🔒 Privacy Policy

How we handle your information.

Plain-English explanation of what we collect, why, how we protect it, and your rights — written to comply with the Australian Privacy Act and NSW health information laws.

Last updated: 5 May 2026 · Version: 1.0

About this policy.

This Privacy Policy explains how Aly's Dental Services Pty Ltd (ABN 36 139 765 012) trading as Berala Dental ("we", "us", "our") collects, uses, stores, discloses and protects your personal information.

It applies to information collected through our website (beraladental.com.au), our clinic at 184 Woodburn Road, Berala NSW 2141, our phone line, our WhatsApp business number, our email correspondence, our online forms (including the CDBS Eligibility Checker tool), and any other channel by which you interact with us.

This policy is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the Health Records and Information Privacy Act 2002 (NSW), the My Health Records Act 2012 (Cth) where applicable, and the privacy and confidentiality obligations imposed on registered dental practitioners by the Dental Board of Australia and AHPRA.

Who we are.

Legal entity: Aly's Dental Services Pty Ltd

ABN: 36 139 765 012

Trading as: Berala Dental

Address: 184 Woodburn Road, Berala NSW 2141

Phone: (02) 9649 6468

WhatsApp: +61 480 198 320

Privacy contact: privacy@beraladental.com.au

What we collect.

The personal information we collect depends on how you interact with us. We only collect what is reasonably necessary for our functions and activities as a dental practice. Categories include:

Identification & contact details

  • Full name, date of birth, gender
  • Residential address, postal address
  • Phone numbers (mobile and landline)
  • Email address
  • Emergency contact name and number
  • Preferred language and any cultural / accessibility considerations you tell us about

Health information (sensitive information)

  • Dental history, current concerns, presenting symptoms
  • General medical history including current medications, allergies, and relevant medical conditions
  • Clinical notes, examination findings, treatment provided, treatment plans
  • Dental x-rays, intraoral photographs, 3D scans
  • Information from referring practitioners or specialists
  • Information shared with other healthcare providers as part of your care (with your consent)

Financial & insurance details

  • Medicare card number, Individual Reference Number (IRN), and card expiry — for CDBS eligibility verification and billing
  • Private health fund name, member number, and cover level — for HICAPS claiming
  • Department of Veterans' Affairs (DVA) card details, where applicable
  • Payment information — credit card details (processed by our payment provider, never stored by us), bank details for refunds, BPAY references
  • Pension or healthcare card details, where eligible for concessions

Children's information

  • For children under your care: full name, DOB, IRN on the Medicare card, school year (if relevant for after-school appointments), CDBS eligibility status, dental and medical history

Website & technology data

  • IP address, browser type, device type, operating system
  • Pages visited, time spent, click paths through the site
  • Referring website (e.g. Google search, social media link)
  • Cookies and similar tracking technologies — see Cookies & Tracking below

Communications

  • Records of phone calls (we may note the topic and outcome — calls are not generally recorded)
  • Email correspondence
  • WhatsApp messages and any photos you send (e.g. of your Medicare card or a dental concern)
  • Online form submissions (booking enquiries, CDBS checker, contact form, newsletter signup)
  • Any reviews or feedback you provide directly to us

Information from third parties

  • Information from referring dentists, GPs, or specialists
  • Information from Services Australia / Medicare regarding CDBS eligibility (via the HPOS portal)
  • Information from your private health fund regarding cover and claim eligibility (via HICAPS)

How we collect it.

We collect personal information in the following ways:

  • Directly from you — when you fill out a form on our website, send us a WhatsApp message, call us, email us, attend an appointment, or speak to our reception team
  • Through our website — including the CDBS Eligibility Checker, contact form, booking enquiry form, and newsletter signup
  • From third parties with your consent or as authorised by law — including referring practitioners, your private health fund (via HICAPS), Services Australia / Medicare (via HPOS for CDBS verification)
  • Through cookies and analytics on our website — for general usage statistics
  • Through our practice management software — when our team creates or updates your patient file

Where we collect information from a third party, we will (where reasonable and practicable) take steps to ensure you are aware of the collection.

Why we use it.

We use your personal information for the following purposes:

  • Providing dental care — assessing, diagnosing, treating and following up on your dental health
  • Administering your appointments — booking, rescheduling, sending reminders, confirming attendance
  • Verifying eligibility for funded programs — particularly the Child Dental Benefits Schedule (CDBS) and DVA
  • Processing payments and claims — including HICAPS, Medicare bulk-billing, payment plans (Afterpay, Zip, etc.)
  • Communicating with you — responding to your enquiries, sending appointment reminders, notifying you of changes
  • Sending marketing communications — newsletter, blog updates, occasional offers — only with your consent and with a clear opt-out
  • Improving our services — analysing how patients use our website and where we can improve, training staff (using de-identified information)
  • Complying with legal obligations — record-keeping under the Health Records and Information Privacy Act, mandatory notifications under the Health Practitioner Regulation National Law (AHPRA), tax and accounting obligations
  • Protecting our legal interests — handling complaints, defending claims, recovering unpaid fees

Health information.

Health information is treated as sensitive information under the Privacy Act and receives a higher level of protection than other personal information. We will only collect health information about you with your consent, except where we are required or authorised to do so by law (for example, mandatory reporting obligations).

Your dental records are governed by the Health Records and Information Privacy Act 2002 (NSW). Under this Act, you have:

  • The right to know what health information we hold about you
  • The right to access that information (subject to limited exceptions, e.g. where access would pose a serious threat to life or health)
  • The right to request correction of inaccurate, out-of-date, incomplete, or misleading information
  • The right to request restrictions on disclosure

Information about how to exercise these rights is set out in Access & Correction below.

We retain dental records for at least seven (7) years from the date of last service for adults, and until the patient turns 25 years of age for children, in line with NSW health record retention requirements. We may retain information for longer where required for medico-legal purposes.

CDBS Eligibility Checker tool.

The CDBS Eligibility Checker on our website (at /cdbs-checker) is a free tool that allows parents and guardians to send their Medicare and child details to us so we can verify their eligibility for the Child Dental Benefits Schedule via Medicare's Health Professional Online Services (HPOS) portal.

When you use this tool:

  • You may submit details either by WhatsApp (recommended — opens a pre-filled message you review and send) or by web form (submitted via Formspree, an encrypted form-handling service)
  • Submission is HTTPS-encrypted in transit. WhatsApp messages are end-to-end encrypted.
  • You must tick a consent box before the form will allow submission. Without consent, no data is sent.
  • The information collected is used only to verify CDBS eligibility through the HPOS portal and to call you back with the result
  • If you are not booked in as a new patient, the Medicare card number, expiry, and child IRN will be deleted from our systems within thirty (30) days of the eligibility check being completed
  • If you are booked in as a new patient, your details will be transferred to your patient record and managed under the standard health-record retention periods set out above
  • Your contact details (name, phone, email) may be retained on a low-risk basis for follow-up if you have not yet decided to book — we will delete them on request, or after twelve (12) months of inactivity

WhatsApp communications.

We use WhatsApp Business as one of our communication channels. When you message us on WhatsApp:

  • WhatsApp messages are end-to-end encrypted by WhatsApp's infrastructure (operated by Meta Platforms, Inc.)
  • Our reception team receives and reads your messages on practice-managed devices
  • We may save important details from WhatsApp conversations (such as your name and reason for contact) into your patient file in our practice management software
  • Photos you send (e.g. Medicare cards, photos of dental concerns) are stored briefly while we process your enquiry, then deleted from the WhatsApp device unless they are saved to your patient file
  • Meta Platforms, Inc. handles the underlying WhatsApp infrastructure and is subject to its own privacy practices, which you can review at whatsapp.com/legal/business-policy

You can choose to contact us by phone, email, or in person if you would prefer not to use WhatsApp.

Who we share information with.

We do not sell your personal information. We may disclose it to the following categories of recipients, only as needed to provide your care or fulfil our legal obligations:

  • Other healthcare providers involved in your care — referring or accepting practitioners, specialists, oral surgeons, prosthodontists, orthodontists, your GP — only with your consent unless an emergency or legal exception applies
  • Services Australia / Medicare — for CDBS eligibility checks and bulk-billing claims
  • HICAPS and your private health fund — for processing on-the-spot health fund claims
  • Department of Veterans' Affairs — for DVA-card holders, for claim processing
  • Payment processors — Tyro, EFTPOS providers, Afterpay, Zip, BPAY, for payment transactions
  • Our practice management software vendor — for the secure hosting and operation of patient records
  • IT service providers — for hosting, backups, technical support, cybersecurity
  • Form-handling services — Formspree (which receives form submissions and forwards them to our email)
  • Email and SMS providers — for sending appointment reminders, marketing emails (with consent), and other communications
  • Professional advisors — accountants, auditors, lawyers, insurers, where reasonably required
  • Regulators and government bodies — including AHPRA, the Dental Board of Australia, the Office of the Australian Information Commissioner (OAIC), state and federal courts, where required by law
  • In a sale or transfer of our practice — to a successor entity, with appropriate confidentiality protections

Overseas storage.

Some of our service providers process or store information outside Australia. Where they do, we take reasonable steps to ensure the information is handled in a way that is consistent with the Australian Privacy Principles. The principal jurisdictions where this may occur are:

  • United States — our website is hosted on Webflow, and our online forms use Formspree, both US-based services. Email infrastructure may also use US-based providers.
  • Other jurisdictions — our practice management software, communications platforms, and analytics services may have data centres in other countries

We do not transfer health records overseas other than as needed for the technical operation of our IT systems. By using our website and submitting information to us, you consent to your information being processed in the jurisdictions noted above.

Cookies & tracking.

Our website uses cookies and similar technologies for the following purposes:

  • Essential cookies — required for the website to function (e.g. remembering form inputs, keeping the menu state)
  • Analytics cookies — to understand which pages are visited, how long users stay, where users come from. This may include first-party Webflow analytics and, in future, services such as Google Analytics. Analytics data is generally aggregated and de-identified.
  • Performance cookies — to monitor site performance and detect errors

If we add advertising or remarketing pixels (e.g. Meta Pixel, Google Ads conversion tracking) in future, we will update this policy and offer a way to manage consent.

You can control cookies through your browser settings. Disabling cookies may affect some website features but you will still be able to access the core information.

Marketing communications.

We may send you marketing communications — such as our newsletter, blog updates, oral health tips, and information about services or offers — only where:

  • You have explicitly opted in (e.g. by signing up to our newsletter), or
  • You are an existing patient and the information is reasonably related to the services we provide you, and you have not previously opted out

Every marketing communication we send will include a clear way to unsubscribe (such as an "unsubscribe" link in emails). You can also opt out at any time by emailing privacy@beraladental.com.au or replying STOP to any SMS we send.

Opting out of marketing does not affect appointment reminders, recall notices, or other operational communications relating to your care.

Information about children.

We treat the dental records of children with particular care. When information is collected about a child, we typically collect it from the child's parent or legal guardian. We assess on a case-by-case basis whether a young person under 18 has the capacity to consent to their own treatment and to manage their own information — this generally aligns with the Gillick competence framework used in Australian healthcare practice.

For the CDBS Eligibility Checker, only a parent or guardian should submit a child's details. Children's records are retained until the patient turns 25 years of age, in line with NSW health record retention rules.

How we protect your information.

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. These steps include:

  • Encrypted transmission — our website uses HTTPS for all pages. Form submissions are encrypted in transit.
  • Access controls — patient records and sensitive systems are accessible only to authorised staff with individual login credentials
  • Staff training — all team members are trained in privacy and confidentiality obligations as a condition of employment
  • Password and device security — practice devices are password-protected, automatically lock when idle, and use up-to-date security patches
  • Physical security — paper records (where used) are stored in locked cabinets in restricted-access areas
  • Backups — encrypted backups of patient records, with regular integrity checks
  • Vendor due diligence — when we choose service providers, we review their privacy and security practices

No system is completely secure. While we apply strong protections, we cannot guarantee absolute security of any information transmitted over the internet. You also have a role in protecting your information — for example, by keeping your own devices and accounts secure.

How long we keep information.

We retain personal information only for as long as needed for the purposes set out in this policy or as required by law. Specific retention periods include:

  • Adult dental records — at least 7 years from the date of last service
  • Children's dental records — until the patient turns 25 years of age
  • Financial records — at least 5 years (Australian Taxation Office requirement)
  • CDBS checker submissions where the child is not booked in — Medicare card number, expiry, and IRN deleted within 30 days; contact details deleted within 12 months
  • Marketing subscriber data — until you unsubscribe, then deleted within 90 days
  • Website analytics — typically retained in aggregated form for up to 26 months

When information is no longer needed, we destroy it securely (electronic information is permanently deleted, paper records are shredded).

Access & correction.

You have the right to:

  • Access the personal information we hold about you
  • Request a correction if you believe information we hold is inaccurate, out of date, incomplete, irrelevant, or misleading
  • Request a copy of your dental records — including transferring records to another practice

To make a request, contact us at privacy@beraladental.com.au or by post to our clinic address. We may need to verify your identity before processing the request.

We aim to respond to access and correction requests within 30 days. There may be a reasonable administrative fee for retrieving and copying extensive records — we will tell you in advance if a fee applies.

In limited circumstances we may refuse access (for example, where it would pose a serious threat to life or health, or where it would unreasonably impact another person's privacy). If we refuse, we will explain why in writing.

Data breach response.

We have an internal data breach response plan. If we suffer a breach that is likely to result in serious harm to affected individuals, we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  • Notify affected individuals directly with a clear explanation of what happened, what information was involved, what we are doing about it, and what you can do

This is in line with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.

Complaints & concerns.

If you are concerned about how we have handled your personal information, please contact us first — most issues can be resolved quickly through a conversation. Email privacy@beraladental.com.au with the subject "Privacy concern" and we will:

  • Acknowledge your concern within 5 working days
  • Investigate it and respond substantively within 30 days

If you are not satisfied with our response, you may complain to:

External complaint bodies

Office of the Australian Information Commissioner (OAIC) — for federal privacy and health information matters
1300 363 992 · oaic.gov.au

NSW Privacy Commissioner — for matters under NSW health information legislation
1800 472 679 · ipc.nsw.gov.au

Health Care Complaints Commission (NSW) — for complaints about clinical care
1800 043 159 · hccc.nsw.gov.au

Australian Health Practitioner Regulation Agency (AHPRA) — for professional conduct concerns about a registered practitioner
1300 419 495 · ahpra.gov.au

Changes to this policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal obligations, or other circumstances. The "last updated" date at the top of the page will reflect the date of any change.

Material changes will be communicated where appropriate (e.g. a notice on our home page, or an email to active patients). We encourage you to review this policy periodically.

Contact us.

Got a question about your privacy?

We'd rather hear from you directly than have you wonder. Reach out and we'll explain how we handle anything you're concerned about.

Email: privacy@beraladental.com.au

Phone: (02) 9649 6468

Post: Privacy Officer, Berala Dental, 184 Woodburn Road, Berala NSW 2141