Privacy Policy

Markoste Privacy Policy

Effective Date: July 25, 2025

Last Updated: May 19, 2026

1. Introduction

Markoste Pty Ltd ("we," "us," or "our") operates the Markoste platform, an AI-powered clinical workflow hub designed specifically for pharmacists in Australia. We are committed to protecting your privacy and the privacy of your patients in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) scheme, and the Essential Eight cybersecurity framework.

This Privacy Policy explains how we collect, use, disclose, and protect personal information and health information when you use our services.

2. Information We Collect

2.1 Personal Information

  • Account Information: Name, email address, phone number, pharmacy or organisation details, professional registration numbers
  • Payment Information: Subscription plan selection and billing details processed securely via Stripe (we do not store card numbers)
  • Usage Data: Platform interactions, feature usage patterns, session logs
  • Technical Data: IP addresses, browser information, device identifiers (for security purposes only)

2.2 Health Information

  • Audio Recordings: Deleted from cloud storage immediately after transcription processing is complete, with an automatic safety-net cleanup that removes any remaining files within 24 hours
  • Transcripts: Voice-to-text conversion of consultations, automatically deleted from cloud storage within 24 hours
  • Clinical Summaries: AI-generated summaries in SOAP notes, referral letters, or patient notes format
  • Patient Data: Patient demographics, medical history, and medication information stored in your patient files
  • Clinical Intervention Data: Records of clinical interventions, assessments, and ACOP governance activities
  • Medication Information: Drug names, dosages, interaction data, and MIMS product information lookups
  • Residential Care Data: RMMR/HMR review data, resident tracking, and Medicare claims information

2.3 Automatically Collected Information

  • System performance metrics
  • Error logs and debugging information
  • Security audit trails

3. How We Use Your Information

3.1 Primary Purposes

  • Scribe (Transcription and Summarisation): Converting audio consultations to text and generating structured clinical notes using our AI processing pipeline
  • Drug Interaction Checking: Real-time interaction and safety checks powered by the MIMS Australia database
  • Patient File Management: Uploading, parsing, and storing patient documents including medication extraction from PDFs
  • PharmCal (Task Management): Calendar scheduling, task tracking, and daily reminder services
  • RMMR/HMR Residential Hub: Pipeline management for residential medication management reviews, resident tracking, report generation, and Medicare claims
  • ACOP Governance: Clinical intervention tracking, risk assessment, quarterly reporting, and aged care quality compliance
  • Analytics: Usage dashboards, organisation metrics, and facility-level reporting
  • Compliance Support: Maintaining audit trails and records for regulatory requirements

3.2 Secondary Purposes

  • Platform improvement and feature development
  • Security monitoring and fraud prevention
  • Customer support and technical assistance
  • Legal compliance and regulatory reporting

4. Information Sharing and Disclosure

4.1 We Do Not Sell Personal Information

We never sell, rent, or trade personal or health information to third parties.

4.2 Permitted Disclosures

We may share information only in the following circumstances:

  • With Your Consent: When you explicitly authorize disclosure
  • Service Providers: Third-party processors bound by strict confidentiality agreements:
    • Google Cloud Platform (backend hosting, database, and file storage in australia-southeast1)
    • Amazon Web Services Bedrock (AI inference, ap-southeast-2 Sydney region) β€” processes identified patient health information solely for the purpose of generating clinical documentation as directed by the practising pharmacist. Patient data is not used to train AI models and is not retained by the AI service provider.
    • Cloud GPU Processing (audio transcription and AI inference)
    • Supabase (user authentication, row-level security, and audit logging)
    • Vercel (frontend hosting and edge delivery)
    • MIMS Australia (drug interaction database and product information)
    • Stripe (payment processing - PCI DSS compliant, no card data stored by us)
    • Resend (transactional email delivery)
    • Google reCAPTCHA v3 (bot and abuse protection)
  • Legal Requirements: When required by Australian law or court order
  • Emergency Situations: To prevent serious threat to health or safety

4.3 International Transfers

Some data processing occurs through international service providers. We ensure:

  • Data residency controls where possible (australia-southeast1 region)
  • Adequate protection through contractual safeguards
  • Compliance with APP 8 (cross-border disclosure requirements)

5. Health Professionals and Patient Data

Pharmacists and other health professionals who use the Markoste platform (β€œSubscribers”) are the primary APP entities responsible for the patient health information they input into the platform. Markoste Pty Ltd acts solely as a contracted service provider, processing that information on behalf of Subscribers for the purpose of clinical documentation. Subscribers are responsible for ensuring their use of the platform is consistent with their own obligations under the Privacy Act 1988 (Cth), applicable state health records legislation, and their professional registration requirements, including obtaining any necessary patient consent for the use of AI-assisted documentation tools.

6. Data Security and Protection

6.1 Technical Safeguards

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access with unique user IDs
  • Network Security: VPC peering and private IP database access
  • Key Management: Google Cloud KMS for encryption key management

6.2 Organizational Safeguards

  • Regular security audits and penetration testing
  • Staff training on privacy and security protocols
  • Incident response procedures
  • Third-party security assessments

6.3 Data Minimization

  • Audio recordings deleted from cloud storage immediately after transcription, with automatic cleanup within 24 hours
  • Transcription results automatically deleted from cloud storage within 24 hours
  • Identified patient health information is processed only for the specific purpose for which it was collected, and access is restricted to the treating pharmacist and authorised platform functions
  • Minimal data collection principle

7. Data Retention and Deletion

7.1 Retention Periods

  • Audio Recordings: Deleted from cloud storage immediately after transcription, with automatic cleanup within 24 hours
  • Transcription Results: Automatically deleted from cloud storage within 24 hours
  • Patient Files: Retained until user deletion or account closure
  • RMMR/HMR and ACOP Data: Retained until user deletion or account closure
  • Account Information: Retained for duration of service relationship
  • Payment Records: Retained as required by Australian tax law
  • Audit Logs: Retained for 7 years for compliance purposes

7.2 User-Initiated Deletion

Users can request deletion of their data through:

  • In-platform deletion tools
  • Contact form on our website
  • Email to mark@markoste.com.au

8. Your Rights Under Australian Privacy Law

8.1 Access Rights (APP 12)

You have the right to:

  • Request access to your personal information
  • Receive a copy of your data in a portable format
  • Understand how your information is being used

8.2 Correction Rights (APP 13)

You can:

  • Request correction of inaccurate or incomplete information
  • Add a statement if we cannot agree on corrections
  • Have corrections shared with third parties where appropriate

8.3 Other Rights

  • Anonymity and Pseudonymity: Where practicable under APP 2
  • Complaint Rights: Lodge complaints with us or the Office of the Australian Information Commissioner (OAIC)
  • Opt-out Rights: Withdraw consent for certain data processing activities

9. Cookies and Tracking

We use essential cookies only for:

  • Session management and authentication
  • Security monitoring
  • Platform functionality

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings.

10. Children's Privacy

Markoste is designed for use by licensed healthcare professionals. We do not knowingly collect personal information from individuals under 18 years of age.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will:

  • Notify users of material changes via email and platform notifications
  • Post the updated policy with a new effective date
  • Maintain previous versions for reference

12. Contact Information

12.1 Privacy Officer

  • Email: mark@markoste.com.au

12.2 Complaints

If you have privacy concerns:

  • Contact us first: mark@markoste.com.au
  • OAIC Complaint: If unresolved, contact the Office of the Australian Information Commissioner
    • Website: www.oaic.gov.au
    • Phone: 1300 363 992
    • Email: enquiries@oaic.gov.au

13. Definitions

  • De-identification: Process of removing or obscuring personal identifiers
  • Health Information: Information about an individual's health, disability, or healthcare services
  • Personal Information: Information about an identifiable individual
  • Processing: Any operation performed on personal information

Markoste Pty Ltd

ABN: 29 698 051 017

www.markoste.com.au