Praxiko Privacy Policy
Last updated: 4 July 2026. Version 1.0.
1. About this policy and who we are
Praxiko is a software platform operated by Benjamin Stanton-Humphreys (ABN 71 554 670 669), trading as Praxiko ("Praxiko", "we", "us", "our"). Praxiko provides a multi-tenant software service that health and wellness practitioners and their organisations ("Practitioners") use to support their work with, and their relationships with, the people they see ("Clients").
This policy explains how we handle personal information and how we comply with the Privacy Act 1988 (Cth) ("Privacy Act") and the 13 Australian Privacy Principles ("APPs"). We treat ourselves as bound by the Privacy Act and the APPs, and we apply this policy to all personal information we handle, regardless of whether an exemption might otherwise be available to us. Because Praxiko holds health information on behalf of Practitioners, we consider ourselves bound in any event.
2. How the platform works — who is responsible for what
Praxiko is a platform used by Practitioners. The relationship between a Practitioner and their Clients — including any clinical, health or wellness relationship — is between the Practitioner and the Client. It is not a relationship with Praxiko.
Because of this, personal information on the platform falls into two categories, and responsibility differs:
- Information Praxiko handles for its own purposes. This is information about Practitioners and their staff who hold accounts, people who buy a personal Praxiko subscription directly from us, and visitors to our website. For this information, Praxiko decides how and why it is handled, and Praxiko is directly responsible under the Privacy Act.
- Client information that a Practitioner enters into or stores on the platform. The Practitioner is the party that has the relationship with the Client, decides what to collect, and is responsible for having the necessary consents and giving the necessary notices to the Client. Praxiko provides the secure environment that stores and processes this information on the Practitioner's behalf and under the Practitioner's direction. Praxiko still protects this information under the APPs — in particular the security, access-and-correction, and data-breach obligations — because Praxiko holds it.
If you are a Client with a question about why your information was collected or how your Practitioner uses it, please contact your Practitioner first. Section 11 explains how Praxiko handles requests it receives directly.
3. The kinds of personal information we collect
- Account and identity information — name, email address, phone number, business name, ABN, professional role and details, and login credentials.
- Billing and subscription information — subscription plan, billing history, and limited payment details. Card details are collected and processed by our payment provider (Stripe) and are not stored by Praxiko. See section 6.
- Usage and technical information — device and browser type, IP address, log data, and how you use the platform.
- Client information entered by Practitioners — a Client's name and contact details, appointment and engagement records, notes, tracked wellness data, and other information the Practitioner chooses to record. In our launch categories (including women's and pelvic health), this information can be especially sensitive.
4. Sensitive information and health information
Some information on the platform is sensitive information under the Privacy Act, and health information is a category of sensitive information that attracts a higher standard of protection.
- Where a Practitioner records health or other sensitive information about a Client, the Practitioner is responsible for obtaining the Client's consent to collect it, and for ensuring the collection is reasonably necessary for the Practitioner's services. Praxiko's platform supports the Practitioner in obtaining and recording that consent (see our Client consent materials), but the consent obligation rests with the Practitioner.
- Where Praxiko would collect sensitive information for its own purposes, we will generally seek your express consent first, and we will only collect it where it is reasonably necessary for our functions.
We apply heightened security and access controls to health and other sensitive information (see section 7).
5. How we collect personal information, and our collection notices
We collect personal information: directly from you when you create an account, subscribe, contact us, or use the platform; from a Practitioner, where a Practitioner enters Client information; automatically, through your use of the platform; and from our service providers (for example, our payment provider confirming a subscription payment).
At or before the time we collect personal information for our own purposes, we take reasonable steps to notify you of the matters required by APP 5 — including who we are, why we are collecting the information, who we usually disclose it to, that this policy explains how to access and correct it and how to complain, and whether we are likely to disclose it overseas.
We use personal information to: provide, operate, secure and improve the platform; create and administer accounts and subscriptions, and process our subscription payments; respond to enquiries and provide support; send service communications and, where permitted, product updates (you can opt out of marketing at any time); meet our legal, regulatory and record-keeping obligations; and detect, prevent and respond to fraud, misuse and security incidents.
We only use or disclose personal information for the purpose we collected it, for a directly related purpose you would reasonably expect, or where you have consented or the law permits or requires it (APP 6).
Client information is used by Praxiko only to provide the platform to the Practitioner and on the Practitioner's instructions. Praxiko does not sell personal information, and does not use identifiable Client information for its own marketing.
Some features of the platform use automated tools to help a Practitioner — for example, generating a draft summary of notes. These tools assist the Practitioner; they do not make automated decisions that produce legal or similarly significant effects for any Client. See section 12.
6. Our service providers, and who we disclose information to
We use a small number of trusted service providers (sub-processors) to run the platform. They are permitted to use personal information only to provide their services to us, under contract, and not for their own purposes.
| Provider | What they do for us | Information involved | Where it is stored / accessed |
|---|---|---|---|
| Supabase | Core database and user authentication — the primary store for platform data | Account information and Client information | Hosted in Sydney, Australia (Amazon Web Services Asia Pacific (Sydney), ap-southeast-2). Supabase is a United States company; its personnel may access systems from outside Australia to provide support and engineering. |
| Resend | Transactional email delivery (for example, invitations, notifications and password resets) | Email address and email content | Processed by a United States provider; email may be routed and handled outside Australia. |
| Netlify | Website and application hosting and content delivery (CDN) | Technical and log data (requests served via a global content-delivery network) | United States company operating a global content-delivery network; content may be served from edge locations outside Australia. |
| Stripe | Billing for Praxiko's own subscriptions only — Practitioner plans and the optional personal self-pay subscription | Subscription and limited payment information (card details are handled by Stripe, not stored by Praxiko) | Operates internationally, including the United States and Ireland. |
Praxiko does not process, hold, pool or transmit any payment between a Practitioner and their Clients. Where the platform includes an invoicing feature, it is a record-keeping and document tool only: the Practitioner issues the invoice and receives payment directly, outside the platform. Stripe is used solely to bill Praxiko's own subscription fees.
We may also disclose personal information to: a Practitioner, in respect of that Practitioner's own Clients; professional advisers, regulators or authorities where required or authorised by law; and an acquirer in connection with a sale or restructure of the business, subject to appropriate protections.
We do not disclose Client information to other Practitioners or tenants. The platform is designed so that each Practitioner or organisation can only access its own data.
7. Where your information is stored, and overseas access (data residency)
The core of the platform — including account information and Client health information — is stored in a database hosted in Sydney, Australia (Amazon Web Services Asia Pacific (Sydney) region), through our infrastructure provider Supabase.
As set out in the table in section 6, some of our service providers, their personnel or their sub-contractors are located outside Australia or may access information from outside Australia — in particular our email provider (Resend), our hosting and content-delivery provider (Netlify), our payment provider (Stripe), and some support and engineering functions of Supabase.
Where a provider only stores or processes information for us under a binding contract that limits how they may handle it, requires their sub-contractors to accept the same obligations, and leaves us in effective control, we treat this as our own use of the information. Where information is genuinely disclosed overseas, we take reasonable steps under APP 8 to ensure the recipient handles it consistently with the APPs, and we remain accountable for it under the Privacy Act. By using the platform, you acknowledge that your information may be stored or accessed overseas in the ways described above.
8. How we keep information secure
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11):
- data hosted in the Sydney region, with encryption in transit and at rest;
- tenant isolation (row-level security) so each Practitioner or organisation can only access its own data;
- access controls, authentication and least-privilege internal access;
- logging and monitoring; and
- confidentiality obligations on anyone who works on the platform.
No system is perfectly secure. We continue to review and improve our security, and we destroy or de-identify personal information when we no longer need it (see section 10).
9. Data breaches
We maintain a data breach response plan. If we experience a data breach that is likely to result in serious harm to affected individuals and that we cannot prevent with remedial action, we will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act — we will assess the incident (taking all reasonable steps to complete our assessment within 30 days of becoming aware of it, and sooner where we can) and, where it is an eligible data breach, notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
Where a breach affects Client information a Practitioner stores on the platform, we will notify the affected Practitioner promptly and work with them, recognising that the Practitioner may also have its own notification obligations.
10. How long we keep information
We keep personal information only for as long as we need it for the purposes described in this policy, or for as long as we are required to keep it by law, and then we take reasonable steps to destroy it or de-identify it.
Client information is retained on behalf of the Practitioner for the life of the Practitioner's account, and for a limited period after the Practitioner leaves the platform to allow export and to help the Practitioner meet their own record-keeping obligations, after which it is deleted or de-identified in line with our terms. Health-record retention periods are set by the law and professional obligations that apply to the Practitioner, not to Praxiko; our default retention window is set so that it does not force a Practitioner to breach those obligations.
11. Accessing and correcting your information
You may ask us to access the personal information we hold about you, or to correct it (APP 12 and APP 13). To make a request, email us at privacy@praxiko.app.
We handle access and correction requests manually. When you contact us, we will verify your identity, respond within a reasonable time (we aim to respond within 30 days), and generally will not charge you for an access request. If we correct information, we will not charge you; if we do not agree to correct it, you may ask us to attach a statement noting that you consider it inaccurate, out of date, incomplete, irrelevant or misleading. If we refuse access or correction, we will tell you why and how you can complain.
If you are a Client, information your Practitioner has recorded about you is usually best accessed or corrected through your Practitioner, who holds the relationship with you. If you contact us directly, we will help by directing your request to the relevant Practitioner, or by responding ourselves where that is appropriate.
(Note: at launch we do not offer instant self-service download of your data; we handle every request through the manual process above. If we introduce a self-service export feature, we will update this policy.)
12. Automated decision-making
Praxiko does not make decisions about you using solely automated processes that have a legal or similarly significant effect on you. Some platform features use automated tools to assist a Practitioner — for example, drafting a summary of notes for the Practitioner to review — but a person (the Practitioner) remains responsible for any decision about a Client. If this changes, we will update this policy to describe those processes before the relevant obligations apply to us.
13. Cookies and analytics
We use cookies and similar technologies to keep you signed in, remember your preferences, keep the platform secure, and understand how the platform is used so we can improve it. You can control cookies through your browser settings, though some features may not work without them. We do not use third-party advertising cookies.
14. Complaints
If you think we have breached the APPs or mishandled your personal information, please contact us first at privacy@praxiko.app. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC): web www.oaic.gov.au, phone 1300 363 992. If you are in New South Wales and your complaint concerns health information, you may also be able to complain to the NSW Information and Privacy Commission (www.ipc.nsw.gov.au).
15. Changes to this policy
We may update this policy from time to time. The current version is always available on our website, and we will take reasonable steps to notify you of material changes.
16. Contact us
Privacy enquiries and access/correction requests: privacy@praxiko.app.