Our Privacy Policy

Contents

  1. Introduction
  2. What Personal Data We Collect
  3. How We Use Personal Data (Purposes and Legal Bases)
  4. AI Features and Large Language Models
  5. How and Why We Share Your Data
  6. International Data Transfers
  7. Data Security and Retention
  8. Your Rights and How to Exercise Them
  9. Changes to this Policy
  10. How to Contact Us
  11. Appendix for Individuals in Australia
  12. Appendix for Individuals in the UK, EEA, and Switzerland
  13. Appendix for Individuals in the United States
  14. Appendix for Individuals in Canada and Territories
  15. Privacy Notice Appendix for Individuals in South Africa

Introduction

This Privacy Policy explains how Zanda Health Pty Ltd (“Zanda”, “we”, “us”, or “our”) collects, uses, shares, and secures personal information, and describes the rights individuals have regarding their personal data. Zanda offers cloud-based practice management software for healthcare and allied healthcare providers (the “Services”). We take privacy seriously, maintaining robust technical and organizational measures to protect your personal information.

If you have any questions about this Privacy Policy or how we handle personal data, please contact our Data Protection Officer at [email protected].

What Personal Data We Collect

Zanda Health processes personal data in different roles depending on the context. We act as a data controller for Account Data and other information needed to create and manage accounts, provide service communications, and administer billing and subscriptions. We act as a data processor for Customer Data that our customers upload or enter into the Services (including patient/client information). In those cases, we process Customer Data only on the customer’s documented instructions and in accordance with our Global Data Processing Agreement (DPA).

Account Data

When you or your organisation creates an account to use our health practice management platform, we collect information needed to set up, administer, and support the account, such as:

  • Name
  • Email address
  • Phone number
  • Organisation/business details
  • Billing and payment administration details

Security logging for Account Data: To protect accounts and prevent fraud or misuse, we may create and retain security logs related to account activity.

Payments: Payment subscriptions and card details are generally handled by our payment service providers. We typically receive and store only limited payment information (such as a payment token and transaction details).

Customer Data

We process information that you or your organisation chooses to enter, upload, or generate within the Services. This may include:

  • Patient/client records
  • Contact details
  • Demographic information
  • Appointment and treatment history
  • Other sensitive information (including health information), depending on how you use the Services

Automatically Collected Data

When you use our website or platform, we automatically collect certain technical and usage information:

Usage Data

We collect data such as your IP address, browser type and version, pages visited, dates and times of access, time spent on pages, device identifiers, and diagnostic data. We use this information to operate the Services, troubleshoot issues, and improve performance.

Log Data

Our systems generate logs that record events and activity within the platform. We use logs to maintain system integrity, support security monitoring, investigate incidents, and improve reliability.

Cookies and Similar Technologies

We use cookies and similar technologies (such as pixels, tags, and scripts) to help our website and Services work, remember your preferences, understand usage, and improve functionality. You can manage your cookie preferences through our Cookie Notice.

How We Use Personal Data (Purposes and Legal Bases)

As a controller, we process the Account Data you provide in a lawful, fair, and transparent way. Depending on the purpose, we rely on your consent, our legal obligations, and/or our legitimate interests—where those interests are not overridden by your rights.

Purposes

  • Services Provision (Performance of Contract – Legitimate Interests): To operate our website and deliver our Services (e.g., appointment booking, telehealth, billing), administer and support your account, and maintain the security and reliability of the Services.
  • Marketing and Communications (Consent – Legitimate Interests): To inform you about new features, special offers, discounts, and promotional opportunities to help you maximize value, send operational updates, security notices, invoices, and respond to inquiries.
  • Customer Support (Legitimate Interests – Performance of Contract): To respond to enquiries, troubleshoot issues, provide technical support, and maintain and improve the reliability and quality of our Services.
  • Analysis & Development (Consent – Legitimate Interests): To analyze usage data, improve the platform’s functionality, and ensure the reliability, security, and effectiveness of the Services.
  • Human Resources (Legitimate Interests – Legal Obligations): For processing candidate applications, recruitment activities, and internal organizational planning.

When processing relies on legitimate interests, we have conducted a Legitimate Interest Assessment to ensure these interests are not overridden by individuals’ data protection rights.

Optional Communications

You may opt out of non-essential emails (e.g., marketing) at any time using the opt-out link provided. You cannot opt out of essential operational communications, such as security or billing notices.

AI Features and Large Language Models

When you use AI-enabled features in the Services, we process Customer Data (which may include sensitive information such as health information) only to provide the requested functionality, in accordance with your instructions and our contractual obligations.

We do not use Customer Data to train or fine-tune foundation models, or to improve third-party AI models. Where we use large language models, we access them through Amazon Web Services (AWS) Bedrock within our AWS environment, and Customer Data submitted for AI processing is not used by model providers to train or improve their underlying models.

To support the quality, reliability, and safety of AI features, we may retain AI inputs, outputs, and related logs within our AWS environment for a limited period to monitor performance, manage updates, and validate that outputs are suitable for the intended use. For details, see the Data Retention section of this Privacy Notice.

These activities are performed within our controlled infrastructure and are subject to our security safeguards. For details, see the Security section of this Privacy Notice.

How and Why We Share Your Data

Third-party Vendors

We use third-party vendors to run our business and deliver the Services. We group them into two categories below. They receive only the data needed for their function and are subject to appropriate contractual and security safeguards. You can see our current vendor list here.

Processors

These vendors support Zanda’s internal operations, such as billing, customer support, finance, and compliance, and process Account Data under our instructions.

Sub-processors

These vendors help us deliver platform features and process Customer Data on our behalf under our Data Processing Agreement with customers, such as infrastructure hosting, email delivery, and telehealth.

Legal Requirements (Legal Obligation)

We may disclose personal data to law enforcement, regulatory bodies, or healthcare professionals in emergencies where it’s necessary to protect life or prevent serious harm, or to comply with a legal obligation.

Corporate Transactions

If we are involved in a merger, acquisition, or asset sale, personal data may be transferred under appropriate safeguards and remain subject to this Privacy Policy unless you consent to new terms.

International Data Transfers

When we transfer data internationally, we use legal safeguards where required (such as EU Standard Contractual Clauses and the UK IDTA/UK Addendum) and take reasonable steps to ensure overseas recipients protect personal information in line with applicable laws (including the Australian Privacy Principles, where relevant). For more information, contact [email protected].

Data Security and Retention

Security Measures

We implement and maintain industry-standard security measures (technical, administrative, and physical) to protect personal data against unauthorized access, alteration, disclosure, or destruction. Access to servers is strictly limited and monitored. While we follow recognized best practices (e.g., encryption, secure hosting), no method of transmission or storage is completely secure.

We are proud to be ISO 27001 certified, which reflects our commitment to maintaining the highest standards of information security management. For additional details about our security measures, please visit our Security Page.

Your Responsibility

You play a key role in protecting your data. Keep your account credentials confidential. Contact us immediately if you suspect unauthorized account access.

Retention Periods

We retain personal data only as long as necessary for the purposes described in this Privacy Notice or as required by law:

  • Account Data is retained for the duration of your active account and for a regulation-specified period following its closure to comply with legal, tax, and regulatory obligations.
  • Customer Data is processed as per our Global Data Processing Agreement (DPA). Upon termination, data is deleted or returned as instructed by the customer.

Your Rights and How to Exercise Them

We respect the rights granted to individuals under applicable data protection laws. Depending on your location, you may have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectify: Ask us to correct inaccurate or incomplete data.
  • Erase: Request deletion of personal data no longer needed or processed unlawfully.
  • Restrict Processing: Ask to limit how we process your data in certain circumstances.
  • Object: Object to processing based on legitimate interests or direct marketing.
  • Data Portability: Receive your data in a structured, machine-readable format.
  • Withdraw Consent: Where processing relies on consent, you may withdraw it at any time.

How to Make a Request

Contact us at [email protected]. We will acknowledge your request promptly and aim to respond within applicable legal deadlines. To protect your privacy, we may request additional verification of your identity.

If you are a client or patient of a Zanda user (e.g., a healthcare practice), please reach out to that business directly to exercise your rights.

Complaints

If you’re not satisfied with how we handle your personal data, you can contact your local privacy or data protection authority. This may include the OAIC (Australia), the Irish Data Protection Commission (EEA), the ICO (UK), the OPC or a provincial regulator (Canada), or your state Attorney General/other regulator (United States). See the Regional Appendices for details.

Changes to this Policy

We may update this policy from time to time. Updates take effect when posted, and the “Last Updated” date will show when it changed. If we make material changes that affect your rights, we will notify you by email, in-app notice, or a website banner.

How to Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our Data Protection Officer: [email protected]

Appendix for Individuals in Australia

This section is applicable to individuals whose personal information is collected, stored, used or disclosed by an APP Entity under the Australian Privacy Principles (“APPs”) contained in the Privacy Act 1988.

Providing Anonymous and Pseudonymous Options

You have the option of anonymity or using a pseudonym when dealing with Zanda Health. However, this option may not be made available to you in certain cases, including if it’s impractical for Zanda Health to allow this option or when Zanda Health is required or authorized to deal with an identified individual by or under the law.

Collection, Use and Disclosure of Personal Information

Zanda Health collects personal information lawfully and fairly. We primarily collect information directly from you or your authorized representative. However, we may collect information from other sources (such as third parties) if:

  • You have given your consent;
  • It is required or permitted by law; or
  • Collecting it directly from you would be unreasonable or impractical

If we need to collect sensitive information (such as health data), we will only do so if:

  • You have explicitly consented, and it is necessary for our services; or
  • It is required or authorized by law.

State and territory-specific health privacy requirements may also apply, depending on where you are located and where your health information is handled. Additional obligations may apply in relation to health information handled in New South Wales under the Health Records and Information Privacy Act 2002 (NSW), in Victoria under the Health Records Act 2001 (VIC), and in the Australian Capital Territory under the Health Records (Privacy and Access) Act 1997 (ACT).

Zanda Health only uses and discloses your information for the purpose for which it was collected (the primary purpose) unless one or more of the following apply:

  • You have consented;
  • You would reasonably expect the secondary purpose;
  • It is required or authorized by or under law;
  • Zanda Health believes that it is reasonably necessary for an enforcement body’s activities.

We share your personal information with trusted service providers. You can find a detailed list of these providers and their locations at https://zandahealth.com/processors/. We do not disclose your personal information to overseas recipients unless:

  • You have consented to the disclosure
  • The recipient is subject to a law or binding scheme substantially similar to the APPs, and you can enforce that law/binding scheme
  • It is required or authorized by law
  • It is required or authorized by an international agreement relating to information sharing
  • It is reasonably necessary for an enforcement body’s or similar entity’s activities
  • It is required to provide the core functionality of the platform including Customer Support

Your Rights Under the APPs

You have the following rights related to the collection, use and disclosure of your personal data:

  • Be informed about the collection and use of your personal data
  • Access your personal information
  • Correct your personal information to ensure accuracy and completeness
  • Request not to receive direct marketing communications from us, and that we not disclose your personal information to others for direct marketing purposes

If you have concerns about how Zanda Health handles your personal information, you can submit a written complaint to [email protected]. We will review your complaint and respond in writing within 30 days. You can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Email: [email protected] (For secure submission, use the OAIC online form.)
  • Mail: GPO Box 5218, Sydney NSW 2001 (Registered mail recommended.)
  • Fax: (02) 9284 9666

Appendix for Individuals in the UK, EEA, and Switzerland

Our Role Under Relevant Laws

Data Controller: When processing Account Data (as specified in “What Personal Data We Collect” above), we determine how and why the data is processed.
Data Processor: When processing Customer Data (as specified in “What Personal Data We Collect” above), we act only on the customer’s instructions and in accordance with our Global Data Processing Agreement (DPA).

Your Rights (UK GDPR, EU GDPR, Swiss FADP)

Depending on the circumstances and our role (controller or processor), you may have the right to:

  • Access your personal data.
  • Correct inaccurate or incomplete personal data.
  • Delete your personal data (subject to legal and contractual exceptions).
  • Restrict processing of your personal data in certain situations.
  • Object to processing in certain situations (including, where applicable, processing based on legitimate interests or direct marketing).
  • Request data portability (where applicable and technically feasible).

Where we process Customer Data as a processor, requests may need to be submitted to (or fulfilled by) the relevant customer (the controller). We will support the controller to respond where required.

You also have the right to file a complaint with a supervisory authority, including:

  • EEA: the relevant EEA supervisory authority (for example, the Irish Data Protection Commission (DPC))
  • UK: the Information Commissioner’s Office (ICO)
  • Switzerland: the Federal Data Protection and Information Commissioner (FDPIC)

GDPR and UK GDPR Representatives

We have appointed representatives to act as our local point of contact for individuals and supervisory authorities:

You can contact our representatives or contact us directly at [email protected].

Withdrawing Consent

If we process your personal data based on your consent, you can withdraw your consent at any time. Withdrawing consent does not affect any processing carried out before you withdrew it.

International Data Transfers

When we transfer personal data outside the UK, EEA, or Switzerland, we follow applicable data transfer rules and use appropriate safeguards, which may include:

  • Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA) or UK Addendum (as applicable).
  • Other lawful mechanisms recognized under the UK GDPR, EU GDPR, and the Swiss FADP.

Contact Us

For any questions, contact us at [email protected].

Appendix for Individuals in the United States

In the United States, privacy rights vary by state and by the type of information involved. In most cases, Zanda Health provides services to clinics and practitioners (our customers). Where we process personal information on a customer’s instructions to provide the service, the customer may be the primary party responsible for responding to certain requests, and Zanda Health will provide reasonable support to you where required.

Health information note (HIPAA / medical records): If your information is handled by a healthcare provider or plan and is regulated as Protected Health Information (PHI) under HIPAA, your access and correction rights are typically handled through that provider/plan’s HIPAA process. Many state consumer privacy laws (including California and several others listed below) also contain exemptions for HIPAA-regulated PHI and similar medical-record information.

California Residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), your rights may include:

  • Requesting details about our personal information collection, use, and disclosure practices.
  • Accessing your personal information.
  • Requesting deletion of your personal information (subject to exceptions under law).
  • Correcting inaccurate personal information (where applicable).
  • Opting out of the “sale” or “sharing” of personal information (as defined by California law), if applicable.

We do not “sell” personal information as defined by California law. If we deny your request, we will explain the reason and describe any options available to you (including any appeal options where applicable, such as in limited contexts under California rules). For more information, contact [email protected].

Virginia Residents

Under the Virginia Consumer Data Protection Act (VCDPA), you have the right to:

  • Access, correct, or delete your personal data.
  • Obtain a portable copy of your personal data.
  • Opt out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

If we deny your request, you may appeal by following our provided instructions. For more details, contact [email protected].

Residents of Other States

We also comply with other applicable U.S. state privacy laws, such as:

  • Colorado Privacy Act (CPA): Similar rights to Virginia, including opting out of targeted advertising, sale, and certain profiling; includes an appeals process for denied requests.
  • Connecticut Data Privacy Act (CTDPA): Rights to access, correct, delete, obtain a copy of personal data, and opt out of data sales and targeted advertising; includes an appeals process for denied requests.
  • Utah Consumer Privacy Act (UCPA): Rights to access, delete, and obtain a copy of your personal data, and opt out of the sale of personal data.

If we deny a request, you can follow the instructions in our response (including appeal steps where required by law). For questions, please contact [email protected].

Appendix for Individuals in Canada and Territories

Canada has a mix of federal and provincial/territorial privacy laws. In most cases, Zanda Health provides services to clinics and practitioners (our customers) who act as the organization responsible for your records under applicable laws. Zanda Health typically processes personal information on our customers’ instructions and in support of providing the service.

Your rights

Under PIPEDA (Canada’s federal private-sector privacy law for commercial activities), you generally have the right to:

  • Access: Request access to the personal information we hold about you, including details on how it is used and shared.
  • Correction: Ask us to correct any inaccurate or incomplete information.
  • Deletion/disposal (limited): Request that we delete or dispose of your personal information where allowed and appropriate. Some legal, regulatory, security, or contractual requirements may require us (or our customers) to retain certain information.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at https://www.priv.gc.ca/.

Provincial privacy laws (where they apply)

Depending on where you live and how your information is handled, provincial private-sector privacy laws may apply instead of, or alongside, PIPEDA. This includes (where applicable):

  • British Columbia: Personal Information Protection Act (BC PIPA)
  • Quebec: Québec’s private-sector privacy law, as modernized by Law 25

We will handle your request according to all applicable laws.

Health information laws (where they apply)

If your request relates to personal health information, additional rules may apply. In particular:

  • Ontario: Personal Health Information Protection Act (PHIPA) may apply to healthcare providers and other “health information custodians” that control your health records, and to their service providers where applicable.
  • Alberta: Health Information Act (HIA) may apply to healthcare providers and other “custodians” that control your health records, and to their service providers where applicable.

Where Zanda Health is acting as a service provider to a clinic/practitioner, requests about your health records may need to be handled by your clinic/practitioner directly (as the organization responsible for your records). We will support them to respond where required.

Contact Us

If you have questions or requests related to your personal information, email us at [email protected].

Privacy Notice Appendix for Individuals in South Africa

Under the Protection of Personal Information Act (POPIA), you have the right to:

  • Access: Request access to the personal data we have about you.
  • Correction: Ask us to correct or update inaccurate or incomplete data.
  • Deletion: Request deletion or removal of your personal data, where permitted.
  • Objection to Processing: Object to certain types of data processing, such as direct marketing.

If you have concerns about how your personal data is handled, you may file a complaint with the Information Regulator of South Africa.

Contact Us

If you need help or wish to exercise your rights, please contact our Data Protection Officer (DPO) at [email protected].

Information Regulator of South Africa:
Website: www.justice.gov.za/inforeg
Email: [email protected]

Last Updated: March, 2026