letters before use and remain responsible for their clinical accuracy.

7. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your account and associated data.
  • Complain about a breach of your privacy rights.

To exercise any of these rights, contact us at privacy@xpressot.com.au.

8. Cookies

We use session cookies required for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email or an in-app notice at least 14 days before they take effect.

10. Overseas disclosure

Some personal information is disclosed to, or processed by, third-party service providers located overseas. Under Australian Privacy Principle 8, we take reasonable steps to ensure these providers handle your information consistently with the APPs.

  • Supabase Inc (USA / AWS) — database hosting and authentication. Data is stored on AWS infrastructure in the Asia-Pacific region (ap-southeast-2, Sydney); Supabase personnel and support systems are based in the USA.
  • Anthropic PBC (USA) — AI letter generation. Clinical data entered in the wizard is sent to the Anthropic Claude API to generate the letter. Data is not used to train Anthropic models.
  • Stripe Inc (USA) — payment processing. Billing information is handled by Stripe under their own privacy policy.
  • Vercel Inc (USA) — cloud hosting and deployment of the XpressOT web application.
  • Resend Inc (USA) — transactional email delivery (account confirmations, billing receipts).
  • Sentry Inc (USA/EU) — error monitoring and performance logging. No client health information is transmitted: clinical data and personal identifiers are redacted from error logs before they leave our servers.

11. Notifiable data breaches

XpressOT is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach that is likely to result in serious harm to any individual, we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable and no later than 30 days after becoming aware of the eligible data breach.
  • Notify affected individuals directly where reasonable and practicable.
  • Take immediate steps to contain the breach and reduce any resulting harm.

To report a suspected data breach or security vulnerability, contact us immediately at privacy@xpressot.com.au.

12. Contact

For privacy enquiries or complaints, contact:
XpressOT
Email: privacy@xpressot.com.au

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).

© 2026 XpressOT