Privacy Policy

1. Scope

We trade in Australia. When we act as a controller (our website), this policy applies directly. When our widgets are used inside a Customer’s system, Hapli generally acts as a processor/service provider to the Customer.

2. What we collect

A) Website visitors

We may collect contact details (e.g., name, email, phone), business details, enquiry content, IP address, device and browser data, and—when enabled—cookies/analytics data.

B) End-users inside Customer systems (via our widgets)

We do not store input or output. We retain only minimal metadata (e.g., request timestamp, word/token counts) for usage reporting, billing and security.

• Audio: for speech-to-text (processed but not retained by us).
• Time-tracking widget: timestamps and user IDs.

Children: we do not intentionally process children’s data.

3. How we collect information

We collect information directly from individuals (e.g., forms, emails), automatically (logs, cookies/SDKs once enabled), and from Customers when our widgets are invoked in their systems. We also receive limited information from service providers that help us operate, secure and support our services.

4. Why we use and disclose information

Website (Hapli as controller)

• Respond to enquiries and provide requested information.
• Operate, secure and improve the website (including analytics/cookies once enabled).
• Business administration and legal compliance.
• Marketing communications (with opt-out) and aggregated, de-identified usage statistics (we do not name Customers without consent).

Widgets (Hapli as processor to Customer)

• Deliver widget functions: summarisation, translation, enhancement, clinical coding (SNOMED/ICD-10), text generation, speech-to-text and time tracking.
• Provide usage/billing metrics (e.g., call counts, word/token usage).
• Support, troubleshooting and service quality.

5. AI model training & human review

Default: Customer/end-user content is excluded from model training (ours or third-party).

Future optional: Any model-improvement program will be opt-in with clear controls and contract terms. Any limited human review (if used) will be minimised and de-identified where possible.

6. Overseas disclosures & service providers

We use cloud and AI infrastructure providers including AWS, Google Cloud, Microsoft Azure and OpenAI, with regions that may include APAC and the United States. Where personal information is disclosed overseas, we take reasonable steps to ensure recipients handle it appropriately (e.g., contractual safeguards and technical controls).

7. Security

We apply layered safeguards appropriate to the data and risk, including encryption in transit, authentication/authorisation, credential management, access controls and audit logging. We continuously improve our practices over time.

8. Retention & deletion

• Website enquiries/CRM: kept as needed to manage our relationship and legal obligations, then erased or de-identified.
• Widget content (six widgets named above): transient processing only; we do not store input/output. Minimal metadata may be retained.
• Time-tracking data: stored on the Customer’s behalf for agreed durations; we support deletion on instruction.
• Logs/diagnostics: retained only as necessary for security and troubleshooting, then erased or de-identified.

9. Cookies & analytics

Our website may use cookies/SDKs (e.g., analytics and error monitoring) to operate, secure and improve the service. We will update this section and provide controls when enabled.

10. Your choices & rights

• Marketing: you may opt-out of marketing emails we send.
• Access & correction: request access to, or correction of, your personal information.
• End-users of Customers: you may contact us or the Customer. We will coordinate with the Customer where we act as processor.

11. Complaints

If you have a privacy concern, contact us at support@gohapli.com. We aim to respond within 30 days. If you’re not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) after contacting us.

12. Changes to this policy

We may update this policy to reflect changes to our services or legal obligations and will notify Customers of any significant changes (for example, by email or an in-app notice).

Annex A – Widgets & Data Processing (B2B)

Roles. By default, the Customer is the controller; Hapli is the processor/service provider.

Data we process (per widget)

• Summarise / Translate / Enhance / Clinical Annotation / Generate / Speech-to-Text: processed on request; no input/output stored; minimal metadata retained (timestamp, word/token counts).
• Time tracking: timestamps, durations, user IDs and (optionally) location/device metadata stored on the Customer’s behalf.

Sub-processors

Cloud/AI vendors: AWS, Google Cloud, Microsoft Azure, OpenAI (regions may include APAC and US). Cross-border safeguards apply.

Security

Encryption in transit, access controls, credential management, network isolation, audit logging and incident handling.

Retention & deletion

Content for the six widgets above is transient only. Metadata and time-tracking are retained only as required for delivery, billing, security and legal obligations, then deleted or de-identified at Customer request or contract end.

Training & evaluation

Excluded by default. Any future model-improvement will be opt-in with additional terms and controls (masking, sampling, de-identification).

HIPAA (Australia and U.S.)

Where applicable, Hapli will sign a Business Associate Agreement (BAA) and configure services accordingly. We currently hold BAA with Amazon Web Services (AWS), Google Cloud Platform (GCP) and OpenAI.