Privacy Policy

How Pathways AI collects, uses, stores and protects personal and health information across Australia, the United Kingdom and the United States — and the rights you have over it.

Effective date: 01 June 2026
Last updated: 01 June 2026
Version: 1.0
Entity: Pathways AI Pty Ltd

Pathways is a clinical decision support tool built to assist — never replace — the judgement of qualified healthcare professionals. This policy is written to comply with the Australian Privacy Act 1988, the UK GDPR and Data Protection Act 2018, and US laws including HIPAA and the CCPA/CPRA.

About this policy

Pathways AI Pty Ltd (ACN [INSERT]) (“Pathways”, “we”, “us”, “our”) provides clinical reasoning support software, including the Differential, Socrates and Scribe products (the “Services”), at getpathways.ai and app.getpathways.ai.

This Privacy Policy explains how we collect, use, disclose, store and protect personal information and health information when you visit our websites, interact with us, or use the Services. It is written to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, the UK GDPR and the Data Protection Act 2018, and applicable United States federal and state privacy laws, including HIPAA, the CCPA/CPRA and comparable state statutes.

01 Who we are and how to contact us

Pathways AI Pty Ltd is an Australian proprietary limited company that develops clinical decision support software for licensed healthcare professionals.

Pathways is a clinical decision support tool designed to assist — never replace — the clinical judgement of qualified healthcare professionals. The clinician is always the final decision-maker.

Contact details

Entity: Pathways AI Pty Ltd (ACN 695 207 606)
Registered office: L6, 20 Bungan Street, Mona Vale NSW 2103, Australia
Privacy Officer (AU): privacy@getpathways.ai
Data Protection Officer (UK / EEA): dpo@getpathways.ai
HIPAA Privacy Officer (US): hipaa@getpathways.ai
Postal address: As above

02 Scope of this policy

This policy applies to:

  • visitors to our marketing websites (including getpathways.ai);
  • healthcare professionals and other authorised users who register for and use the Services;
  • representatives of our customers, prospects, suppliers and partners; and
  • patients whose personal information or health information is processed through the Services by our customers.

Patients: Where a healthcare provider uses the Services to support care for a patient, the healthcare provider is the entity that decides how and why the patient’s information is handled. In Australian terms they are the relevant APP entity; in UK / EU terms they are the data controller; in US terms they are the HIPAA covered entity. Pathways acts on their behalf as a service provider, processor and (where HIPAA applies) business associate. Patients with questions about their information should contact their healthcare provider in the first instance.

03 Key terms

Term | Meaning
Personal information / personal data | Information that identifies, or could reasonably identify, an individual. Includes “personal information” under the Australian Privacy Act, “personal data” under the UK GDPR, and “personal information” under the CCPA/CPRA.
Health information / PHI | Information about an individual’s health, disability, or the health services provided to them. In the United States, this includes Protected Health Information (PHI) as defined under HIPAA when handled on behalf of a covered entity.
Sensitive information / special category data | A subset of personal information given heightened protection under each regime, including health information, genetic and biometric data, and information about race, sexual orientation and religious beliefs.
De-identified data | Information from which identifiers have been removed so that an individual cannot reasonably be identified, in accordance with OAIC guidance, the HIPAA Safe Harbor or Expert Determination method, and UK ICO anonymisation guidance.
Customer | A healthcare provider, practice, hospital, clinic or other organisation that subscribes to the Services.
Authorised user | An individual (typically a clinician or practice staff member) authorised by a Customer to access the Services.

04 Information we collect

The categories of information we collect depend on how you interact with us.

4.1 Information you or your organisation provide

  • Account and identity information: name, work email address, professional role, employer or practice, healthcare professional registration number (e.g. AHPRA, GMC, NPI), and credentials used to authenticate.
  • Billing and contract information: billing contact, billing address, purchase orders and tax identifiers. We do not store full payment card numbers; these are processed by our PCI-DSS compliant payment processors.
  • Communications: content of demo requests, support tickets, sales correspondence, survey responses and feedback you submit to us.

4.2 Clinical content processed through the Services

When Customers and Authorised Users use the Services, we process clinical content on their behalf. This may include:

  • pathology results, imaging reports and other diagnostic data (ingested via HL7 feeds, file upload, or direct integration with sources such as Sonic Healthcare and Douglass Hanly Moir);
  • structured patient history, demographics and clinical notes captured by Socrates or Scribe (including voice recordings and their transcripts);
  • differentials, evidence chains, self-critique outputs, safety screening results and plans generated by the reasoning pipeline; and
  • messages exchanged in the clinical chat interface.

PHI is stripped before model inference. Direct identifiers are removed from clinical content before it is sent to any large language model used by the reasoning pipeline. Re-identification keys are held separately in our Australian environment and are not exposed to model providers.

4.3 Information collected automatically

  • Usage and product telemetry: pages and features used, pipeline phases executed, response times, error logs, feature flags, and aggregate performance metrics.
  • Device and connection information: IP address, browser type and version, operating system, device identifiers, time zone and approximate location derived from IP.
  • Audit logs: records of access to clinical content, including which Authorised User accessed which case, when, and from what device — retained for security, audit and clinical governance purposes.
  • Cookies and similar technologies: see Section 12.

4.4 Information from third parties

  • identity verification and registration data from professional bodies (e.g. AHPRA, GMC) where applicable;
  • integration partners and pathology providers that send results into the Services on Customer instruction;
  • our identity provider and single sign-on services; and
  • publicly available professional information used for sales and marketing (e.g. LinkedIn, practice websites).

05 How and why we use information

We use the information described above for the following purposes:

Purpose | Lawful basis (UK GDPR) / authorisation
Providing and operating the Services for our Customers, including running the clinical reasoning pipeline, verification, contextualisation, diagnosis, planning and output phases. | Performance of a contract with the Customer; legitimate interests in operating our business; Customer consent and instructions (where applicable, on behalf of patients).
Authenticating users, managing access, generating audit logs, and securing the Services. | Legitimate interests in security and integrity; legal obligations relating to records and security; APP 11.
Supporting Customers, responding to enquiries, providing training and managing accounts. | Performance of a contract; legitimate interests.
Improving the Services, including diagnostics, error analysis, and model and pipeline performance evaluation using de-identified data only. | Legitimate interests, subject to de-identification; consent where required.
Marketing our products to existing and prospective Customers by email or phone. | Consent (where required); legitimate interests in promoting our services to professional contacts. You can opt out at any time.
Complying with legal obligations, including notifiable data breach reporting, tax, accounting, regulatory enquiries and responding to lawful requests. | Legal obligation; legitimate interests.
Establishing, exercising or defending legal claims. | Legitimate interests; legal obligation.

No secondary use of identifiable clinical content. We do not use identifiable clinical content (including PHI) to train third-party large language models, to develop new commercial products, or for any purpose other than providing the Services to the Customer that submitted it — unless we have an explicit lawful basis to do so (such as the patient’s express consent, an authorisation from the Customer that itself has consent, or where the data has been de-identified to the relevant standard).

06 When we share information

We share information only as described below.

6.1 With and on behalf of our Customers

Clinical content is shared back to the Customer that submitted it and to the Authorised Users they have permitted to access it. Audit logs of access are made available to the Customer.

6.2 Service providers and sub-processors

We engage a limited set of vendors to operate the Services. All sub-processors are bound by written contracts that impose security, confidentiality and data protection obligations equivalent to those in this policy and, where applicable, Standard Contractual Clauses, the UK International Data Transfer Addendum, HIPAA Business Associate Agreements and Australian-equivalent contractual protections. Our current categories of sub-processor include:

  • Cloud infrastructure: Amazon Web Services (AWS Sydney, ap-southeast-2 — primary; additional regional environments listed in our sub-processor register for non-Australian Customers).
  • Large language model providers: Anthropic and other providers used by the reasoning pipeline. Identifiable PHI is removed before any data is sent to these providers, and zero-retention configurations are used where available.
  • Pathology and clinical integrations: Sonic Healthcare, Douglass Hanly Moir and other clinical data sources that act under Customer instruction.
  • Operational tooling: identity and authentication, error monitoring, analytics, customer support, email delivery, billing and payments.

Our up-to-date sub-processor register is available at getpathways.ai/security/subprocessors or on request to privacy@getpathways.ai.

6.3 Professional advisers, acquirers and successors

We may disclose information to our auditors, lawyers, insurers and other professional advisers under duties of confidence. If we are involved in a merger, acquisition, financing or sale of assets, information may be transferred as part of that transaction subject to equivalent protections.

6.4 Law enforcement, regulators and legal process

We may disclose information where we reasonably believe disclosure is required by law, court order, or to protect the rights, property or safety of any person. We carefully review all such requests and push back on requests that exceed legal authority.

6.5 With your consent

We may disclose information for any other purpose with your consent or at your direction.

07 International data transfers and storage location

7.1 Australian Customers — data sovereignty

For Customers in Australia, PHI and other clinical content are processed and stored in AWS Sydney (ap-southeast-2). PHI does not leave Australia, except where strictly necessary to deliver the Services and only under the safeguards described below. This commitment is contractual and enforced at the infrastructure level.

7.2 UK Customers

For UK Customers, primary processing of clinical content occurs in AWS London eu-west-2. Where data is transferred outside the UK, we rely on:

  • UK adequacy regulations (where applicable);
  • the UK International Data Transfer Addendum to the EU Standard Contractual Clauses;
  • the EU Standard Contractual Clauses (where the recipient is in the EEA); and
  • a transfer risk assessment documenting the supplementary technical and organisational measures applied (encryption in transit and at rest, key separation, access controls, de-identification before inference).

7.3 US Customers

For US Customers, processing occurs in AWS US East (us-east-1). Where Pathways is acting as a HIPAA business associate, a Business Associate Agreement (BAA) governs the processing and the Services are operated in a HIPAA-aligned environment.

7.4 Onward transfers

Where personal information collected from Australia, the UK or the US is transferred to another jurisdiction (for example, to support staff or sub-processors), we take reasonable steps to ensure the recipient handles the information consistently with this policy and the law of the originating jurisdiction. Under Australian Privacy Principle 8, Pathways remains accountable for the acts of its overseas recipients.

08 How we protect information

We maintain a layered security program designed for clinical data:

  • Encryption: AES-256 encryption at rest and TLS 1.3 in transit. Keys are managed in a dedicated key management service with strict access controls.
  • Access controls: role-based access, single sign-on, mandatory multi-factor authentication for staff, and least-privilege access to production systems.
  • De-identification before inference: direct identifiers are stripped from clinical content before any external model inference call.
  • Phase-gated reasoning pipeline: the clinical harness enforces deterministic safety rules at the harness level — they cannot be bypassed by prompt engineering, context drift, or model update.
  • Audit logging: all access to clinical data is logged and retained for clinical governance and compliance purposes.
  • Personnel: background checks where lawful, mandatory privacy and security training, and contractual confidentiality obligations.
  • Vulnerability management: regular penetration testing, dependency scanning, code review and incident response exercises.
  • Certifications: ISO/IEC 27001 information security management system — certification in progress. SOC 2 readiness underway. We will update this policy as certifications are achieved.

No security measure is perfect. While we apply industry-leading controls appropriate to clinical data, we cannot guarantee absolute security. Authorised Users are responsible for safeguarding their credentials and notifying us of any suspected unauthorised access.

09 Data retention

We retain information for the period necessary to provide the Services and to meet our legal, accounting and regulatory obligations. Retention periods include:

  • Clinical content — for the duration of the Customer’s subscription and then in accordance with the Customer’s instructions and applicable health records retention laws (e.g. seven years from the date of last service in most Australian jurisdictions; longer for paediatric records);
  • Audit logs of access to clinical content — at least seven years;
  • Account, billing and contract records — for the term of the relationship and at least seven years after termination for tax and accounting purposes;
  • Marketing data — until you opt out or after a reasonable period of inactivity;
  • De-identified data — may be retained indefinitely.

When information is no longer needed and there is no legal basis to retain it, we securely destroy, delete or de-identify it.

10 Your privacy rights

Your rights depend on where you live and which law applies. Pathways supports the following rights:

10.1 Australia (Privacy Act 1988 and APPs)

  • access the personal information we hold about you (APP 12);
  • seek correction of inaccurate, out-of-date, incomplete or misleading information (APP 13);
  • lodge a complaint with us and, if not satisfied, with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au; and
  • opt out of direct marketing.

10.2 United Kingdom (UK GDPR and Data Protection Act 2018)

  • access — to obtain a copy of your personal data;
  • rectification — to correct inaccurate or incomplete data;
  • erasure (“right to be forgotten”) — in defined circumstances;
  • restriction — to limit how we use your data;
  • portability — to receive your data in a structured, machine-readable format;
  • objection — including to processing based on legitimate interests and to direct marketing;
  • not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on you;
  • withdraw consent at any time, where processing is based on consent; and
  • lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

Automated decision-making. Pathways produces clinical decision support — ranked differentials, evidence chains, self-critique and safety screening — that is reviewed and acted on by a qualified clinician. The clinician is always the final decision-maker. Pathways does not make solely automated decisions with legal or similarly significant effects on patients within the meaning of Article 22 UK GDPR.

10.3 United States

HIPAA (where Pathways is a business associate)

Where Pathways processes PHI on behalf of a HIPAA covered entity, the individual rights set out in 45 CFR Part 164 — including the right to access, amend and receive an accounting of disclosures of PHI — are exercised through the covered entity. Pathways will support the covered entity in responding to such requests in accordance with the BAA.

California (CCPA / CPRA)

California residents have the right to:

  • know what categories and specific pieces of personal information we have collected, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it;
  • request deletion of personal information (subject to exceptions);
  • correct inaccurate personal information;
  • limit the use and disclosure of sensitive personal information;
  • opt out of the “sale” or “sharing” of personal information; and
  • not receive discriminatory treatment for exercising these rights.

We do not sell personal information within the meaning of the CCPA/CPRA, and we do not share personal information for cross-context behavioural advertising. PHI handled subject to HIPAA is exempt from the CCPA/CPRA.

Other US states

Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana and others as those laws come into force — have rights to access, correct, delete and port their personal information, to opt out of targeted advertising and profiling for decisions with legal or similarly significant effects, and to appeal our decisions on rights requests. PHI processed under HIPAA is exempt from these state laws.

10.4 How to exercise your rights

Email privacy@getpathways.ai with “Privacy rights request” in the subject line, or write to us at the postal address above. We will respond within the time limits set by applicable law (generally one month under UK GDPR, 45 days under CCPA/CPRA, and a reasonable time under the Privacy Act). We may need to verify your identity before acting on a request. There is generally no fee, although fees may apply in limited circumstances for excessive or repetitive requests.

Authorised agents. Under the CCPA/CPRA and similar laws, you may use an authorised agent. We will require written proof of the agent’s authority and may verify the request directly with you.

11 Children

The Services are made available only to healthcare professionals and other adult Authorised Users. We do not knowingly collect personal information directly from children. The Services may, however, process the health information of paediatric patients on behalf of healthcare provider Customers; in those circumstances the Customer is responsible for any parental or guardian consent required by law.

We do not knowingly sell or share personal information of consumers under the age of 16 within the meaning of the CCPA/CPRA, and we comply with COPPA in relation to children under 13 in the United States.

12 Cookies and similar technologies

We use cookies and similar technologies on our marketing websites and within the Services. Categories include:

  • Strictly necessary — required to operate the Services (e.g. session management, security, load balancing). These cannot be disabled.
  • Functional — remember your preferences and settings.
  • Analytics — help us understand how the Services are used so that we can improve them.
  • Marketing — used on marketing pages only and never within the clinical application.

In the UK and EU, non-essential cookies are loaded only after you give consent through our cookie banner. In the US, you can manage non-essential cookies through the same banner and via your browser controls. We honour Global Privacy Control (GPC) signals as an opt-out of sale/sharing where applicable.

13 Data breach notification

We maintain an incident response process designed to detect, contain, investigate and remediate security incidents quickly.

  • Australia: Where we form the view, or it is reasonable to believe, that an eligible data breach has occurred under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988), we will notify affected individuals and the OAIC as soon as practicable.
  • United Kingdom: Where we act as a processor, we will notify the relevant controller without undue delay after becoming aware of a personal data breach. Where we act as a controller, we will notify the ICO within 72 hours where required by Article 33 UK GDPR, and affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
  • United States: Where Pathways acts as a HIPAA business associate, we will notify the covered entity without unreasonable delay and in any event within 60 days of discovery of a breach of unsecured PHI, in accordance with 45 CFR §164.410. We will also comply with applicable US state breach notification laws.

14 Clinical decision support disclaimer

Pathways is positioned as clinical decision support. It does not diagnose, treat, cure or prevent any disease. The clinician is always the final decision-maker. Differentials, confidence scores, evidence chains, self-critique and safety screening outputs produced by the Services are intended to support, not replace, the independent professional judgement of a qualified healthcare professional. The regulatory status of the Services varies by jurisdiction and is set out in our Clinical Disclaimer.

15 Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent revision. If we make material changes, we will notify you by email (to the address associated with your account or your Customer’s account) or by prominent notice in the Services before the change takes effect, and where required by law we will seek your fresh consent.

16 Complaints and how to escalate

If you have a privacy concern, please contact us first so we can try to resolve it. We aim to acknowledge complaints within 5 business days and resolve them within 30 days. If you are not satisfied with our response you may complain to the relevant regulator:

Jurisdiction | Regulator
Australia | Office of the Australian Information Commissioner (OAIC); oaic.gov.au; 1300 363 992
United Kingdom | Information Commissioner’s Office (ICO); ico.org.uk; 0303 123 1113
United States (HIPAA) | U.S. Department of Health and Human Services, Office for Civil Rights; hhs.gov/ocr
California | California Privacy Protection Agency (CPPA), cppa.ca.gov; or California Attorney General, oag.ca.gov/privacy
Other US states | The Attorney General or designated privacy regulator in your state.

This document is a template that has been tailored to Pathways AI’s product description. Before publication, it should be reviewed by qualified legal counsel in each of Australia, the United Kingdom and the United States, and the bracketed placeholders should be completed with current operational details (entity numbers, regions, sub-processor list, retention periods and representative information).

© 2026 Pathways AI Pty Ltd · Version 1.0