How we process data on your behalf.

1. Roles

Your practice is data controller; RecallQ Pty Ltd is data processor for all patient personal information processed through the service.

2. Scope

We process patient data only on your documented instructions and for the purposes described in the Privacy Policy. We do not sell, rent, or disclose patient data.

3. Sub-processors

Supabase (Sydney), Anthropic (USA), ClickSend (AU), Resend (USA), Stripe (AU), Sentry (EU). We notify you 30 days in advance of any change.

4. Security

AES-256 at rest, TLS 1.3 in transit, RBAC, audit logs, annual penetration testing.

5. Breach notification

24-hour notification on confirmation of an eligible breach.

6. Return & deletion

30-day export window on cancellation; permanent deletion within 60 days.

7. Audit

Written audit requests handled with current security summary; on-site audits by arrangement.

8. Contact

security@recallq.com.au