Privacy Policy
Privacy Policy for Mental Health Practitioners
ANTSA Pty Ltd ABN 77 664 161 237 ("ANTSA", "we", "us", or "our") provides a Software as a Service platform ("Platform") for Mental Health Practitioners to manage their practice and provide services to their clients.
This document applies to the ANTSA platform, www.antsa.com.au, antsa.ai, associated applications, practitioner facing systems, client facing functionality, and direct communications.
ANTSA is committed to protecting the privacy of Mental Health Practitioners, Clinic Owners, and their clients.
1. Introduction and Scope
Ensuring the privacy and confidentiality of Platform users is of the utmost importance. ANTSA's framework is designed to meet obligations under:
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs)
- Notifiable Data Breaches Scheme
- Spam Act 2003 (Cth)
- GDPR, where applicable
Security and governance controls align with:
- ISO 27001 Information Security Management
- ISO 42001 AI Management Systems
- ISO 9001 Quality Management
- SOC 2 Trust Services Criteria
- HIPAA-aligned security standards
- ASD Essential Eight Maturity Model
Infrastructure is hosted on Microsoft Azure data centres located in Australia.
If you access the Platform from another country, your information may be subject to different privacy laws.
2. Contact and Enquiries
You may contact us at any time to:
- Request access
- Request correction
- Request account deletion
- Opt out of marketing
- Raise a concern
Email: help@antsa.ai
3. Roles and Responsibilities
For practitioner controlled clinical data:
- Practitioners and Clinic Owners act as Data Controllers
- ANTSA acts as Data Processor
For website and marketing data:
- ANTSA acts as Data Controller
Practitioners retain responsibility for lawful collection, consent, clinical judgement, and compliance with professional record keeping obligations.
ANTSA processes personal data only on documented instructions from the Controller and maintains strict confidentiality. Subprocessors, including Microsoft Azure, operate under contractual safeguards consistent with applicable privacy obligations. Data deletion or retention is managed in accordance with legal obligations and the terms of this Policy.
4. Categories of Information Collected
We may collect:
- General personal information such as name and contact details
- Practitioner registration details
- Payment and subscription information
- Health and therapy related information entered by practitioners
- Device and usage information such as IP address and browser type
- Recruitment and employment information
We may also collect sensitive information where necessary, including:
- Racial or ethnic origin
- Religious belief
- Criminal record
- Health and wellbeing information
- Political opinion
- Philosophical beliefs
Sensitive health information is processed under practitioner control and is not used to train external AI models.
5. How Information is Collected
Information is collected when users:
- Register for accounts
- Use the Platform
- Contact support
- Subscribe to communications
- Apply for employment
Third party verification services may be used where appropriate.
6. How Information is Used
Information is used to:
- Provide Platform services
- Facilitate healthcare delivery
- Provide technical support and updates
- Improve system performance using de-identified data
- Comply with legal obligations
- Assess employment applications
Unless permitted by law, health information is not used without consent.
Third Party Service Providers
ANTSA may disclose personal information to trusted third party service providers including:
- Payment processors
- Cloud hosting and storage providers
- System security services
- Analytics services
- Communication and notification providers
These providers are authorised to use personal information only as necessary to provide services to ANTSA and must maintain appropriate confidentiality and security safeguards.
Practitioner Responsibility
Practitioners determine what client information is entered into the Platform and must ensure appropriate authority and consent. ANTSA provides secure technology but does not control clinical decision making.
In cases of non-payment, information may be disclosed to debt collectors, credit reporting agencies, tribunals, courts, or other authorities.
7. Artificial Intelligence Governance
ANTSA includes practitioner-assigned conversational AI tools and AI-assisted documentation features. These tools support practitioner workflow and client engagement between sessions. They do not diagnose, provide clinical advice, or replace practitioner judgement. The practitioner retains full clinical responsibility at all times.
AI governance includes:
- Defined and limited scope of functionality
- Practitioner visibility and oversight of AI interactions
- Editable AI-generated outputs
- Documented risk assessments aligned with ISO 42001 and ISO 14971
- Ongoing monitoring, incident management, and change controls
- Alignment with TGA Software as a Medical Device guidance where applicable
No identifiable patient data is used to train external AI systems.
8. Storage and Security of Personal Information
Personal information is stored using secure infrastructure provided by Microsoft Azure. All servers are located in Australia.
While no transmission method is completely secure, we use commercially acceptable safeguards including:
- End-to-end encryption
- Secure storage methods
- Restricted access to authorised personnel
Security Controls
- AES-256 encryption at rest
- TLS encryption in transit
- Multi-factor authentication
- Role-based access control
- Logging and monitoring
- Incident response procedures
- Backup and disaster recovery
- Staff privacy and security training
Encryption
ANTSA uses AES-256 encryption to protect Personally Identifiable Information at rest. All data transmitted between users and the Platform is encrypted using TLS.
Data Transport and Storage
- Infrastructure is hosted on Microsoft Azure, with all data stored in Australian data centres
- HTTPS is implemented for all data transmission
- Azure-native security controls are applied across storage, networking, and identity services
Backup and Recovery
Data is regularly backed up and encrypted before transport to backup storage. Recovery procedures are tested periodically to ensure business continuity.
Security and Authentication
- Single device login restriction
- Automatic logout after inactivity
- Strong password requirements
- Two-factor authentication
- One-time reset password tokens
Children's Privacy
The Platform is designed for use by qualified practitioners. ANTSA does not directly collect personal information from children under 13. Practitioners are responsible for determining capacity and consent requirements for minor clients in accordance with applicable law and professional obligations.
9. Privacy and Data Protection
ANTSA prioritises robust safeguards aligned with HIPAA standards. While HIPAA is United States legislation and not mandatory in Australia, HIPAA-aligned infrastructure supports high security standards consistent with Australian health data obligations.
Additional measures include:
- De-identification where reasonable and practicable
- Logically separate database environments
- Regular encrypted backups
- Password-protected and MFA-secured access
- Alignment with the ASD Essential Eight Maturity Model
- Compliance with the OWASP Application Security Verification Standard (ASVS)
10. Retention of Personal Information
We retain personal information for as long as necessary to provide services and meet legal obligations. When no longer required, it is securely destroyed or de-identified.
Practitioners and Clinic Owners
Information remains accessible while accounts are active. After closure, information is not accessible through the Platform but may remain in secure backups in accordance with applicable retention obligations.
Clients
Information remains accessible while accounts are active. After closure, it is no longer accessible through the Platform.
Payment and receipt data must be retained for Australian taxation purposes for up to 7 years.
11. Individual Rights
Individuals may:
- Request access to their personal information
- Request correction of inaccurate information
- Lodge a complaint regarding our privacy practices
We aim to respond to requests within 30 days.
Where the GDPR applies, individuals may also exercise rights to erasure, restriction of processing, data portability, and objection to processing. International transfers of personal data rely on appropriate safeguards including Standard Contractual Clauses where required.
Unresolved complaints may be directed to the Office of the Australian Information Commissioner. Where the GDPR applies, complaints may also be directed to the relevant supervisory authority.
12. Third Party Links
This Privacy Policy applies only to the Platform. We are not responsible for third party websites or services linked from the Platform.
13. Marketing Communications
Marketing complies with the Spam Act 2003 (Cth). Health information is not used for marketing without consent.
You may opt out at any time via unsubscribe or by contacting help@antsa.ai.
14. Employees and Applicants
We may collect from employees or applicants:
- Identity and contact details
- Employment history and qualifications
- Background checks where lawful
- Financial and tax information
- Health information where required by law or for workplace purposes
Employee records are handled in accordance with applicable employment and privacy legislation.
15. Data Breach Response
ANTSA maintains a documented Data Breach Response Plan and complies with notification requirements under the Notifiable Data Breaches Scheme and, where applicable, the GDPR. Affected individuals and the Office of the Australian Information Commissioner will be notified in accordance with legislative timeframes.
16. Complaints
If you have a complaint about our privacy practices, contact us using the details below. We will investigate and respond as soon as practicable.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Changes take effect upon publication on the Platform.
Contact
Attention: Data Protection Officer
Email: help@antsa.ai
Address: P.O. Box 2324, Blackburn South VIC 3130
Phone: +61 3 881 22 373
