top of page

Privacy Policy

1. Introduction

Clearleaf Consulting Pty Ltd (ABN: 11 651 622 972) trading as Cannalink Clinic (“Cannalink”, “we”, “us”, “our”) is committed to protecting the privacy and security of personal and health information collected in connection with our telehealth services and digital platforms.

 

We manage personal information in accordance with:

  • the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

  • the My Health Records Act 2012 (Cth)

  • applicable state and territory health records legislation

  • the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth)

  • the Therapeutic Goods Administration (TGA) requirements relevant to prescribing

 

This Privacy Policy explains how we collect, use, store, share and protect your personal and health information. It also explains your rights in relation to that information and how to contact us if you have concerns.

 

By using our website or providing information to us, you agree to the handling of your personal information in line with this Policy and applicable Australian privacy law.

2. When this Policy applies

This Policy applies to all individuals who interact with Cannalink digitally or through our services, including:

  • people making general enquiries through our website or contact channels

  • prospective or current patients completing intake or clinical forms

  • healthcare professionals or pharmacies contacting us about services

  • anyone who receives marketing or informational communications from us

 

Note on clinical records: If you receive clinical services through Cannalink, your clinical records are held by Cannalink Clinic within our secure practice management system. Prescribers engaged by Cannalink as contractors access your records through the prescribing software; they do not hold your records independently or within their own separate practice systems. Our administrative staff also have role-based access to records as necessary to support the delivery of your care. Cannalink is the entity responsible for your clinical records, and all access and correction requests should be directed to us using the contact details.

3. Geographic Scope of Our Services

Cannalink provides Telehealth services to patients located in all Australian states and territories, subject to applicable prescribing laws in each jurisdiction. Our services are currently available in:

  • New South Wales

  • Victoria

  • Queensland

  • Western Australia

  • South Australia

  • Tasmania

  • Australian Capital Territory

  • Northern Territory

 

All prescribing decisions are made by AHPRA-registered practitioners in accordance with the laws of the jurisdiction in which the patient is located at the time of consultation. We do not provide services outside Australia.

4. Key terms

Personal Information

Information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined in the Privacy Act 1988 (Cth).

Health Information

A subset of Personal Information relating to an individual’s health, disability, health services received, or information collected in the course of providing health services.

Protected Health Information (PHI)

Health Information that is subject to specific legal protections, including under the My Health Records Act 2012 (Cth) and applicable state health records legislation.

Services

The administrative, telehealth support, and related services provided by Cannalink as described on our website and in our terms of service.

Website / Platforms

Any website, online form, portal, or digital service operated or controlled by Cannalink.

Staff

Our employees and contractors who assist in delivering our Services.

5. Information we collect

We only collect Personal Information that we reasonably need to provide and manage our Services and Platforms.

 
5.1 Information you provide directly

We may collect information you give us when you:

  • complete an online form (e.g. contact form, intake form, feedback form)

  • make an enquiry about our Services

  • communicate with us by email, SMS, phone or through our Platforms

  • subscribe to updates or communications 

  • provide information as a healthcare professional or pharmacy (e.g. name, role, AHPRA number, business details).

Depending on the context, this may include:

  • name, contact details and basic demographic details

  • information about your health or medications that you choose to share in a form or message

  • information about your role, place of work and professional registration (for healthcare professionals).

We generally ask that sensitive clinical details are only provided via secure, purpose-built forms rather than general contact channels.

5.2 Information from third parties

Where permitted by law, or with your consent, we may receive Personal Information from third parties where it is relevant to our Services. For example:

  • information from prescribers, pharmacies or other health providers involved in your care

  • confirmation of professional registration for healthcare providers (e.g. AHPRA public register)

  • information from payment or booking platforms used to support our Services.

5.3 Information collected automatically

When you use our website, we and our service providers may automatically collect certain technical information, such as:

  • IP address and approximate location

  • browser type and operating system

  • pages viewed, time on page and click-throughs

  • referring URL and search terms

  • device identifiers and cookie data.

This is typically used in aggregated form to monitor site performance and improve user experience.

6. How we use your information

 
6.1 To provide and manage our Services

Including to:

  • respond to enquiries and provide information you request

  • assess and manage intake forms and bookings

  • communicate with you about appointments, reminders or administrative matters

  • support prescribers and pharmacies in delivering care, where relevant

  • maintain internal records and administration.

6.2 To verify eligibility or identity

In some cases we may need to confirm that:

  • you are who you say you are (for safety, fraud prevention or regulatory reasons)

  • you are eligible to access certain information or Services (for example, materials intended only for healthcare professionals).

6.4 Marketing and communications

We may use your contact details to send you information about updates, services or resources that may be relevant to you, where this is permitted by law and in line with your preferences. You can opt out of non-essential marketing communications at any time by following the unsubscribe instructions or contacting us.

7. How We Obtain Your Consent

Before we collect health or sensitive information from you, we will:

  • clearly explain why we are collecting the information and how it will be used

  • obtain your express consent, either through our intake form consent declaration or another clear opt-in mechanism

  • give you the opportunity to ask questions before providing information

 

Where you contact us through a general channel (e.g. email or phone), we will only collect health information if you voluntarily provide it and will treat it with the same protections as information collected through our secure forms.

 

You may withdraw your consent to the collection or use of your information at any time by contacting us using the details in Section 13. Withdrawal of consent may limit our ability to provide some Services.

8. How we disclose your information

We may share Personal Information with third parties where reasonably necessary to provide our Services, conduct essential business operations, or comply with the law. This may include disclosure:

 
8.1 Within our organisation

To Staff who need access to perform their role (e.g. admin, clinic management).

 
8.2 Service providers

We use trusted third-party providers to operate our website and Services. These may include hosting, secure form and data collection, practice management, document storage, communication, IT, security, analytics, and payment processing providers. We require these providers to handle Personal Information in accordance with applicable privacy and security standards, including by executing data processing agreements where required.

8.3 Healthcare providers and pharmacies

Where relevant and lawful, we may share information with:

  • prescribers involved in your care

  • pharmacies dispensing prescriptions or providing medicine-related services.

This usually occurs with your knowledge as part of using our Services.

8.4 Legal, regulatory and safety reasons

We may disclose Personal Information where:

  • required or authorised by law (e.g. a court order, subpoena or regulatory notice)

  • necessary to respond to complaints, disputes or regulatory enquiries

  • we reasonably believe it is necessary to prevent or lessen a serious threat to life, health or safety.

8.5 Overseas disclosures

To the best of our knowledge, all third-party technology providers engaged by Cannalink store and process data on servers located within Australia. We take reasonable steps to verify this when engaging new providers and require providers to notify us of any material changes to their data storage arrangements. If overseas processing becomes necessary, we will take reasonable steps to ensure those providers are bound by contractual data protection obligations consistent with Australian privacy law. We use providers who maintain recognised security certifications (such as ISO 27001 or SOC 2) where possible. Countries where data may be processed include the United States and the European Union, depending on the provider. We will update this section if our provider arrangements change materially.

9. How We Store and Protect Your Information

We take reasonable steps to protect Personal Information and Protected Health Information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • Secure Socket Layer (SSL) / TLS encryption for all data transmitted through our website, intake forms, and patient transaction systems. All patient health data, billing information, and transaction records are processed exclusively over encrypted SSL/TLS connections.

  • HTTPS protocol enforced across all Cannalink web properties

  • Multi-factor authentication (MFA) on key systems

  • Role-based access controls so Staff only access information relevant to their role

  • Secure, approved software for document storage and clinical communications

  • Password protection and encryption for stored data

  • Regular review and audit of our information-handling practices

 

When Personal Information is no longer required for the purposes for which it was collected, and we are not required by law to retain it, we will take reasonable steps to securely destroy or de-identify it.

10. Data Breach Notification

Cannalink complies with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). In the event of an eligible data breach that is likely to result in serious harm to any individual whose information is involved, we will:

  1. Contain the breach and assess the risk as quickly as possible

  2. Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable

  3. Notify affected individuals directly (or, where not practicable, via a public statement on our website)

  4. Take remedial steps to prevent or mitigate further harm

 

We maintain an internal data breach response procedure and conduct periodic testing of our security controls to minimise the risk of a breach occurring.

11. Cookies and tracking technologies

Our Platforms may use cookies and similar technologies to:

  • enable core site functionality

  • remember preferences

  • collect analytics to understand how the site is used

  • improve performance and user experience.

You can adjust your browser settings to block or delete cookies, but some features of the site may not function properly if you do so.

We may also use third-party analytics tools which set their own cookies and are subject to their own privacy policies.

12. Your rights – access, correction and consent

 
12.1 Access and correction

You may request access to Personal Information we hold about you, or ask us to correct it if you believe it is inaccurate, incomplete or out of date. To do this, please contact us using the details in section 14. We may need to verify your identity before providing access or making changes. In some cases, we may lawfully refuse access (for example, if disclosure would impact the privacy of others). If this happens, we will explain why.

12.2 Withdrawing consent

Where we rely on your consent (for example, to send certain communications), you may withdraw that consent at any time by contacting us or using the unsubscribe options provided. Withdrawal of consent may limit our ability to provide some Services.

13. Complaints

If you have concerns about how we have handled your Personal Information, you can contact us using the details below.

We will:

  1. Acknowledge your complaint

  2. Investigate the issues raised

  3. Respond to you within a reasonable timeframe with our findings and any actions we will take.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

14. Contact details

For questions about this Policy, to request access or correction, or to make a privacy complaint, please contact:

 

Privacy Officer

Cannalink Clinic (Clearleaf Consulting Pty Ltd)

Suite 32, 135 Cardigan St, Carlton VIC 3053

Email: hello@cannalink.biz

Phone: 1300 082 368

Response time: We aim to respond to all privacy enquiries within 5 business days.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our operations. Updates take effect when published on our website. Where changes are material, we will take reasonable steps to notify you (for example, by email or a notice on our website). Your continued use of our website or Services after an update is published indicates your acceptance of the revised Policy.

 

Previous versions of this Policy are available upon request from our Privacy Officer.

bottom of page