D & S Group Pty Ltd (ACN 693 328 013) trading as Thrivix
Privacy Policy
Effective Date: 01/04/2026
Version 1.2
1. Purpose
This Privacy Policy ("Policy") outlines how we collect, use, store, disclose, and protect your personal information, including sensitive and health information, in accordance with:
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs)
- My Health Records Act 2012 (Cth)
- Applicable State and Territory health privacy laws
We are committed to safeguarding your privacy and complying with all relevant legislation while providing telehealth services, regenerative therapies (e.g., peptides, TRT, HRT), and e-commerce products.
2. Scope
This Policy applies to all individuals who interact with us, including patients, website visitors, telehealth users, store purchasers, contractors, and employees. It covers all methods of personal information collection, whether electronic, verbal, or written, via our Platform (website, telehealth tools, Clinic Management System) or in-person.
3. Definitions
- Personal Information: Information or an opinion about an identifiable individual, recorded in any form, including names, contact details, or other details from which a person's identity can reasonably be ascertained.
- Sensitive Information: A subset of personal information that includes racial or ethnic origin, political opinions, religious beliefs, sexual preferences, criminal records, or membership in professional/trade associations.
- Health Information: Information about your health, disabilities, or use of health services, including pathology results, hormone levels, or medical history.
- Third-Party Website Visitors: Individuals who visit the clinic's website but are not current patients or users of our services.
- Telehealth: Video or audio consultations provided via our Platform.
- Clinic Management System (CMS): Our secure system for managing consultations, prescriptions, and patient records.
- Designated Pharmacy Partner: A third-party pharmacy we use for prescription fulfilment.
4. What Information We Collect
We may collect the following types of personal information:
For Patients:
- Full name, date of birth, gender
- Contact details: phone number, email, residential address
- Medicare number, private health insurance details
- Medical history, current health status, referrals, pathology results, prescriptions (for regenerative therapies like TRT/HRT)
- Payment and billing details
- Telehealth session records (e.g., video/audio, chat logs, device info) and usage data
For Website Visitors:
- Technical Data: IP address, browser type, operating system, device information, and website usage data.
- Purchase details: Shipping address, payment info (processed securely)
- Personal Data: Any personal information you choose to provide through contact forms, newsletter sign-ups, or online queries.
5. How We Collect Information
We collect personal information through various methods, including:
- Direct interactions with patients during consultations, via telehealth platforms, phone calls, or emails.
- Online forms, such as appointment booking or contact forms on our website.
- Automatic collection through cookies and similar technologies when you visit our website.
- Third-party referrals from other healthcare providers, insurers, or authorised representatives.
Anonymous or Pseudonym Use
Due to the nature of healthcare services, you are generally not able to remain anonymous or use a pseudonym when accessing our services. We are required to verify your identity for clinical safety, accurate record-keeping, lawful prescribing, and compliance with Australian health legislation.
6. Legal Basis for Collection
We collect personal information:
- With your consent
- When necessary for the performance of healthcare services
- To comply with legal obligations
- To pursue legitimate interests (e.g., improving services)
7. How We Use Your Information
For Patients:
We use your personal information for the following purposes:
- To provide healthcare services, including telehealth consultations, diagnosis, treatment, and follow-up care.
- To communicate with you regarding appointments, treatment plans, and health-related information.
- To process payments, including Medicare and private health insurance claims.
- To comply with legal and regulatory obligations, such as reporting notifiable diseases or responding to court orders.
- To improve our services, telehealth platforms, and website functionality.
- To provide you with updates about our services, appointment reminders, or health-related information. You can opt out of receiving these communications at any time by following the "unsubscribe" instructions included in the communication or by contacting us directly. We will not use your health information for direct marketing without your explicit consent.
For Website Visitors:
We use your information to:
- Respond to your inquiries or requests made through our website.
- Analyse website usage and improve user experience.
- Manage our website's functionality and security.
Direct Marketing
We will only use or disclose your health information for direct marketing purposes where you have provided explicit consent. You may opt out of receiving marketing communications at any time by contacting us or using the unsubscribe function in any marketing email.
Secondary Use of Health Information
We will not use your health information for secondary purposes (including marketing or analytics) without your explicit consent, unless required or authorised by law.
8. Disclosure of Information
We do not sell or rent your personal information to third parties. We may share your personal information in the following circumstances:
- Healthcare Providers: With your consent, we may share your health information with other healthcare providers involved in your care.
- Third-Party Service Providers: We may share your information with third-party service providers who assist us in delivering our services:
  - Telehealth platform providers
  - Clinic management software providers (e.g. Halaxy)
  - Payment processors (e.g. Stripe)
  - Pathology laboratories
  - Partner pharmacies for prescription fulfilment
  - IT hosting and cloud storage providers
- Authorised prescribing practitioners and partner pharmacies, strictly for the purpose of safe and lawful prescribing and medication fulfilment.
- My Health Record: We do not access or upload any information to the My Health Record system.
- Legal Requirements: We may disclose your information where required or authorised by law (e.g., to comply with a subpoena or court order).
- Regulatory Authorities: We may disclose your information to regulatory authorities as required for compliance with health regulations.
- Overseas Disclosure of Information: We do not intentionally disclose personal or health information to overseas recipients. However, some of our third-party service providers (including payment processors such as Stripe, cloud hosting providers, and clinic management systems) may store or process data using infrastructure located outside Australia. Where this occurs, we take reasonable steps to ensure that such providers are bound by the Australian Privacy Principles or equivalent safeguards.
9. Data Security Measures
We implement the following measures to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure:
- Encryption: All personal information is encrypted during transmission over the internet using Secure Sockets Layer (SSL) technology.
- Access Controls: Access to your personal information is restricted to authorised personnel who need it to perform their duties.
- Secure Storage: All digital data is stored on secure servers protected by firewalls and regularly updated security software.
- Regular Audits: We conduct regular security audits and assessments to identify and mitigate potential vulnerabilities.
- Multi-Factor Authentication (MFA): Employees must use MFA to access systems containing sensitive information.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website to improve your browsing experience, analyse traffic, and support the functionality and security of our online services. These tools help us understand how visitors use our website and enable us to deliver a more personalised and efficient user experience.
What Are Cookies?
Cookies are small text files that are placed on your device (computer, tablet, or mobile) by websites you visit. They are widely used to make websites work, improve efficiency, and provide reporting information.
Types of Cookies We Use:
- Strictly Necessary Cookies: These are essential for the operation of our website and enable basic features such as page navigation, secure access, and session management. Our website cannot function properly without these cookies.
- Performance and Analytics Cookies: These collect anonymised information about how visitors use our website, such as which pages are visited most often or if error messages occur. This data helps us improve website performance and user experience.
- Functionality Cookies: These remember your preferences and settings (such as language, location, or login details) to provide enhanced, more personalised features.
- Third-Party Cookies: In some cases, we may use third-party services (such as embedded videos or social media plug-ins) which may place cookies on your device. These providers are responsible for how they use cookies, and we recommend reviewing their privacy policies.
Managing Your Cookie Preferences
You can choose to accept, decline, or customise your cookie preferences through your browser settings or by using a cookie management tool (where available on our website). Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline them or notify you when a cookie is set.
Please note that disabling certain cookies may affect the functionality or performance of our website and limit your ability to access some services or features.
Consent and Transparency
Where required by law, we will seek your consent before placing non-essential cookies on your device. By continuing to use our website after seeing a cookie notice, you are deemed to consent to the use of cookies as described in this Policy.
11. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal and regulatory obligations, and for legitimate operational or business requirements.
Our retention practices take into account the type of information held, its sensitivity, applicable laws and regulatory requirements, and the risks of unauthorised use or disclosure.
We comply with applicable State and Territory health records legislation, which often requires longer retention periods than the general Privacy Act.
Retention of Health Records
In accordance with legal obligations and professional standards, we retain patient health records for the following minimum periods:
- Adult Patients: At least 7 years from the date of the last consultation or entry in the record.
- Child Patients: Until the patient turns 25 years of age, or for 7 years from the date of the last entry, whichever is longer.
- Deceased Patients: Health records are retained in accordance with the above timelines unless a longer period is necessary for legal or clinical reasons.
Retention of Website and Technical Data
Data collected from website visitors, such as cookies, IP addresses, and analytics, is retained for up to 2 years, or longer if required for legal, technical, or business continuity purposes.
Other Records
Administrative, financial, or communication records (such as email correspondence, appointment logs, or billing records) are retained in line with legal retention obligations, typically between 5 and 7 years, depending on the nature of the document.
Secure Disposal
Once personal information is no longer required, we securely dispose of or de-identify it in accordance with industry standards and applicable law. This includes:
- Secure deletion of electronic records
- Shredding of physical documents
- Use of data destruction services certified for handling sensitive information
We conduct regular reviews of our data holdings to ensure information is not retained longer than necessary.
12. Your Rights
As part of our commitment to transparency and data protection, you are entitled to exercise a number of rights under the Privacy Act 1988 (Cth) and relevant health privacy laws. These rights are designed to give you control over how your personal and health information is collected, used, and maintained.
You have the right to:
- Request access to your Personal Information;
- Request correction or updating of your information;
- Request deletion of your data where no longer required;
- Object to processing for marketing purposes;
- Request a portable copy of your data where technically feasible;
- Withdraw consent (where consent is the basis for processing).
How to Exercise Your Rights
To submit a request regarding any of the rights listed above, please contact us in writing using the contact details provided at the beginning of this Privacy Policy. We may request verification of your identity to ensure that your information is not disclosed to or altered by an unauthorised individual.
We aim to respond to all valid requests within a reasonable timeframe, typically within 30 days. There is no charge for submitting a request; however, we may charge a reasonable administrative fee for the provision of physical copies or for excessive, repetitive, or manifestly unfounded requests.
If you are not satisfied with our response, you have the right to escalate your concern to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
13. Data Breach Notification
We take data security seriously and have implemented appropriate technical and organisational measures to protect personal information. However, in the event of a data breach, we will comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth) and take swift action to mitigate any potential harm.
A data breach may include the unauthorised access to, disclosure of, or loss of personal information that we hold. If we have reasonable grounds to believe that a data breach is likely to result in serious harm to any individuals whose information is involved, we will:
- Promptly assess the breach to determine its nature, scope, and potential impact in accordance with our internal data breach response plan;
- Contain the breach where possible, and take immediate steps to prevent further unauthorised access or disclosure;
- Notify affected individuals as soon as practicable, including details of the breach, the types of information involved, recommended steps they should take, and how we are responding;
- Notify the Office of the Australian Information Commissioner (OAIC) by submitting a Notifiable Data Breach Statement through the prescribed process;
- Document the breach and all steps taken in response, in compliance with our obligations under the Privacy Act;
- Review our policies, procedures, and security safeguards to prevent recurrence and improve future responses.
Where we determine that a data breach does not meet the threshold for notification but may still carry risks, we will take proactive steps to inform affected individuals where appropriate.
We are committed to acting transparently, responsibly, and promptly to minimise the impact of any data breach and to uphold the privacy and trust of our patients, clients, and stakeholders.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our privacy practices, legal obligations, or service offerings. The updated version will be published on our website and will take effect from the Effective Date listed at the beginning of this Policy.
We encourage you to review this Policy periodically to stay informed about how we handle your personal information. Where material changes are made that may impact your rights, we will take reasonable steps to bring these changes to your attention, such as through notices on our website or direct communication where appropriate.
Your continued use of our services following the Effective Date of an updated Policy indicates your acceptance of the changes.
15. Privacy Policy Complaints and Enquiries
If you have any questions, concerns, or complaints regarding this Privacy Policy or how your personal information is handled, we encourage you to contact us directly using the contact form on our website.
We take all privacy-related enquiries seriously and are committed to resolving complaints in a timely and respectful manner. Upon receiving a complaint, we will:
- Acknowledge your enquiry within a reasonable timeframe;
- Investigate the circumstances of your concern;
- Provide a written response outlining the outcome of our investigation and any steps taken to address the issue.
All complaints will be handled in accordance with our obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable, relevant health privacy legislation.
If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Mail: GPO Box 5218, Sydney NSW 2001
16. NOTICE OF PRIVACY PRACTICES – Protected Health Information (PHI)
This Notice describes how Thrivix ("we", "us", or "our") may use and disclose Protected Health Information (PHI) about you, your rights regarding that information, and our legal duties. PHI is any information that identifies you and relates to your past, present, or future physical or mental health, healthcare, or payment for healthcare.
1. How We May Use and Disclose Your PHI
We may use and disclose your PHI without your authorisation for the following purposes:
- Treatment: To provide you with telehealth consultations, prescribe medications (including peptides, TRT, and HRT), coordinate care with pharmacies (e.g., IWG), and manage follow-up.
- Payment: To process payments for consultations and prescriptions, bill third parties, and handle insurance or funding claims where applicable.
- Health Care Operations: For quality improvement, training, accreditation, compliance (including LegitScript certification), risk management, and internal audits.
- Other permitted uses: As required or permitted by law (e.g., public health reporting, court orders, or emergencies).
Any other use or disclosure of your PHI requires your written authorisation, which you may revoke at any time (except to the extent action has already been taken).
2. Your Rights Regarding Your PHI
You have the following rights:
- Right to inspect and copy: You may request to inspect or obtain a copy of your PHI. We will respond within 30 days (or 60 days in limited circumstances).
- Right to amend: You may request that we amend inaccurate or incomplete PHI. We will respond within 60 days.
- Right to request restrictions: You may request restrictions on certain uses or disclosures of your PHI (e.g., for treatment or payment). We are not required to agree to all requests.
- Right to confidential communications: You may request that we communicate with you in a specific manner or at a specific location (e.g., by encrypted email only).
- Right to an accounting of disclosures: You may request a list of disclosures of your PHI made in the previous six years (subject to certain exceptions).
- Right to receive this Notice: You are entitled to a copy of this Notice at any time.
How to exercise these rights: Submit your request in writing to [email protected]. We will provide instructions and any required forms.
3. How to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us at:
Privacy Officer
Thrivix (D & S Group Pty Ltd)
Unit 2, 8 Curren Street, Oakleigh East VIC 3166
Email: [email protected]
You may also file a complaint with the Office of the Australian Information Commissioner (OAIC) or any other applicable regulator. We will not retaliate against you for filing a complaint.
4. Our Legal Duties
We are required by law to:
- Maintain the privacy of your PHI;
- Provide you with this Notice of our legal duties and privacy practices;
- Abide by the terms of the Notice currently in effect; and
- Notify you if we become aware of a breach of your unsecured PHI.
We reserve the right to change this Notice at any time. Any revised Notice will be posted on our website and will apply to all PHI we maintain.