Oracare Privacy Policy
Version 1.0 — current as of 24 May 2026
1. About this policy
This Privacy Policy explains how Oracare Dental & Aesthetics (operated by Oracare Dental Pty Ltd, ABN 57 675 893 295) collects, uses, holds, discloses, and protects your personal information — including your health information — and the rights you have over it.
Oracare is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also follow the Information Privacy Act 2009 (Qld), the My Health Records Act 2012 (Cth), and the record-keeping standards set by the Dental Board of Australia and the Australian Health Practitioner Regulation Agency (AHPRA).
This policy applies to everyone whose personal information Oracare holds — patients, parents and guardians of patient minors, website visitors, and people who contact us through our website, phone, or email.
Privacy Officer. Ethan Nguyen, Executive Director.
Email: info@oracare.com.au (mark ATTN: Privacy Officer).
Phone: (07) 3286 6914.
Mail: Privacy Officer, Oracare Dental & Aesthetics, T17 / 251 Panorama Drive, Thornlands QLD 4164.
If you would prefer a printed copy of this policy, ask any of our reception team.
2. What information we collect
We only collect information we need to provide you with safe dental care and to run the practice that supports that care. The information we may collect includes:
Personal information. Your name, date of birth, residential and postal addresses, phone numbers, email address, and emergency contact details. For patients under 18, the name and contact details of your parent or guardian. Where applicable, the name and contact details of your usual GP, your specialist, or the person who referred you.
Sensitive (health) information. Your dental history, the dental treatment and services you have received, your general medical history (medications, allergies, medical conditions, pregnancy status), and any information your GP, specialist, or another health practitioner shares with us to support your care.
Identification and funding information. Health-fund details, Medicare number, Child Dental Benefits Schedule eligibility, Department of Veterans' Affairs entitlement, National Disability Insurance Scheme participant number, and workers' compensation or motor-vehicle-accident details where relevant. We may sight (but do not retain a copy of) a photo ID at intake to verify your identity.
Financial information. The treatments you have paid for, the amounts paid, the payment method (card type and last four digits, not full card number), and any outstanding balance. We do not store full credit-card details — payments are processed by our merchant terminal.
Imagery. Clinical photographs of your teeth, mouth, or face taken during your care, intra-oral scans, and dental radiographs (x-rays, OPG, CBCT). These form part of your clinical record.
Website and chatbot information. Information you send through our website enquiry form. Information you share with our website chatbot (when launched — see §8). Standard web-server information such as your browser type, device type, IP address, and pages visited. We use cookies and similar technologies to make our website work — see §12.
You always have the option to deal with us anonymously or under a pseudonym — for example, when asking a general question by phone. However, where we are providing clinical care, claiming a rebate on your behalf, or are required by law, we will need to identify you.
3. How we collect your information
We collect your information in the following ways:
- Directly from you — when you complete your new-patient intake form, sign your Patient Consent Form, attend an appointment, contact us by phone or email, submit our online enquiry form, or interact with our chatbot.
- From our team during your care — when our dentists and team make clinical notes, take photographs, perform scans, or record radiographs.
- From your other health practitioners — when your GP, specialist, or another dentist refers you to us, or when we refer you to a specialist and they send back a report.
- From your health fund, Medicare, or government scheme — when we check your eligibility or submit a claim on your behalf.
- From your parent, guardian, or carer — when you are a minor or where another person is acting on your behalf.
Wherever practicable, we collect your information directly from you. Where we need to collect it from someone else (for example, your previous dentist's records), we will tell you that we are doing so, what information we expect to collect, and why.
When we collect your information for the first time, this policy and the consent statement on your intake form together act as the APP 5 collection notice required by the Privacy Act.
4. Why we collect and use your information
The primary purpose for collecting your information is to provide you with safe, appropriate dental care.
We also use your information for directly related secondary purposes, including:
- Processing claims and rebates with your health fund, HICAPS, Medicare, the Child Dental Benefits Schedule, the Department of Veterans' Affairs, and the National Disability Insurance Scheme.
- Sending you appointment reminders, recall notices, treatment plans, written quotes, and receipts — by the channels you have opted into on your consent form.
- Following up after treatment for clinical reasons.
- Internal practice operations — appointment scheduling, records management, accounting, audit, complaint resolution, quality improvement, and staff training (using de-identified information where possible).
- Direct marketing — newsletters or promotional information about Oracare's services — only if you have explicitly opted in on your consent form. You can withdraw that consent at any time and it will not affect the care you receive.
If we need to use your information for any purpose not covered in this policy or your consent form, we will ask you first — unless an exception under the Privacy Act applies (for example, where the use is required by law).
5. Who we may disclose your information to
We share your information only with people and organisations who need it to support your care or to meet a legal obligation. Specifically:
- Our treating clinicians and practice staff — only those involved in your care.
- Other health practitioners involved in your care — referring practitioners, specialists (oral surgeons, endodontists, periodontists, prosthodontists, orthodontists), your GP, your pharmacist — when it is clinically necessary.
- Our dental laboratory partner — AceSmile Dental Lab — for the fabrication of crowns, bridges, dentures, mouthguards, aligners, and similar lab work tied to your case.
- Your health fund, HICAPS, Medicare, the CDBS, the DVA, and the NDIS — for claims, rebates, and benefits processing.
- Our contracted service providers — listed in §6 below — who store, process, or transmit your information on our behalf and who are required to protect it to at least the standard required by the Privacy Act.
- Regulators, government agencies, and courts — where we are required or authorised by law (for example, AHPRA, a court subpoena, a coronial enquiry, mandatory reporting, or to assist in locating a missing person).
- Our insurers, legal advisers, and dispute-resolution bodies — where it is necessary to establish, exercise, or defend a legal claim.
We will not share your information with any other party without your consent, except as set out above or as required or authorised by law.
We will not sell your information to anyone, and we will not provide it to third parties for their own marketing.
6. Service providers and storage
Oracare uses contracted service providers to store, process, and transmit information securely. We choose service providers carefully and require them, by contract or by their published terms, to protect your information consistently with the Privacy Act. We remain responsible for the way they handle your information on our behalf.
The current named service providers that may handle personal or health information are:
| Service provider | Purpose | Data category | Country | Last reviewed |
|---|---|---|---|---|
| CorePractice | Practice management system — patient records, appointments, charting, billing | Personal, sensitive (health), identification, financial | Australia | 2026-05-24 |
| HICAPS (NAB-owned) | Claims terminal — same-day electronic claims to health funds | Identification, financial | Australia | 2026-05-24 |
| Microsoft 365 | Email (Outlook), file storage (OneDrive / SharePoint), team chat (Teams) | Personal, sensitive (health) where included in correspondence | Primary processing in Australia; failover and support may occur in the United States and other Microsoft regions | 2026-05-24 |
| Squarespace | Website host and content management for oracare.com.au (including enquiry form submissions) | Personal — from enquiry form submissions and chatbot interactions | United States | 2026-05-24 |
| AceSmile Dental Lab | Fabrication of crowns, bridges, dentures, aligners, mouthguards | Personal, sensitive (the case prescription and scans tied to your treatment) | Australia | 2026-05-24 |
| 3Shape (Communicate cloud) | Intra-oral scan files and case-collaboration platform for the TRIOS scanner | Sensitive (scans tied to your case) | Denmark (European Union) | 2026-05-24 |
| DentalMonitoring | Remote aligner monitoring — patient-captured smartphone scans, AI-flagged exceptions | Personal, sensitive (imagery, treatment progress) | France (European Union) | 2026-05-24 |
| Ormco (Spark) | Clear aligner case submission and tracking | Personal, sensitive (treatment plans, scans) | United States | 2026-05-24 |
| Anthropic (Claude API) | AI service powering our planned website chatbot (see §8) | Conversation content only — no patient identifiers, no clinical records | United States | 2026-05-24 |
| Cloudflare | Web infrastructure for our planned chatbot — short-term log storage, request handling | Chatbot conversation transcripts (retained for 30 days), lead-capture submissions (retained for 90 days) | United States (globally distributed edge network) | 2026-05-24 |
We review this table annually, and again whenever we add, remove, or materially change a service provider. Vendor changes will trigger a minor version update to this policy (a republish). Material additions — for example, a new AI processor, a new data category, or a new overseas processor — will trigger a major version update and we will ask for your consent again at your next visit.
7. Overseas disclosure
Some of the service providers in §6 are based outside Australia, or process or store information outside Australia, including in the United States, France, and Denmark. By using our services and signing the Patient Consent Form, you acknowledge that your information may be handled in those countries.
Where information is disclosed to an overseas recipient, Oracare relies on the contractual and statutory protections set out in our agreements with those providers, supplemented by your consent (APP 8). The privacy protections available in those countries may differ from those available in Australia.
If you do not wish your information to be disclosed overseas, please discuss this with our Privacy Officer before treatment. In most cases we can offer treatment without overseas disclosure, but some services (for example, clear-aligner monitoring through DentalMonitoring) cannot be delivered without it; we will explain the alternatives and the implications for your care.
8. AI and automated tools
Oracare uses artificial-intelligence tools in a deliberately limited way. We want to be explicit about what we do and do not do.
What we do not currently do. We do not use AI to read your patient record, your emails to us, your phone calls, or any other clinical correspondence. We do not use AI to make clinical decisions. We do not train AI models on your information.
Website chatbot — planned for our refreshed website. Our new website will include a chatbot powered by Anthropic's Claude language model. The chatbot is designed to answer general questions about hours, services, location, and booking — it does not give clinical advice, does not access your patient record, and does not make appointment changes on your behalf. We do not include patient identifiers from your dental record in the prompts we send to Anthropic. Conversations and any lead-capture details you submit are stored on Cloudflare infrastructure for 30 days (conversations) or 90 days (lead capture) and then automatically deleted.
Internal meetings. From time to time we use AI transcription tools for internal staff meetings. These tools are used only for staff meetings and not for any patient-facing recording.
If we ever expand AI use to patient information, we will update this policy first, ask for your consent, and not make the change retrospectively.
9. Data security and retention
Security. We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These steps include:
- Locked physical premises with after-hours alarm.
- Locked filing cabinets for paper records.
- Password-protected workstations with role-based access — each team member has access only to the information needed for their role.
- Practice management system (CorePractice) with per-user login, audit logs, and admin-controlled permissions.
- Encrypted transmission for sensitive data sent over the internet (TLS).
- Confidentiality obligations in every staff and contractor agreement, supported by induction training.
- Regular review of access lists, especially when a team member leaves.
Retention. We are required to keep your dental records for a minimum of:
- 7 years from the date of your last attendance, for adult patients.
- Until your 25th birthday, for patients who were minors when they attended.
These minimums come from a combination of AHPRA's record-keeping requirements, our agreements with major health funds, and Queensland record-keeping guidance. We may keep records longer where there is an active clinical, legal, or compliance reason to do so.
Destruction. When the retention period ends and there is no legal reason to keep your record longer, we securely destroy or permanently de-identify it — paper records are shredded, electronic records are deleted from active systems and from accessible backups.
10. Accessing and correcting your information
Access. You have the right to request a copy of the personal and health information we hold about you. Please send your request in writing to our Privacy Officer at info@oracare.com.au (marked ATTN: Privacy Officer) or by mail to the address in §1. We will ask you to verify your identity before releasing any information.
We will respond to your request within 30 days. In most cases there is no charge for the request itself. A reasonable cost may apply where producing the copy requires significant time or materials — we will tell you the expected cost before doing the work.
Correction. If any of the information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you can ask us to correct it. Send your correction request in the same way as an access request. We will take reasonable steps to correct the information promptly and to notify any third party we previously disclosed it to (where this is required and practicable).
If we disagree that information is inaccurate, we will tell you in writing and you may ask us to attach a statement of correction to your record.
11. Complaints and breach notification
Complaints to us. If you believe Oracare has handled your personal information in a way that breaches the Privacy Act or this policy, please tell us. Write to the Privacy Officer at info@oracare.com.au or by mail. We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days.
Escalation to the OAIC. If you are not satisfied with our response, or if we do not respond within 30 days, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or on 1300 363 992. The OAIC generally expects you to raise the matter with us first.
Data breach notification. Oracare complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. Where we have reasonable grounds to believe that an eligible data breach has occurred — an unauthorised access, disclosure, or loss of your information that is likely to result in serious harm — we will notify the OAIC and you as soon as practicable, in line with our Data Breach Response Plan (available on request from the Privacy Officer).
12. Website privacy
Our website at oracare.com.au is hosted by Squarespace. When you visit the website:
- Cookies. We and Squarespace use cookies to make the site work, to remember your preferences, and to measure how the site is used. You can block or delete cookies in your browser settings — some parts of the site may not work properly if you do.
- Analytics. We collect aggregate, de-identified information about how the site is used (pages viewed, approximate location at the city level, browser and device type). We use this to improve the site.
- Enquiry forms. Information you submit through our online enquiry form is delivered to info@oracare.com.au and is treated as a patient enquiry.
- Chatbot. When our chatbot launches (see §8), conversation logs are stored on Cloudflare infrastructure for 30 days and then automatically deleted; any lead-capture details you submit are stored for 90 days. We do not use chatbot conversations for marketing or sell them to anyone.
- Third-party links. Our website may link to third-party sites (for example, Facebook or Instagram). This policy does not cover those sites; their own privacy policies apply.
13. Changes to this policy
We review this policy at least once a year, and whenever we add, change, or remove a service provider, a data category, or an AI tool that handles patient information.
- Minor changes (for example, swapping one cloud-storage vendor for another with equivalent protection) — we republish the policy with an updated version date.
- Material changes (for example, adding a new AI tool that processes patient information, or adding a new overseas processor) — we republish the policy and ask for your consent again at your next visit, before continuing to use the new arrangement for your care.
The current version of this policy is always available at oracare.com.au/privacy, and reception can give you a printed copy on request.
Document control. Version 1.0 — 24 May 2026. Owner: Privacy Officer, Oracare Dental Pty Ltd. Next scheduled review: May 2027 (or sooner on material change). Companion documents: Oracare Patient Consent Form v1.0 (same date); Oracare Data Breach Response Plan v0.1 (24 May 2026).