Privacy Policy
Last Updated: June 2026
Clinical Studio Pty Ltd (ABN 97 696 955 902) trading as Clinical Studio. Registered address: PO Box 3227, Wamberal NSW 2260.
1. About Us and This Policy
Clinical Studio is a Continuing Professional Development (CPD) education platform for AHPRA-regulated healthcare professionals in Australia. We provide online courses, assessments, clinical audit activities, and CPD tracking to support healthcare professionals in meeting their registration requirements.
The platform is operated by Clinical Studio Pty Ltd (ABN 97 696 955 902), of PO Box 3227, Wamberal NSW 2260 ("we", "us", "our"). This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This Privacy Policy forms part of, and should be read together with, our Terms of Service. For any privacy-related enquiry, you can contact our Privacy Officer at education@clinicalstudio.com.au.
2. Information We Collect
We collect the following types of personal information:
1. Email address and name (via Google OAuth or email magic link).
2. AHPRA registration number and profession, and where provided, college or association membership numbers (such as RACGP, ACRRM, or APNA).
3. Course enrolment, progress, and completion data.
4. SCORM learning activity data (lesson status, scores, session time).
5. Quiz attempts, scores, and individual answers.
6. Reflective practice and evaluation form submissions.
7. De-identified information you enter during clinical audit activities. You review patient records within your own practice and enter only de-identified data into the platform; you must not submit any patient-identifying information.
8. CPD points and completion certificates.
9. Consent preferences (analytics and marketing choices).
10. Device information via Cloudflare (IP address, browser type).
AHPRA registration numbers are personal information but are not classified as sensitive information under the Privacy Act 1988. They are publicly searchable on AHPRA's national register.
3. How We Collect Information
Directly from you: When you register an account, verify your AHPRA credentials, enrol in courses, complete quizzes, submit reflective practice or evaluation forms, and enter de-identified data during clinical audit activities.
Automatically: Course progress, quiz responses, and SCORM tracking data are recorded automatically as you interact with learning content.
From third parties: Google provides authentication information when you sign in via Google OAuth. Cloudflare provides security analytics and device information as part of content delivery and bot protection.
4. Purposes of Collection and Use
We collect and use your personal information for the following primary purposes:
1. Verify your AHPRA registration credentials.
2. Deliver course content and track learning progress.
3. Track CPD progress and issue certificates of completion.
4. Administer quizzes, clinical audit activities, and reflective practice, and record results.
5. Send service communications (magic links, enrolment confirmations, course completions).
6. Create user profiles and segments by profession, location, and engagement patterns, to improve the platform and inform course development. This is a primary purpose of collection.
7. Generate aggregated, de-identified insights and reports about platform activity (see Section 5).
We use your personal information for the following purposes only with your consent:
1. Send marketing communications.
2. Analytics tracking to improve the platform.
You can withdraw consent for analytics and marketing at any time through your Account Settings. We will not use your personal information for a secondary purpose unless you would reasonably expect it, it is related to a primary purpose, or it is otherwise permitted under the APPs.
5. Aggregated and De-identified Information
1. We may collect, generate, and use aggregated, de-identified information derived from user activity ("Aggregated Information") that does not identify individuals and is not reasonably capable of re-identification. Uses include platform improvement, analytics, benchmarking, educational outcomes research, and industry-level reports.
2. Aggregated Information may be shared with research partners, sponsors, or institutional clients at cohort or population level only — never in a form that identifies you.
3. De-identified data you enter during clinical audit activities may be included in Aggregated Information.
4. We do not sell identifiable personal information for advertising or marketing.
6. Sponsored Courses
Individual courses on Clinical Studio may be sponsored by an industry sponsor. Where a course is sponsored, the sponsor is clearly identified on that course.
Sponsors do not have access to the platform backend or to identifiable user data. Any information made available to a sponsor is limited to Aggregated Information at cohort or population level. Sponsorship does not influence how we handle or protect your personal information.
7. Cookies and Local Storage
We use a small number of cookies and browser local-storage items:
Strictly necessary (no consent required) — a secure, httpOnly cookie to keep you signed in, and a Cloudflare cookie for bot protection and security.
Analytics (only with your consent) — Google Analytics cookies (such as _ga) to measure site usage. These are not set unless you accept analytics, and you can withdraw consent at any time in your Account Settings.
Local storage — your analytics and marketing consent choices, whether the consent banner has been shown, and a cached copy of your profile to maintain your session.
8. Data Security
We take reasonable steps to protect personal information against loss, misuse, interference, unauthorised access, modification or disclosure, including:
1. All data is encrypted at rest using AES-256 (Azure Transparent Data Encryption).
2. All data transfers are encrypted in transit using TLS 1.2+.
3. Database access is restricted by firewall rules to authorised services only.
4. Authentication is enforced at the application level for all data access.
5. We provide privacy and data-handling training to employees and contractors.
9. Third-Party Services
We engage the following third-party providers to operate the platform, under confidentiality obligations. Personal information shared with them is limited to what is necessary, and they may not use identifiable information for their own marketing.
1. Google: Authentication services (OAuth 2.0).
2. Microsoft Azure: Hosting and database (Australia East region).
3. Cloudflare: Content delivery, storage (R2), and security.
4. Microsoft 365: Email delivery.
5. Google Analytics: Website usage and traffic analytics, using Google Consent Mode. Until you accept analytics, it runs in a cookieless mode that sends only anonymous, aggregated measurement to Google (no cookies, no identifiers). If you accept analytics, it additionally sets cookies and collects identifiable usage data (such as pages visited and device/browser information). Google may process this data on servers outside Australia; see Google's privacy policy for details.
10. Data Retention
1. Account information (name, email, AHPRA number): Retained while your account is active. Permanently deleted 30 days after an account deletion request.
2. AHPRA verification data: Retained in identifiable form for up to 5 years for audit purposes, then destroyed.
3. CPD completion records: Anonymised and retained for up to 5 years from the completion date for aggregate statistics, aligned with AHPRA audit cycles. Personal identifiers are stripped.
4. Quiz attempts, SCORM progress, reflective practice and clinical audit submissions: Deleted 30 days after account deletion.
5. Consent records: Pseudonymised (user identity replaced with a cryptographic hash) and retained for up to 7 years for legal compliance.
6. Aggregated, de-identified information: Retained indefinitely (does not identify you).
7. Cloudflare analytics: Subject to Cloudflare's own retention policies.
11. Account Deletion
You may request permanent deletion of your account at any time through your Account Settings.
1. Your account is immediately deactivated.
2. You can reactivate it within 30 days by signing in again — this cancels the deletion and restores your data.
3. If you do not sign in within 30 days, all personal data is permanently deleted, except:
a. AHPRA verification data, retained in identifiable form for up to 5 years for audit purposes, then destroyed.
b. CPD completion records, anonymised (personal identifiers removed) and retained for up to 5 years.
c. Consent records, pseudonymised and retained for up to 7 years.
d. Aggregated, de-identified information, which does not identify you and is retained indefinitely.
4. Deletion does not reverse CPD credits already recorded with accrediting bodies.
5. After 30 days, deletion is permanent and irreversible.
12. Your Rights (Australian Privacy Act)
Under the Privacy Act 1988 (Cth), you have the following rights:
1. Access: Request a copy of your personal data. You can download your data via Account Settings > Download My Data.
2. Correction: Request correction of inaccurate or out-of-date personal data.
3. Deletion: Request deletion of your personal data (see Account Deletion above).
4. Complaint: Lodge a complaint with our Privacy Officer or with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
13. Overseas Disclosure
All primary data processing occurs within Australia (Microsoft Azure Australia East region). We will not transfer or store personal information outside Australia, or allow any person outside Australia to access it, without your prior approval or as otherwise permitted by law.
Two limited exceptions apply: Cloudflare may cache content at edge locations globally for performance and security; and Google Analytics may process usage data on Google servers outside Australia — anonymous, aggregated measurement even where you have not consented, and identifiable usage data where you have. Aside from these, no personal data is intentionally transferred outside Australia for processing.
14. GDPR-Aligned Practices (Where Applicable)
Clinical Studio is gated to Australian AHPRA-registered professionals and is designed for use in Australia. We do not target users in the European Union or United Kingdom, and the General Data Protection Regulation (GDPR) may not apply to us.
Nonetheless, we voluntarily adopt data-protection practices aligned with the GDPR. Where the GDPR does apply to you, you may have additional rights, including the right of access, rectification, erasure, data portability, restriction of processing, objection, and withdrawal of consent.
You can exercise these rights through your Account Settings or by contacting our Privacy Officer at education@clinicalstudio.com.au.
15. Data Breach Notification
If we become aware of a loss of, unauthorised access to, or disclosure of personal information that constitutes a notifiable data breach under the Privacy Act, we will promptly assess the breach, notify affected individuals and the Office of the Australian Information Commissioner (OAIC) within the timeframe prescribed by law, and take reasonable steps to mitigate any harm and remediate the breach, in accordance with Part IIIC of the Privacy Act 1988.
We maintain an internal breach register to document and respond to any incidents.
16. Complaints
If you have a complaint about how we handle your personal information, please contact our Privacy Officer at education@clinicalstudio.com.au with "Privacy Request" in the subject line. We will respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account. Continued use of the platform after changes are communicated constitutes acceptance of the updated policy.
18. Contact Us
For privacy-related enquiries, to exercise your rights, or to make a complaint, contact our Privacy Officer at:
education@clinicalstudio.com.au
Please include "Privacy Request" in the subject line.
You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.