Privacy

Privacy notice

This notice explains how Emba Consulting Pty Ltd (ABN 43 684 216 706), trading as Refera, handles information across the public website, account setup, billing, support and the Refera practice service.

Effective 11 July 2026. This is the current public notice. It describes Refera's current product and operating boundaries; it does not replace a practice's own patient collection notice or the data processing agreement required before real referral data can flow.

1. Scope and roles

Refera provides administrative process-state software to Australian practices. Refera performs no clinical triage and is not a patient-facing service. Practices decide how referral information is collected and used in their care and administration. Refera handles that information as the practice's contracted service provider and on the practice's instructions.

New accounts begin in staging, where only synthetic and clearly tagged test documents are accepted. Real patient data remains technically blocked until the practice and Refera complete every published go-live control, including the data processing agreement and the practice collection-notice check.

Do not send patient information through public channels. The public assistant, enquiry form, voice service, telephone line and billing forms are for business, product and account matters only.

2. What we collect

ContextInformation handled
Public websiteTechnical request and security data needed to serve and protect the site, plus Cloudflare Web Analytics. The public assistant sends its model gateway a bounded request category and trusted Refera documentation, not the visitor's authored question or conversation history.
Enquiries and supportBusiness contact name, work email, practice, phone, ABN and a bounded request category when a person explicitly asks for follow-up. Assistant conversation text and AI-generated summaries are not written to the CRM or support handoff.
Account setupPractice name, ABN, specialty, location, business contacts, systems, selected capture channels, plan preference and the signed acceptance record. The acceptance record includes the signer's name, role, email, timestamp, document fingerprint and signup reference.
Practice brandingAn optional public practice website, confirmed colours and an optional small embedded raster logo. A brand lookup reads a bounded public homepage and eligible public logo to prepare a preview; page content is not retained or returned. Nothing is applied until an Owner or Admin confirms it.
Sign-in and securityWork email, passkey public credential material, authenticator and recovery verification records, session state and generic security events. Recovery proof permits restricted factor replacement only and does not open referral data.
BillingPractice business identity, ABN, selected plan and cycle, subscription and invoice state, billing email and an optional business purchase-order reference. Card and bank details are entered into Stripe's hosted surface and do not touch Refera. Submitting an invoice request does not charge, create a Stripe invoice, start a subscription or unlock paid capture. Invoice-request fields must not contain patient or payment-card information.
Referral serviceOnce a practice is explicitly activated for real data, the referral information the practice instructs Refera to process, including identifiers, referral text and source documents needed for the contracted administrative workflow. Refera does not enrich it from unrelated sources or use it for marketing.
Device notificationsAn optional browser push endpoint and generic count-only delivery state. Lock-screen copy contains no patient, referrer, referral, practice or clinical detail.
Voice and telephoneBusiness sales and support audio processed after the web disclosure or through the published practice line. Web voice uses encrypted transport, but is not end-to-end encrypted because the voice providers process the live audio. After the privacy guard, Refera's downstream business records may contain a generic business intent and limited call metadata. Caller number and organisation are retained only when the caller's own words establish explicit practice or business context; a standalone name or callback request loses every identity field. Downstream records do not contain the raw transcript, free-text summary, caller name or patient-shaped turns.

3. How we use information

Refera uses information to:

  • create, secure and support the practice account;
  • provide the contracted referral-administration workflow on the practice's instructions;
  • prepare and verify practice branding the practice explicitly chooses;
  • operate subscription checkout, invoice requests, receipts and account administration;
  • answer product questions and respond to requested business follow-up;
  • send generic account, security, billing and device notifications; and
  • protect, test, audit and improve the reliability of the service using synthetic data and bounded operational evidence.

Refera does not sell patient information, use patient information for direct marketing, train AI models on patient information, independently contact a patient, or use referral information to rank clinical urgency, acuity, severity or diagnosis.

4. Who receives information

Refera uses service providers only for the functions described in the current sub-processor register. The main groups are:

  • AWS and Amazon Bedrock for the licensed service, Australian storage and referral extraction;
  • Cloudflare for the public website, documentation, analytics and business-only edge relays;
  • Stripe for hosted checkout, payment methods, subscriptions and invoices;
  • Resend for account, agreement and sign-in email;
  • Attio and Slack for bounded business lifecycle, invoice-request and operational handoffs;
  • OpenRouter for bounded public/support request categories and trusted documentation only;
  • ElevenLabs and Twilio for the optional business voice and telephone channel; and
  • browser push providers for optional generic count-only notifications.

Only the AWS and Bedrock referral-data path is permitted to receive patient or referral material. Business, public-site, support, voice, CRM, billing-alert and push providers are prohibited from receiving it.

5. Where information is handled

The licensed portal, tenant data plane and referral AI processing are designed for Australian AWS regions and enforced by an AWS regional-deny policy. The connected portal is served directly from AWS Sydney rather than proxied through Cloudflare.

Public website, payment, business email, CRM, support, browser push and optional voice providers operate global infrastructure. Those channels are restricted to the business-only or generic information described above and must not be used for patient, referral or clinical information. The live sub-processor register identifies each provider and its permitted scope. See Data residency for the testable technical boundary.

Provider certifications belong to the providers, not Refera. AWS infrastructure is independently ISO 27001 certified, and ElevenLabs states that it maintains SOC 2 certification. Refera does not claim either certification as its own.

6. Security

Refera uses encrypted transport and encrypted AWS storage, tenant-partitioned access, server-held seal keys, passkey-preferred access, email plus authenticator as the non-passkey live-access route, restricted recovery sessions, session revocation after factor changes, one-hour inactivity locking, privacy-safe logging and a sealed event history.

Refera does not describe the service as zero-knowledge or end-to-end encrypted: authorised Refera server components process data to provide the service. Refera does not claim a separate encryption key or token vault for every practice. The current security status and certification ladder are published on the Trust page.

7. Retention, export and deletion

Refera keeps information for as long as needed to provide and secure the service, maintain required business and acceptance records, respond to a request, and meet any applicable legal, security and backup-retention obligations. Retention differs by record and provider; this notice does not promise one period for every category.

A practice can export its structured tenant data and available sealed history free while the account is open. Account closure and deletion are authenticated, operator-assisted processes. Refera confirms the export, deletion scope and any acceptance, legal, security or backup retention before carrying out the request. It does not claim instant cryptographic erasure or a deployed self-service deletion engine.

For optional web voice, ElevenLabs audio saving is disabled and provider retention is configured to 0 days, although audio must be processed during the conversation. A generic business intent and limited timing metadata may remain in Refera's normal business systems for follow-up. Caller number and organisation are retained only when the caller's own words establish explicit practice or business context. A provider-extracted field or summary cannot establish that alone, and a standalone name or callback request loses every identity field. Raw transcript, free-text summary, caller name and patient-shaped turns are withheld from downstream records.

8. Access and correction

Practice users can review and correct their business profile in the authenticated workspace and can request access, correction, export or closure through Refera. Corrections to sealed referral history are recorded as new events rather than silently rewriting the prior record.

Patients should direct access or correction requests about their referral or health information to their practice. Refera assists the practice with the records it processes on the practice's instructions.

9. Contact, concerns and changes

Privacy requests and complaints

Email [email protected] with the subject Privacy request or Privacy complaint. Do not include patient or referral details in an ordinary email. Refera will verify the request and move sensitive follow-up to an appropriate channel.

For a complaint, explain what happened and the outcome you are seeking. Refera will acknowledge it, investigate the facts and respond with the outcome or next steps. This notice does not promise a fixed response time.

If the concern remains unresolved after Refera has had an opportunity to address it, you can make a privacy complaint to the Office of the Australian Information Commissioner.

Emba Consulting Pty Ltd (ABN 43 684 216 706), trading as Refera
Melbourne, Australia

Refera may update this notice when the service or its providers change. The effective date at the top changes with it. A change to this public notice does not silently change an accepted practice agreement; where re-acceptance is required, Refera presents the new agreement separately.