In plain English: We collect the minimum data needed to run your pharmacy operations dashboard. We don't sell your data, we don't share it with advertisers, and your operational data belongs to you. This policy explains the details.
1. Who we are
Pharmacy HQ is a software-as-a-service (SaaS) product providing staff operations dashboards for Australian pharmacies. It is operated by Pharmacy HQ Pty Ltd (ACN 698 203 164 · ABN 86 698 203 164), an Australian company with registered office at C/- Perrier Ryan Business Advisors, Level 1, 30 Lisburn Street, East Brisbane QLD 4169.
In this policy, "Pharmacy HQ", "we", "us" and "our" refer to Pharmacy HQ Pty Ltd. "You" refers to the pharmacy owner, manager, or staff member using our service.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. What information we collect
Account information
When you create a Pharmacy HQ account, we collect:
- Your pharmacy name and email address
- A hashed password (we never store plain-text passwords)
- Your selected subscription plan and billing details (processed by Stripe — we store only a Stripe Customer ID, not card numbers)
Operational data you enter
All data entered by you or your staff into the application is stored under your pharmacy's account and includes:
- Staff records — names, roles, emoji avatars (no government IDs, no contact details unless you enter them)
- Task and diary entries — operational notes, task completions, timestamps
- Cash reconciliation data — float amounts, variance figures, POS totals
- Special orders and delivery records — patient names and item descriptions (as entered by your staff)
- Staff leave records — dates and leave types
- Front-of-store logs — incident notes, stocktake records, expiry dates
- Webster patient profiles — patient names, DOB, address, phone, Medicare/DVA/NDIS numbers, pack type + frequency, fee type, prescribing doctor, packing notes; plus, when supplied for PPA claim eligibility: concession status (pensioner / health-care-card-holder / general), Aboriginal and/or Torres Strait Islander identification (used for IDAA claim eligibility — entered with patient consent at enrolment), living setting (e.g. home / RACF / supported accommodation — used for staged supply program eligibility)
- Staged Supply records — A2 enrolment agreement (patient + prescriber + meds + service terms), per-visit dispensing log (A3/A4), comms log (A5), photographs of wet-signed acknowledgement slips
- Care Transfer records — patient name, DOB, Medicare/DVA/NDIS, scripts-per-month estimate, welcoming staff member
- Vaccination claim records — patient name, DOB, Medicare/DVA, vaccine batch/lot, dose number, vaccinator AHPRA registration
- PPA claim drafts — monthly DAA + Staged Supply claim line items aggregated from your patient records
- Sick-call records — staff name, shift, reason (optional), expected days off, photo of sick certificate (when uploaded)
- Staff Workforce records — rosters, time-clock punches, timesheets, annual leave balances
- File uploads — photographs (e.g. proof-of-delivery photos, Webster pack pre-check photos, photographs of wet-signed Staged Supply slips, sick certificate uploads, policy library document uploads) are stored in Firebase Storage. Each file is bound by Firebase Storage Security Rules so only members of the uploading pharmacy can access it.
Important: Pharmacy HQ stores both operational data (staff records, tasks, diary entries, cash reconciliation) AND, when you enable the relevant features, patient-adjacent operational data (Webster patient profiles including Medicare/DVA/NDIS, Care Transfer records, Staged Supply dispensing events, vaccination claim records). All such data is stored under your pharmacy's account with strict access controls. We are not a regulated health records platform; the dispensing system at your pharmacy remains the system of record for full clinical medication history. See Section 9 below for the full list of patient-adjacent data categories.
Sensitive information (APP 3.3). Where the pharmacy chooses to record a patient's Aboriginal and/or Torres Strait Islander identification (used to confirm IDAA — Indigenous Dose Administration Aid — program eligibility), that information is "sensitive information" under the Australian Privacy Principles. The pharmacy is the APP entity collecting it; Pharmacy HQ acts as the data processor on the pharmacy's behalf. Pharmacies must obtain the patient's consent before recording this field and may only use it for the specific purpose of confirming IDAA program eligibility. Pharmacy HQ enforces this by gating the field behind an explicit consent prompt at the Webster enrolment form. Concession status and living-setting metadata are not classified as sensitive information under the APPs but are still treated with the same access controls as other patient-adjacent data.
Technical data collected automatically
When you use our application, we or our infrastructure providers may automatically collect:
- Your IP address and approximate location (city-level)
- Browser type and version, operating system
- Pages visited within the application and timestamps
- Error logs and crash reports (to help us fix bugs)
| Data type | Collected by | Purpose |
|---|
| Auth tokens & session data | Firebase Authentication (Google) | Keeping you signed in securely |
| Realtime database (all app data) | Firebase Realtime Database (Google) | Live sync across devices |
| Payment & billing data | Stripe, Inc. | Processing subscription payments |
| Email delivery logs | Resend, Inc. | Welcome, trial, billing, and claim-nag emails |
3. How we use your information
We use the information we collect for the following purposes:
- Providing and improving the service — running your operations dashboard, syncing data across devices, and fixing bugs
- Account management — creating and managing your account, verifying your identity, and enforcing subscription limits
- Billing — processing subscription payments, sending invoices, and managing trial periods
- Communications — sending you service emails (welcome, trial expiry warnings, payment failure alerts, and important product updates). We do not send marketing emails without your consent.
- Analytics — understanding how the application is used in aggregate so we can improve it. We do not create individual behavioural profiles for advertising.
- Legal compliance — meeting our obligations under Australian law
We will never sell your data to third parties, use it to serve you advertisements, or share it with anyone who is not listed in Section 4 of this policy.
4. Who we share information with
We share data only with the following trusted third-party providers, and only to the extent necessary to provide the service:
| Provider | Country | Purpose | Their Privacy Policy |
|---|
| Google Firebase |
USA (data may be stored in Australia/APAC data centres — subject to Google's data residency settings) |
Authentication, real-time database, cloud functions |
firebase.google.com/support/privacy |
| Stripe, Inc. |
USA |
Payment processing and subscription management |
stripe.com/au/privacy |
| Resend, Inc. |
USA (Tokyo region) |
Transactional email delivery (welcome, password reset, billing alerts, trial expiry warnings, claim-nag reminders) |
resend.com/legal/privacy-policy |
| Cloudflare, Inc. |
USA (global edge) |
DNS hosting, Email Routing (inbound automated reports e.g. fridge temperature logs), Workers (transforming inbound emails into structured records) |
cloudflare.com/privacypolicy |
| Anthropic PBC |
USA |
AI assistant (Claude API) — powers Help Chat, Policy Chat, Workflow Chat, Pre-Check Webster pack image-analysis. Anthropic does not store or train on prompts under their commercial terms. |
anthropic.com/legal/privacy |
| Twilio Inc. |
USA (global) |
Outbound + inbound SMS (delivery + collection notifications, holiday-hours cohort SMS, sick-call cascades, pre-shift reminders) |
twilio.com/en-us/legal/privacy |
| Pharmacy Programs Administrator (PPA) — per-claim |
Australia |
When you submit a MedsCheck, NIPVIP, CVCP, DAA, or Staged Supply claim, patient identifiers (name, DOB, Medicare/DVA), vaccine batch/lot, and service particulars are sent to PPA's API under your existing Service Provider Agreement |
ppaonline.com.au/privacy |
| Xero — when connected |
New Zealand |
If you connect Xero in Pharmacy Settings → Integrations → Xero Payroll, approved timesheet data + staff identity is pushed to Xero on demand. Pharmacy HQ does not pull data from Xero. |
xero.com/au/legal/privacy |
| Google Maps Platform — when enabled |
USA (global) |
If you enable Deliveries route optimisation, delivery addresses are geocoded + routed via Google Maps APIs. Address strings only — no patient names. |
policies.google.com/privacy |
Authoritative sub-processor list: for the current authoritative list of every data sub-processor + their role + jurisdiction, see pharmacyhq.com.au/sub-processors. That page is updated whenever a sub-processor is added, removed, or changes role — it is the single source of truth and takes precedence over any listing in this document.
All of these providers are bound by contracts that require them to handle your data securely and only for the specified purpose. Data transfers to the USA are covered by standard contractual clauses.
We may also disclose your information if required to do so by Australian law (for example, in response to a court order or regulatory request).
4a. AI features and Anthropic
Pharmacy HQ provides four AI-powered surfaces, all backed by Anthropic's Claude API:
- Help Chat — answers "how do I do X in the app?" questions using public documentation.
- Policy Chat — searches policy documents your pharmacy has uploaded to its policy library and synthesises answers from them.
- Workflow Chat — can read your live pharmacy data (patients, deliveries, orders, roster) via a controlled set of read-only tools, and answers questions like "What's Mrs Smith's Webster status?".
- Pre-Check — assistive image analysis of Webster pack photos, returning a pill-count vs the expected count.
What is sent to Anthropic
When you ask a question in a chat surface, the text of your question and the contextual data the assistant needs to answer (which may include patient names, prescription details, or operational records) is transmitted to Anthropic's API. For Pre-Check, the photograph of the Webster pack is sent.
What Anthropic does with it
Under Anthropic's commercial terms in effect at the date of this policy, requests and responses are not used for model training and are not retained beyond the time required to deliver the response (subject to Anthropic's standard logging for abuse prevention).
What we log on our side
We log metadata only — timestamp, surface (help / policy / workflow / pre-check), tokens consumed, latency. We do not log the prompt or the response text on our side. This is a deliberate PHI-hygiene choice; the trade-off is we can't audit the content of historical AI queries.
How to opt out
Pharmacy owners can disable AI features for the entire pharmacy in Pharmacy Settings → AI Chat. Once disabled, no Anthropic API calls occur from your pharmacy's account.
5. Data storage and security
Your data is stored in Firebase Realtime Database, hosted by Google. All data is protected by:
- Encryption in transit — all connections use TLS 1.2 or higher
- Encryption at rest — Firebase encrypts data at rest by default
- Authentication-gated access — Firebase security rules ensure each pharmacy can only access their own data. No cross-pharmacy data leakage is possible by design.
- Admin access control — only whitelisted Pharmacy HQ administrators can access the management dashboard, protected by Firebase custom claims
Edge security and inbound mail processing. DNS for pharmacyhq.com.au is hosted on Cloudflare; inbound automated emails (e.g. fridge temperature logs from Clever Logger) are routed through Cloudflare Email Routing and processed by a Cloudflare Worker before being forwarded to our Cloud Functions for ingestion. Cloudflare may temporarily process the email contents in transit; we do not retain Cloudflare's processing logs beyond what their standard logging provides.
While we take reasonable technical measures to protect your data, no internet transmission or electronic storage method is 100% secure. If you become aware of any security vulnerability, please contact us immediately at security@pharmacyhq.com.au.
6. How long we keep your data
- Active account data — retained for as long as your account remains active
- Cancelled accounts — operational data is retained for 90 days after cancellation, giving you time to export records. After 90 days, it is permanently deleted.
- Billing records — retained for 7 years to comply with Australian taxation and accounting obligations
- Email logs — retained per Resend's standard retention (30 days for successful deliveries; 90 days for bounces and complaints), then deleted
- Anonymous/aggregate analytics — retained indefinitely (contains no personally identifiable information)
You can request earlier deletion of your data at any time by contacting privacy@pharmacyhq.com.au. Billing records may be retained longer if required by law.
7. Your privacy rights (Australian Privacy Act)
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights:
Right to access your data
You can request a copy of the personal information we hold about you. We will provide this within 30 days of your request. Your operational data is accessible directly through the application at any time.
Right to correction
If any information we hold about you is inaccurate or out of date, you can correct it yourself within the application or ask us to correct it.
Right to deletion
You can request that we delete your account and associated data. Some data may be retained where required by law (e.g. financial records).
Right to complain
If you believe we have handled your personal information in breach of the Privacy Act, you can lodge a complaint with us at privacy@pharmacyhq.com.au. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.
To exercise any of these rights, email privacy@pharmacyhq.com.au. We will respond within 30 days and may need to verify your identity before acting on your request.
8. Cookies and tracking
Pharmacy HQ is a single-page web application. We use the following minimal cookies and local storage:
- Firebase Authentication session cookies — strictly necessary to keep you signed in. These expire when you sign out or after 30 days of inactivity.
- Local preferences — browser local storage may be used to remember UI preferences (e.g. selected nav tab). This data never leaves your device.
We do not use advertising cookies, third-party tracking pixels, or social media widgets. The landing page (pharmacyhq.com.au) does not use Google Analytics or any equivalent analytics service that tracks individuals across sites.
9. Pharmacy and health-adjacent data
Pharmacy HQ is primarily a workflow and operations dashboard. We are not a clinical management system, regulated health records platform, or dispensing software. However, several features that you (the pharmacy) can optionally enable do require us to store patient-adjacent operational data.
What we may store, when your pharmacy uses the relevant feature:
- Patient identifiers (Medicare, DVA, NDIS, date of birth, address, phone) — captured in the Webster patient record, the Care Transfer modal, and the Staged Supply enrolment, so the pharmacy can match patients to PPA claim submissions and operational workflows.
- Dispensing-event records under Staged Supply — when your pharmacy operates a Staged Supply Service (a PSA-defined program for patients managing risk of medication misuse), each per-visit dispensing event is recorded against the patient (drug, scheduled vs actual doses, balance, photographs of wet-signed acknowledgement slips).
- Vaccination claim records — for MedsCheck, NIPVIP, CVCP claims: patient name, DOB, Medicare/DVA, vaccine batch/lot, vaccinator AHPRA number.
- Delivery and Webster pack metadata — patient name, address, pack frequency, delivery notes, packing instructions.
What we still do not store:
- Full clinical medication histories (the dispensing system at your pharmacy remains the system of record).
- Diagnosis or clinical decision documentation.
- My Health Record content (we may write to MHR in future when you connect that integration, but we do not store its contents in our database).
All patient-adjacent data is gated by Firebase Security Rules so that one pharmacy cannot read another pharmacy's records. Per-feature sensitivity controls (e.g. the Staged Supply path is admin-SDK-write-only — every write goes through an authenticated Cloud Function with an audit log) give an extra layer for the most sensitive paths.
Pharmacy owners remain responsible for ensuring their use of the application complies with applicable pharmacy board and privacy regulations. We provide the platform; you remain the data controller for patient information under the Privacy Act.
If you have specific compliance questions for your pharmacy, we recommend seeking independent legal advice or contacting the Pharmacy Guild of Australia.
10. Children's privacy
Pharmacy HQ is a professional business tool intended for use by adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please contact us at privacy@pharmacyhq.com.au and we will promptly delete the account.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to all registered account holders at least 14 days before the change takes effect
- Display a notice in the application
Continued use of Pharmacy HQ after the effective date of any changes constitutes your acceptance of the updated policy.