aurii
Privacy

Privacy commitments.

The full privacy policy is being prepared by our legal counsel before pilot launch. The substantive commitments below apply during the placeholder period and will carry into the final policy.

What Aurii is.

Aurii is an operating layer for Australian private-hospital specialists. The platform records clinical encounters, generates discharge letters, submits MBS claims, issues ePrescriptions, and surfaces aurii.ai suggestions for the specialist to accept, edit, or dismiss. The specialist remains the decision-maker on every clinical action.

What we collect.

  • Clinical data. Patient identifiers, encounter notes, results, prescriptions, and letters that the specialist creates inside the platform.
  • Account data. User name, email, role, MFA factors, device-bound credentials, and audit metadata for sign-in events.
  • Usage data. Audit log entries for clinical actions, billing events, and security events. Used for medico-legal record-keeping and security monitoring.
  • Voice audio. When dictation or ambient capture is used in an encounter, audio is uploaded to a transcription provider with a written PHI processing arrangement, transcribed, and the audio is retained alongside the transcript for the audit trail.

Where it lives.

  • Production data resides in Microsoft Azure Australia East (Sydney). Backups in Australia Southeast (Melbourne).
  • Encryption at rest with customer-managed keys per data class (clinical, audio, audit) via Azure Key Vault. Encryption in transit on every network hop.
  • Access requires email plus TOTP MFA, with WebAuthn biometric on supported devices.
  • Audit log is append-only and hash-chained. Retention is 7 years, the conservative reading of AHPRA and state record-keeping standards.

When we share.

  • Inside the platform. Records are scoped to the tenant (a single specialist for the Solo tier, or a hospital tenant). Cross-tenant access is enforced at the database row level and is auditable.
  • With clinical recipients. Discharge letters and secure messages route to the recipients the specialist selects (referrers, GPs, allied health) over Medical Objects or equivalent secure channels.
  • With sub-processors. Transcription (AssemblyAI, AU/EU routing), inference (Anthropic, AU/EU routing), payments (Stripe, AU entity), email (SendGrid). Each sub-processor operates under a written agreement and a defined data scope.
  • With regulators on lawful request. TGA, AHPRA, OAIC, or court-ordered access. We notify the affected tenant where lawfully able to.

Your rights.

  • Access and correction rights under the Australian Privacy Principles. Requests are routed through your tenant administrator for hospital tenants, or directly to us for Solo specialists.
  • Notifiable-breach reporting to the OAIC within the statutory window. Affected tenants are notified at the same time.
  • Account closure: data export available before closure, retained as required by clinical record-keeping rules afterwards.

Privacy contact

Privacy queries: privacy@aurii.com.au. The mailbox forwards to our privacy lead during the placeholder period.