Unison Mental Health Pty Ltd | ABN 48 678 132 888

Effective Date: 18 June 2026

Unison Mental Health Pty Ltd (ABN 48 678 132 888) ("Unison Mental Health", "we", "us", or "our") is committed to protecting the privacy of everyone who interacts with us — whether as a client, website visitor, referrer, or prospective employee.

This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information, including sensitive health information. It applies to our website (www.unisonmentalhealth.com), our clinical services, and all other interactions with our practice.

We are bound by the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Privacy and Other Legislation Amendment Act 2024. As a health service provider, we are subject to heightened obligations on the collection and handling of sensitive information, including health information.

Important: Unison Mental Health is not a crisis service. If you are in crisis or immediate danger, please call 000. For mental health crisis support, contact Lifeline on 13 11 14 or Beyond Blue on 1300 22 4636.

1. Who This Policy Applies To

This Policy applies to all individuals whose personal information we hold, including:

Current and former clients
People who enquire about our services
Referrers, GPs, and other health professionals who interact with us
Visitors to our website
Prospective and current employees and contractors

If you are a client, your treating practitioner will also provide you with a separate Informed Consent document at the commencement of your therapeutic relationship, which sets out additional information about the handling of your clinical records.

2. What Personal Information We Collect

Personal Information

We may collect the following categories of personal information:

Name, preferred name, and pronouns
Date of birth
Contact details (address, phone number, email address)
Emergency contact details
Medicare number, DVA number, or private health insurance details
Referral information (e.g., GP Mental Health Treatment Plan)
Payment information (processed securely through our payment provider)
Correspondence with our practice

Sensitive Health Information

As a mental health practice, we necessarily collect sensitive health information. This may include:

Mental health history, diagnoses, and presenting concerns
Session notes, progress notes, and clinical correspondence
Medication details and medical history relevant to your care
Information about relationships, sexuality, and gender identity where relevant to your therapeutic work
Any other health information you share with your treating practitioner

We treat all health information with the highest standard of care and in accordance with our obligations under the Privacy Act 1988 (Cth) and our practitioners' professional codes of conduct.

Website and Technical Information

When you visit our website, we may automatically collect:

IP address (anonymised before storage — see Section 10)
Browser type and device information
Pages visited, time spent on the site, and navigation paths
Referral source (how you found our website)
Information submitted via enquiry or contact forms
Cookie identifiers and associated usage data (see Section 10)

3. How We Collect Your Information

We collect information directly from you wherever possible, including through:

Enquiry and intake forms submitted via our website or practice management system
Phone calls, SMS messages, and emails
In-person interactions at our Carlton practice
Telehealth sessions
Documents you provide, such as referrals or reports from other providers

We may also collect information from third parties where you have authorised this, including:

Referring health professionals (GPs, psychiatrists, other practitioners)
Medicare Australia and the Department of Veterans' Affairs
Private health insurers
Open Arms — Veterans and Families Counselling, and other government-funded programs

4. Why We Collect and Use Your Information

We collect and use your personal and health information primarily to provide you with quality mental health care. Specifically, we use it to:

Assess your needs and match you with an appropriate practitioner
Deliver therapy, counselling, and related clinical services
Maintain accurate clinical records in accordance with professional and legal obligations
Process Medicare, private health, DVA, or other rebates and claims on your behalf
Schedule and manage appointments
Communicate with you about your care, appointments, and account
Comply with mandatory reporting obligations and other legal requirements
Ensure the safety of clients and staff
Measure and improve our website and services (using anonymised analytics data — see Section 10)

With your consent, we may also use your information to:

Send practice updates or information about services (you may opt out at any time)
Conduct de-identified service improvement and quality assurance activities

We will not use your health information for purposes other than those described in this Policy without your consent, unless required or permitted by law.

5. Clinical Records and Retention

Your clinical records are maintained in our practice management system, Halaxy, which is hosted in Australia. Records include session notes, correspondence, billing records, and any documents provided in the course of your care.

Under Australian law and our professional obligations, we are required to retain client health records for a minimum of seven years from the date of last contact, or until a client turns 25 (whichever is later) for clients who were minors during treatment.

Clinical records are accessible only to your treating practitioner and authorised practice staff. Where you have multiple practitioners within our practice, records may be shared between treating clinicians for the purpose of coordinated care, with your knowledge.

6. Disclosure of Your Information

When we share your information

We may disclose your personal or health information to third parties in the following circumstances:

To Medicare Australia, the Department of Veterans' Affairs, or private health insurers, for the purpose of processing rebate claims
To your GP or referring health professional, to support coordinated care (ordinarily as a brief summary letter, with your knowledge)
To other practitioners within Unison Mental Health, where clinically necessary
To contracted service providers who assist us in operating the practice, bound by confidentiality obligations
As required by law, including mandatory reporting obligations under child protection legislation
To emergency services or health professionals where there is a serious and imminent risk to your safety or the safety of others
As authorised or required by a court order or subpoena

Third-party service providers

We engage the following service providers who may handle personal information on our behalf:

Practice management and billing: Halaxy (data hosted in Australia)
Accounting and financial management: Xero
Payment processing: via our nominated payment gateway
Telehealth delivery: video conferencing platforms
AI-assisted clinical documentation: Heidi Health (see Section 9)
Website hosting: Hostinger
Website analytics and advertising: Google LLC (see Section 10)

We do not sell, rent, or trade your personal information to third parties for marketing or commercial purposes.

7. Overseas Disclosure

Some of the third-party service providers we use may store or process data outside of Australia. This includes:

Google LLC (United States) — for Google Analytics, Google Ads, and related services. Data is processed on Google's servers, which may be located in the United States or other jurisdictions. Google is certified under applicable data transfer frameworks and is subject to Google's Privacy Policy (policies.google.com/privacy). See Section 10 for full detail on how Google processes your data and your opt-out rights.
Heidi Health — clinical transcription data may be processed on overseas servers. We maintain a data processing agreement with Heidi Health governing their handling of this data.
Xero — accounting data may be stored in Australia and New Zealand.

Where we disclose personal information overseas, we take reasonable steps to ensure that recipients are subject to privacy obligations substantially similar to the APPs, including through contractual protections and data processing agreements. By using our website, you acknowledge that your anonymised usage data may be processed overseas as described in this section.

8. Telehealth and Electronic Communications

Telehealth sessions are conducted via encrypted video conferencing platforms. Whilst these platforms use industry-standard encryption, no electronic transmission is entirely risk-free. By booking a telehealth session, you acknowledge this inherent limitation.

Sessions are not recorded by us without your explicit consent. Any consented recording is stored securely and treated as part of your clinical record.

Email and SMS are convenient but may not be fully secure. Please use these channels only for non-sensitive administrative matters. Do not send clinical details or crisis communications via email or SMS — please call us instead.

9. Artificial Intelligence and Automated Processing

We use AI-assisted tools to support the efficient delivery of our services. We are committed to using these tools responsibly, transparently, and in a manner consistent with the Privacy Act 1988 (Cth), the Privacy and Other Legislation Amendment Act 2024, and applicable professional standards.

AI-assisted clinical note generation

With your explicit consent, we use an AI-powered transcription and note-generation tool (currently Heidi Health) to assist practitioners in generating draft clinical notes from session recordings. This tool:

Is only used where you have given specific informed consent prior to your session
Processes audio and transcript data solely for the purpose of generating your clinical notes
Does not use your data to train AI models
Operates under a data processing agreement that governs how your data is stored and protected
Produces draft notes that are reviewed, edited, and approved by your practitioner before being entered into your clinical record

You have the right to decline AI transcription at any time without any impact on the quality of your care.

AI tools for administrative purposes

We may use AI tools for administrative tasks. When we do so:

We do not input identifiable client information into general-purpose AI tools
Any data processed by administrative AI tools is de-identified before use
We maintain internal safeguards to strip personally identifiable information (PII) before any data interacts with external AI systems

Automated decision-making

We do not use automated decision-making processes in relation to your clinical care or access to services. All clinical and triage decisions are made by or reviewed by a qualified human practitioner.

Your rights in relation to AI processing

Be informed before any AI tool is used in connection with your care
Decline the use of AI tools without penalty
Request an explanation of how AI has been used in relation to your records
Request correction of any inaccuracies in AI-generated content (see Section 11)

10. Website Measurement, Advertising, and Cookies

Our website may use privacy-conscious measurement and advertising services to understand how visitors find and use the site, improve the experience, and measure the effectiveness of approved advertising. We do not send names, email addresses, phone numbers, message contents, appointment details, or free-text enquiry information to analytics or advertising tools.

10.1 Google Analytics (GA4)

Where enabled, we use Google Analytics 4 (GA4), a web analytics service provided by Google LLC ("Google"). GA4 uses cookies and similar technologies to collect information about how visitors use our website. This helps us understand which pages are most visited, how users navigate the site, and where we can improve content and user experience.

GA4 collects and reports the following types of data:

Anonymised IP address — GA4 does not store full IP addresses; IP data is used only to derive approximate geographic location (city-level) before being discarded
Device and browser type, operating system, and screen resolution
Pages visited, time spent on each page, and navigation paths
Referral source (e.g., Google Search, direct visit, social media)
Events and interactions (e.g., form submission success, button clicks, outbound link clicks)
Session and user identifiers (pseudonymous cookie-based IDs, not linked to your name or contact details)

Data collected through GA4 is sent to Google's servers, which may be located in the United States. GA4 does not store full IP addresses, and we configure analytics for aggregated reporting rather than individual identification. Our website code does not enable Google ad personalisation signals by default for health-sensitive traffic.

Google acts as a data processor on our behalf for GA4, subject to Google's Measurement Data Processing Terms and Google's Privacy Policy (policies.google.com/privacy).

10.2 Google Signals and Ad Personalisation

We do not enable Google Signals or Google ad personalisation signals by default in the website code. If we later enable Google Signals, this would allow GA4 to include data from Google users who are signed into their Google account and have enabled ad personalisation in their Google settings. Where enabled:

Google Signals may associate website visits with a Google user's account to provide cross-device reporting and demographic insights (e.g., age range, gender, interests)
This data is reported in aggregate only — we do not receive individually identifiable information
Google Signals data is only collected from users who have opted in via their own Google account settings

If you do not wish your Google account data to be used in this way, you can turn off ad personalisation in your Google Account settings at myaccount.google.com/data-and-privacy.

10.3 Google Ads and Conversion Tracking

Where enabled, we use Google Ads to promote our services through approved Google advertising placements. As part of this, we may use Google Ads conversion tracking to measure when someone completes a specific action after clicking on one of our ads - for example, submitting an enquiry form, submitting a booking request, clicking a phone link, or clicking an SMS link.

Conversion tracking works by placing a small piece of code (a "conversion tag") on specific pages of our website. When a user visits those pages after clicking a Google ad, a cookie is set on their device. This cookie allows us to measure:

Whether an enquiry or other conversion action occurred after clicking our ad
Which ads or keywords led to conversions
The cost-effectiveness of our advertising campaigns

Conversion data is aggregated and does not identify you personally. We do not use conversion data to retarget or remarket to individuals based on their mental health status, therapy usage, or other sensitive characteristics.

Google acts as a data processor for conversion tracking data, subject to Google's Ads Data Processing Terms and Google's Privacy Policy.

10.4 PostHog Product Analytics

Where enabled, we use PostHog to understand how people move through the website, where they leave forms or matching flows, and where the interface may be confusing. PostHog may collect privacy-safe events such as page views, button clicks, quiz step progress, enquiry form start, enquiry form success, and booking request success. We configure our website events to avoid sending contact details, free-text messages, appointment details, or clinical notes.

If PostHog session replay is enabled, the website is configured to mask text and form inputs by default, and sensitive forms are marked so they are blocked from replay capture. PostHog is used for product and user-experience diagnostics, not to build sensitive advertising audiences.

10.5 Optional Microsoft Clarity

We may use Microsoft Clarity as an optional visual analytics tool for heatmaps and session recordings during website audits. Where enabled, Clarity helps us understand broad interaction patterns such as scrolling, clicks, and layout friction. We configure sensitive form areas so they are masked or excluded from recordings, and we do not use Clarity to collect enquiry messages, contact details, or clinical information.

10.6 Remarketing and Audience Targeting

We do not use remarketing to target people based on mental health status, therapy usage, clinical presentation, or visits to sensitive content. If any remarketing is used in future, it must follow the following limits:

Remarketing audiences are built using anonymised cookie-based identifiers, not personal identifying information
We do not build remarketing audiences based on sensitive interest categories, including mental health, medical conditions, or therapy-related activity, in accordance with Google's Sensitive Categories policy and our obligations under AHPRA's advertising guidelines
We do not use Customer Match (uploading client email lists to Google) for client populations
Any remarketing campaigns are designed to reach people who have shown general interest in our services, not to target individuals based on their clinical presentation

You can opt out of personalised advertising from Google at any time by visiting Google's Ad Settings (adssettings.google.com) or by using the NAI opt-out tool at optout.networkadvertising.org.

10.7 Google Search Console

We link Google Search Console to our GA4 account to understand how our website appears in organic (unpaid) Google Search results. Search Console data includes search queries that led users to our site, click-through rates, and page rankings. This data is aggregated and does not identify individual users.

10.8 Cookies and Tracking Technologies

Our website may use cookies and similar browser storage technologies to enable website functionality, analytics, and advertising measurement. Some items are only set when the relevant service is enabled.

Cookie / Category	Provider	Purpose	Expiry / Type
Essential / Functional	Unison Mental Health website	Required for the website to function (session management, form submissions, security)	Session / Persistent
Local attribution storage	Unison Mental Health website	Stores first-touch and recent UTM/ad click attribution locally so enquiries can be understood in aggregate	Up to 30 days
Session analytics debug log	Unison Mental Health website	Stores local analytics test events in the visitor's browser session for quality assurance	Current browser session
_ga	Google Analytics	Distinguishes unique website visitors for analytics reporting	2 years
_ga_<ID>	Google Analytics (GA4)	Maintains session state for GA4 measurement	2 years
_gid	Google Analytics	Identifies users within a 24-hour session	24 hours
_gat / _gat_gtag	Google Analytics	Rate-limits analytics requests (1 in 100 sampling)	1 minute
Google Signals	Google / Google Analytics	Disabled by default; where enabled, links visits to signed-in Google users for aggregate demographic and cross-device reporting only where the user has consented in their Google account	Session
_gcl_au	Google Ads (Conversion Linker)	Stores and tracks ad conversion data for Google Ads campaigns	90 days
IDE / DSID	Google Ads / DoubleClick	Used by Google to measure ad effectiveness and, where permitted, support advertising features	1-2 years
NID / 1P_JAR	Google	Supports Google services including Search and Maps; stores user preferences	6 months
PostHog analytics storage	PostHog	Stores pseudonymous device or session identifiers for product analytics and funnel reporting	Service-defined / Persistent
_clck	Microsoft Clarity	Persists a pseudonymous Clarity user ID and preferences for the site	Persistent
_clsk	Microsoft Clarity	Connects multiple page views into a single Clarity session recording	Session / Short-lived
CLID / MUID / related Microsoft cookies	Microsoft Clarity / Microsoft services	Supports Clarity measurement and Microsoft service operation where Clarity is enabled	Service-defined

We do not use cookies to build individual profiles for targeted advertising based on health or sensitive information.

10.9 Your Choices and Opt-Out Options

You have several options to limit or opt out of tracking on our website:

Cookie settings: You can manage or delete cookies at any time through your browser settings. Note that disabling analytics or advertising cookies may not prevent data collection — it will prevent the relevant cookie from being set or read, but does not opt you out of Google's measurement across other sites.
Google Analytics opt-out: Install the Google Analytics Opt-Out Browser Add-On, available at tools.google.com/dlpage/gaoptout. This prevents GA4 from collecting data about your visits across all websites.
Google Ads personalisation: Visit adssettings.google.com to control whether Google uses your data to show personalised ads.
Google account settings: If you have a Google account, you can review and adjust data sharing and ad personalisation settings at myaccount.google.com/data-and-privacy.
Browser controls: You can block or delete cookies and site storage through your browser settings.
Do Not Track (DNT): Some browsers offer a "Do Not Track" setting. Our website acknowledges this signal where technically feasible, but note that Google's services may not respond to DNT signals.

We do not currently deploy a cookie consent management platform (CMP) with a pre-consent banner, as Australia does not currently impose a mandatory opt-in consent requirement for analytics cookies equivalent to the EU's GDPR. However, we are monitoring regulatory developments, including the ongoing review of the Privacy Act 1988, and will update our practices accordingly. Analytics and advertising data collected through third-party services is governed by this Policy and the relevant provider's privacy terms.

11. Accessing and Correcting Your Information

You have the right to access the personal and health information we hold about you, and to request corrections where information is inaccurate, incomplete, or out of date.

To make a request, contact us using the details in Section 15. We will respond within 30 days. Access is generally free of charge, though a reasonable fee may apply for complex requests. Where we decline access, we will provide written reasons.

12. Security of Your Information

We take reasonable steps to protect your personal and health information from misuse, loss, unauthorised access, modification, and disclosure. Our security measures include:

Secure, password-protected practice management software (Halaxy) with role-based access controls
Encrypted telehealth and communication platforms
Staff training on privacy obligations and information handling
Limiting access to clinical records to treating practitioners and authorised staff
Secure disposal of records when no longer required

In the event of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988).

13. Affiliate Links and Third-Party Websites

Some links on this website may be affiliate links. We may receive a small commission if you make a purchase through them. This does not affect the price you pay or the independence of any clinical recommendations.

Our website contains links to third-party websites. We are not responsible for their privacy practices or content. We encourage you to review the privacy policies of any external sites you visit.

14. Complaints

If you have a concern about how we have handled your personal information, please contact us in the first instance using the details in Section 15. We will respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001

You may also have the right to complain to AHPRA or the relevant professional board if your concern relates to the conduct of a registered health practitioner.

15. Contact Details

For privacy-related enquiries, access or correction requests, or complaints, please contact:

Unison Mental Health Pty Ltd

Privacy Contact / Practice Manager

3 York Place, Carlton VIC 3053

Phone: (+61) 0480 706 922 (calls or SMS, business hours only)

Email: contact@unisonmentalhealth.com

Website: www.unisonmentalhealth.com

16. Acknowledgement of Country

Unison Mental Health respectfully acknowledges the Traditional Custodians of the unceded lands on which we work and live, the Wurundjeri People of the Kulin Nation. We celebrate the diversity of Aboriginal and Torres Strait Islander peoples and acknowledge their deep connection to the lands and waters of Australia.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices. Material changes will be posted on our website and, where appropriate, communicated to clients directly. Your continued use of our website or services following any update constitutes acceptance of the revised Policy.