Privacy Policy

Last updated: 9 July 2026

1. About this policy

XpressOT (“we”, “us”, “our”) is an Australian software service that assists occupational therapists in preparing clinical documentation, including assistive technology supporting letters, functional capacity assessments, and progress (SOAP) notes, and in checking draft reports for compliance. This Privacy Policy explains how we collect, use, disclose, and protect personal information, including health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Information we collect

We collect the following types of information:

  • Account information: name, email address, AHPRA registration number, practice name, practice address, and phone number.
  • Client identifying information: entered by the practitioner, including the client’s full name, date of birth, home address, NDIS number, funding type, and referrer details.
  • Client health information: entered by the practitioner, including diagnoses, medications, ADL assessments, functional observations, social history, and assessment findings. This information is entered by and remains under the control of the practitioner.
  • Usage data: page views, feature interactions, and error logs used to improve the service.
  • Billing information: processed by Stripe. XpressOT does not store credit card numbers.

Because XpressOT is used by AHPRA-registered practitioners acting in their professional capacity, it is not practicable for us to deal with users anonymously or under a pseudonym (Australian Privacy Principle 2). We store client NDIS numbers where a practitioner enters them, but we do not adopt, use, or disclose government-related identifiers as our own identifier for any individual (APP 9).

3. How we use your information

  • To provide and operate the XpressOT service, including generating letters and storing your client data for reuse.
  • To process subscription payments via Stripe.
  • To send transactional emails (account confirmations, billing receipts). We do not send marketing emails without consent.
  • To diagnose technical issues and improve service reliability.

4. Health information

Client health information entered into XpressOT is classified as sensitive information under the Privacy Act 1988. It is collected by the practitioner, on behalf of their practice, for the purpose of generating clinical correspondence. XpressOT processes this information solely as a data processor on the practitioner's instruction. Practitioners are responsible for obtaining appropriate consent from their clients for the use of their health information in clinical documentation software, and for ensuring the accuracy, currency, and completeness of the client information they enter (Australian Privacy Principle 10).

5. Data storage and security

All data is stored using Supabase, hosted on AWS ap-southeast-2 (Sydney, Australia). We use industry-standard encryption in transit (TLS 1.2+) and at rest. Access to your data is restricted to authenticated users only. We do not sell your data or your clients' data. We disclose information only to service providers required to operate XpressOT — some of which are located overseas. See section 11 for the full list of overseas processors and the countries involved. Section 6 describes how long we retain your information and when it is destroyed.

6. Data retention and destruction

We retain personal information only for as long as it is needed to provide the service, and destroy or de-identify it when it is no longer required (Australian Privacy Principle 11.2). Specific retention periods:

  • Reports and client records: retained while your account is active. When you delete a report it is hidden immediately and permanently erased 90 days later.
  • Account and client profiles: retained while your account is active, and erased when you delete your account (see section 8).
  • Security and audit logs: retained for up to 12 months, then automatically deleted.
  • Operational records (rate-limiting and payment-event logs): retained for short operational windows (1 to 30 days) and then automatically deleted.

When you delete your account, we erase your account and client data, cancel and remove your billing record with our payment processor, and scrub residual identifiers from our audit logs, retaining only a minimal, de-identified record that the deletion occurred.

7. AI-generated content

Report content is generated using the Anthropic Claude API. Clinical data entered in the wizard is sent to Anthropic's API for the purpose of generating the document. Anthropic's API is subject to their own privacy policy. We use API access without training data opt-in, meaning your data is not used to train Anthropic's models. Practitioners must review all generated documents before use and remain responsible for their clinical accuracy.

8. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your account and associated data.
  • Complain about a breach of your privacy rights.

To exercise any of these rights, contact us at privacy@xpressot.com.au. We will acknowledge your request or complaint within 5 business days and provide a substantive response within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC), see section 13.

9. Cookies

We use session cookies required for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email or an in-app notice at least 14 days before they take effect.

11. Overseas disclosure

Some personal information is disclosed to, or processed by, third-party service providers located overseas. Under Australian Privacy Principle 8, we take reasonable steps to ensure these providers handle your information consistently with the APPs.

  • Supabase Inc (USA / AWS) — database hosting and authentication. Data is stored on AWS infrastructure in the Asia-Pacific region (ap-southeast-2, Sydney); Supabase personnel and support systems are based in the USA.
  • Anthropic PBC (USA) — AI letter generation. Clinical data entered in the wizard is sent to the Anthropic Claude API to generate the letter. Data is not used to train Anthropic models.
  • Stripe Inc (USA) — payment processing. Billing information is handled by Stripe under their own privacy policy.
  • Vercel Inc (USA) — cloud hosting and deployment of the XpressOT web application.
  • Resend Inc (USA) — transactional email delivery (account confirmations, billing receipts).
  • Sentry Inc (USA/EU) — error monitoring and performance logging. No client health information is transmitted: clinical data and personal identifiers are redacted from error logs before they leave our servers.

12. Notifiable data breaches

XpressOT is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). Where we suspect an eligible data breach may have occurred, we will assess it expeditiously and within 30 days. If we determine there has been an eligible data breach that is likely to result in serious harm to any individual, we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable after we conclude there has been an eligible data breach.
  • Notify affected individuals directly where reasonable and practicable.
  • Take immediate steps to contain the breach and reduce any resulting harm.

To report a suspected data breach or security vulnerability, contact us immediately at privacy@xpressot.com.au.

13. Contact

For privacy enquiries or complaints, contact:
XpressOT
Email: privacy@xpressot.com.au
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).

© 2026 XpressOT · Privacy Policy · Terms of Service · Security