Last updated: 9 July 2026
XpressOT (“we”, “us”, “our”) is an Australian software service that assists occupational therapists in preparing clinical documentation, including assistive technology supporting letters, functional capacity assessments, and progress (SOAP) notes, and in checking draft reports for compliance. This Privacy Policy explains how we collect, use, disclose, and protect personal information, including health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
We collect the following types of information:
Because XpressOT is used by AHPRA-registered practitioners acting in their professional capacity, it is not practicable for us to deal with users anonymously or under a pseudonym (Australian Privacy Principle 2). We store client NDIS numbers where a practitioner enters them, but we do not adopt, use, or disclose government-related identifiers as our own identifier for any individual (APP 9).
Client health information entered into XpressOT is classified as sensitive information under the Privacy Act 1988. It is collected by the practitioner, on behalf of their practice, for the purpose of generating clinical correspondence. XpressOT processes this information solely as a data processor on the practitioner's instruction. Practitioners are responsible for obtaining appropriate consent from their clients for the use of their health information in clinical documentation software, and for ensuring the accuracy, currency, and completeness of the client information they enter (Australian Privacy Principle 10).
All data is stored using Supabase, hosted on AWS ap-southeast-2 (Sydney, Australia). We use industry-standard encryption in transit (TLS 1.2+) and at rest. Access to your data is restricted to authenticated users only. We do not sell your data or your clients' data. We disclose information only to service providers required to operate XpressOT — some of which are located overseas. See section 11 for the full list of overseas processors and the countries involved. Section 6 describes how long we retain your information and when it is destroyed.
We retain personal information only for as long as it is needed to provide the service, and destroy or de-identify it when it is no longer required (Australian Privacy Principle 11.2). Specific retention periods:
When you delete your account, we erase your account and client data, cancel and remove your billing record with our payment processor, and scrub residual identifiers from our audit logs, retaining only a minimal, de-identified record that the deletion occurred.
Report content is generated using the Anthropic Claude API. Clinical data entered in the wizard is sent to Anthropic's API for the purpose of generating the document. Anthropic's API is subject to their own privacy policy. We use API access without training data opt-in, meaning your data is not used to train Anthropic's models. Practitioners must review all generated documents before use and remain responsible for their clinical accuracy.
Under the Australian Privacy Principles, you have the right to:
To exercise any of these rights, contact us at privacy@xpressot.com.au. We will acknowledge your request or complaint within 5 business days and provide a substantive response within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC), see section 13.
We use session cookies required for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
We may update this policy from time to time. Material changes will be notified via email or an in-app notice at least 14 days before they take effect.
Some personal information is disclosed to, or processed by, third-party service providers located overseas. Under Australian Privacy Principle 8, we take reasonable steps to ensure these providers handle your information consistently with the APPs.
XpressOT is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). Where we suspect an eligible data breach may have occurred, we will assess it expeditiously and within 30 days. If we determine there has been an eligible data breach that is likely to result in serious harm to any individual, we will:
To report a suspected data breach or security vulnerability, contact us immediately at privacy@xpressot.com.au.
For privacy enquiries or complaints, contact:
XpressOT
Email: privacy@xpressot.com.au
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).
© 2026 XpressOT · Privacy Policy · Terms of Service · Security