AlayaCare’s Commitment to Privacy 

Effective as of November 1, 2021

AlayaCare’s Privacy Policies set out the key elements of how we address the privacy and security of the data and other information entrusted to us:

  • by our customers through their access and use of the AlayaCare electronic health record platform including its related mobile applications and other online services, g., our family/client portals (collectively, Services),
  • by our business partners and specific third-party providers of key services to us; and
  • by everyone else, including prospective customers, those who seek information or contact us through our Websites, and users of our software other than our corporate customers, including care providers and contractors who work with our customers.

As privacy laws and practices evolve, we may amend this Policy from time to time. While we will endeavour to give reasonable notice of such changes, we reserve the right to do so without prior notice where it is necessary (e.g., required by legal or regulatory changes). For our customers, we will communicate any changes and updates as per the notification provisions in our contracts and through the communication channels provided in our software platform.

For any questions, requests or concerns regarding privacy you can contact us anytime at privacy@alayacare.com and we’ll respond to you within 48 hours. In this Privacy Policy, AlayaCare means AlayaCare ANZ Pty. Ltd. ACN 69 116 576 517 and our related bodies corporate.

Our Privacy Policies explain what Personal Information (see our Glossary of Terms for definitions and explanations of key terms) we collect, why we collect it, how we use it, and how we take instructions regarding the protection and management of this information. For health data and other information provided to us through our Services, we have contracts with our customers that provide specific provisions relating to their use of that information in their provision of home care and home health services. This Privacy Policy supplements specific provisions in those customer contracts, however in the event of a conflict, the customer contracts will control.

AlayaCare’s SaaS Platform Privacy Policy – for Our Customers 

Overview 

This section of our Privacy Policy describes how we collect, receive, use, store, share, transfer, and process Customer Data on behalf of our customers as part of our Services.

We collect, process and store Customer Data under the direction and control of our customers. We retain no ownership of, nor do we have control over the origination or validity of the Personal Information we process on behalf of our customers. We do not request, nor do we maintain, direct relationships with individuals whose Personal Information we maintain in the databases we host and manage as part of our Services to our customers. Accordingly, we do not directly request nor collect consents nor instructions to access, correct, update or delete personal information, which requests should be made directly to our customers. We will honor and support any instructions that our customers provide us with respect to Personal Information maintained in our databases.

We cooperate with our customers and our secure infrastructure providers to ensure that there is an open and transparent approach with respect to all privacy elements of the personal information maintained by our home care and health solutions (APP 1.1). This Policy, along with our open disclosures of key elements of the security and privacy of our solutions via our Websites at http://www.alayacare.com/en-au/security-and-privacy further supports our collective approach to compliance with APP 1.1. Our customers are responsible for complying with any regulations or laws that require providing notice, disclosure, and/or obtaining consent from their clients or workers prior to transferring Personal Information to AlayaCare and its software platform.

If you are a home care or home health service worker and have questions about personal or health information, either yours or a client’s, you should check with your home care/ home health agency.

Protecting Personal Information and Health-related Information 

AlayaCare is a provider of hosted, electronic health record solutions to its customers who are health care providers and subject to laws and regulations governing the use and disclosure of Personal Information. In Australia, various laws govern the collection, handling of and access to Personal Information, including health information protected under the Health Records Act 2001 (see Table 1: Applicable Privacy Laws). Throughout this Privacy Policy we refer to the Australian Privacy Principles (APP), which help to guide us in all matters of data protection and privacy (APP 1.3).

We maintain AICPA SOC 2 certification for our software platform which embodies a comprehensive set of internal practices, policies and procedures which are reviewed by trained subject matter experts who review our controls and evidence of our compliance with them. This aligns with and demonstrates our commitment to APP 1.2. More information and a copy of the certified report can be requested at http://www.alayacare.com/en-au/soc-2.

Security, Threats and Breach Notification 

AlayaCare’s software platform and the Services we deliver embody our commitment to APP 11.1 via the physical, administrative and technical security measures we have in place to protect against the loss, misuse, unauthorised access and alteration of data and Personal Information under our control. When the Services are accessed using current browser technology, Secure Socket Layer or SSL technology protects information using both server authentication and data encryption to help ensure that data is safe, secure, and available only to each specific customer. AlayaCare also implements a security methodology based on dynamic data and encoded session identifications and hosts the Service in a secure server environment which uses firewalls and other advanced technology to prevent interference or access from outside intruders. Unique usernames and passwords are also required and must be entered each time a customer logs into the Service. We are committed to educating our staff about the protection of Personal Information, and the importance of compliance with relevant privacy legislation and company policies. All employees and contractors are required to sign confidentiality agreements.

These safeguards help prevent unauthorised access, maintain data accuracy, and ensure the appropriate use of Personal Information; however, it is important to remember that no system can always guarantee 100% impenetrability. If we detect a threat to security or security vulnerability, we will contact our customers to recommend protective measures. Additionally, incidents of suspected or actual unauthorised handling of Personal Information are always directed to AlayaCare’s Legal and Compliance team, which is responsible for determining escalation and response procedures, depending on the severity and nature of the incident. Incidents involving unauthorised handling of Personal Information. If AlayaCare determines that Personal Information has been misappropriated or otherwise wrongly acquired, it will promptly issue a report to each affected customer.

For our customers who subscribe to or otherwise license Connected Services (as opposed to Embedded Technologies), it is important to note that the third parties who provide those services may have different procedures in place to protect Personal Information than the standards AlayaCare has implemented. AlayaCare cannot be responsible for their policies or their compliance with them, regardless of whether we have integrated their solutions into our Services and/or made them available to you.

Retention and Deletion 

AlayaCare will retain Personal Information: as necessary for the purposes outlined in this Policy (APP 11.2);

  • as required to manage and administer the Services;
  • as required to carry out any legal responsibilities (e.g., legal holds and other legal procedures);
  • to resolve a dispute (including enforcement of a contract); or
  • as expressly communicated to a customer at the time of collection.

For as long as a customer’s account remains active, and then until all applicable retention periods have expired, we will retain all Personal Information in a manner designed to ensure that it cannot be reconstructed or read. Following such periods, if is not feasible for us to delete or destroy such retained Personal Information, we will continue using the same safeguards of protection and security outlined in this Policy and related subordinate policies, for as long as it cannot be destroyed.

Collection of and Permitted Uses of Personal Information 

AlayaCare may collect Personal Information from its customers or from its customers’ end users directly via the use of its software platform or via other interfaces with authorised healthcare information providers, including but not limited to the following Personal Information:

  • Client demographic information
  • Client medical history
  • Remote patient monitoring data
  • Reports created by employees of our customers during care interventions with their home care clients
  • Time and attendance data (including geolocation) related to visits with home care clients
  • We may also collect system information to diagnose and debug software issues. Such information may be linked with Personal Information contained in a customer account, so it may be regarded as Personal Information.

AlayaCare does not use nor disclose Personal Information for purposes other than those for which it was collected, except with its customers’ consent (including contractual consent) or as required by law (APP 11.2).

AlayaCare will use Personal Information as required to provide ongoing direct support and maintenance services to our customers. We may also use aggregated usage information for statistical purposes, e.g., showing the total traffic through one of our servers or to evaluate and improve the features and functionality of our Services.

Sharing and Disclosure.

AlayaCare does not, in any circumstances, sell or rent Customer Data to third parties. AlayaCare will only share Personal Information to the following:

  • Third-party Service providers that facilitate our Services, provide any or all part of the Services on our behalf or help us improve the Services (for example, data storage, web analytics, mapping providers and maintenance service providers). These service providers have access to Personal Information only for purposes of performing these tasks on our behalf.
  • Law enforcement officials, governmental agencies, or other legal authorities (i) in response to their request; (ii) when permitted or required by law; (iii) to establish our compliance with applicable laws, rules, regulations, or guidelines; or (iv) or to establish, protect, or exercise our legal rights or defend against legal claims or demands.
  • Any other person whom you authorise the disclosure to pursuant your usage of the Applications.
  • We may also share with third parties certain aggregated non-personal information about our users.

Data Residency 

AlayaCare hosts each customer’s production database in Australia. AlayaCare may provide certain support Services from its headquarters in Canada, and in accordance with APP 8.1 and 8.2, AlayaCare may access Customer Data in limited circumstances and subject to approval processes, from Canada for purposes of, for example: responding to support requests; fixing software issues; adding/removing Customer Data in the event of a purchase/sale/change in management or performing simulation testing of our disaster recovery plans. Further information on data residency is set out at (http://www.alayacare.com/en-au/security-and-privacy).

AlayaCare’s General Privacy Policy – Interacting with www.alayacare.com 

This section of our Privacy Policy describes how we manage information via the Websites in our interactions with companies and individuals who are not customers. This includes prospective customers, those who seek information or contact us through our Websites, and users of our software other than our corporate customers, including care providers and contractors who work with our corporate customers.

In addition to the uses identified elsewhere in this Privacy Policy, we may use Personal Information to:

  • improve your browsing experience by personalising the Websites and to improve our Services;
  • send information or HubSpot content to you which we think may be of interest to you by post, email, or other means and send you marketing communications relating to our business;
  • promote use of our services to you and share promotional and information content with you in accordance with your communication preferences;
  • provide other companies with statistical information about our users -- but this information will not be used to identify any individual user and will only be shared on an aggregate and de-identified basis;
  • contact you about billing, account management, and other administrative matters;
  • send information to you regarding changes to our legal contracts, Privacy Policy, or other terms related to our Services;
  • investigate and help prevent security issues and abuse; and
  • meet legal and regulatory requirements.

We may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, we do not transfer your Personal Information to the third party.

You may disable the collection and use of location data through browser, operating system or device-level settings. Consent concerning location data may also be withdrawn at any time by providing us with email notice at privacy@alayacare.com.

If you receive promotional emails from us and you no longer wish to receive any such emails, you may follow the unsubscribe instructions in each of the email communications you receive.

Customer Testimonials and Comments 

We post customer testimonials and comments on our Websites, which may contain Personal Information. We obtain each customer's consent via email prior to posting the customer's name and testimonial.

As you browse the Websites, advertising cookies will be placed on your computer so that we can understand what you are interested in. Our display advertising partner then enables us to present you with retargeting advertising on other sites based on your previous interaction with AlayaCare. The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number.

Glossary of Terms 

Connected Services are certain, specified software functions or related services provided by a third-party software developer or information system provider which AlayaCare makes accessible via, and interoperable with, the AlayaCare platform.

 

Customer Data means the electronic records of clients and users of AlayaCare customers and other information which would be considered Personal Information under applicable law.

 

Embedded Technologies are certain, specified software functions or related services provided by a third-party software developer or information system provider which AlayaCare embeds into its own software platform and makes it available for subscription by our customers.

 

Personal Information is information that is used by a government authority, financial institution or insurance carrier to distinguish a person from other individuals (e.g., social insurance number, social security number, credit card information, or insurance policy number) is private. Such information can be used to identify an individual (e.g., a person who works at a healthcare facility, or a resident in a healthcare facility). Certain information may be used to contact a person directly (e.g., an email address, home mailing address or home telephone number). Depending on the statutes for each jurisdiction, the above identifiers are personal information, and it is private. An individual’s business contact information and business title are generally considered exempt from privacy laws. Information about an individual’s health, including insurance and billing information, is also considered – depending on the jurisdiction – health information, and it also is private. In Australia, the laws that primarily govern how we deal with the personal information and health information provided to us are listed in the table ‘Applicable Privacy Laws’.

 

Websites means www.alayacare.com and all AlayaCare pages that are linked to via this URL.

 

Applicable Privacy Laws 

Applicable Law 

Type of Personal Information Governed by the Law 

Jurisdiction 

Privacy Act 1988 (Cth), the Australian Privacy Principles, and all applicable Privacy Codes

Personal Information, including health information, about an identified individual, including information about a person’s private life, working information, or any related commentary.

Australia

Health Records Act 2001

Health Information that is also personal information as defined in the HRA.

Victoria

Health Records and Information Privacy Act 2002

Health information and personal information as defined in the HRIPA.

New South Wales 

Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth)

Commercial electronic messages, other than designated commercial electronic messages or those sent with consent.

Australia