PRIVACY AND COOKIE POLICY

Last updated: 28th October 2025

Norwest Wellbeing (operated by Damas Group Pty Ltd ABN: 58 162 956 274) is committed to protecting your privacy and complying with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and the NSW Health Records and Information Privacy Act 2002.

This Privacy Policy describes how we collect, use, store, and disclose your personal information and health information when you use our website, booking services, and clinical services.

Key terms:
“We,” “us,” “our,” and “Norwest Wellbeing” refer to Damas Group Pty Ltd and our clinical hypnotherapists, Paul Smith and Rebecca Smith

“You” refers to any person who visits our website or uses our services
“Personal information” means information about an identifiable individual
“Health information” means personal information about your physical or mental health
Data Controller: Damas Group Pty Ltd, L2, Suite 210, 4 Columbia Court, Norwest NSW 2153
Privacy Officer: Paul Smith
Contact: hello @ norwestwellbeing.com.au | (02) 8069 9777

1. WHAT PERSONAL INFORMATION WE COLLECT

Information you provide directly:
Contact details: Name, phone numbers, email address, postal address
Demographic information: Date of birth, gender identity, occupation
Health information: Medical history, current medications, GP details, mental health history, treatment goals, session notes
Emergency contacts: Names, relationships, contact details
Payment information: Credit card details (processed securely by our payment providers)
Communication records: Emails, phone calls, messages, feedback, and complaints
Information collected automatically:
Website usage: IP address, browser type, device information, pages visited, time spent on site
Cookies and tracking: Session data, preferences, analytics data
Location data: General location based on IP address (not precise location tracking)
Information from third parties:
Healthcare providers: With your consent, information from your GP, psychologists, or other treating practitioners
Referral sources: Information from people who refer you to our services
Payment providers: Transaction confirmations and payment status.
AI processing data: Transcription accuracy logs, processing timestamps, and system performance data (used for quality improvement only)

2. AUDIO AND VIDEO RECORDING

Recording at Norwest Wellbeing
Norwest Wellbeing uses audio and video recording in two distinct ways to ensure your safety and provide quality clinical care. By visiting our clinic, you consent to these recording practices as outlined below.

2.1 Security and Safety Recording
Purpose:
We operate video surveillance throughout our clinic premises (excluding treatment rooms) for:

Security and protection of clients, staff, and property
Safety monitoring and incident prevention
Compliance with duty of care obligations
Insurance and risk management requirements

What is recorded:
Reception and waiting areas
Hallways and common areas
Entry and exit points
External clinic perimeters

What is NOT recorded:
Treatment rooms (unless separately consented for therapeutic purposes. Section:Recording at the Clinic. )

Private consultation areas
Bathrooms or changing areas

Storage and retention:

Recordings are stored securely on encrypted systems
Security footage is typically retained for 30 days
Extended retention may occur if an incident requires investigation
Recordings are automatically deleted after the retention period

2.2 Therapeutic Session Recording
Purpose:
During your hypnotherapy sessions, we use a recording for:

Video recording:

Client and practitioner safety: Protecting both you and our practitioners during sessions
Professional protection: Providing objective records in case of any concerns or complaints
Quality assurance: Ensuring professional standards are maintained
Audio recording:

Accurate clinical documentation: Recording conversations to ensure precise and comprehensive treatment notes
Treatment planning: Reviewing sessions to develop effective ongoing treatment plans
Progress monitoring: Tracking your therapeutic journey accurately over time
Professional standards: Maintaining detailed clinical records as required by professional guidelines
Clinical supervision: Supporting supervision and consultation with qualified practitioners
Your consent and rights:

You provide consent for therapeutic recording when you sign your intake form
Recording only occurs in treatment rooms with your knowledge and consent
You can request to stop recording at any point during your session
You may withdraw consent for future recordings (this won’t affect previously recorded sessions)
You have the right to access, correct, or request deletion of your recordings
You can receive copies of your recordings (reasonable fees may apply)
Storage and security:

All therapeutic recordings are stored on secure, encrypted, password-protected systems
Files are named using client ID numbers, not personal names
Access is restricted to your treating practitioners (Paul Smith and Rebecca Smith)
Recordings are stored on Australian-based servers only
We do not transfer recordings overseas without your additional written consent
Retention period:

Adult client recordings: Retained for 7 years from your last appointment
Clients under 18: Retained for 7 years from when you turn 18, or 7 years from last appointment (whichever is longer)
Recordings are securely destroyed when no longer required
Clinical benefits:
Audio recording allows us to:

Focus fully on you during the session rather than taking extensive notes
Capture exact details of your concerns and responses
Create more accurate and comprehensive treatment plans
Ensure nothing important is missed or forgotten
Provide better continuity of care across sessions

2.3 When We May Share Recordings
We will only share your recordings with third parties:

With your written consent
When required by law or court order
If there’s a serious risk of harm to yourself or others
For professional supervision or consultation (maintaining confidentiality)
For insurance or legal proceedings related to your treatment
In emergency situations where your safety is at risk

2.4 Quality and Technical Limitations
While we maintain high-quality recording equipment and security systems:

We cannot guarantee perfect recording quality due to technical limitations
Equipment failures may occasionally occur
We are not liable for technical issues that affect recording quality
Backup systems are in place to minimise technical problems

2.5 Training and Educational Use
Additional consent required:
If you wish to help other clients by allowing your recordings to be used for training purposes:

Separate written consent is required
All identifying information will be removed
Recordings will only be used for professional training of qualified practitioners
You can withdraw this consent at any time

2.6 Data Security Measures for Recordings
We protect your recordings through:

End-to-end encryption of all files
Multi-factor authentication for system access
Regular security audits and updates
Staff training on privacy and confidentiality
Secure backup procedures
Incident response protocols

3. HOW WE USE YOUR INFORMATION

Primary purposes:
Clinical care: Providing hypnotherapy services, treatment planning, and progress monitoring
Clinical documentation: Audio recording sessions to ensure accurate, comprehensive treatment notes and maintain professional clinical records
Health and safety: Emergency situations, duty of care obligations, risk assessment
Administration: Appointment booking, payment processing, client communications
Legal compliance: Meeting regulatory requirements, responding to legal requests
Secondary purposes (with consent):
Marketing: Sending newsletters, treatment updates, health tips (opt-in only)
Quality improvement: Service development, staff training, client satisfaction surveys
Research: Anonymous, aggregated data for treatment effectiveness studies
Direct marketing:
We only send marketing communications with your explicit consent. You can unsubscribe at any time using the link in our emails or by contacting us directly.
AI-assisted documentation: Using artificial intelligence to transcribe audio recordings into accurate written clinical notes and maintain comprehensive session records

3A. ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING

How we use AI:
We may use artificial intelligence and automated systems to:
Transcribe audio recordings: Converting your session recordings into written clinical notes and documentation
Administrative tasks: Managing appointment bookings, client communications, and scheduling
Service improvement: Analysing website usage patterns and service delivery (using anonymised data only)
Communication assistance: Generating administrative correspondence and documentation templates
AI and your information:

Personal and health information may be processed by AI systems for transcription and administrative purposes only
AI transcription services are used to convert session audio into written clinical notes
All AI processing occurs on secure systems with appropriate privacy protections
AI systems do not have independent access to your information without human oversight
All AI-generated clinical notes and transcriptions are reviewed and verified by your treating practitioner
No AI system makes clinical decisions about your treatment
Data security for AI processing:

AI services used are selected for their privacy and security standards
Where possible, AI processing occurs on Australian-based secure systems
Third-party AI services are bound by strict confidentiality agreements
Your information is encrypted during AI processing
AI processing logs are maintained for security and quality purposes
Your AI rights:

You can request human review of any AI-processed information
You can opt-out of AI transcription services (manual notes will be taken instead)
You have the right to know when AI has been used in processing your information
You can request corrections to any AI-generated content in your records
AI processing does not affect your other privacy rights

4. WHO WE SHARE YOUR INFORMATION WITH

Healthcare providers:
Your GP, psychiatrists, psychologists, or other treating practitioners (with your written consent)
Emergency services if there’s an immediate risk to your safety or others’ safety
Service providers:
Booking system providers: For appointment management
Payment processors: For secure payment processing (they don’t access your health information)
IT support providers: For secure system maintenance (under strict confidentiality agreements)
Professional supervisors: Qualified hypnotherapists for clinical supervision (maintaining confidentiality)
Legal requirements:
Law enforcement, when required by court order or subpoena
Regulatory bodies for professional oversight
Child protection services if required under mandatory reporting laws
Coroners or other authorities if legally required

Business transactions:
In the event of a business sale, merger, or acquisition, your information may be transferred to the new owners under the same privacy protections.

Clinical recordings and health information:
We may share your therapeutic recordings and health information with other healthcare professionals involved in your care (such as your GP, psychiatrist, or other therapists) with your written consent, or when required by law for your safety or the safety of others.

We will never:
Sell your personal or health information to third parties
Use your information for purposes other than those stated
Share your information without a proper legal basis or your consent

AI transcription services: Secure artificial intelligence platforms that convert audio recordings to text for clinical documentation (under strict confidentiality agreements and privacy protections)

5. DATA STORAGE AND SECURITY

Security measures:
Encryption: All health information is encrypted in storage and transmission
Access controls: Multi-factor authentication and role-based access
Staff training: Regular privacy and security training for all team members
Physical security: Secure premises with restricted access to client files
System monitoring: Regular security audits and incident response procedures
Data location:
All information is stored on secure servers located in Australia
We do not transfer personal or health information overseas without your explicit consent
Cloud storage providers are Australian-based and subject to Australian privacy laws
Retention periods:
Adult health records: 7 years from last appointment
Minor health records: 7 years from when client turns 18, or 7 years from last appointment (whichever is longer)
Security recordings: 30 days (unless investigating an incident)
Financial records: 7 years as required by Australian taxation law
Marketing preferences: Until you unsubscribe or we cease operations

6. YOUR PRIVACY RIGHTS

Under Australian privacy law, you have the right to:

Access:
Request copies of your personal and health information
Receive information about how we’ve used and disclosed your information
Obtain access within 30 days (reasonable fees may apply for extensive requests)
Correction:
Request corrections to inaccurate or incomplete information
Add statements if we disagree about accuracy
Have corrections passed on to third parties where appropriate
Deletion:
Request deletion of your information (subject to legal and clinical requirements)
Have information anonymised where deletion isn’t possible
Restriction:
Object to certain uses of your information
Withdraw consent for secondary purposes (doesn’t affect previous lawful processing)
Opt-out of direct marketing at any time
Managing your recordings:
You can request access to your therapeutic recordings, request corrections, or ask for recordings to be deleted (subject to legal and clinical requirements). To make these requests, please contact our Privacy Officer at [email protected] or call us during business hours.

Complaint:
Lodge a complaint with us about privacy breaches or concerns
Complain to external authorities if unsatisfied with our response

AI transparency: Request information about any AI processing of your personal or health information
Human review: Request human verification of any AI-generated content in your records
AI opt-out: Decline AI processing of your information where alternative methods are available

7. COOKIES AND WEBSITE TRACKING

Types of cookies we use:
Essential cookies: Required for website functionality and security
Analytics cookies: Help us understand how visitors use our website (Google Analytics)
Preference cookies: Remember your settings and language preferences
Third-party services:
Google Analytics: Provides website usage statistics (anonymised data)
Booking system: Manages appointments and client communications
Social media plugins: If you interact with our social media content
Your choices:
You can control cookies through your browser settings, but some website functionality may be limited if you disable essential cookies.

8. CHILDREN’S PRIVACY

We provide services to clients aged 16 and over. For clients under 18:

Parent or guardian consent is required
We may need to share information with parents/guardians for safety reasons
Special retention rules apply (records kept until 7 years after turning 18)
Additional privacy protections are in place

9. CROSS-BORDER DISCLOSURE

We do not routinely transfer personal information overseas. If overseas disclosure becomes necessary:

We’ll obtain your explicit consent
Ensure equivalent privacy protections are in place
Only use countries with adequate privacy laws or approved entities

10. DATA BREACHES

In the event of a data breach:

We’ll assess and contain the breach immediately
Notify relevant authorities within 72 hours if required
Inform affected individuals if there’s a likely risk of serious harm
Take steps to prevent future breaches
Maintain records of all data breaches

11. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect:

Changes in privacy laws
New services or technologies
Improvements to our privacy practices
How we notify you:

Email notification to registered clients
Prominent website notice
Updated “last modified” date
Continued use of services indicates acceptance of changes

12. COMPLAINTS AND CONTACT

Privacy complaints process:
Contact us first: hello @ norwestwellbeing.com.au or (02) 8069 9777
We’ll respond within 7 days to acknowledge your complaint
Investigation completed within 30 days with a written response
Appeal process available if you’re unsatisfied.

AI and automated processing concerns: If you have questions about our use of artificial intelligence or automated processing of your information, please contact our Privacy Officer who can provide detailed information about specific AI systems used and your rights regarding AI processing.

Privacy and Recording Concerns
If you have concerns about our recording practices:

Privacy Officer: Paul Smith
Email: hello @ norwestwellbeing.com.au
Phone: (02) 8069 9777
Address: L2, Suite 210, 4 Columbia Court, Norwest NSW 2153

External complaint options:
Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au | 1300 363 992
NSW Privacy Commissioner: www.ipc.nsw.gov.au | 1800 IPC NSW
Health Care Complaints Commission NSW: www.hccc.nsw.gov.au | 1800 043 159
Contact details:
Privacy Officer: Paul Smith
Email: hello @ norwestwellbeing.com.au
Phone: (02) 8069 9777
Address: L2, Suite 210, 4 Columbia Court, Norwest NSW 2153
Business hours: Monday to Friday, 9:00 AM to 5:00 PM

This Privacy Policy complies with:
Privacy Act 1988 (Cth) and Australian Privacy Principles
Health Records and Information Privacy Act 2002 (NSW)
Therapeutic Goods Administration requirements
Professional association standards (AACHP)
Australian Consumer Law

Effective Date: 28th October 2025