Your Data at Abby: Where It's Stored, Who Sees It

Last Updated: April 25, 2026

Your Abby Health data is stored in Australia, on Australian-hosted infrastructure, under the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 and the My Health Records Act 2012. Only clinicians and clinical staff directly involved in your care can access your medical record. Abby AI, our medical AI, sees the clinical context needed to prepare for your consult — it never diagnoses or prescribes, and it does not share your data outside the Abby care network. You can request a copy of your data at any time, correct anything inaccurate, withdraw consent for specific uses, or delete your account. In the event of a notifiable data breach, Abby is required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.

The rulebook: Australian Privacy Principles and the Privacy Act

Health information in Australia is governed by some of the strictest privacy rules in the country's legal framework. The Office of the Australian Information Commissioner (OAIC) oversees the Privacy Act 1988, under which the Australian Privacy Principles (APPs) set out how organisations may collect, use, disclose, store, and secure personal information — and, specifically, "sensitive information", which includes health data.

Thirteen APPs apply to Abby. In plain English, they require that we:

  • Only collect personal and health information that is reasonably necessary for your care or for running a lawful healthcare service.
  • Tell you, in clear language, why we are collecting it and what we will do with it.
  • Only use or disclose it for the reason we collected it — or a directly related reason a patient would reasonably expect (for example, using your medication history to prepare for your next appointment).
  • Take reasonable steps to keep it accurate, up to date, and secure.
  • Give you access to your own data on request, and correct it if you identify an error.
  • Notify the OAIC and affected individuals in the event of an eligible data breach.

Health information is "sensitive information" under the Privacy Act. That means higher consent and handling thresholds than ordinary personal data — and fewer permitted secondary uses without specific consent.

Where your data is physically stored

Your Abby Health data — including your medical record, consult notes, messages with clinicians, and any images or documents you upload — is stored in Australia, on Australian-hosted cloud infrastructure that meets the requirements of the Australian Signals Directorate's Information Security Manual (ISM) for handling Protected-level data where applicable. The practical effect: your health data does not cross a border without a specific, legal, and consented reason.

This is sometimes referred to as "data sovereignty" — the idea that the laws governing your data should be the laws of the country you live in. For Australian healthcare data, that principle matters. A Medicare-rebated consult involves information about eligibility, prescriptions, and clinical history that sits squarely within Australian privacy and health-records law. Keeping the data in Australia keeps that framework enforceable.

Backups are also held in Australia. Encryption is applied both in transit (when data moves between your device and our systems) and at rest (when it is sitting on a server). Access to infrastructure is logged, audited, and role-restricted.

Who can see your medical record

Short answer: the clinicians and clinical staff directly involved in your care, and no one else.

In more detail, the people who can see your record are:

  • The clinician conducting your consult. They see your full medical history at Abby, your current medications, allergies, and relevant previous notes. This is how continuity works — see how Abby remembers you: continuity of care.
  • Other clinicians in your care network, when they are providing follow-up care — for example, reviewing your pathology results, conducting a follow-up consult, or stepping in when your regular clinician is unavailable.
  • Clinical governance staff, including Dr Bosco Wu (Clinical Director) and senior clinical delegates, for the purposes of audit, peer review, and clinical safety review. This is described in how Abby clinicians are vetted and registered.
  • A small number of administrative staff, with access strictly limited to what they need for their role (for example, billing reconciliation, appointment scheduling, or technical support when you ask for help).

Access is role-based and audited. Every access to a patient record is logged, and logs are reviewed. Clinicians and staff who no longer need access — for example, when they leave — have access removed.

Commercial teams (marketing, growth, partnerships) do not have access to identifiable patient medical records. Aggregate, de-identified data may be used to understand service usage at a population level, but not to view any individual patient's record.

What Abby AI sees, and what it does with it

Abby AI, our medical AI, is a decision-support tool that prepares the clinician for your consult and supports the documentation of the consult afterwards. It is explained in full at what Abby AI is: decision support explained.

Before your appointment, Abby AI surfaces the relevant clinical context: your current medications, allergies, recent consults, ongoing conditions, flagged risk signals, and any follow-ups. It asks you structured, adaptive symptom questions and passes that information — alongside your existing record — to the clinician in the form of a consult-ready brief.

A few important points about what Abby AI does not do:

  • It does not diagnose. It surfaces patterns and flags risk signals. The clinician decides.
  • It does not prescribe. Prescribing is a clinical decision made by an AHPRA-registered practitioner within their scope of practice.
  • It does not replace clinician judgment. Every note it drafts is reviewed by the clinician before it is finalised. The AI note disapproval rate — the rate at which a clinician rejects or substantively rewrites the AI's draft — is 0.03% (Abby Health internal data, Q1 2026). That is by design: the AI is calibrated to support, not to lead.
  • It does not share your data outside the Abby care network for the purposes of training third-party models, selling to advertisers, or any other non-care use.

Abby AI operates within the same Australian-hosted infrastructure and the same privacy framework as the rest of your data.

When we might share your data — and when we won't

There are a small number of circumstances in which your health data may be shared outside Abby, and we want to be explicit about each one.

Medicare claiming. If your appointment is bulk billed through Medicare, limited claim information is submitted to Services Australia for the purpose of rebating the consult. This is how Medicare works across Australian healthcare. Abby appointments are bulk billed for eligible patients with a valid Medicare card — see is Abby bulk billed? for detail.

Prescriptions and pathology referrals. A prescription is sent to the pharmacy you nominate; a pathology or imaging referral goes to the provider you use. Both are part of providing your care — see how to get a prescription online in Australia.

My Health Record. If you consent, clinical information can be uploaded to or accessed from the national My Health Record, governed by the My Health Records Act 2012.

Legal obligations. A small number of situations require us to share information by law — for example, mandatory reporting of certain notifiable conditions to state public health authorities, or complying with a court order. These situations are narrow and the legal thresholds are specific.

Safety risk. If a clinician judges there is a serious and imminent risk to your life or someone else's, a duty-of-care obligation may override confidentiality — for example, a call to emergency services. This is standard clinical practice. If you are in crisis, please see if you're in crisis: immediate support.

What we will not do: sell your data, share identifiable health information with advertisers, share data with non-clinical third parties for commercial purposes, or use your data to train external AI models. This is a deliberate line. For the parallel list of things Abby will never ask you to do, see what Abby will never ask you to do.

Your rights and your opt-outs

Under the Privacy Act, you have clearly defined rights over your own data. At Abby, we make it easy to exercise them.

  • Right to access. You can request a copy of your Abby medical record at any time. We will provide it in a readable format within 30 days, and usually much sooner.
  • Right to correction. If something in your record is wrong, we will correct it. Clinical notes that reflect a clinician's professional judgment at the time are not altered retrospectively, but a correction note is added.
  • Right to withdraw consent. You can withdraw consent for non-essential uses of your data (for example, optional communications) at any time in your account settings.
  • Right to delete your account. You can close your Abby account and request deletion of personal data. A clinical record that we are legally required to retain (for example, under state health-records legislation requiring retention for a minimum period) will be securely archived rather than deleted — this is not an Abby choice, it is a legal obligation. The retention period varies by state and by record type.
  • Right to complain. You can raise a privacy complaint directly with Abby, and if you are not satisfied, you can escalate to the OAIC at oaic.gov.au.

Data breach notification

Under the Notifiable Data Breaches scheme — Part IIIC of the Privacy Act — Abby is required to notify affected individuals and the OAIC if there is an eligible data breach likely to result in serious harm. The notification must be made as soon as practicable after Abby becomes aware of the breach.

In plain terms: if something goes wrong with your data, we tell you, we tell the regulator, and we tell you what we are doing about it. We do not wait. We do not quietly fix it internally. Transparency is built into the scheme for a reason — it is the single most important protection an affected individual has in a data incident. More detail on the scheme is at oaic.gov.au.

The practical shape of our security program

The regulatory framework sets the rules. The security program implements them. A few of the controls that sit behind the privacy policy:

  • Encryption in transit (TLS) and at rest.
  • Role-based access control — each staff member can only see what their role requires.
  • Multi-factor authentication for staff access.
  • Access logging and regular audit review.
  • Background checks for all staff with access to patient data.
  • Data minimisation — we do not collect data we do not need.
  • Routine penetration testing and vulnerability management.
  • Incident response protocols, including direct escalation to the Clinical Director and the Head of Engineering.

All Abby Health practitioners hold current AHPRA registration and operate under clinical confidentiality obligations that are longstanding parts of Australian medical practice. Security is the technical layer on top of those obligations, not a replacement for them.

A note on Australian hosting

"Australian-hosted" is not a marketing phrase. It is an enforceable statement about jurisdiction. When your health data is stored in Australia, it sits under Australian law — the Privacy Act, state health-records legislation, and Australian subpoena and warrant processes. Data in another country would, to varying degrees, sit under that country's laws too. For a healthcare record, that matters.

This is also why Abby's clinical framework, regulatory compliance (see how Abby clinicians are vetted and registered), and data storage are all anchored in Australia. An online-first clinic serving Australian patients should be, by every practical measure, Australian.

Frequently asked questions

Is my Abby data stored overseas?

No. Your Abby health data is stored in Australia, on Australian-hosted infrastructure. Backups are also held in Australia. Data does not cross a border without a specific, legal, and consented reason.

Does Abby sell my data?

No. Abby does not sell identifiable patient data, share it with advertisers, or use it for commercial purposes outside delivering your care. De-identified aggregate data may be used to understand service usage at a population level, but not to view any individual record.

What happens to my data if I close my Abby account?

You can request deletion of personal data at any time. Clinical records we are legally required to retain (under state health-records legislation) will be securely archived for the minimum legal retention period rather than deleted immediately. After that period, they are securely destroyed.

How do I report a privacy concern?

Raise it directly with Abby — your account has a contact form for privacy matters. If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, which oversees the Privacy Act and the Notifiable Data Breaches scheme.