How does Abby store and secure my personal information?
Abby Health stores your personal and medical information on secure, Australian-hosted infrastructure, encrypted both in transit and at rest. Access is restricted to the clinicians involved in your care and a small group of trained support staff, and every access is logged. We operate under the Privacy Act 1988 and the Australian Privacy Principles, and your record is retained for the period required by Australian medical record law.
Where is my information stored?
Your record sits inside Abby's secure environment, hosted in Australia. We use enterprise-grade cloud infrastructure with the same kind of certifications used by Australian banks and other regulated services. Hosting in Australia matters because it keeps your information under Australian privacy law and inside the framework of the Australian Privacy Principles.
How is my information protected?
Security at Abby is layered, not relying on any single control. The main protections:
- Encryption in transit — every connection between your device and Abby is encrypted, so information cannot be read in flight.
- Encryption at rest — stored data is encrypted on disk. Even at the storage layer, it cannot be read without the right keys.
- Access controls — only the clinicians involved in your care, and a small set of trained support and engineering staff with a clear reason, can access records. The principle is least privilege: see only what you need to.
- Audit logging — every record access is logged. Unusual patterns are reviewed.
- Continuous monitoring — our systems are watched 24/7 for unusual behaviour.
- Vendor controls — every supplier we use is contractually bound to Australian privacy law and uses your information only to deliver the service we have asked for.
Who can see my data inside Abby?
Three groups, each with limits:
- Clinicians involved in your care — the doctor or nurse practitioner you are seeing, plus colleagues if your care is being shared (for example, a follow-up).
- Trained support staff — when there is a service reason, like resolving a billing or appointment issue. They see what they need, not your whole history.
- You — you can view your information, request a copy, and ask for it to be corrected at any time.
For the full picture of who sees what, read your data at Abby — where it's stored and who sees it, and who can access my medical history.
What about Abby AI?
Abby AI is our medical decision-support tool. It runs inside our environment to prepare consults — surfacing your past notes, medications, and follow-ups so the clinician starts informed. It does not diagnose, prescribe, or replace clinician judgement. It is not used to advertise back at you, and your information is not used to train external models on your identity. You can read more in what Abby AI is — decision support explained.
How long is my data kept?
That depends on the type of data:
- Clinical records — kept for the period required under Australian medical record law (typically at least seven years for adults, longer for children).
- Account and contact details — kept while your account is active, and removed where possible after closure (see can I delete my medical history).
- Communications — emails and chat logs are retained for service and quality reasons, then deleted under our standard retention schedule.
What rights do I have over my information?
Australian privacy law gives you a clear set of rights:
- Access — request a copy of your information.
- Correction — ask us to correct anything inaccurate.
- Limit sharing — control who your information goes to next.
- Complain — raise a concern with us first, then with the OAIC if needed.
You can read the full set of patient rights in the OAIC privacy rights guide.
What if there is a breach?
Despite all the controls, no system is risk-free. If a confirmed breach involves your personal information and is likely to cause serious harm, Abby is required to notify you and the OAIC under the Notifiable Data Breaches scheme. We will explain what happened, what was involved, and what you should do next.
What can I do on my side?
A few habits help us keep your data safe:
- Use a unique, strong password for your Abby account.
- Keep your phone locked with a PIN, passcode, or biometric.
- Update the app regularly so you have the latest security fixes.
- Watch for phishing — read what Abby will never ask you to do.
How Abby can help
If you would like more detail on how your information is stored or used, our team is happy to walk you through it. Read more at your data at Abby — privacy explained, or book a consult at abbyhealth.app. Abby appointments are bulk billed for eligible patients with a valid Medicare card.