For aged care assessorssee how Hinterflow fits your workflow
Legal

Privacy Policy

Last updated: March 2026

1. About this policy

Hinterflow Pty Ltd ("Hinterflow", "we", "us", "our") is an Australian company committed to handling personal information responsibly and in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy explains what information we collect, why we collect it, how we use and protect it, and when it may be disclosed. Hinterflow is a flexible platform — depending on how you use it, the information you record may include sensitive information under the Privacy Act, including health information. Where it does, we treat all such information with the heightened obligations that applies.

By using Hinterflow you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the platform.

2. Who we are

Hinterflow Pty Ltd is an Australian proprietary company. Our Privacy Officer can be contacted at privacy@hinterflow.com.

We are the data controller for account information and usage data. For session transcripts and content recorded through Hinterflow, we act as a data processor on behalf of the organisation or individual using our platform.

3. Information we collect

Account information

Name, email address, organisation name, and professional role when you register an account.

Voice audio

Audio captured during a Hinterflow session. Audio is streamed in real time to our transcription service. Raw audio is not stored after the session ends. Only the transcript is retained.

Transcripts

Text transcribed from voice sessions. Depending on how you use Hinterflow, transcripts may contain sensitive personal information — including health information such as medical history, functional status, care needs, medications, or diagnoses — where the conversation involves it.

Extracted form data

Structured data mapped from the transcript to specific form fields. This is derived from the transcript and may contain the same categories of sensitive information.

Usage data

Log data including IP addresses, browser type, pages visited, and timestamps — used for security monitoring and service operation. This data does not include session content.

What we do not collect

We do not collect My Health Record data. We do not independently collect information about people you record — all such information enters the platform only through the session you conduct.

4. How and why we collect information

We collect information to provide the Hinterflow service. Specifically:

  • Account information is collected to authenticate users and operate the platform
  • Voice audio is collected to enable real-time transcription
  • Transcripts and extracted data are collected to support the workflow you are using Hinterflow for and the form-filling functionality
  • Usage data is collected for security, reliability, and operational monitoring

Where your use of Hinterflow involves recording health information about another person — for example, a clinical interview or aged care assessment — we collect such information only because it is inherent to that workflow. Users are responsible for ensuring they have appropriate authority and consent to use Hinterflow when recording personal information about someone else. See Section 9 (Consent obligations) below.

We do not use session data for any purpose other than providing the service to the user who recorded it.

5. Health information — heightened obligations

Where Hinterflow handles health information, that information is sensitive information under the Privacy Act 1988 (Cth). This means we are subject to stricter obligations in how we collect, use, and disclose it:

  • We collect health information only where it is reasonably necessary for the direct provision of our service
  • We do not use health information for any secondary purpose without consent
  • We do not disclose health information to any party other than those necessary to operate the service, as described in this policy
  • We do not use or disclose health information for direct marketing
  • We do not use client health information for AI model training

6. Data storage and sovereignty

All account data, transcripts, extracted form data, and associated records are stored in Australia on Amazon Web Services infrastructure in the Sydney region (ap-southeast-2). This is a structural commitment: the database, file storage, and all persistent data reside in Australia.

Backups are also retained within ap-southeast-2.

No customer data leaves Australia at any point — at rest, in transit, or during AI processing. See Section 7.

7. AI processing — runs in Australia

All AI processing on Hinterflow — voice transcription and field extraction — runs on AWS infrastructure in the Sydney region (ap-southeast-2). No customer data is disclosed overseas for AI inference or for any other purpose.

Voice transcription

Voice audio from sessions is streamed in real time to a transcription service running on AWS infrastructure in Sydney. The audio is processed live and is not stored by AWS or by us after transcription — only the resulting transcript is retained in your account. This processing is governed by the AWS Service Terms and our AWS Data Processing Addendum, under which AWS is contractually prohibited from using customer data to train or improve AI models.

AI field extraction

Transcript text is processed by AI models running on Amazon Bedrock in the Sydney region (ap-southeast-2) for structured data extraction — identifying and mapping information to form fields. AWS service terms prohibit using customer data submitted to Bedrock to train or improve foundation models. Processing is transient: data is sent for inference and the result returned; it is not retained by AWS for any other purpose.

No overseas disclosure

Because all AI processing runs in Australia, the cross-border disclosure provisions of APP 8 are not engaged for AI inference. Our AWS Data Processing Addendum applies to all AWS services we use, including Bedrock.

8. Disclosure of information

We do not sell, rent, or trade personal information. We disclose information only as follows:

  • Amazon Web Services: cloud infrastructure for storage, compute, voice transcription, and AI inference (via Amazon Bedrock) — all in the Sydney region. Covered by our AWS Data Processing Addendum.
  • Law enforcement or regulators: where required by Australian law, a court order, or to protect the rights and safety of individuals

We do not disclose session content to any other third party for any purpose.

9. Consent obligations when recording another person

Hinterflow can be used in many ways — some involve only your own voice (e.g., dictating notes), others involve recording a conversation with another person (e.g., an interview, consultation, or assessment).

If you use Hinterflow in a way that records another person, you are responsible for:

  • Informing them that the conversation is being recorded and transcribed
  • Informing them that AI processing will be used to transcribe the conversation and fill the form (all such processing runs on infrastructure in Australia)
  • Obtaining their consent (verbal or written, as appropriate to your professional context) before starting a Hinterflow session
  • Complying with any consent obligations under your professional registration, employer policy, or applicable legislation (including aged care, disability, or health privacy laws where relevant)

We provide guidance on how to explain Hinterflow at the start of a session. You remain responsible for obtaining and documenting consent.

10. Data retention

Transcripts and extracted data are retained for as long as your account is active or as required by applicable law. You may delete individual sessions or your entire account at any time through the platform. Deletion permanently removes the associated transcript and extracted data from our systems.

Encrypted backups may retain deleted records for up to 30 days before permanent removal. Usage logs are retained for 90 days.

We do not retain raw voice audio after a session ends.

11. Security

We implement technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, or destruction. These include:

  • Encryption in transit (TLS) for all data sent between your browser, our platform, and AI services
  • Encryption at rest for stored data
  • Authentication controls and role-based access
  • Web Application Firewall and rate limiting
  • Infrastructure contained within a private network

No method of transmission or storage is completely secure. In the event of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

12. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Know what personal information we hold about you
  • Access personal information we hold about you
  • Correct inaccurate, out-of-date, or incomplete information
  • Request deletion of your data (subject to legal retention obligations)
  • Complain about a breach of the APPs

To exercise these rights, contact our Privacy Officer at privacy@hinterflow.com. We will respond within 30 days.

Note: session content is held on behalf of the user who recorded it (or their organisation). If someone whose information appears in a session wishes to access or correct it, they should contact the user who recorded the session.

13. Cookies and tracking

We use essential session cookies to maintain your authenticated state. We do not use third-party tracking cookies, advertising cookies, or analytics services that send data to third parties.

14. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The date at the top of this page reflects when the policy was last updated. Continued use after changes take effect constitutes acceptance.

15. Contact and complaints

For privacy enquiries or to exercise your rights, contact our Privacy Officer:

Email: privacy@hinterflow.com
Organisation: Hinterflow Pty Ltd, Australia

If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).