Legal
How we collect, use, and protect your information
UNCAPT Pty Ltd (ABN 15 641 190 552) ("UNCAPT", "we", "our", "us") is committed to protecting the privacy of individuals who interact with MIA and our related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with:
Where state-based health records legislation imposes stricter requirements than the federal APPs (for example, regarding retention, transfer, or access), we comply with the stricter standard.
MIA is a clinical intelligence system developed in partnership with the University of Sydney's Brain and Mind Centre.
UNCAPT is an APP entity under the Privacy Act. Where MIA is deployed within a healthcare provider's platform, both UNCAPT and the healthcare provider hold obligations to individuals under Australian privacy law. Specifically:
We do not rely on our role as a service provider to limit our direct responsibilities to individuals whose data we process. We take our obligations seriously and are accountable for the information we hold.
If we receive personal information that we did not solicit (for example, a patient contacts us directly rather than through their healthcare provider), we will assess whether the information could have been collected under APP 3. If not, we will destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
We use personal information for the following purposes:
We may use contact information provided by healthcare professionals, partner organisations, and pilot participants to send relevant updates about MIA, including product updates, research findings, and partnership opportunities.
We will only do so where:
Opt-out: Every communication we send will include a clear and simple way to opt out of future communications. You can also opt out at any time by contacting privacy@uncapt.com. We will process opt-out requests within 5 business days.
We do not use patient health information for direct marketing purposes under any circumstances.
We recognise that health information is sensitive information under the Privacy Act and is afforded additional protections under both the APPs and state-based Health Privacy Principles. We only collect health information where:
Health information processed by MIA is handled in accordance with the Australian Privacy Principles, applicable state and territory health records legislation (including the Health Privacy Principles where they apply), and our contractual obligations to the deploying healthcare provider.
We do not collect health information directly from patients without the involvement of a healthcare provider or an approved research program.
We do not use identifiable patient data, clinical recordings, or session transcripts to train, fine-tune, or improve MIA's underlying AI models. Your data remains yours. Clinical data processed by MIA is used solely for the purpose of providing the clinical service to the deploying healthcare provider.
MIA generates structured clinical reasoning outputs (e.g., assessment logic, care plan rationale, scoring pathways) as part of its normal operation. We retain de-identified versions of these reasoning outputs to enable continuous improvement of MIA's clinical knowledge base.
This de-identified reasoning may be reviewed and refined by qualified clinical experts (including researchers at the Brain and Mind Centre) as part of an ongoing expert feedback cycle. This process ensures MIA's clinical reasoning remains accurate, current, and aligned with best practice.
We recognise that under the Privacy Act, information is "personal information" if an individual is reasonably identifiable. We apply de-identification processes consistent with the OAIC's "De-identification and the Privacy Act" guidance and the De-Identification Decision-Making Framework published by the OAIC and CSIRO's Data61.
Our de-identification process includes:
We acknowledge that mental health data carries heightened re-identification risk. Clinical narratives — even without names — may contain specific life events, family details, or rare conditions that could enable "jigsaw re-identification."
To mitigate this risk, our de-identification of clinical reasoning outputs specifically:
If at any point we determine that de-identified data carries a non-trivial re-identification risk, we treat that data as personal information and apply the full protections of the APPs.
MIA's clinical outputs are designed to be explainable. Where MIA generates a recommendation, it provides the reasoning pathway so that a clinician can understand why a suggestion was made and can review, edit, or override the output. MIA is a decision-support tool — it suggests, clinicians decide.
We are committed to the principles set out in the OAIC's guidance on privacy and AI, including:
We do not sell, rent, or trade personal information. We use and disclose personal information only for the primary purpose for which it was collected, or for a directly related secondary purpose that the individual would reasonably expect. Specifically, we may disclose information to:
We use the following third-party service providers ("sub-processors") to deliver MIA. All sub-processors are contractually required to maintain security and privacy standards consistent with this policy and the Australian Privacy Principles.
| Provider | Purpose | Data Location | Clinical Data? |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, compute, storage, databases | Australia East | Yes |
| Private inference provider | Private model inference (AI processing) | Australia | Yes (in transit) |
| Google Analytics | Website analytics (if enabled) | See Google's terms | No |
Important: All sub-processors that handle clinical data are located in Australia. No clinical or health information is transferred to or processed in any country outside of Australia.
This list is kept current. If we add a new sub-processor that handles personal or clinical data, we will update this page and, where required by contract, notify affected partners in advance.
All clinical data is hosted on infrastructure located in Australia. We implement comprehensive security measures including:
We take reasonable steps to ensure that the personal information we hold is accurate, up-to-date, complete, and relevant for the purposes for which it is used. For clinical data, accuracy is critical to patient safety. Our measures include:
All clinical and personal data for Australian clients is currently processed and stored exclusively within Australia. We do not transfer clinical data outside of Australia.
As we expand to serve clients in other jurisdictions (e.g., Canada), we will deploy localised infrastructure in those regions to ensure data remains within the relevant jurisdiction. Our architecture is designed for data sovereignty — each deployment region keeps data local.
In the event that any cross-border transfer becomes necessary, we will ensure that the recipient is subject to a law or binding scheme that is substantially similar to the APPs, or we will take reasonable steps to ensure the overseas recipient handles the information in accordance with the APPs, as required by Australian Privacy Principle 8.
We retain personal information only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law. When data is no longer needed, it is securely deleted or de-identified in accordance with the standards described in Section 5.3.
For clinical data processed on behalf of healthcare providers, retention periods are determined by the provider's policies and the applicable health records legislation. We are aware that minimum retention periods under state law may include:
We will not delete clinical data at a partner's request if doing so would breach applicable minimum retention requirements. We work with deploying healthcare providers to ensure their data retention settings comply with their legal obligations.
Contact information provided through partnership enquiries or pilot access requests is retained for the duration of the business relationship and for a reasonable period afterward (up to 2 years), unless you request earlier deletion.
De-identified clinical reasoning outputs (as described in Section 5.2) may be retained indefinitely, as they contain no personal information and serve the ongoing improvement of clinical quality. These outputs are subject to periodic re-identification risk assessments as described in Section 5.3.
UNCAPT complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988, as introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017.
We recognise that mental health information is inherently high-risk: a breach involving mental health data is likely to meet the "serious harm" threshold due to the sensitive and stigmatised nature of mental health conditions. We therefore treat any suspected breach involving health information with the highest level of urgency.
If we become aware of an eligible data breach (or suspected breach), we will:
Our target initial response time for suspected data breaches is 24 hours. We maintain a documented incident response plan, which is tested regularly. For full details, see our Security page.
UNCAPT does not adopt, use, or disclose government-related identifiers (such as Medicare numbers, Individual Healthcare Identifiers, or tax file numbers) as its own identifiers. Where such identifiers are processed as part of clinical data provided by a healthcare provider, they are handled solely for the clinical purpose directed by the provider and are subject to the same protections as all health information under this policy.
Under the Australian Privacy Principles and state-based health records legislation, you have specific rights regarding the personal and health information we hold.
If you are a healthcare professional, researcher, or partner, you may contact us directly to request access (APP 12) or correction (APP 13) of your business contact information (e.g., name, email, role). We will respond to these requests within 30 days.
For health information and clinical reasoning outputs processed by MIA:
Primary channel: Because clinical data is processed by MIA at the direction of your healthcare provider, we recommend that patients first contact their treating clinician or healthcare clinic to request access to or correction of their records. The clinician is best placed to provide the necessary clinical context and support.
Our role as holder: If you contact us directly for access to clinical data, we will:
Correction of AI outputs: If you believe a clinical output generated by MIA is inaccurate, you have the right to request a correction. As MIA is a decision-support tool, clinicians have the ability to review, edit, and override any MIA output before it becomes part of your permanent medical record.
In limited circumstances (for example, where a clinician determines that access would cause significant distress or harm in a mental health context), access may be refused or provided via an intermediary (such as a different medical practitioner). If we or the healthcare provider refuse access or correction, we will provide you with a written notice explaining the reasons (unless it is unreasonable to do so) and the mechanisms available to complain.
To lodge a request for access or correction, or to discuss how your data is handled, please contact:
UNCAPT Privacy Officer
Email: privacy@uncapt.com
If you are not satisfied with our response or the way your request was handled, you may lodge a formal complaint with the Office of the Australian Information Commissioner (OAIC).
MIA is designed for use in clinical settings that include young people and adolescents (consistent with the Brain and Mind Centre's youth mental health research). MIA is not intended for unsupervised use by individuals under 16 years of age.
Where MIA is used in clinical settings involving minors, consent is managed by the deploying healthcare provider in accordance with applicable legislation, including relevant state and territory laws regarding the capacity of young people to consent.
For the MIA consumer research program (conducted with the University of Sydney), participation by individuals under 18 requires parental or guardian consent as part of the ethics-approved consent process.
We may update this Privacy Policy from time to time. Material changes will be communicated via our website and, where relevant, directly to partners and deploying healthcare providers. The "Effective" date at the top indicates the latest revision.
For questions about this Privacy Policy or our data practices:
UNCAPT Pty Ltd
Privacy Officer
Email: privacy@uncapt.com
ABN: 15 641 190 552
For security-related concerns, please contact security@uncapt.com.