Privacy Policy
Last Updated: March 2026
[Company Pty Ltd] (ABN/ACN: [ABN/ACN]) trading as Clinical Studio. Registered address: [Registered Address].
1. About Us
Clinical Studio is a Continuing Professional Development (CPD) education platform designed for AHPRA-regulated healthcare professionals in Australia. We provide online courses, assessments, and CPD tracking to support healthcare professionals in meeting their registration requirements.
This platform is operated by [Company Pty Ltd] (ABN/ACN: [ABN/ACN]). Our postal address is [Registered Address]. For any privacy-related enquiries, you can contact us at education@clinicalstudio.com.au.
2. Information We Collect
We collect the following types of personal information:
- Email address and name (via Google OAuth or email magic link)
- AHPRA registration number and profession
- Course enrolment, progress, and completion data
- SCORM learning activity data (lesson status, scores, session time)
- Quiz attempts, scores, and individual answers
- Reflective practice form submissions
- CPD points and completion certificates
- Consent preferences (analytics and marketing choices)
- Device information via Cloudflare (IP address, browser type)
3. How We Collect Information
Directly from you: When you register an account, verify your AHPRA credentials, enrol in courses, complete quizzes, and submit reflective practice forms.
Automatically: Course progress, quiz responses, and SCORM tracking data are recorded automatically as you interact with learning content.
From third parties: Google provides authentication information when you sign in via Google OAuth. Cloudflare provides security analytics and device information as part of content delivery and bot protection.
4. How We Use Your Information
- Verify your AHPRA registration credentials
- Track CPD progress and issue certificates of completion
- Deliver course content and track learning progress
- Administer quizzes and record results
- Send service communications (magic links, enrolment confirmations, course completions)
- Send marketing communications (with your consent only)
- Improve our platform (with your analytics consent only)
5. Legal Basis for Processing
- Contract: Service provision, AHPRA verification, course delivery, CPD tracking, and certificate generation. These are necessary to deliver the services you have requested.
- Consent: Analytics tracking and marketing communications. You can withdraw consent at any time through your Account Settings.
- Legitimate Interest: Service improvement, fraud prevention, and platform security.
6. Cookies and Local Storage
We use the following cookies and local storage items:
Cookies
- auth_token (httpOnly cookie) — Authentication session. Strictly necessary for the platform to function; no consent required. Persistent (365 days) for the learner app, session-only for the admin portal.
- __cf_bm (Cloudflare cookie) — Bot management. Strictly necessary for security; no consent required.
Local Storage
- lms_consent_analytics — Stores your analytics consent preference.
- lms_consent_marketing — Stores your marketing consent preference.
- lms_consent_dismissed — Records whether the consent banner has been shown to you.
- user_data — Cached user profile for session persistence.
7. Data Security
- All data is encrypted at rest using AES-256 (Azure Transparent Data Encryption).
- All data transfers are encrypted in transit using TLS 1.2+.
- Database access is restricted by firewall rules to authorised services only.
- Authentication is enforced at the application level for all data access.
AHPRA registration numbers are personal information but are not classified as sensitive information under the Privacy Act 1988. They are publicly searchable on AHPRA's national register.
8. Third-Party Services
We use the following third-party services to operate the platform:
- Google: Authentication services (OAuth 2.0)
- Microsoft Azure: Hosting and database (Australia East region)
- Cloudflare: Content delivery, storage (R2), and security
- Microsoft 365: Email delivery (education@clinicalstudio.com.au)
9. Data Retention
- Account information (name, email, AHPRA number): Retained while your account is active. Permanently deleted 30 days after an account deletion request.
- CPD completion records: Anonymised and retained for 5 years from the completion date for aggregate statistics, aligned with AHPRA audit cycles. Personal identifiers are stripped.
- Quiz attempts and answers: Deleted 30 days after account deletion.
- SCORM learning progress: Deleted 30 days after account deletion.
- Reflective practice submissions: Deleted 30 days after account deletion.
- Consent records: Pseudonymised (user identity replaced with a cryptographic hash) and retained for 7 years for legal compliance.
- Cloudflare analytics: Subject to Cloudflare's own retention policies.
10. Account Deletion
You may request permanent deletion of your account at any time through your Account Settings.
- Your account is immediately deactivated (you can no longer log in).
- After 30 days, all personal data is permanently deleted, except:
  - CPD completion records are anonymised (personal identifiers removed, completion data retained for statistical purposes).
  - Consent records are pseudonymised and retained for 7 years.
- Deletion is irreversible.
11. Your Rights (Australian Privacy Act)
Under the Privacy Act 1988 (Cth), you have the following rights:
- Access: Request a copy of your personal data. You can download your data via Account Settings > Download My Data.
- Correction: Request correction of inaccurate or out-of-date personal data.
- Deletion: Request deletion of your personal data (see Account Deletion above).
- Complaint: Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
12. Your Rights (GDPR — If Applicable)
Clinical Studio is designed for Australian healthcare professionals. However, the General Data Protection Regulation (GDPR) may apply if you are located in the European Union. If so, you have additional rights including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restriction of processing
- Right to object
- Right to withdraw consent
You can exercise these rights through your Account Settings or by contacting us at education@clinicalstudio.com.au.
13. Data Breach Notification
In the event of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, in accordance with Part IIIC of the Privacy Act 1988.
We maintain an internal breach register to document and respond to any incidents.
14. International Data Transfers
All primary data processing occurs within Australia (Microsoft Azure Australia East region). Cloudflare may cache content at edge locations globally for performance purposes. No personal data is intentionally transferred outside Australia.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account. Continued use of the platform after changes are communicated constitutes acceptance of the updated policy.
16. Contact Us
For privacy-related enquiries, to exercise your rights, or to make a complaint, contact us at:
education@clinicalstudio.com.au
Please include "Privacy Request" in the subject line.
You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.