MALU HEALTH GROUP PTY LTD
Privacy Policy
Effective Date: 24 February 2026
1. Our Commitment to Your Privacy
Malu Health Group Pty Ltd (ABN 17 682 104 089) and its related companies and subsidiaries are committed to protecting your privacy and maintaining the confidentiality of your personal and health information.
We recognise that mental health care involves deeply personal and sensitive information. Protecting that information is central to maintaining your trust and delivering safe, high-quality care.
This Privacy Policy explains how we collect, use, store and disclose your personal and health information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), applicable State and Territory health records legislation, the My Health Records Act 2012 (Cth) (where relevant), and the Notifiable Data Breaches Scheme.
We collect and handle sensitive health information only where reasonably necessary to provide our services and in accordance with applicable privacy laws
2. Who This Policy Applies To
This Policy applies to Malu Health Group Pty Ltd and all of its related entities and subsidiaries, including all Malu clinics, digital platforms, telehealth services and administrative offices.
Some related companies within the Malu group may provide specific products or services and may have separate but consistent privacy policies where appropriate.
We require that contracted service providers assisting us in delivering services to you maintain appropriate safeguards for protecting your information and comply with applicable privacy laws.
3. What Information We Collect
We collect personal and health information reasonably necessary to provide mental health services and operate our business. Where reasonable and practicable, we collect information directly from you. In some circumstances, we may collect information from third parties such as referring practitioners, family members, carers, insurers, government agencies or other healthcare providers involved in your care.
Personal information may include your name, date of birth, contact details, Medicare number, healthcare identifiers, health fund details and payment information.
Health information (classified as sensitive information under the Privacy Act) may include mental health history, medical history relevant to your care, assessments, diagnoses, treatment plans, clinical notes and relevant family or social history.
We may collect certain technical data when you access our website, including IP address, browser type and usage information, through cookies and similar technologies, to maintain security and enhance site performance.
4. Why We Collect Your Information
Our primary purpose for collecting your information is to provide mental health care.
We may also use your information to coordinate treatment, communicate with healthcare providers, process Medicare or insurance claims, comply with legal obligations, conduct quality assurance and improve our services (using de-identified information where possible).
If you do not provide certain information, we may be unable to provide appropriate care.
5. When We Share Your Information
We only share personal and health information where necessary and appropriate.
We may disclose your personal and health information to other healthcare providers involved in your care where reasonably necessary to provide treatment and where you would reasonably expect the information to be shared, with your consent where required, to Medicare or insurers for claiming purposes, where required or authorised by law, to lessen or prevent a serious threat to life, health or safety, or in connection with a business restructure, merger or acquisition subject to strict confidentiality obligations and only where permitted by law.
We do not sell personal or health information.
6. Cross-Border Disclosure
Health information is generally stored within Australia. If a third-party provider processes information overseas, we take reasonable steps to ensure appropriate privacy protections consistent with Australian standards.
7. Data Security and Retention
We take reasonable steps to protect your information through secure electronic health record systems, access controls, encryption, cybersecurity safeguards and staff confidentiality obligations.
Personal and health information may be stored in electronic systems, secure cloud environments and, where applicable, physical records. Access is restricted on a role-based basis.
Health records are retained in accordance with applicable legislation, including at least 7 years after the last consultation for adults and until age 25 for records relating to minors.
8. Access and Correction
You have the right to request access to your personal or health information and to request corrections if information is inaccurate or incomplete.
Requests must be made in writing. We will respond within a reasonable timeframe (usually within 30 days where practicable).
9. Privacy Breaches
If a privacy breach occurs involving unauthorised access, disclosure, loss or destruction of personal information, we will contain and assess the breach promptly, notify affected individuals where required, notify the Office of the Australian Information Commissioner (OAIC) where necessary, and take steps to prevent recurrence.
10. Privacy Complaints
If you believe your privacy has been breached or have concerns about how your information has been handled, please contact us in writing:
Att: Privacy Officer
Malu Health Group Pty Ltd
Email: privacy@malu.health
We will acknowledge your complaint within 5 business days, investigate the matter promptly and provide a written response outlining the outcome.
If you are not satisfied with our response, you may contact:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Australia
Telephone: 1300 363 992
Website: www.oaic.gov.au
Email: enquiries@oaic.gov.au
