UNCAPT

Legal

Privacy Policy

How we collect, use, and protect your information

Effective: 23 February 2026

1. Introduction

UNCAPT Pty Ltd (ABN 15 641 190 552) (“UNCAPT”, “we”, “our”, “us”) is committed to protecting the privacy of individuals who interact with our platform and services. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with:

  • The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs)
  • The Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs)
  • The Health Records and Information Privacy Act 2002 (NSW) and the Health Privacy Principles
  • The Health Records (Privacy and Access) Act 1997 (ACT)
  • Other applicable state and territory health records legislation

Where state-based health records legislation imposes stricter requirements than the federal APPs, we comply with the stricter standard.

1.1 What UNCAPT builds

UNCAPT is the creator of the ELI Platform — an Operating System for expert reasoning that captures, governs, scales, and compounds domain expertise. Healthcare is our first domain; the platform is domain-agnostic.

MIAMental health triage
ARI / InsightResearch intelligence
MATILDAClinical decision support
CARAAged care reablement
NADIA

UNCAPT is an APP entity under the Privacy Act. Where our products are deployed within a Partner Organisation's platform, both UNCAPT and the Partner Organisation hold obligations to individuals under Australian privacy law:

Partner Organisation

The primary entity that holds the direct relationship with the individual (also referred to as “Partner” or “Customer” in UNCAPT's commercial agreements). Responsible for obtaining consent, managing the primary relationship, and meeting obligations under the Privacy Act and applicable health records legislation.

UNCAPT

As an entity that “holds” and processes information in the course of providing the platform, UNCAPT has direct obligations under the APPs — including security (APP 11), data quality (APP 10), and use and disclosure (APPs 6 and 7) — regardless of contractual arrangements with the Partner Organisation.

We do not rely on our role as a technology provider to limit our direct responsibilities to individuals whose data we process.

UNCAPT interacts with two distinct categories of individuals:

Direct Patients / End Users

Individuals using MIA for mental health triage. UNCAPT collects health information and triage data directly from these individuals, with their express informed consent, at the point of use.

Expert Users / Clinicians

Clinicians and domain experts using the ELI Platform to review, edit, validate, or scale expert reasoning. UNCAPT collects professional details and activity records to maintain accountability and the integrity of clinical reasoning outputs.

This distinction determines how consent is obtained, what information is collected, and how breach notifications are communicated, as set out in the relevant sections below.

2. Information We Collect

2.1 Unsolicited information (APP 4)

If we receive personal information we did not solicit, we will assess whether it could have been collected under APP 3. If not, we will destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so.

2.2 Information you provide

  • Contact information: Name, email address, organisation, and role when you request access, enquire about partnerships, or submit an enquiry form.
  • Direct patient / end-user data (via MIA): Health information, triage responses, and session data collected directly from individuals using MIA, based on their express informed consent at the point of triage.
  • Expert / clinician data (via ELI Platform): Professional details (name, role, credentials) and audit logs from clinicians and domain experts using the ELI Platform to review, edit, or scale clinical reasoning. This information is collected to ensure accountability and to maintain the integrity of clinical reasoning edits.
  • Clinical or domain data (via Partner Organisations): When UNCAPT products are deployed within a Partner Organisation's platform, de-identified or identifiable data may be processed as directed by the Partner Organisation, subject to their privacy obligations and consent processes.
  • Research participant data: If you participate in a research program involving UNCAPT products, data collection is governed by the relevant ethics approval and separate participant consent forms.

2.3 Information collected automatically

  • Usage data: Aggregated, de-identified interaction patterns used to improve platform performance and safety.
  • Technical data: Browser type, IP address, and device information when you visit our website.

3. How We Use Your Information

We use personal information for the following purposes:

  • Responding to access requests and partnership enquiries
  • Providing and improving the ELI Platform and its products
  • Supporting research conducted under ethics approval
  • Ensuring the safety, security, and quality of our services
  • Complying with legal and regulatory obligations
  • Generating aggregated, de-identified insights to improve platform performance

3.1 Direct marketing and communications (APP 7)

We may use contact information provided by domain experts, Partner Organisations, and trial participants to send relevant updates about UNCAPT, including platform updates, research findings, and partnership opportunities.

We will only do so where you have provided your contact information directly to us and would reasonably expect to receive such communications based on your interaction with us.

Opt-out: Every communication we send includes a clear way to opt out of future communications. You can also opt out at any time by contacting info@uncapt.com. We will process opt-out requests within 5 business days.

We do not use patient or subject health information for direct marketing purposes under any circumstances.

4. Health Information (APP 3)

We recognise that health information is sensitive information under the Privacy Act and is afforded additional protections under both the APPs and state-based Health Privacy Principles. We only collect health information where:

  • Direct consent (MIA): For individuals using MIA directly, we collect health information based on your express informed consent provided at the start of the triage process. You will be clearly informed of the purpose of collection and how your information will be used before you provide any health information.
  • A Partner Organisation has obtained appropriate consent and has directed our products to process the information as part of clinical care or a research program
  • It is part of an approved research program with explicit participant consent under a Human Research Ethics Committee (HREC) approval
  • It is required or authorised by Australian law

Health information processed by UNCAPT products is handled in accordance with the Australian Privacy Principles, applicable state and territory health records legislation, and our contractual obligations to the Partner Organisation.

5. AI, Data Usage and Model Training

5.1 Your data is not used to train AI models

We do not use identifiable patient data, clinical recordings, or session data to train, fine-tune, or improve the underlying AI models in our products. Your data remains yours. Data processed by UNCAPT products is used solely for the purpose of providing the service to the Partner Organisation.

5.2 Anonymised clinical reasoning

UNCAPT products generate structured reasoning outputs (e.g., assessment logic, care plan rationale, scoring pathways) as part of normal operation. We retain de-identified versions of these reasoning outputs to enable continuous improvement of clinical knowledge bases.

This de-identified reasoning may be reviewed and refined by qualified domain experts (including research partners) as part of the Expert-Led Iteration (ELI) cycle. This process ensures our products' reasoning remains accurate, current, and aligned with best practice.

5.3 De-identification standard

We apply de-identification processes consistent with the OAIC's De-identification and the Privacy Act guidance and the De-Identification Decision-Making Framework published by the OAIC and CSIRO's Data61. Our process includes:

  • Removal of all direct identifiers (names, dates of birth, contact details, healthcare identifiers)
  • Removal or generalisation of indirect identifiers that could contribute to re-identification
  • Assessment of re-identification risk, including the “motivated intruder” test
  • Ongoing review of re-identification risk as datasets grow

5.4 Sensitive data and re-identification risk

We acknowledge that health and clinical data carries heightened re-identification risk. To mitigate this, our de-identification of reasoning outputs specifically:

  • Strips all session-specific narrative content — retaining only structured reasoning pathways, not underlying patient narratives
  • Generalises demographic and contextual information to broad categories
  • Does not retain unstructured session transcripts or free-text notes in any de-identified dataset
  • Subjects de-identified datasets to periodic re-identification risk assessments

If at any point we determine that de-identified data carries a non-trivial re-identification risk, we treat that data as personal information and apply the full protections of the APPs.

5.5 Transparency and explainability

UNCAPT products are designed to be explainable. Where a product generates a recommendation, it provides the reasoning pathway so that a clinician or domain expert can understand why a suggestion was made and can review, edit, or override the output. UNCAPT products are decision-support tools — they suggest, experts decide.

We are committed to the principles set out in the OAIC's guidance on privacy and AI, including that individuals should be informed when AI is used to process their information, and that human oversight must be maintained for consequential decisions.

6. Use and Disclosure (APPs 6, 7 and 8)

We do not sell, rent, or trade personal information. We use and disclose personal information only for the primary purpose for which it was collected, or for a directly related secondary purpose. Specifically, we may disclose information to:

  • Partner Organisations: Processed outputs are returned to the Partner Organisation as part of the agreed workflow — this is the primary purpose of collection.
  • Research partners: De-identified data (meeting the standards in Section 5.3) may be shared with approved research partners (such as the University of Sydney's Brain and Mind Centre) for ethics-approved research purposes.
  • Service providers: We use a limited number of Australian-based service providers to deliver our platform. These providers are contractually bound to protect your data. All sub-processors that handle clinical data are located in Australia.
  • Legal requirements: Where required or authorised by Australian law, regulation, court order, or enforceable government request (APP 6.2(b)).
  • Serious threat to life, health, or safety: Where we reasonably believe disclosure is necessary to prevent or lessen a serious threat (APP 6.2(c)).

7. Sub-processors

We use the following third-party service providers to deliver our platform. All sub-processors are contractually required to maintain security and privacy standards consistent with this policy and the Australian Privacy Principles.

ProviderPurposeData LocationClinical Data?
Microsoft AzureCloud infrastructure, compute, storage, databasesAustralia EastYes
Private inference providerPrivate model inference (AI processing)AustraliaYes (in transit)
Google AnalyticsWebsite analytics (if enabled)See Google’s termsNo

Important: All sub-processors that handle clinical data are located in Australia. No clinical or health information is transferred to or processed outside of Australia.

Zero-Retention / No-Logging policy: Private inference providers used for AI processing are contractually required to operate under a Zero-Retention, No-Logging configuration. Clinical data submitted for inference is processed in memory only and is never written to disk, logged, or retained by the sub-processor. No clinical data, prompts, or model outputs are stored by the inference provider after the request is complete.

ELI cycle — UNCAPT expert and staff confidentiality: UNCAPT's own domain experts and staff involved in the Expert-Led Iteration (ELI) cycle who review and refine de-identified reasoning outputs are subject to contractual confidentiality obligations of clinical-grade standard. These obligations include restrictions on disclosure, data handling standards consistent with professional clinical duty, and prohibitions on secondary use of any reviewed material. The same standard applies to any external domain expert engaged by UNCAPT under a formal agreement.

This list is kept current. If we add a new sub-processor that handles personal or clinical data, we will update this page and, where required by contract, notify affected Partner Organisations in advance.

8. Data Storage, Security and Location

All clinical data is hosted on infrastructure located in Australia. We implement comprehensive security measures including:

  • Encryption at rest and in transit (AES-256, TLS 1.2+)
  • ISO 27001-aligned information security management practices
  • Role-based access controls and audit logging
  • Regular security assessments and vulnerability testing
  • Private model hosting — clinical data is not sent to shared or public AI services

8.1 Data quality (APP 10)

We take reasonable steps to ensure that personal information we hold is accurate, up-to-date, complete, and relevant. For clinical data, accuracy is critical to safety. Clinicians and domain experts can review and correct all product outputs before they are relied upon for decisions.

8.2 Cross-border data transfers (APP 8)

All clinical and personal data for Australian clients is processed and stored exclusively within Australia. As we expand to serve clients in other jurisdictions (e.g., Canada), we will deploy localised infrastructure in those regions to ensure data remains within the relevant jurisdiction. Our architecture is designed for data sovereignty — each deployment region keeps data local.

9. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law. When data is no longer needed, it is securely deleted or de-identified.

9.1 Clinical data

For clinical data processed on behalf of Partner Organisations, retention periods are determined by the Partner Organisation's policies and applicable health records legislation. Minimum retention periods under state law may include:

  • NSW: Health records must generally be retained for at least 7 years from the date of last entry (or until a child reaches 25)
  • Victoria: Health records must be retained for at least 7 years (or until a child reaches 25)
  • ACT: Similar minimum retention periods apply under the Health Records (Privacy and Access) Act 1997

9.2 Contact and business information

Contact information provided through partnership enquiries or access requests is retained for the duration of the business relationship and for a reasonable period afterward (up to 2 years), unless you request earlier deletion.

9.3 De-identified reasoning outputs

De-identified reasoning outputs (as described in Section 5.2) may be retained indefinitely, as they contain no personal information and serve the ongoing improvement of clinical and domain quality. These outputs are subject to periodic re-identification risk assessments.

10. Notifiable Data Breaches

UNCAPT complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we become aware of an eligible data breach, we will:

  • Take immediate steps to contain the breach and mitigate harm
  • Complete a reasonable assessment within 30 days to determine if the breach is likely to result in serious harm
  • MIA direct users: Where the breach affects individuals who provided information directly to UNCAPT through MIA, UNCAPT will notify those individuals directly as soon as practicable, as we hold the primary relationship with them
  • ELI expert users / clinicians: Where the breach affects clinicians or domain experts using the ELI Platform whose data UNCAPT holds directly, UNCAPT will notify those individuals directly as soon as practicable
  • Partner Organisation cohorts: Where the breach affects individuals whose data was provided through a Partner Organisation, UNCAPT will notify the Partner Organisation as soon as possible and provide all information necessary for them to lead the notification to their affected cohort, consistent with their primary relationship with those individuals
  • Notify the Office of the Australian Information Commissioner (OAIC) where required under the NDB scheme, as soon as practicable after completing the breach assessment
  • Support affected Partner Organisations through the individual notification process and coordinate any required OAIC reporting obligations with them

Our target initial response time for suspected data breaches is 24 hours. We maintain a documented incident response plan that is tested regularly. For full details, see our Security page.

11. Government-Related Identifiers (APP 9)

UNCAPT does not adopt, use, or disclose government-related identifiers (such as Medicare numbers, Individual Healthcare Identifiers, or tax file numbers) as its own identifiers. Where such identifiers are processed as part of clinical data provided by a Partner Organisation, they are handled solely for the clinical purpose directed by that Partner Organisation.

12. Your Rights: Access and Correction

12.1 Business and contact information

If you are a domain expert, researcher, or partner, you may contact us directly to request access (APP 12) or correction (APP 13) of your contact information. We will respond within 30 days.

12.2 Clinical information

For health information and reasoning outputs processed by UNCAPT products, we recommend that patients first contact their treating clinician or healthcare provider. If you contact us directly, we will verify your identity, consult with the Partner Organisation, and coordinate an appropriate response.

12.3 How to exercise your rights

To lodge a request for access or correction, please contact:

UNCAPT Privacy Officer
Email: info@uncapt.com
Level 4, 83 Mount St, North Sydney NSW 2060 Australia

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

13. Children and Young People

UNCAPT products may be used in clinical settings that include young people and adolescents. Our products are not intended for unsupervised use by individuals under 16 years of age. Where products are used in settings involving minors, consent is managed by the Partner Organisation in accordance with applicable legislation.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via our website and, where relevant, directly to Partner Organisations. The “Effective” date at the top indicates the latest revision.

15. Cross-Border Transfers and Data Residency

Our architecture is designed for data sovereignty — each deployment region keeps data local.

Australian customers

All personal information and End User data is stored within Australian jurisdiction. All data processing, including model inference, is performed on infrastructure located within Australia (Microsoft Azure, australiaeast region).

US customers

All personal information and End User data is stored within US jurisdiction, with all data processing and model inference performed on infrastructure located within the United States. Australian data is never transferred to or processed on US infrastructure, and vice versa.

Other jurisdictions

As we expand to serve clients in other jurisdictions, we deploy localised infrastructure in those regions. Data processing agreements are in place with all cloud providers to maintain these residency requirements.

16. Contact Us

For questions about this Privacy Policy or our data practices:

UNCAPT Pty Ltd
Privacy Officer
Email: info@uncapt.com
Address: Level 4, 83 Mount St, North Sydney NSW 2060 Australia
ABN: 15 641 190 552

For security-related concerns: security@uncapt.com