Privacy Policy

How Olyva collects, uses, stores, discloses and protects personal information when providing the AI Voice Receptionist platform to healthcare organisations — in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Last updated · June 2026
ACN 693 799 012
Governing law · Privacy Act 1988 (Cth)

01

Introduction

Olyva AI Solutions Pty Ltd is committed to protecting the privacy and confidentiality of personal information. We manage personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable, relevant State and Territory health records legislation.

This Privacy Policy explains how we collect, use, store, disclose and protect personal information when providing the Olyva AI Voice Receptionist platform and associated digital services to healthcare organisations.

Olyva operates as a technology provider supporting healthcare practices. Healthcare providers using our services remain the primary custodians of patient medical records and retain responsibility for the management of clinical information in accordance with applicable healthcare privacy laws.

02

Scope and Application

This Privacy Policy applies to personal information collected or processed through Olyva's services, including:

  • AI-powered voice receptionist systems
  • Web-based administrative dashboards
  • Website interactions
  • Integration with healthcare practice management systems (PMS)
  • Cloud-based infrastructure supporting the Olyva platform

The policy applies to:

  • Patients and Callers — individuals contacting healthcare providers using Olyva-enabled systems.
  • Healthcare Clients — medical practices, clinics, and healthcare staff using Olyva services.
  • Website Visitors — individuals visiting Olyva websites or digital platforms.

If you are a patient, the clinic you contacted holds the primary relationship with you and is the first point of contact for questions about your information. We will support the clinic in responding.

03

Key Definitions

Personal Information
Information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined under the Privacy Act 1988 (Cth).
Sensitive Information
A subset of personal information that includes health information and other sensitive data categories defined under the Privacy Act. Sensitive information is subject to a higher level of protection.
Healthcare Provider
A clinic, medical practice, or health organisation that has entered into a service agreement with Olyva.
Service Provider (Sub-processor)
A third party we engage to help operate the platform (for example, cloud hosting or voice-technology providers), which handles personal information only on our instructions and for the purpose we engage it.
Eligible Data Breach
A data breach likely to result in serious harm to affected individuals under the Notifiable Data Breaches (NDB) scheme.
04

Operational Role and Regulatory Position

Olyva operates as a technology infrastructure provider and service provider supporting healthcare providers. In data-protection terms, the healthcare provider is the entity that decides how patient information is used (the custodian/controller), and Olyva handles that information on the provider's behalf.

Healthcare providers remain the primary custodians of patient medical records.

Olyva processes personal information only to the extent necessary to perform administrative functions, such as appointment scheduling and enquiry handling, and does so in accordance with the instructions of the healthcare provider.

Olyva does not provide clinical services, medical advice, diagnosis, or treatment recommendations.

05

Use of Artificial Intelligence

Olyva uses artificial intelligence technology to power automated voice reception services for healthcare providers.

When individuals contact a clinic that uses Olyva services, they may interact with an AI-powered voice system designed to assist with administrative tasks, including:

  • Appointment booking
  • Appointment changes or cancellations
  • General clinic enquiries
  • Call routing

Callers are told whenever they ask that they are speaking with an automated AI assistant, and, where calls are recorded, are notified of the recording. If a caller prefers not to continue with the AI assistant, the call can be escalated to, or handled by, clinic staff.

The AI system supports administrative processes and does not provide medical advice or clinical decision-making. Human clinic staff remain responsible for all medical care and clinical interactions.

06

Information We Collect

To provide our services, Olyva may process limited personal information necessary to support administrative interactions. This may include:

Identity and Contact Information
  • Full name
  • Date of birth
  • Phone number
Appointment Information
  • Appointment date and time
  • Preferred practitioner
  • Consultation type
  • Clinic location
Health-related Information

Limited health information that a caller chooses to provide for an administrative purpose — for example, the general reason for an appointment, or an enquiry about appointment or test status. This is sensitive information and is handled as described in section 7.

Communication Metadata
  • Date and time of calls
  • Duration of interaction
  • Technical identifiers necessary for system functionality
Website Data

When individuals visit our website, we may collect IP address, browser information, device information, and website usage analytics.

07

Sensitive and Health Information

A caller's reason for contacting a clinic is often health information, which is sensitive information under the Privacy Act.

We collect and handle health information only:

  • where it is reasonably necessary for the healthcare provider to provide a health service to the individual, and the individual is contacting the clinic to obtain that service; and/or
  • with the individual's consent; and/or
  • where another exception under the Privacy Act applies (such as a permitted health situation).

We do not use health information for any purpose other than delivering the clinic's administrative service, and we never use it for marketing.

08

Voice Processing and Call Recordings

Calls interacting with the Olyva AI receptionist may be temporarily processed, transcribed, or recorded for the purposes of:

  • enabling appointment booking and enquiry handling
  • improving system accuracy
  • maintaining service quality
  • supporting system troubleshooting and security monitoring

Where recordings or transcripts are retained, they are protected using appropriate technical and organisational safeguards. Olyva seeks to minimise the storage of identifiable audio data wherever possible.

09

Clinical Information Limitation

Olyva systems are designed primarily to support administrative workflows.

We do not intentionally collect or store detailed clinical records, diagnostic results, or comprehensive medical histories. Callers should provide only the information required for appointment scheduling or general enquiries.

All clinical information remains within the healthcare provider's Practice Management System (PMS).

10

Privacy by Design and Data Minimisation

Olyva adopts a Privacy-by-Design architecture, meaning our systems are built to minimise the collection and retention of personal information.

Where possible:

  • data is processed transiently during interactions
  • personal identifiers are not permanently stored beyond what is needed for the service
  • information is transmitted directly to the healthcare provider's PMS

Internal logs used for system monitoring use de-identified, pseudonymised, or masked data, and we keep patient-identifying details out of operational alerts and notifications.

11

Basis for Handling Personal Information

Olyva handles personal information under the Privacy Act on the following bases:

  • providing the administrative services requested by healthcare providers
  • supporting healthcare appointment administration
  • ensuring system security and reliability
  • complying with legal obligations

For general personal information, we collect and use it as reasonably necessary to provide the administrative service the healthcare provider has engaged us to deliver. For sensitive (health) information, we rely on the bases set out in section 7.

Callers are informed at the start of a call that they are interacting with an automated assistant and that the call may be recorded. Continuing the call indicates agreement to administrative handling as described in this policy; it does not replace any consent the healthcare provider separately obtains for clinical purposes.

12

Use of Personal Information

Personal information processed by Olyva may be used for:

  • appointment management
  • identity verification
  • responding to enquiries
  • improving system performance
  • monitoring service availability
  • producing de-identified operational analytics for healthcare providers

Olyva does not sell, rent, or trade personal information, and does not use patient information for advertising or marketing.

13

Disclosure of Information

Olyva discloses information only in limited circumstances:

Healthcare Providers

Information is primarily transmitted to the clinic that the individual contacted.

Service Providers (Sub-processors)

Trusted infrastructure and technology providers who help us operate the platform, subject to strict confidentiality and data-protection obligations. These currently include:

  • Cloud infrastructure — Amazon Web Services (Sydney / Australia region), hosting our application and database.
  • Language model processing — LLM provider, for processing only with no data retention.
  • Telephony and voice technology — voice TTS & STT models, which handle live call audio, speech recognition, and speech synthesis, for processing only with no retention.
  • Operational notifications — for internal system alerts; patient-identifying details are kept out of notification content.
Legal Requirements

Where disclosure is required by law or necessary to protect public safety.

We require our service providers to protect personal information and to use it only for the purposes for which we engage them.

14

Cloud Infrastructure and Data Security

Olyva uses secure cloud infrastructure. Our application and database run in the Sydney (Australia) region, supporting Australian data sovereignty for the information we store.

Security measures include:

  • encryption of data at rest (AES-256)
  • encryption of data in transit (TLS 1.2 or higher)
  • restricted access controls
  • secure network architecture
  • vulnerability monitoring
  • security logging and auditing
15

Cross-Border Data Processing

Most personal information we handle is stored and processed in Australia (see section 14).

However, some real-time voice processing — such as speech recognition and speech synthesis during a live call — is performed by specialist voice-technology providers that may process call audio or text outside Australia.

Where any personal information is disclosed to, or processed by, an overseas recipient, Olyva takes reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles, including through contractual protections and, where available, zero-retention configurations that prevent the provider from storing call content.

16

Data Retention and Disposal

Olyva follows a data minimisation model. Personal information processed during interactions is retained only for as long as necessary to complete the requested administrative task or as required by law.

Where possible:

  • identifiable data is transmitted directly to the healthcare provider's PMS
  • temporary processing data is deleted after completion of the interaction
  • de-identified operational logs may be retained for system security and performance monitoring
17

Data Breach Response

Olyva maintains a Data Breach Response Plan consistent with the Notifiable Data Breaches (NDB) scheme.

If an eligible data breach occurs, we will:

  1. Contain the incident
  2. Assess the scope and potential impact
  3. Notify affected healthcare providers
  4. Notify the Office of the Australian Information Commissioner (OAIC) where required by law
  5. Cooperate with healthcare providers in notifying affected individuals

Nothing in any agreement Olyva is party to prevents us from making a disclosure or notification that is required by law.

18

Access and Correction of Personal Information

Individuals have the right to request access to their personal information or request correction of inaccurate information.

Because healthcare providers maintain the primary patient records, patients should direct these requests to the relevant healthcare provider. Olyva will assist healthcare providers where necessary to support these requests. Clinic users and other individuals can contact us using the details below.

19

Children's Privacy

Healthcare services may involve personal information relating to minors. In these circumstances, information is typically provided by parents or guardians on behalf of the child. Olyva handles such information in accordance with applicable privacy laws and healthcare provider instructions.

20

Cookies and Website Analytics

Our website may use cookies and analytics tools to understand how visitors use our website. These technologies may collect IP address, browser type, device information, and pages visited. This information helps us improve website functionality and user experience.

21

Complaints

If you have concerns about how Olyva has handled personal information, please contact our Privacy Officer (details below). We will investigate complaints and respond within a reasonable timeframe.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

22

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. The "Last Updated" date at the top of this policy indicates the most recent revision.

23

Contact Details

Questions about this policy, or about how we handle personal information, can be directed to our Privacy Officer.

Privacy Officer

Olyva AI Solutions Pty Ltd