Wollongong coastline

Privacy Policy

PRIVACY POLICY

INTRODUCTION

This document sets out the privacy policy of GasLedger Pty Ltd (ACN 697 034 469 / ABN 14 697 034 469) (referred to in this privacy policy as ‘we’, ‘us’, or ‘our’).

We do not provide medical services or act as a healthcare provider. We provide a software platform called GasLedger that facilitates communication and clinical workflow between healthcare practitioners and patients (SaaS Platform). We do not provide medical advice, diagnosis, or treatment. All clinical decisions are made by the relevant healthcare practitioner. For further information, please see our SaaS Terms here.

In this policy, “we”, “us” and “our” refers to GasLedger (formerly ‘Gas at the Gong’), as the provider of the SaaS platform, and “you” may refer to either a healthcare practitioner, healthcare facility representative or a patient whose information is collected through the platform. Where “you” is a healthcare practitioner or healthcare facility, this policy also applies to personal information collected in connection with your account, use of the platform, and business relationship with us.

The Privacy Act 1988 (Cth) (Privacy Act) requires entities bound by the Australian Privacy Principles to have a privacy policy. We take our privacy obligations seriously and we’ve created this privacy policy to explain how we store, maintain, use and disclose personal information. We will only collect, use and disclose sensitive information with your consent or as otherwise permitted under the Privacy Act.

We are committed to preventing serious invasions of privacy and ensuring the protection of your personal information. If you are a healthcare practitioner using our platform, you may also provide professional and practice-related information, which we handle in accordance with the Australian Privacy Principles.

Where we collect personal information (including sensitive health information) on behalf of healthcare practitioners, we do so as a service provider to those practitioners, and they remain responsible for the collection and use of that information in accordance with applicable privacy laws.

By providing personal information (including sensitive information) to us, you consent to our storage, maintenance, use and disclosing of personal information in accordance with this privacy policy.

We may change this privacy policy from time to time by posting an updated copy on our website and we encourage you to check our website regularly to ensure that you are aware of our most current privacy policy.

TYPES OF PERSONAL INFORMATION WE COLLECT

The personal information we collect may include the following:

  • name
  • mailing or street address
  • email address
  • telephone number and other contact details
  • date of birth
  • gender
  • credit card or other payment information
  • sensitive health information about you or a patient (such as medical history (including respiratory, cardiac, and other conditions), current medications, allergies, dental history, anaesthetic history (including previous complications or family history of complications), proposed procedure or treatment, surgical history, Medicare number, health fund details, pregnancy status, height, weight) as set out below
  • for healthcare practitioners and healthcare facilities: name, professional details, practice address, contact details, billing information, account credentials, Medicare provider number, profile photograph, billing rates and verification information (including HPI-I and AHPRA registration details for verification purposes)
  • theatre list CSV uploads including patient demographics and procedure details
  • information about your business or personal circumstances
  • information in connection with client surveys, questionnaires and promotions
  • your device identity and type, I.P. address, geo-location information, page view statistics, advertising data and standard web log information
  • information relating to clinical workflows, task management and communications within the platform (including cover requests, task assignments, status updates and related notes)
  • information about third parties

any other information provided by you to us via our website or our online presence, or otherwise required by us or provided by you.

HOW PERSONAL INFORMATION IS COLLECTED

We will collect your personal information in a lawful and fair way. We will only collect your personal information where you have consented to it, or otherwise in accordance with the law.

How we collect information from you

We may collect personal information where you:

  • complete a pre-operative questionnaire with us or one of our partner medical practitioners (including via SMS links)
  • create an account or are registered to use our product by a healthcare practitioner or facility
  • have your information entered, uploaded, or managed by a healthcare practitioner or authorised clinical staff member within a clinical service, practice group, or healthcare facility using our platform
  • when healthcare practitioners or healthcare facilities register for or use our SaaS platform, including account creation, onboarding, identity verification, and subscription management
  • contact us through our website
  • receive goods or services from us
  • submit any of our online inquiry forms
  • communicate with us via email, telephone, SMS, social applications (such as LinkedIn or Facebook) or otherwise
  • interact with our website, social applications, services, content and advertising

invest in our business or enquire as to a potential purchase in our business.

How we collect information from third parties

Where possible, we collect your personal information directly from you. However, there may be occasions when we collect personal information (including sensitive information) about you from someone else. This includes healthcare practitioners, medical practices, healthcare facilities, and authorised clinical staff who input or manage patient information within the platform as part of your care, as well as integrated third-party clinical systems (including but not limited to RXPad, PRODA, Eclipse, and other FHIR-enabled systems).

Specifically, we ingest theatre booking lists provided by medical rooms and hospitals via CSV file, which securely pre-fills patient names, dates of birth and procedures into our platform to generate patient questionnaires.

How you provide information for someone else

If you are providing personal and/or sensitive information on behalf of someone else, you must have the consent of that person to provide their personal and/or sensitive information to us to be collected, used, and disclosed in accordance with this privacy policy. We reserve the right to request evidence of this consent.

If you are providing personal and/or sensitive information on behalf of someone under the age of 18 (Minor), you must be that Minor’s parent or legal guardian and you must provide consent for the Minor’s personal and/or sensitive information to be collected, used and disclosed in accordance with this privacy policy.

How we collect information from cookies

We may also collect personal information from you when you use or access our website or our social media pages. This may be done through use of web analytics tools, ‘cookies’ or other similar tracking technologies that allow us to track and analyse your website usage. Cookies are small files that store information on your computer, mobile phone or other device and enable and allow the creator of the cookie to identify when you visit different websites. If you do not wish information to be stored as a cookie, you can disable cookies in your web browser.

We use Cloudflare KV for caching and performance, and Firebase Auth for user authentication.

We may use Google Analytics to collect and process data, including when you use third party websites or apps. To find out more see How Google uses data when you use our partners’ sites or apps.

USE OF YOUR PERSONAL INFORMATION

We collect and use personal information for the following primary purposes:

  • to provide goods, services or information to you
  • to provide and operate our SaaS platform, including facilitating pre-operative patient intake, clinical workflow management, task coordination and structured clinical data output
  • to enable healthcare practitioners to access, review and use patient information for clinical and administrative purposes (including assessing risk and planning anaesthetic approaches)
  • to verify the identity, professional registration, and eligibility of healthcare practitioners to use the platform, including where applicable AHPRA registration details or other professional identifiers provided by the practitioner, for identity and professional verification purposes only and not for regulatory assessment by us
  • to manage our contractual and billing relationship with healthcare practitioners and healthcare facilities
  • for record keeping and administrative purposes
  • to provide information about you to our contractors, employees, consultants, agents or other third parties for the purpose of providing goods or services to you
  • to improve and optimise our service offering and customer experience
  • to comply with our legal obligations, resolve disputes or enforce our agreements with third parties
  • to send you administrative messages, reminders, notices, updates, security alerts, and other information requested by you

to consider an application of employment from you.

We may also use your personal information for:

  • secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use and consistent with the reasonable expectations of healthcare practitioners and patients using the platform
  • such purposes where we reasonably believe that use of your personal information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent
  • any other purpose for which we receive consent from you

any other purpose which is permitted or required under applicable privacy laws.

For healthcare practitioners and healthcare facilities, we may collect and process billing and administrative data, including Medicare Benefits Schedule (MBS) item codes, health fund rebate calculations, payment reconciliation data, and invoice processing and handoff information (Provider Billing Data).

Provider Billing Data is collected and handled in accordance with the Australian Privacy Principles and the safeguards described in this policy. While such information may be associated with a patient or episode of care, it is treated as administratively distinct from patient health information and is used primarily for billing, reconciliation, and practice management purposes within the platform.

HOW WE DISCLOSE YOUR PERSONAL INFORMATION

DISCLOSURE

Your personal information is not made generally available to all users of the platform. Access is restricted to healthcare practitioners who are involved in your care and who are members of the relevant clinical service, practice group, or healthcare facility where your procedure or treatment is being conducted.

Access is granted only where necessary for clinical, administrative or perioperative workflow purposes.

We respect your privacy, and we will take reasonable steps to keep your personal information confidential and protected. We may disclose your personal information to:

  • your nominated healthcare practitioner and other healthcare practitioners who are part of the same clinical service, practice group, or healthcare facility responsible for your care or procedure, where such disclosure is reasonably necessary for your pre-operative assessment, anaesthetic management, treatment, or related clinical workflow activities carried out through the platform
  • other healthcare providers involved in your care, including those providing covering, assisting, or continuity-of-care services within the same clinical service, practice group, or healthcare facility, or to whom you are referred or from whom a referral is received
  • our professional advisors such as lawyers, accountants and auditors
  • our related entities

any third parties you have consented personal information to be disclosed to.

We do not disclose patient information to other users of the platform unless they are involved in your care or authorised by the relevant healthcare practitioner. Our databases utilise strict Row-Level Security (RLS) to ensure that access is provider-scoped. This means patient data is exclusively accessible by the specific treating anaesthetist or their authorised cover providers, and is completely segregated from other practitioners on the platform.

We may also disclose your personal information to third-party service providers and contractors where reasonably necessary to enable us to provide our goods and services to you or to operate our business. These may include providers of customer relationship management systems, cloud storage and hosting services, information technology support, data processing, payment processing, marketing services, and debt collection services.

Such third parties may include, but are not limited to, Supabase, Cloudflare, Google, Apple, Firebase Storage, Firebase Cloud Functions and Google Cloud. A full DPA register is available upon request.

We take care to work with such third parties who we believe maintain an acceptable standard of data security and require them not to use your personal information for any purpose except for those activities we have asked them to perform on our behalf.

We will not otherwise disclose your personal information unless:

  • you have consented to us disclosing your personal information for particular circumstances
  • as needed in an emergency or in investigation suspected criminal activity
  • we are required to disclose under a subpoena, court order or other mandatory reporting requirements
  • we reasonably believe that disclosure of your information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent
  • it is reasonably necessary for the establishment, exercise or defence of a legal claim

it is otherwise authorised or required by law.

GOVERNMENT DIGITAL HEALTH SYSTEMS AND INTEGRATIONS

We may collect, use and disclose personal information (including, where applicable, health information and healthcare identifiers) to and from government-operated or government-regulated digital health systems as functionality becomes available within our platform. These systems may include, but are not limited to, Services Australia (including PRODA), the Healthcare Identifiers Service, My Health Record, the Australian Immunisation Register (AIR), and other systems governed by the Australian Digital Health Agency (ADHA) or successor bodies.

Such collection, use and disclosure will occur only where reasonably necessary to:

  • verify the identity and registration of healthcare practitioners
  • facilitate clinical care, coordination, or continuity of care
  • enable billing, claiming or health service administration

comply with applicable legal and regulatory requirements.

We will only connect to and interact with these systems in accordance with applicable laws (including the Privacy Act 1988 (Cth), Healthcare Identifiers Act 2010 (Cth), and My Health Records Act 2012 (Cth)) and any relevant participation agreements, access controls, and consent requirements. Where required, access to or disclosure of your information via these systems will be subject to your consent or the authorisation of your treating healthcare practitioner.

storage of YOUR PERSONAL INFORMATION

To provide a secure, high-performance platform, we utilise global, enterprise-grade cloud infrastructure providers. As a result, your personal information will be transferred and stored overseas.

Specifically, our primary databases (Supabase PostgreSQL) are hosted in Tokyo (Japan), our authentication services (Firebase) are hosted in the United States, and our Content Delivery Network (Cloudflare) operates globally.

By providing your personal information, you consent to this cross-border transfer. Japan and the United States both possess privacy frameworks considered adequate by Australian regulators.

We take strict, reasonable steps to protect your personal information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure. All cross-border data transfers are protected by Data Processing Agreements featuring Standard Contractual Clauses. Furthermore, all data is encrypted at rest and encrypted in transit.

When you communicate with us through a social media service such as Facebook or Twitter, the social media provider and its partners may also collect and hold your personal information overseas.

SENSITIVE INFORMATION

Collection of sensitive information

We may collect sensitive information about you during the course of providing you our goods and services. We collect and process this information solely as a technology service provider to healthcare practitioners. We will only collect this sensitive information where you consent to such collection and either directly provide us with this information or it is provided by a referring health care provider.

Where sensitive information is collected via the platform by or on behalf of a healthcare practitioner, that practitioner is responsible for obtaining any necessary consents for the collection and use of that information for clinical purposes, including ensuring they have obtained all necessary consents from patients prior to inputting data into the platform.

Types of sensitive information we collect

The sensitive information we collect may include the following:

  • health information, history and reports, including patient information such as medical history, medications, allergies, surgical history, anaesthetic history, dental history, family history, pregnancy status, weight, height and other health information required pre-anaesthetic
  • referring health care provider and associated referral letters
  • private health fund and private health insurance cover details
  • Medicare number, healthcare identifiers or concession card or other entitlement details

any other sensitive information provided by you or a third party to us via our website or platforms, or otherwise provided by you or a third party to us.

How we use your sensitive information

Your sensitive information will only be used for the purpose of:

  • providing you with our goods and services
  • facilitating clinical assessment, pre-operative evaluation and preparation by healthcare practitioners using our platform
  • complying with our legal obligations, resolving disputes or enforcing our agreements with you
  • sending you messages, reminders, notices, updates, security alerts, and other information requested by you

any other purpose which is permitted or required under applicable privacy laws.

How we disclose your sensitive information

Your sensitive information will only be disclosed to third parties for the purpose of:

  • providing patient information to the nominated healthcare practitioner, and other healthcare practitioners involved in your care within the relevant clinical service, practice group, or healthcare facility, via the platform for clinical and perioperative purposes

any other purpose which is permitted or required under applicable privacy laws.

How you can withdraw consent

If you wish to withdraw your consent to our collection, use or disclosure of your sensitive information, please contact us using the contact details set out below. We will deal with all such requests within a reasonable timeframe.

MARKETING

We may at times send you marketing communications which will be done in accordance with the Spam Act 2003 (Cth) (Spam Act).

If we do, we may use email, SMS, social media, phone or mail to send you direct marketing communications.

Where consent is needed, we will ask you for your consent before sending you marketing communications, except where you:

  • have explicitly opted-in to receiving email marketing from us in the past

were given the option to opt-out of email marketing when you initially signed up for one of our platforms and you did not do so.

You can, at any time, opt out of receiving marketing materials from us by using the opt-out facility provided (e.g., an unsubscribe link on emails we send you) or by contacting us via the details provided at the end of this privacy policy. We will implement such a request as soon as possible, however, cannot guarantee that such a response will be immediate.

DE-IDENTIFIED INFORMATION

The information we collect may have analytical, educational, or commercial value to us. Where we have de-identified the information we have collected, we reserve the right to process and distribute such information, provided that such information has been irreversibly de-identified and cannot reasonably be used to re-identify any individual.

DATA BREACHES

In the event of a data breach involving personal information that is likely to result in serious harm, we will comply with our obligations under the Privacy Act. This may include notifying affected individuals and the Office of the Australian Information Commissioner (OAIC), where required. We will assess suspected data breaches in accordance with our formal Breach Response Procedure and the Notifiable Data Breaches scheme and take reasonable steps to mitigate harm where possible.

SECURITY

We take reasonable steps to ensure your personal information is secure and protected from misuse or unauthorised access. Our information technology systems are password protected, and we use a range of administrative and technical measures to protect these systems. This includes role-based authentication, quarterly rotated API keys, and encrypted secrets. However, we cannot guarantee the security of your personal information.

LINKS

Our website may contain links to other websites. Those links are provided for convenience and may not remain current or be maintained. We are not responsible for the privacy practices of those linked websites and we suggest you review the privacy policies of those websites before using them.

REQUESTING ACCESS OR CORRECTING YOUR PERSONAL INFORMATION

If you wish to request access to the personal information we hold about you, please contact us using the contact details set out below including your name and contact details. We may need to verify your identity before providing you with your personal information. In some cases, we may be unable to provide you with access to all your personal information and where this occurs, we will explain why. We will deal with all requests for access to personal information within a reasonable timeframe.

If you think that any personal information we hold about you is inaccurate, please contact us using the contact details set out below and we will take reasonable steps to ensure that it is corrected.

You also have the right to request the deletion of your personal data. Deletion requests are processed through an automated 30-day retention cycle, after which your data is permanently removed from our databases.

COMPLAINTS

If you wish to complain about how we handle your personal information held by us, please contact us using the details set out below including your name and contact details. We will investigate your complaint promptly and respond to you within a reasonable timeframe.

If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) by visiting www.oaic.gov.au.

healthcare practitioners

Healthcare practitioners, medical practices, and healthcare facilities that use our platform are independent entities responsible for their own compliance with applicable privacy laws, including the collection, use, and disclosure of patient information.

We provide a software platform that facilitates secure storage, processing, and workflow management of patient information on behalf of these healthcare providers.

Nothing in this policy should be interpreted as creating a doctor–patient relationship between us and any patient whose information is processed through the platform.

CONTACT US

For further information about our privacy policy or practices, or to access or correct your personal information, or make a complaint, please contact us using the details set out below:

Name: Privacy Officer, GasLedger Pty Ltd

Email: drclintjohnson@gmail.com

Address: Unit 23, 4 Bank Street, Wollongong NSW 2500

Our privacy policy was last updated on 20.04.2026

← Home