VoxDocs Privacy Policy
Effective Date: 1 January 2025
Last Updated: 7 August 2025
VoxDocs (a software product provided by Codestax Pty Ltd) lets clinicians capture consultation information on the road and securely deliver it to their own back-office team or an authorised Bureau for manual dictation, billing, and record keeping. We only collect what’s needed to run the service. We don’t sell personal information. ...
1. Who we are
Codestax Pty Ltd (“Codestax”, “we”, “us”, “our”) provides the VoxDocs software product and related services for healthcare professionals. In this policy, “VoxDocs” refers to our software and related services; “we/us/our” refers to Codestax Pty Ltd as the legal entity responsible for the Services. This policy explains how we collect, use, disclose, store, and protect personal information (including health information) when you use our website, platform, and mobile apps (the “Services”).
2. Our role (controller vs processor/operator)
For practitioner/admin account data (e.g., contact, login, subscription/billing), Codestax is the controller/responsible party. For patient/clinical data processed in VoxDocs on a practitioner’s documented instructions (e.g., consultation audio, transcripts, clinical notes), Codestax acts as a processor/operator and processes only on the practitioner’s instructions (GDPR Art. 28; POPIA operator obligations). We may act as controller for limited system data (security logs, fraud prevention, compliance).
3. Laws we comply with
- Australia: Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including the Notifiable Data Breaches scheme.
- South Africa: Protection of Personal Information Act, 2013 (POPIA) and applicable HPCSA retention rules.
- EU/UK (if applicable): GDPR/UK GDPR (see Appendix A).
4. Information we collect
- Practitioner & account data: name, business/clinic details, contact details, user IDs, login/security credentials, subscription and billing information, support communications, device and usage data (e.g., IP address, app version, logs).
- Patient & clinical data (under your instructions): identifiers you capture; consultation audio/voice input; transcripts; clinical notes; diagnoses and treatment details you enter; uploaded files (PDFs, images); structured forms you configure.
- Files, media & permissions: with your permission—microphone (voice), camera/photos, and local file access for uploads.
- Cookies/analytics: we use cookies and similar technologies for functionality, security, and analytics. You can manage cookies in your browser settings; some features may not work if disabled.
5. How we collect information
- Directly from you or your authorised staff/medical Bureau.
- Automatically via the Services (logs, telemetry).
- From integrations you connect (e.g., EHR/billing services).
6. Conduit function & processing instructions
VoxDocs acts as a conduit for clinical information under the practitioner’s documented instructions. For patient/clinical data, Codestax processes personal information only to capture, transcribe/summarise (if enabled), and deliver that information to the practitioner’s designated recipients (e.g., the practitioner’s internal back office and/or an authorised medical Bureau). The practitioner remains the controller/responsible party for such data.
7. Audio, notes, and retention
- Definitions. “Dictation Audio” means audio created after a consultation where a practitioner records a narrative for transcription. “Consultation Audio” means audio recorded during a live consultation and may include a patient’s voice.
- Dictation Audio retention (for manual Bureau work): By default, we retain Dictation Audio for 30 days and you may configure a retention window between 7 and 180 days in settings. After the retention window expires, Dictation Audio is automatically deleted. The resulting transcripts/notes remain according to your account’s retention settings.
- Consultation Audio retention (optional): Consultation recording is disabled by default. If you enable it, you are responsible for obtaining and documenting all required recording consents before recording and, where applicable, for sharing with your Bureau. By default, we retain Consultation Audio for 7 days (configurable up to 30 days) where you have enabled retention to support QA or manual transcription. After the window expires, Consultation Audio is automatically deleted. If retention is disabled, Consultation Audio is deleted after the transcription workflow completes.
- Notes and exports: Notes saved in VoxDocs are retained for 7 days by default to allow export to your system, then auto‑deleted. You may extend retention up to 6 months in settings.
- Handover & purge: Once delivery to your designated recipient is marked Complete, we begin a short purge window (e.g., 3–7 days) and then delete retained audio and interim notes, except where law requires longer retention.
- Dormant accounts: If your account is deleted or inactive for 24 months, we schedule deletion of associated personal information unless we must retain it for legal, security, or dispute‑resolution purposes.
- Healthcare recordkeeping: You (as controller/practitioner) are responsible for meeting medical record retention laws (e.g., Australia: generally 7 years after last contact, longer for minors; South Africa: at least 6 years after last entry, longer for minors/other cases). We provide retention settings to help you comply.
8. Sharing and disclosures
- We do not sell personal information.
- We disclose only as needed to: (a) your authorised medical Bureau or back‑office providers at your instruction (once transferred, they are responsible for their own compliance); (b) vetted subprocessors/service providers (hosting, storage, security, email/SMS, analytics, payments) under written agreements imposing confidentiality, security, limited purpose, and deletion at end of service; and (c) legal/safety recipients (to comply with laws, enforce terms, protect rights, prevent fraud, or respond to lawful requests).
- Bureau access for manual transcription: Where you link a Bureau Account and enable sharing, you instruct us to disclose Dictation Audio (and, if enabled, Consultation Audio) and related transcripts/notes to your authorised Bureau for manual transcription, billing and administrative processing. The Bureau acts as your service provider (processor/operator) under your agreement with them. We restrict Bureau access to the scope you enable and require technical and contractual safeguards (confidentiality, security, purpose limitation).
- Subprocessors: A current list of material subprocessors is available on request (and may be posted on our website).
9. International data transfers
Data may be processed in Australia and in other locations of our subprocessors. For South African data (POPIA s72), we ensure adequate protection via contractual safeguards and technical/organisational measures, and assess recipient protections. For EU/UK transfers (GDPR/UK GDPR Chapter V), we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and, where applicable, the UK IDTA/Addendum, plus supplementary measures where needed.
10. Security & breach notification
We apply administrative, technical, and physical security measures appropriate to the risks, including encryption in transit and at rest, role‑based and tenant‑scoped access, logging/monitoring, and staff confidentiality obligations. No system is 100% secure. If a notifiable breach occurs, we will notify you and regulators as required by law (Australia NDB, POPIA s22, GDPR/UK GDPR 72‑hour rule where applicable).
11. Your rights and choices
Depending on your location, you may have rights to access, rectify, erase, restrict or object to processing (including direct marketing), and data portability. If we process based on consent, you can withdraw consent at any time (this will not affect prior lawful processing). To exercise rights, contact support@voxdocs.com.au. We will verify identity and respond within required timeframes.
Marketing: You can opt out at any time (unsubscribe link or email us). Where POPIA s69 applies, we obtain consent before direct marketing and honour opt‑outs promptly.
12. Children and minors
The Services are for professional use. We process minors’ health information only under practitioner instructions. Retention for minors may be longer where required by law.
13. Cookies & remarketing
We use cookies for functionality and analytics and may use remarketing tools (e.g., Google Analytics/Ads). You can manage cookies in your browser settings; some features may not work if disabled.
14. How long we keep information
We keep personal information only as long as necessary for the purposes above, to comply with legal obligations, and to resolve disputes and enforce agreements. See Section 7 for clinical content retention options and dormant account deletion.
15. Changes to this policy
We may update this policy from time to time. We will post changes and, if material, notify you (email or in‑app). Your continued use after the effective date means you accept the changes.
16. Contact us
Codestax Pty Ltd – provider of the VoxDocs software product
Email: support@voxdocs.com.au
Postal: PO Box 274, Karrinyup, 6921, WA
If you are in Australia, you may contact the Office of the Australian Information Commissioner (OAIC). If you are in South Africa, you may contact the Information Regulator (South Africa). If you are in the EU/UK, you may contact your local supervisory authority.
Appendix A — GDPR/UK GDPR Disclosures
- Roles: For practitioner/admin data we are controller; for patient/clinical data we are processor acting on your instructions (Data Processing Agreement available on request).
- Processor commitments (Art. 28): We process only on instructions; ensure confidentiality; implement appropriate security (Art. 32); assist with data subject requests, DPIAs and breach notifications; engage subprocessors only under written contracts with equivalent obligations; return/delete personal data at end of services; provide evidence of compliance.
- Lawful bases (Art. 6): Contract, legitimate interests, legal obligation, and consent where required.
- Special‑category data (Art. 9): Where we process health data for EU/UK data subjects, this is performed as processor to healthcare controllers; controllers typically rely on Art. 9(2)(h) (health care/management) or Art. 9(2)(a) (consent).
- International transfers (Chapter V): SCCs/IDTA (and supplementary measures) where required.
- Data subject rights: Access, rectification, erasure, restriction, portability, objection (including to direct marketing/profiling), and the right to lodge a complaint with a supervisory authority.
- Breach notification: We notify controllers without undue delay; controllers notify authorities within 72 hours where required.
- Representatives: If Art. 27 applies, we will appoint an EU/UK representative and publish their details on our website.