Privacy Policy

1. About This Policy

CYORA Pty Ltd (ABN 59 649 153 935) ("CYORA", "we", "us", "our") is committed to protecting the privacy and confidentiality of your personal and health information.

This Privacy Policy explains what personal and health information we collect, why we collect it, how we use and disclose it, and your rights to access, correct, and complain about how it is handled.

It applies to all personal information collected by CYORA Pty Ltd in connection with our health optimisation programs, website, client portal, and onboarding funnel.

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the thirteen (13) Australian Privacy Principles (APPs). Health information is treated as sensitive information under the Privacy Act and afforded additional protections.

2. Who We Are

CYORA Pty Ltd
ABN 59 649 153 935
52/17 Great Southern Drive, Robina QLD 4226, Australia
support@cyora.com.au
cyora.com.au

Responsible Practitioner: Dr Daniel Kirkbride, Osteopath
AHPRA Registration: OST0002224719 | Provider Number: 5605954W

3. What Information We Collect

3.1 Identity and Contact Information

Full name, date of birth, and sex
Email address, phone number, and residential address

3.2 Health Information Sensitive

Health information is a category of sensitive information under the Privacy Act. We collect it only with your explicit consent. We collect:

Medical history, current medications, allergies, and supplements
Known diagnoses, chronic conditions, and family health history
Reproductive status (pregnancy, breastfeeding, hormonal contraception)
Mental health history and psychological wellbeing
Dietary restrictions, food intolerances, and eating patterns
Exercise history, injuries, and physical capacity
Sleep patterns and recovery metrics

3.3 Diagnostic and Clinical Data Sensitive

Where you consent to diagnostic testing as part of your program, we collect and retain:

Comprehensive blood test results (biomarkers, hormone panels, metabolic markers)
DNA / genetic SNP analysis reports
Microbiome / stool analysis reports
Body composition data (DEXA scan results)
Cardiorespiratory fitness data (VO2 Max test results)
Organic Acids Test (OAT) results
Oura ring biometric data (HRV, sleep, activity) — with your personal access token

3.4 Program and Engagement Data

Clinical intake form responses
Signed client agreement and e-signature timestamp
Consultation notes and practitioner assessments
Supplement protocols, meal plans, nutrition blueprints, training plans

3.5 Financial Information

Payment amounts and transaction references (Stripe processes card payments — CYORA does not store full card details)
Invoice records

3.6 Technical Information

IP address and device type when accessing our client portal
Usage patterns within the CYORA client portal (see Cookies section)

4. How We Collect Your Information

We collect information:

Directly from you — via our online onboarding funnel, clinical intake form (Typeform), consultations, and communications
From diagnostic laboratories — when you consent to testing through our partner network (Australian Clinical Labs, NutriPATH, iMedical, iScreen)
From connected devices — Oura ring data, with your explicit consent and personal access token
Via DocuSeal — when you electronically sign your Client Agreement
From your GP or specialists — only with your prior written consent

We will always tell you why we are collecting information at the point of collection. We will only collect health information with your explicit consent, except in circumstances permitted by law such as an emergency.

5. Why We Collect Your Information

We collect and use your information to:

Deliver clinical care — interpret diagnostic data, develop personalised protocols, and provide practitioner consultations
Administer your program — manage onboarding, scheduling, billing, and access to resources
Communicate with you — send protocol updates, appointment reminders, community information, and support responses
Improve our programs — analyse de-identified, aggregated outcomes data
Comply with legal obligations — maintain health records as required by law
Protect safety — respond to urgent health disclosures requiring referral or emergency services

We will not use your information for any purpose incompatible with these primary purposes without your consent.

6. Artificial Intelligence and Automated Processing

You have a right to know when AI is used to process your health information.

⚠️ AI is used in our clinical workflow

CYORA uses Anthropic Claude (an AI language model) to assist our clinical team. The AI does not make clinical decisions — it supports practitioners who remain fully responsible for all clinical interpretation and recommendations.

6.1 Clinical Intake Summary

When you complete the CYORA clinical intake form, our system uses Anthropic Claude API (operated by Anthropic PBC, USA) to extract a brief clinical summary from your intake responses. This summary — typically 3 key clinical points — is:

Sent to your assigned practitioner(s) in our internal Slack channel before your first consultation
Appended to your client record in our practice management system

Your intake data is transmitted to Anthropic's API for processing. Per Anthropic's current API usage policy, data submitted via their API is not used to train their AI models. Anthropic's data processing is governed by their Privacy Policy and API Terms of Service.

6.2 Pre-Consult Brief

Prior to scheduled consultations, our system may use AI to compile a summary of recent activity, diagnostic trends, and consultation notes to assist your practitioner's preparation. This is a support tool only — your practitioner reviews and is solely responsible for all clinical decisions.

6.3 Opting Out of AI Processing

You may opt out of AI-assisted intake summary processing by contacting support@cyora.com.au before completing your intake form. You can still participate in the program; your practitioner will review your full intake form directly.

7. Disclosure of Your Information

7.1 CYORA Practitioner Team

Your information is accessible to team members on a need-to-know basis:

Dr Daniel Kirkbride (Osteopath, AHPRA OST0002224719) — head clinician, reviews all clinical data
Hannah King (APD, DA APD050601) — reviews nutrition-relevant data
Dr David Kirkbride (Osteopath, AHPRA OST0002691036) — reviews training and physical capacity data
Administrative and support staff — limited to non-clinical administrative data only

7.2 Your General Practitioner or Specialists

With your prior written consent, we may share a program summary, diagnostic findings, or protocol with your GP or treating specialists for coordinated care. We will never share your clinical information with your GP without your explicit consent, unless required by law or in a health emergency.

7.3 Diagnostic Laboratories

When you order diagnostic tests through our partner labs, the labs receive identifying information necessary to process and return your results. Partners include: Australian Clinical Labs, iMedical, NutriPATH, and iScreen. Each operates under its own privacy obligations.

7.4 Technology Service Providers

We use the following technology providers to operate our business. We disclose your information to these providers only to the extent necessary to deliver our services, and engage each under a data processing agreement.

Provider	Purpose	Data Location
Supabase Inc (USA)	Primary database hosting — client records, diagnostic data, portal	Sydney, Australia (ap-southeast-2)
Stripe Inc (USA)	Payment processing	USA
GoHighLevel Inc (USA)	CRM — contact management, appointment booking, client tags	USA
Typeform SL (Spain / EU)	Clinical intake form collection	EU (GDPR compliant)
DocuSeal (USA)	Electronic signature for client agreements	USA
Google LLC (USA)	Google Drive document storage, Google Workspace (email)	USA / AU data centres
Anthropic PBC (USA)	AI language model for clinical intake summary (see Section 6)	USA
Slack Technologies (USA)	Internal team communication — practitioner briefings	USA
Vercel Inc (USA)	Hosting of client portal and onboarding funnel	USA / global CDN

7.5 Legal and Regulatory Disclosure

We may disclose your information without consent where required or authorised by law, including: to AHPRA in a regulatory investigation, to a court pursuant to a subpoena, to police or emergency services where there is an immediate threat to life, or to the OAIC in the context of a privacy complaint.

8. Cross-Border Disclosure

Your personal and health information may be transferred to, and stored or processed in, countries other than Australia — see Section 7.4 for specific locations.

Before disclosing your information overseas, we take reasonable steps to ensure overseas recipients handle it consistently with the Australian Privacy Principles, through:

Contractual data processing agreements with providers requiring APP-equivalent protections
Providers certified under equivalent frameworks (e.g. Typeform under GDPR; Stripe and Supabase with SOC 2 Type II certification)

Your diagnostic and clinical data (blood results, DEXA, VO2, DNA, stool, OAT) is stored in Supabase on servers located in Sydney, Australia.

By consenting to our services and this Privacy Policy, you consent to the cross-border transfer of your information as described in Section 7.4, in accordance with APP 8.2(a).

9. Security of Your Information

We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
Role-based access controls — practitioner data access is scoped to relevant records
Time-limited signed URLs for document access (not permanently public)
Multi-factor authentication for portal access
Regular security reviews

Our primary database (Supabase) holds SOC 2 Type II certification and ISO 27001 compliance.

In the event of an eligible data breach affecting your information, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme (Part IIIC, Privacy Act 1988 (Cth)), as soon as practicable and no later than 30 days after we have reasonable grounds to believe a breach has occurred.

10. Retention of Your Information

We retain your information for:

Health and clinical records — minimum 10 years from your last consultation, consistent with AHPRA professional standards and state health records legislation. Records of individuals who were minors at the time of collection are retained until they turn 25.
Financial records — 7 years from the date of the transaction (ATO requirement)
Onboarding and agreement records — 7 years from the end of your program
Marketing communications — until you unsubscribe or withdraw consent

After the applicable retention period, your information will be securely destroyed or permanently de-identified.

11. Your Rights

Access

Request a copy of the personal and health information we hold about you. We respond within 30 days. A reasonable fee may apply for large requests.

Correction

If information we hold is inaccurate, incomplete, or out of date, request a correction. We respond within 30 days.

Opt Out of Marketing

Opt out of direct marketing at any time by clicking "Unsubscribe" in any marketing email or contacting support@cyora.com.au. Processed within 5 business days.

Opt Out of AI Processing

Opt out of AI-assisted intake summary processing before completing your intake form. Contact support@cyora.com.au.

Anonymity

Where practicable, you may interact with us anonymously. However, anonymity is not compatible with program participation — we must know who you are to provide clinical care.

Complaint

If you believe we have mishandled your information, you may complain to us directly or to the OAIC. See Section 13.

To exercise any right, contact us at support@cyora.com.au.

12. Cookies and Tracking

Our client portal and onboarding funnel use the following:

Cookie / Technology	Purpose	Retention
Supabase session cookie	Maintains your authenticated session in the CYORA OS portal (practitioner access only)	Session
Vercel analytics (anonymous)	Anonymous page view analytics — no personal data collected	30 days

We do not use advertising cookies, tracking pixels, or third-party retargeting technologies on our client portal or onboarding funnel. We do not sell your data to advertisers.

Our main marketing website (cyora.com.au) may use analytics tools. If you have questions about tracking on the marketing site, contact support@cyora.com.au.

13. Complaints

If you have a complaint about how we handle your personal information, please contact us first:

Privacy enquiries: support@cyora.com.au
We will acknowledge your complaint within 5 business days and respond fully within 30 days.

If you are not satisfied with our response, you may lodge a complaint with:

Office of the Australian Information Commissioner (OAIC)
Website: oaic.gov.au/privacy/privacy-complaints
Phone: 1300 363 992

Complaints about the professional conduct of a registered practitioner may be made to:

AHPRA
Website: ahpra.gov.au/Notifications
Phone: 1300 419 495

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active clients via email at least 30 days before they take effect.

The current version of this Policy is always available at cyora.com.au/privacy-policy.

This Privacy Policy was prepared having regard to the Privacy Act 1988 (Cth), the Australian Privacy Principles, applicable state and territory health records legislation, and the Notifiable Data Breaches scheme. It will be updated following passage of any Privacy Act reform legislation (Privacy and Other Legislation Amendment Act 2024) and upon completion of the CYORA AHPRA and medicolegal compliance review (in progress, May 2026).