Privacy Policy

Everything that we do with the information you entrust to us.

Last updated: 11 June 2026


Definitions

In this Policy:

  • Clinic: means medical practice, centre, clinic or other medical facility, whether private or public.
  • Policy: means this Privacy Policy.
  • Nookal, us, we: means Nookal Pty Ltd ACN 636 857 979.
  • Nookal Website: means the online services accessible via the Nookal websites at www.nookal.com and its regional subpages.
  • Personal Information: means information or an opinion about an identified natural person, or a natural person who is reasonably identifiable.
  • Products: means those products on a Nookal Website from time to time.
  • Sensitive Information: is a subset of Personal Information and includes information or opinions about such things as health information, and information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record, and biometric information (that is, data derived from your physical characteristics, such as a fingerprint) and biometric templates (that is, a stored digital template of biometric information, such as a fingerprint or retina scan).

Introduction

This Policy sets out the types of Personal Information we collect about you, how that information is used, handled, stored and disclosed, and your rights in relation to it. It applies to Personal Information we collect directly from you or about you; it does not govern how third parties handle information they collect independently.

We may update this Policy from time to time. We will post the updated version on our website and, where a change is material, post a notice alongside it. We encourage you to review this Policy periodically.


Information We Collect About You

The kinds of Personal Information we collect about you depend on our relationship with you, and we limit the information we collect to what is reasonably necessary for one or more of our functions or activities.

We may collect, use, store and transfer Personal Information about you which we have grouped together as follows:

  • Website User Identity Data: being your first name, last name, title, address, email address and username collected through the Website;
  • Patient Identity Data: being your first name, last name, title, address, email address and username that is collected and input directly by a Clinic;
  • Clinic Identity Data: being the first name, last name, title, address, email address and username of employees and contractors of the Clinic;
  • Contact Data: being your billing address, shipping address, email address and telephone numbers;
  • Financial Data: being, to the extent required by law or by any payment processor, your bank account details, credit card details or other payment information;
  • Clinic Data: being medical information, including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors, Medicare number for identification, health care identifiers and health fund information (if applicable);
  • Transaction Data: being details about payments to and from you and other details of products or services you have purchased from us;
  • Technical Data: being information regarding the IP addresses used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, cookies, operating system and platform, type of device;
  • Profile Data: being your username or password from each Nookal Website, details regarding purchases or orders made by you, your interests, preferences, feedback and reviews;
  • Usage Data: being information about how you use the Nookal Website, and Products;
  • Marketing and Communications Data: being information regarding your preferences in receiving marketing from us and your communication preferences. You may unsubscribe from our mailing/marketing lists at any time by using the unsubscribe feature on any emails we send, or otherwise by contacting us in writing. We do not use your Sensitive Information for marketing purposes;
  • Third-Party Data: being information we may receive from third parties such as business partners, sub-contractors in technical and delivery services, advertising networks, analytics providers and search information providers, third party applications that plug into the Products and payment providers or merchants;
  • Religious and Political Beliefs Data: being information or opinions about your racial or ethnic origin, political opinions, or memberships, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation, or criminal record;
  • Nookal Products and Services Data: being information, communication, or opinions about any of our products, services, transactions, payment history and business activities;
  • Proof of Identity Data: being identifiers (such as tax file number and business number), citizenship and residency details, details regarding and information provided by your referees, details regarding and information provided by your guarantor(s) and business partner(s), financials/credit/criminal history checks, results of any pre-employment or profile tests, employment history, education history, identity documents, health information and next of kin details; and
  • Digital Media Data: being digital media and content such as video, footage and audio.

We only collect Sensitive Information where you have consented (which may be implied by the circumstances) or where we are required or permitted to do so by law, and only to the extent reasonably necessary for our functions and activities.

If you do not provide information we request, or provide incomplete or inaccurate information, it may affect our or a Clinic’s ability to deliver the relevant Products or services.


How Do We Collect Information from You?

We use different methods to collect data from you and about you, including:

  • (direct interactions) – you may give us your Identity, Contact, Financial, Profile and Proof of Identity Data by creating an account with us, completing online forms or corresponding with us;
  • (interactions you have with other sources) – we receive Clinic, Identity, Contact, Financial, Transaction, Usage and Marketing and Communications Data from Clinics, business partners, sub-contractors in technical and delivery services, advertising networks, analytics providers and search information providers, third party applications that plug into the Products and payment providers or merchants;
  • (automated technologies or interactions) – we use the following technologies to collect Technical and Third-Party Data: “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about how we implement cookies, please see our Cookie Policy; “Log files” track actions occurring on the Nookal Website, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps; and “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Nookal Website and Products.

We may also receive your Personal Information from your use of artificial intelligence (AI) features available on the Nookal Website. For more information on AI features and how they may interact with your Personal Information, please see our AI Policy.


How We Use Your Information

How we use your information depends on your relationship with us. Please read the section that applies to you.

Patients

Your relationship is with your Clinic. The Clinic controls what information is collected about you and how it is used, and is responsible for all your interactions through the platform – bookings, reminders, treatment and billing. We process your information only to deliver the platform to your Clinic. We do not contact you, market to you, or sell your information.

On your Clinic’s behalf, we may process:

| Purpose / Activity | Type of Personal Information | Lawful basis for processing (including basis of legitimate interest) |
| --- | --- | --- |
| For the Clinic to register and manage you as a patient and to provide its services to you, including appointments, treatment records, recalls and retrieval of historical records about you. | Patient Identity Data, Contact Data, Clinic Data, Proof of Identity Data | The Clinic’s performance of a contract with you. Our performance of a contract with the Clinic. |
| For the Clinic to take and manage bookings you make through online booking pages powered by Nookal. | Patient Identity Data, Contact Data, Transaction Data, Technical Data | The Clinic’s performance of a contract with you. Our performance of a contract with the Clinic. |
| For the Clinic to send you appointment reminders, recalls and other communications (for example by SMS or email) that the Clinic initiates. | Patient Identity Data, Contact Data, Marketing and Communications Data | The Clinic’s performance of a contract with you. Our performance of a contract with the Clinic. |
| For the Clinic to process payments you make to the Clinic, including through integrated payment providers, and for the Clinic to manage its fees, charges and money owed to it. | Patient Identity Data, Contact Data, Financial Data, Transaction Data | The Clinic’s performance of a contract with you. Our performance of a contract with the Clinic. Necessary for our legitimate interests (to reduce the risk of fraud). |
| To administer, secure and support the Products and the Nookal Website (including troubleshooting, system maintenance, backups, security monitoring and hosting of data), including where your Clinic raises a support request that requires us to view records relating to you. | Patient Identity Data, Contact Data, Technical Data, Clinic Data | Our performance of a contract with the Clinic. Necessary for our legitimate interests (running our business securely, network security and preventing fraud). Necessary to comply with a legal obligation. |
| To produce de-identified, aggregated analytics and statistics in order to maintain and improve the Products. | Technical Data, Usage Data | Necessary for our legitimate interests (to improve our Products and services). |

If you would like to access or correct your Personal Information, or have questions about how it is handled, please contact your Clinic in the first instance. We will assist the Clinic with your request as required. See also “Accessing and Correcting your Information” below.

Clinic Staff

If you use Nookal as a practitioner, receptionist or administrator on behalf of a Clinic, we may process:

| Purpose / Activity | Type of Personal Information | Lawful basis for processing (including basis of legitimate interest) |
| --- | --- | --- |
| To create and administer your user account so that you can use the Products on behalf of your Clinic, and to identify you. | Clinic Identity Data, Contact Data, Proof of Identity Data | Our performance of a contract with the Clinic. Necessary for our legitimate interests (administering user accounts). |
| To authenticate your access and keep the Products secure, including maintaining audit logs of activity in the Clinic’s account. | Clinic Identity Data, Technical Data, Usage Data | Our performance of a contract with the Clinic. Necessary for our legitimate interests (network and account security). Necessary to comply with a legal obligation. |
| To respond to support requests and to provide training and onboarding, including internal training to ensure the effective delivery of our products and services and to resolve disputes or problems. | Clinic Identity Data, Contact Data, Digital Media Data | Our performance of a contract with the Clinic. Necessary for our legitimate interests (delivering effective support). |
| To manage our relationship with you and the Clinic, including notifying you about changes to our Products, our terms or this Policy, and asking you to leave a review or take a survey. | Clinic Identity Data, Contact Data, Marketing and Communications Data | Our performance of a contract with the Clinic. Necessary to comply with a legal obligation. Necessary for our legitimate interests (keeping our records updated and understanding how customers use our products and services). |
| To process and manage payments, fees and charges relating to the Clinic’s subscription, perform fraud checks and collect and recover money owed to us. | Clinic Identity Data, Contact Data, Financial Data, Transaction Data, Proof of Identity Data | Our performance of a contract with the Clinic. Necessary for our legitimate interests (to recover debts due to us and reduce the risk of fraud). |
| To provide you with our newsletter and information about products, services or promotions that may be of interest to the Clinic. You can opt out of marketing communications at any time. | Clinic Identity Data, Contact Data, Profile Data, Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business). Consent, where required by applicable law. |
| To use data analytics to improve the Nookal Website, our Products, marketing and customer experience, and to gather anonymous statistics. | Technical Data, Usage Data, Third-Party Data | Necessary for our legitimate interests (to keep our website updated and relevant, to develop our business and to inform our marketing strategy). |

Nookal website users

If you visit or use the Nookal Website directly (for example to explore the platform or sign up for a subscription), we may collect the following types of Personal Information:

| Purpose / Activity | Type of Personal Information | Lawful basis for processing (including basis of legitimate interest) |
| --- | --- | --- |
| To register you as a new customer or create an account with us, and to identify you. | Website User Identity Data, Contact Data, Marketing and Communications Data, Proof of Identity Data | Performance of a contract with you. |
| To process and deliver your order, including to manage payments, fees and charges, perform fraud checks and collect and recover money owed to us. | Website User Identity Data, Contact Data, Financial Data, Technical Data, Transaction Data, Usage Data, Marketing and Communications Data, Proof of Identity Data, Third-Party Data | Performance of a contract with you. Necessary for our legitimate interests (to recover debts due to us and reduce the risk of fraud). |
| To manage our relationship with you, including notifying you about changes to our terms or privacy policy, asking you to leave a review or take a survey, and engaging with you in relation to any support request or communication that you may submit. | Website User Identity Data, Contact Data, Profile Data, Marketing and Communications Data | Performance of a contract with you. Necessary to comply with a legal obligation. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products and services). |
| To administer and protect our business and the Nookal Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). | Website User Identity Data, Contact Data, Technical Data | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). Necessary to comply with a legal obligation. |
| To deliver relevant Nookal Website content and measure the effectiveness of our website and online software. | Website User Identity Data, Contact Data, Profile Data, Usage Data, Marketing and Communications Data, Technical Data | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy). |
| To use data analytics to improve the Nookal Website, products/services, marketing, customer relationships and experiences and to gather anonymous statistics. | Technical Data, Usage Data, Third-Party Data | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy). |
| To provide you with our newsletter and make suggestions and recommendations to you about goods, services or promotions that may be of interest to you. | Website User Identity Data, Contact Data, Technical Data, Usage Data, Profile Data, Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
| To maintain records in the event of any product, service or warranty request. | Proof of Identity Data, Website User Identity Data, Contact Data, Financial Data | Necessary for our legitimate interests (to maintain customer satisfaction and ensure appropriate processes for warranty requests). |

Storing Your Information

Personal information is stored electronically on secure cloud infrastructure. For details of where data is hosted by jurisdiction, see our Security & Compliance page and Sub-processors list.

We retain personal information only for as long as necessary to provide the Products, comply with our legal obligations (including tax, audit and healthcare records laws), resolve disputes and enforce our agreements. For patient data held on behalf of a Clinic, the Clinic determines how long records are kept, consistent with the laws that apply to it. When retention is no longer required, we delete or de-identify the information.


Disclosing Your Information

We do not sell Personal Information. Patient and clinical data is not shared with third parties for advertising or marketing purposes.

To operate the platform we engage sub-processors (such as cloud hosting, payment and communications providers) who are bound by contractual data protection obligations. Our employees and contractors with access to personal information are subject to confidentiality obligations. See our Sub-processors list for details.

Where a Clinic enables a third-party integration or issues an API key, the Clinic authorises and controls that access and is responsible for the third party’s use of any data it receives.

We may also disclose personal information to professional advisers and insurers where reasonably required, to a business acquirer (who must honour this Policy), or to government authorities and law enforcement where required by law.


Your Privacy Rights by Region

We do not knowingly collect personal information directly from children; where a Clinic records information about a child patient, the Clinic is responsible for any required parental consent.

🇦🇺 Australia

These additional terms apply under the Privacy Act 1988 (Cth).

Your rights include:

  • access the personal information we hold about you
  • request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading
  • deal with us anonymously or by pseudonym where lawful and practicable
  • opt out of direct marketing communications from us
  • ask us to identify the source of personal information we hold about you (where reasonably practicable)

To exercise any of these rights, contact our Privacy Officer at privacy@nookal.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) – https://www.oaic.gov.au/.

Data breach notification: Where a data breach is likely to result in serious harm to any individual whose personal information is involved, we comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth), and notify the OAIC and affected individuals as soon as practicable.

Data storage and transfers: Personal information of Australian Clinics is hosted in Australia. We do not routinely transfer personal information out of Australia, except where strictly necessary for support, security or service operations under contractual safeguards consistent with APP 8.

🇨🇦 Canada

These additional terms apply under PIPEDA.

Your rights include:

  • access the personal information we hold about you and be informed of how it has been used and disclosed
  • challenge the accuracy and completeness of personal information and have it amended
  • withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice
  • in Quebec, request cessation of dissemination, de-indexing or anonymisation of personal information, and request human review of automated decisions affecting you
  • file a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner

To exercise any of these rights, contact our Privacy Officer at privacy@nookal.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) (and, where applicable, the provincial privacy commissioners of Alberta, British Columbia and Quebec) – https://www.priv.gc.ca/.

Data breach notification: Where a breach of security safeguards creates a real risk of significant harm, we report the breach to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible, in accordance with section 10.1 of PIPEDA and the Breach of Security Safeguards Regulations. We maintain records of all breaches for at least 24 months.

Data storage and transfers: Personal information of Canadian Clinics is processed in the United States and, in respect of Quebec-based Clinics, may also be processed within Canada. Where personal information is transferred outside Canada, we use appropriate contractual safeguards for those transfers.

🇮🇪 Ireland

These additional terms apply under the EU GDPR.

Your rights include:

  • be informed about how we process your personal data
  • access the personal data we hold about you
  • request rectification of inaccurate or incomplete personal data
  • erasure of your personal data (the ‘right to be forgotten’) in certain circumstances
  • restriction of processing in certain circumstances
  • data portability in certain circumstances
  • object to processing, including for direct marketing
  • not be subject to solely automated decision-making that significantly affects you
  • withdraw consent at any time where processing is based on consent
  • lodge a complaint with the Data Protection Commission

To exercise any of these rights, contact our Privacy Officer at privacy@nookal.com. If you are not satisfied with our response, you may lodge a complaint with the Data Protection Commission (Coimisiún um Chosaint Sonraí) – https://www.dataprotection.ie/.

Data breach notification: Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 GDPR.

Data storage and transfers: Personal data of Irish and EU Clinics is processed in the European Union (Ireland). Transfers to third countries rely on adequacy decisions of the European Commission or, where none apply, on the EU Standard Contractual Clauses approved under Commission Implementing Decision (EU) 2021/914 with appropriate supplementary measures.

🇳🇿 New Zealand

These additional terms apply under the Privacy Act 2020.

Your rights include:

  • access personal information we hold about you
  • request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading
  • be informed of how your personal information is being used and to whom it is being disclosed
  • make a complaint about how we have handled your personal information

To exercise any of these rights, contact our Privacy Officer at privacy@nookal.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu) – https://www.privacy.org.nz/.

Data breach notification: Where a privacy breach has caused or is likely to cause serious harm to an affected individual, we notify the Office of the Privacy Commissioner and affected individuals as soon as practicable, in accordance with Part 6 of the Privacy Act 2020.

Data storage and transfers: Personal information of New Zealand Clinics is hosted in Australia. Cross-border disclosures comply with IPP 12 of the Privacy Act 2020.

🇬🇧 United Kingdom

These additional terms apply under the UK GDPR.

Your rights include:

  • be informed about how we process your personal data
  • access the personal data we hold about you
  • request rectification of inaccurate or incomplete personal data
  • erasure of your personal data (the ‘right to be forgotten’) in certain circumstances
  • restriction of processing in certain circumstances
  • data portability in certain circumstances
  • object to processing, including for direct marketing
  • not be subject to solely automated decision-making that significantly affects you
  • withdraw consent at any time where processing is based on consent
  • lodge a complaint with the Information Commissioner’s Office

To exercise any of these rights, contact our Privacy Officer at privacy@nookal.com. If you are not satisfied with our response, you may lodge a complaint with the Information Commissioner’s Office (ICO) – https://ico.org.uk/.

Data breach notification: Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 UK GDPR. Where the breach is likely to result in a high risk, we also notify affected individuals without undue delay.

Data storage and transfers: Personal data of UK Clinics is processed in the European Union (Ireland). Where personal data is transferred outside the UK, we rely on adequacy regulations made by the UK Secretary of State or, where none apply, on the ICO’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK Addendum.

🇺🇸 United States

These additional terms apply under HIPAA and CCPA/CPRA.

Your rights include:

  • know what personal information we have collected, used, disclosed or sold/shared about you
  • request deletion of personal information we have collected from you, subject to exceptions
  • request correction of inaccurate personal information
  • opt out of the sale or sharing of personal information for cross-context behavioural advertising, including via a Global Privacy Control signal
  • limit the use and disclosure of sensitive personal information
  • non-discrimination for exercising any of these rights
  • if your information is Protected Health Information (PHI) under HIPAA, access, amend and receive an accounting of disclosures – request these through your Clinic
  • rights under the consumer privacy law of your State of residence

To exercise any of these rights, contact our Privacy Officer at privacy@nookal.com. If you are not satisfied with our response, you may lodge a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the Federal Trade Commission (FTC) and applicable State Attorneys General – https://www.hhs.gov/ocr/.

Data breach notification: We comply with the breach notification requirements of 45 C.F.R. §§ 164.400-414. Following the discovery of a Breach of Unsecured PHI, we notify the affected Covered Entity without unreasonable delay and in no case later than 60 days after discovery, with the information required by 45 C.F.R. § 164.410. Where State law applies, we also comply with the applicable State breach-notification statute.

Data storage and transfers: Protected Health Information and other personal information of U.S. Clinics is processed in the United States. We act as a HIPAA Business Associate of Covered Entity Clinics and have entered into a Business Associate Agreement with each such Clinic.

🇿🇦 South Africa

These additional terms apply under POPIA.

Your rights include:

  • be notified that personal information is being collected and of the source
  • confirm whether we hold personal information about you and access that information
  • request correction, deletion or destruction of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or unlawfully obtained personal information
  • object to processing for direct marketing purposes
  • submit a complaint to the Information Regulator
  • institute civil proceedings regarding interference with protection of your personal information

To exercise any of these rights, contact our Privacy Officer at privacy@nookal.com. If you are not satisfied with our response, you may lodge a complaint with the Information Regulator (South Africa) – https://inforegulator.org.za/.

Data breach notification: Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we notify the Information Regulator and the affected data subject as soon as reasonably possible in accordance with section 22 of POPIA.

Data storage and transfers: Personal information of South African Clinics is processed in the European Union (Ireland). Trans-border information flows comply with section 72 of POPIA.


Accessing and Correcting Your Information

You may request access to personal information that we hold about you at any time by contacting our Privacy Officer at privacy@nookal.com. We will respond within a reasonable time and provide access to the information we hold, where permitted by our agreement with your Clinic or by applicable law. If the Clinic requires us to forward your request to the Clinic so that the Clinic can address it, the Clinic will be responsible for responding.

If you believe personal information we hold about you is incorrect, out of date, incomplete, irrelevant or misleading, please notify our Privacy Officer. Where the information was provided through a Clinic, we will forward your correction request to the Clinic, which will be responsible for reviewing and acting on it.


Contact

For any questions, concerns or complaints about this Policy or the personal information we hold about you, contact our Privacy Officer at privacy@nookal.com.

We have appointed the following representatives for privacy matters:

  • EEA: VeraSafe Ireland Ltd, Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland
  • UK: VeraSafe United Kingdom Ltd, 37 Albert Embankment, London SE1 7TL, United Kingdom
  • All other jurisdictions: Nookal Pty Ltd, PO Box 1576, Oxenford QLD 4210, Australia

Questions? Contact privacy@nookal.com for privacy and compliance enquiries, or support@nookal.com for product support.
