How does Abby protect my medical data?

Last updated: April 25, 2026

Abby Health protects your medical data with layered security: encryption in transit and at rest, strict access controls, audit logging, and continuous monitoring — all under the Privacy Act 1988 and the Australian Privacy Principles. Your data is never sold, never shared with advertisers, and only seen by the clinicians involved in your care or staff with a clear service reason. If anything looks wrong, our support team can investigate any record access.


What does "layered security" mean?

No single control protects healthcare data on its own. Abby uses multiple layers, so if one fails, others still hold. The layers we rely on:

  • Encryption in transit — every connection between your device and Abby is encrypted, so the conversation cannot be read in flight.
  • Encryption at rest — stored data is encrypted on disk. Even if someone reached the storage layer, they could not read it without the keys.
  • Strong authentication — clinicians and staff log in with secure credentials, and patient access uses unique account credentials.
  • Role-based access — every staff role can only see what is needed; nobody has unlimited access by default.
  • Audit logs — every access is recorded with the patient, the time, and the purpose.
  • Continuous monitoring — security tooling watches for unusual behaviour and alerts our team.

Where is the data hosted?

Your information is hosted in Australia, on enterprise-grade infrastructure with the certifications used by other regulated industries. Hosting locally keeps your record under Australian law and the framework of the Australian Privacy Principles. The detail of how it is stored is in "How does Abby store and secure my personal information?".

Who controls access to my record?

Three groups can see your record, with limits on each:

  • Your clinicians — they need your full history to provide safe care, and they are bound by AHPRA's professional standards.
  • Trained support staff — when there is a service reason (a billing query, an appointment problem). They see only what they need to fix the issue.
  • You — you can view, request, and correct your own information.

For the wider list of who never sees your record, see "Who can access my medical history?".

How does Abby AI fit in?

Abby AI is our medical decision-support tool. It runs inside our protected environment to prepare consults for clinicians — surfacing past notes, medications, and follow-ups so they start informed. It never diagnoses, prescribes, or replaces clinician judgement. Your information is not used to advertise back at you, and it is not used to train external models on your identity. The detail is in "What Abby AI is — decision support explained".

What about people and process?

Technology is only half the story. Abby's people-side controls include:

  • Onboarding checks — staff and clinicians are vetted, including credential and identity checks.
  • Privacy training — completed at induction and refreshed regularly.
  • Confidentiality agreements — signed by everyone with access to patient information.
  • Vendor controls — every supplier is contractually bound to Australian privacy law and uses your data only to deliver the service we have asked for.
  • Incident response — a defined process for what happens if something goes wrong, including notification under the Notifiable Data Breaches scheme if a breach is likely to cause serious harm.

Clinician credentials are also covered in "How Abby clinicians are vetted and registered".

What rights do I have?

Under Australian privacy law, you can:

  • Access your record and request a copy.
  • Correct inaccurate information.
  • Limit sharing with specific providers or third parties.
  • Withdraw consent for future sharing.
  • Complain — first to us, then to the OAIC if needed.

The full set of patient rights is in the OAIC privacy rights guide. Our complaints path is in "How do I provide feedback or make a complaint?".

What can I do to help protect my data?

A few simple habits make a big difference:

  • Use a unique, strong password for your Abby account.
  • Lock your phone with a PIN, passcode, or biometric.
  • Update the app regularly so you have the latest security fixes.
  • Take consults somewhere private, ideally on a trusted Wi-Fi network.
  • Watch for phishing — read "What Abby will never ask you to do".

How Abby can help

If you ever feel uncertain about how your information is handled, our team is happy to walk you through it — including reviewing exactly who has seen your record. Read more in "Your data at Abby — privacy explained", or book a consult at abbyhealth.app. Abby appointments are bulk billed for eligible patients with a valid Medicare card.