Privacy Policy
Exora Health Pty Ltd (ABN 16 690 025 462)
Effective date: 21 May 2026 | Version: 1.4
At a Glance
- Your health data is stored in Australia (Sydney data centers); AI processing may involve overseas services (see Section 6)
- We never sell your data or use it for advertising
- You control who sees your data - sharing is always initiated by you, and you can revoke access at any time
- You can delete your account at any time - 30-day recovery window, then permanent deletion of your health data, documents, and personal information (audit logs retained for compliance)
- Our document processing AI runs on Google Cloud Gemini Enterprise under a signed Cloud Data Processing Addendum, with server-side data caching disabled - inputs and outputs are not retained by Google after a request completes. We may also use OpenAI and Anthropic for specific features. Under all our commercial agreements, providers do not train AI models on your data.
- We do not include sensitive health details in push notifications
- Contact us at hello@exora.au with any privacy questions
1. About This Policy
exora is a personal health data platform that helps you organize your medical records using artificial intelligence. You upload your medical documents, and our AI extracts and structures the health information for your personal use.
This privacy policy explains how Exora Health Pty Ltd (“exora”, “we”, “us”, “our”) collects, uses, stores, and protects your personal information when you visit our marketing website (exora.au) or use the exora platform (our mobile app and web app at app.exora.au).
We are bound by the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Health information is classified as sensitive information under the Act, and we treat it with additional care.
exora is not a medical device, healthcare provider, or clinical decision support system. Information provided by exora, including AI-generated summaries and structured health records, is for your personal reference only and does not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional for medical decisions.
2. What We Collect
Account information: Your name, email address or phone number, date of birth, and optional fields such as biological sex and gender identity. Your PIN is stored as a secure hash only - we never see or store the raw PIN. If you verify your identity through ConnectID, we receive your verified legal name and date of birth from your bank.
Health information: Medical documents you upload (PDFs, images, scans) and the clinical data our AI extracts from them, including conditions, medications, allergies, vital signs, laboratory results, procedures, and immunization records. This is sensitive information under the Privacy Act and is only collected with your express consent.
Chat data: Messages you send to our AI health assistant and photos you share in chat for analysis. Photos shared in chat are stored on our servers alongside your chat history and are deleted when you delete the chat session or your account.
Voice-to-text input (chat composer mic): When you tap the microphone in the chat composer, your recorded voice clip is transcribed to text by Google’s speech-to-text service. The audio is transcribed and discarded immediately; we do not retain voice clips on our servers.
AI voice conversations (Beta features): When you opt in to AI voice conversations in Settings -> Beta features and explicitly accept the consent dialog the first time you use it, you can hold a spoken conversation with our AI assistant. Your microphone audio is streamed in real time to Google’s Gemini Live AI service for the duration of the conversation. Audio frames are not stored as audio; only structured session metadata and the text transcript of the conversation are retained (see Section 8). See Section 9 for the full description of how this works.
Device information: A unique identifier generated by the app (not a hardware device ID), your device name, platform (iOS or Android), app version, and push notification token if you enable notifications.
Location information (optional): If you grant location permission, we use your device’s approximate location to improve two features: suggesting nearby places when you add an appointment, and giving the AI health assistant city-level context. We use approximate (coarse) location only, never precise location, and only at the moment you use these features - we do not track you or build a location history. You can decline location access and both features still work without it.
Marketing contact information: If you submit any form on our website (contact form, blog “follow along” signup, family-history-request, future EOI surfaces), we capture your email address, the form submitted, and limited submission metadata (page URL, UTM parameters, country and locale at submission, IP address, and the exact consent copy you saw). This is stored in our Sydney-hosted Supabase database (see Section 6) and used as described in Section 4.
What we do not collect: Contacts, browsing history, advertising identifiers, biometric data (Face ID and Touch ID are processed entirely on your device), precise (GPS-level) location, or payment information.
3. How We Collect It
Directly from you: When you create an account, set up profiles, upload documents, send chat messages, take photos, or use voice input.
Automatically from your device: Device identifiers, platform information, and push notification tokens are collected when you use the app.
From your documents via AI processing: When you upload a medical document, our AI reads it and extracts structured health information. This processing is initiated by you and serves the primary purpose of organizing your health data.
From identity verification providers: If you choose to verify your identity, ConnectID returns your verified name and date of birth from your bank. This only happens when you initiate the process.
From external health data sources: In future, we may enable you to connect exora to external health data sources such as government health records or pathology providers. If we do, you will initiate and authorize each connection yourself, and you will be able to disconnect at any time. We will update this policy before launching any such integration.
4. Why We Use It
We collect your information to provide you with a personal, AI-powered health data platform. Specifically:
- Providing the service: Storing, organizing, and displaying your health records; processing your documents through our AI pipeline; powering the AI health assistant
- Account management: Authentication, device management, push notifications (with your permission)
- Sharing: Enabling you to share your health data with people and healthcare providers you choose
- Identity verification: Verifying your identity when you choose to use ConnectID
- Service improvement: Using aggregated, de-identified usage patterns to improve the platform (we do not use individual health data for this purpose)
- Marketing communications: Building a list of people who have submitted a form expressing interest in exora, so we can send invite codes when available, product updates, and the occasional newsletter. Every marketing email includes a one-click unsubscribe link. You can withdraw your consent at any time at exora.au/unsubscribe (use the link from any email we have sent you) or by emailing hello@exora.au.
- Legal compliance: Meeting our obligations under Australian law
What we never use your data for: Advertising, sale to third parties, AI model training, data mining, or commercial profiling. We do not send marketing messages unless you explicitly opt in.
When you upload a medical document, you consent to its processing by our AI systems to extract, structure, and organize your health data. We also send necessary service communications (authentication codes, security alerts, policy updates) via email or SMS - these are not marketing.
5. Who We Share It With
People you choose: You control who sees your health data. You can share specific records with family members, carers, or healthcare providers through exora’s sharing features. You choose the permission level and can revoke access at any time. All sharing actions are logged.
Service providers: We use the following providers to operate exora:
- Supabase - database and file storage (data hosted in Sydney, Australia)
- Google Cloud Platform - infrastructure (worker compute, OCR, storage in Sydney, Australia)
- Google Maps Platform (Places) - powers nearby-place suggestions when you add an appointment; receives your approximate location and search text only when you use that feature
- Google Cloud Gemini Enterprise (Vertex AI) - AI inference for document understanding, chat (text), narrative generation, and voice-to-text transcription. Routed via Google Cloud’s global endpoint under our signed Cloud Data Processing Addendum, with project-level data caching disabled and abuse-review logging opt-out requested. Inputs and outputs are not retained by Google after a request completes.
- Google AI Studio (Gemini Live API) - AI inference for real-time AI voice conversations (Beta). This is a different Google product to Gemini Enterprise above. Audio is streamed to Google’s global infrastructure (currently US-based for the model we use); the Cloud Data Processing Addendum that covers our Gemini Enterprise usage does not extend here. Use is gated behind explicit per-profile opt-in and informed consent (see Section 9). We are evaluating migration of this flow to Vertex AI Sydney once Google publishes the live-audio model variant there; this policy will be updated when that happens.
- Anthropic (Claude) - processes your document text and chat messages
- OpenAI - processes your document text and chat messages
- Vercel - hosts our marketing website and API routes (stateless transit layer for app data; app data is stored in Australia). Also provides cookieless aggregate analytics for the marketing website (see Section 12)
- ConnectID - identity verification (Australia only)
- Expo - push notification delivery routing
- Resend - email delivery for authentication messages and marketing emails (receives your email address only; never receives health data)
- Twilio - SMS delivery for authentication messages (receives your phone number only)
Authentication delivery providers (Resend, Twilio) receive only your email or phone number for delivering login codes. They do not receive health data.
Who cannot access your data: Other exora users (unless you share with them), advertisers, data brokers, insurance companies, or employers. We may disclose your personal information if required by law or legal process (such as a court order). If we receive a legal request for your data, we will notify you before disclosing it unless we are legally prohibited from doing so.
6. Where Your Data Is Stored and Processed
Stored in Australia. Your health records, documents, and account data are stored in Sydney, Australia, using Supabase (on AWS ap-southeast-2) and Google Cloud Platform (australia-southeast1).
AI processing may involve overseas services. When our AI processes your documents, chat messages, or voice conversations, content is sent to third-party AI providers. Our primary provider for document and chat AI is Google Cloud Gemini Enterprise. For real-time AI voice conversations (a Beta feature gated behind your explicit consent), we additionally use Google AI Studio’s Gemini Live API. We may also use Anthropic (Claude API) and OpenAI for specific features. These companies are headquartered in the United States. We may change, add, or remove AI providers based on quality, reliability, and cost. Per-provider terms:
- Google Cloud Gemini Enterprise (our primary provider): processed under our signed Cloud Data Processing Addendum. Server-side data caching is explicitly disabled at the project level. Inputs and outputs are not retained by Google after a request completes. We have additionally requested opt-out from Google’s safety abuse-review logging.
- Google AI Studio - Gemini Live API (voice conversations only): Real-time audio is streamed from our Sydney proxy server to Google’s global Gemini Live endpoint, which currently routes to US-based infrastructure for the audio model we use. As of this policy version, this flow is not covered by our Gemini Enterprise Cloud Data Processing Addendum. Under Google’s AI Studio terms for the free tier, Google may use submitted prompts and responses to improve its products and services. While voice is in internal Beta (Wave 2 testing only), we are operating on the free tier knowingly. Before any non-Wave-2 user is given voice access, we will either (a) migrate to a paid AI Studio tier or Vertex AI equivalent that contractually prohibits this training use, or (b) update this policy with clear disclosure of the data-use position then in effect. You can disable voice for any profile in Settings -> Beta features.
- OpenAI and Anthropic (when used): processed under their commercial API terms; data is not used for AI model training; providers may retain API data for up to 30 days for safety and abuse monitoring.
- All providers: data is processed and returned to us; not used to train AI models; not stored long-term.
We rely on signed contractual protections (Cloud Data Processing Addendum with Google; commercial terms of service with OpenAI and Anthropic) as our safeguard under APP 8 of the Privacy Act. If a provider breaches the APPs in handling your data, exora remains accountable under section 16C of the Privacy Act.
Our API routes are hosted on Vercel, which may process requests through servers in multiple regions during transit. All data is stored in Australia - Vercel acts as a stateless transit layer only.
All infrastructure providers maintain standard operational logs (including IP addresses and request metadata) for security monitoring and debugging, subject to their own retention policies.
7. How We Protect Your Information
We employ the following measures to protect your information:
- Encryption: All data is encrypted in transit (TLS) and at rest by our infrastructure providers
- Access controls: Row-Level Security on all clinical database tables ensures you can only access your own data
- User-isolated storage: Each user’s documents are stored in their own folder
- Authentication: Login via one-time codes sent to your email or phone - no passwords to breach
- Biometric unlock: Face ID and Touch ID are processed on your device; biometric data never leaves your device
- Session security: Authentication tokens are rotated on every use
- Audit logging: All data access and modifications are logged
- Infrastructure certification: Our database provider (Supabase) maintains SOC 2 Type II certification
No system is completely secure. If we ever experience a data breach affecting your personal information, we will notify you and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme.
8. How Long We Keep It
While your account is active: Your health data, documents, and chat history are retained for as long as your account exists. You can delete individual records at any time.
When you delete your account: All data is removed from live systems immediately and becomes inaccessible. Your account enters a 30-day recovery window during which you can reactivate by signing back in. After 30 days, an automated process permanently deletes all your data, including health records, documents, processing data, chat history, and storage files.
What survives deletion: Audit log entries are retained for 7 years after account deletion for compliance purposes. These logs contain user identifiers, timestamps, and records of data changes. They are not anonymised. Aggregated processing metrics (which do not contain health data) are also retained.
Backup retention: Automated database backups are kept for 7 days on a rolling basis. Uploaded documents are stored in file storage and retained for as long as your account is active. They are not included in database backups and are permanently deleted when your account is deleted.
AI provider retention: Google Cloud Gemini Enterprise (our primary provider) does not retain API data - server-side caching is disabled at the project level under our Cloud Data Processing Addendum. OpenAI and Anthropic (when used) may retain API data for up to 30 days for safety monitoring under their commercial API terms.
Local device data: Voice recordings stored on your device are automatically deleted after 7 days. Cached session data is cleared when you sign out.
AI voice conversation logs: When you have a real-time voice conversation with the AI assistant, we record session metadata (start time, end time, end reason, byte counts, error states) in our voice_sessions audit log for security and abuse-detection purposes. We also store the text transcript of the conversation in your chat history so you can review what was said. Audio is not retained - only the structured metadata and the transcript text. Session logs are retained for the lifetime of your account and deleted with your account; transcripts follow the same retention as your chat history.
Marketing contact information: Retained for as long as you remain subscribed. When you unsubscribe (one-click via any marketing email or at exora.au/unsubscribe), we keep the row marked as unsubscribed so we have proof of your consent revocation and so we never accidentally re-subscribe you. To request full deletion of the row itself, email hello@exora.au; we will action it within 30 days.
9. Artificial Intelligence
What our AI does. When you upload a medical document, our AI reads the full content of that document - including any names, dates, and other personal details it contains - to identify health information (conditions, medications, allergies, vital signs, lab results, procedures, immunizations) and organize it into your structured health record. Our AI chat assistant can answer questions about your health data. You can also send photos for AI analysis and use voice input that is transcribed by AI.
AI providers. Document understanding (entity extraction, structuring, narrative generation), chat, and voice transcription run primarily on Google Cloud Gemini Enterprise with Gemini models. Document scanning OCR runs on Google Cloud Vision. We may also use OpenAI and Anthropic for specific features. We may change, add, or remove providers based on quality, reliability, and cost. The current list of providers and what data each receives is in Section 5.
Your data and AI training. Your health data is not used to train AI models. Our AI providers process your data solely to return results to you, under their commercial API terms. Providers may temporarily retain data for safety monitoring (see Section 8). We do not currently use your data to train or improve exora’s own AI systems. In future, we may offer you the opportunity to contribute de-identified data to improve our systems. Any such use would require your separate, explicit consent.
AI accuracy. AI-extracted information may contain errors, omissions, or misinterpretations. Data quality indicators shown in the app reflect processing confidence and do not constitute clinical validation. Medical codes are AI-assigned and have not been verified by a healthcare professional. Always verify important health information with your healthcare provider and against your original documents.
No automated decisions. Our AI organizes and summarizes your health information. It does not make medical decisions, diagnoses, or treatment recommendations. No automated decisions are made by our systems that affect your legal rights or interests. Using exora does not create a doctor-patient or healthcare provider relationship.
Emergencies. The exora app is not designed for medical emergencies. If you are experiencing a medical emergency, call 000 (Australia) or your local emergency number immediately.
AI voice conversations (Beta). A separate Beta feature lets you hold a real-time spoken conversation with our AI assistant about a specific profile’s health records. This is structurally different from the voice-to-text chat input (where a single clip is transcribed and discarded). Here, your microphone audio is streamed continuously, the AI’s spoken response is streamed back, and the conversation can include multiple back-and-forth turns.
The flow: your iPhone opens an authenticated WebSocket to our Sydney Cloud Run server, which holds the Google AI Studio API key on your behalf. Your mic audio is sent through the Sydney server to Google’s Gemini Live API. The AI’s response audio comes back the same way. We log session-level metadata (start time, duration, end reason, byte counts) and the text transcript for audit and abuse-detection, but we do not retain the audio itself.
Per-profile opt-in. Voice conversations are OFF by default for every profile. To enable them, the profile owner navigates to Settings -> Beta features and toggles “AI voice conversations” on. The setting follows the profile, not the account holder - if you share a profile with someone else, voice availability on that profile is the owner’s choice.
Informed consent before first use. The first time you actually start a voice conversation for a profile, you will see a consent dialog summarizing what data is sent, where it is processed, what is retained, and that you can withdraw the feature at any time in Settings. You must tap “I understand and consent” before any audio leaves your device. Acceptance is recorded with a timestamp.
Withdrawing voice access. Toggle the feature off in Settings -> Beta features at any time. Existing session logs and transcripts remain in your audit log and chat history under your control (you can delete individual chat sessions). Disabling voice does not delete past records; see Section 8 for how long voice session logs and transcripts are retained.
Region of processing. As of this policy version, real-time voice conversations are processed by Google’s Gemini Live API in their global infrastructure, currently routing to US-based servers for the audio model we use. We are evaluating migration to Vertex AI in Sydney once the live-audio model is published in the Australian region. This policy will be updated when that change occurs.
Why this is treated differently from text chat. Document understanding and text chat run on Google Cloud Gemini Enterprise (Vertex AI) under our signed Cloud Data Processing Addendum. That contract does not extend to the Gemini Live API on Google AI Studio. We have chosen to enable the live-voice feature in a Beta state while we evaluate the data residency and contractual options. The opt-in, the consent dialog, and the audit logging are all in place to give you a clearly informed choice while we work on this.
The voice assistant is not a medical professional. Everything in this section also applies to voice: the AI organizes and summarizes your information; it does not provide medical advice, diagnoses, or treatment recommendations. Do not rely on the voice assistant in a medical emergency - call 000 (or your local emergency number) instead.
10. Your Rights
Under the Australian Privacy Principles, you have the right to:
Access your data. You can view all your health data in the app. To request a full copy of your personal information, contact us at hello@exora.au. We will respond within 30 days.
Correct your data. You can edit your profile information in the app. For AI-extracted health records, you can add notes, delete inaccurate records, or re-upload corrected documents. If you believe any other information we hold is inaccurate, contact us and we will correct it.
Delete your data. You can delete individual records in the app, or delete your entire account from Settings. Account deletion removes all your data (see Section 8 for details).
Control sharing. You choose who to share your health data with, what to share, and for how long. You can revoke access at any time.
Withdraw consent. You can withdraw your consent for health data processing at any time by deleting your data or your account.
Complain. See Section 14.
11. Children and Young People
exora requires a minimum age of 14 to create an independent account in Australia. This aligns with the age at which individuals gain control of their own My Health Record.
Parents and guardians can manage health records for children of any age through dependent profiles on their account. The parent or guardian declares their authority when creating a dependent profile and controls all data and sharing for that profile.
We do not knowingly allow children below the minimum age for their region to create independent accounts. If we discover an account was created by someone under the minimum age, we will work with the child’s parent or guardian to resolve the situation, which may include closing the account or migrating data to a parent-managed dependent profile.
12. Cookies and Tracking
We do not use advertising cookies, tracking pixels, or cross-site tracking.
Our web app uses essential cookies only for authentication and session management. These are necessary for the app to function and do not track you across other websites.
Marketing website analytics. Our marketing website at exora.au uses Vercel Web Analytics and Speed Insights to measure aggregate visitor traffic and page performance. These tools are cookieless and do not identify you individually. They collect: the page URL visited, the referring website, your approximate country (derived from your IP address, which is then discarded and not stored), device type, browser, operating system, and Core Web Vitals performance metrics. The data is aggregated and used solely to understand how our marketing site performs and to improve it. Vercel acts as our data processor.
These website analytics are not active inside our authenticated apps (the mobile app or the web app at app.exora.au). We do not currently use analytics or crash reporting tools inside the apps. If we add these in future, we will update this policy.
13. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements.
Material changes (changes to what data we collect, how we use it, or who we share it with): We will give you at least 14 days advance notice via in-app notification and/or email before the changes take effect.
Minor changes (clarifications, formatting, correcting errors): We may update the policy without advance notice.
The date at the top of this policy indicates when it was last updated. Previous versions are available on request by contacting hello@exora.au. Continued use of exora after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account before they take effect.
14. Complaints
If you have a concern about how we handle your personal information:
Step 1 - Contact us. Email our Privacy Officer at hello@exora.au. We will acknowledge your complaint within 5 business days.
Step 2 - Investigation. We will investigate your complaint and provide a substantive response within 30 days. If we need more time, we will let you know.
Step 3 - Escalation. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Online complaint form: www.oaic.gov.au/privacy/privacy-complaints
- Post: GPO Box 5288, Sydney NSW 2001
15. Contact Us
Exora Health Pty Ltd
ABN 16 690 025 462
Privacy Officer: hello@exora.au
For questions about this privacy policy, how we handle your data, or to exercise any of your rights, contact us at the email address above.
See also our Terms of Service for the rules governing your use of exora.
This privacy policy is governed by the laws of Australia.