BloodTrack.au – Privacy Policy
Last updated: 3 May 2025
1 Who we are
BloodTrack.au ("BloodTrack", "we", "us" or "our") is an online platform operated by Tugadot that lets users upload their pathology results, extracts biomarker data using artificial‑intelligence tools, and presents those results back to the user in graphs, trends and plain‑language explanations. We do not provide medical diagnosis or treatment advice.
This Privacy Policy explains how we handle your personal information, including sensitive health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
If you do not agree with this Policy, please do not use BloodTrack.
2 Our commitment
- We collect only what we need to run the service.
- We keep your data secure using encryption and industry‑standard controls aligned with the ASD Essential Eight – Maturity Level 2.
- We give you control over your data – download, correct or delete it at any time.
- We do not sell your information.
3 What information we collect
| Category | Examples | Mandatory? |
|---|---|---|
| Account details | Name, email address, password hash, multi‑factor authentication tokens | Yes |
| Pathology reports (sensitive information) | PDFs/JPGs of laboratory results, extracted biomarker names, values, reference ranges, collection dates | Only when you choose to upload |
| Self‑reported data | Age, weight, sex, medication notes you manually enter | Optional |
| Usage & device data | IP address, browser type, referral URL, pages viewed, time on page, cookies | Collected via cookies / analytics |
| Support interactions | Emails or chat transcripts with our support team | If you contact us |
4 How we collect information
- Directly from you – when you create an account, upload a report or enter notes.
- Automatically – via cookies, log files and similar technologies.
- From integrated services – if you connect a third‑party app (e.g. Google Fit) we collect the data you authorise.
Each time you upload a report you will be asked to tick a consent checkbox confirming you agree to the collection and processing of that sensitive information for the purposes set out in this Policy.
5 Why we collect & how we use your information
| Purpose | Use cases | APP lawful basis |
|---|---|---|
| Provide the BloodTrack service | Account creation, parsing biomarkers, generating dashboards, sending account notifications | Express consent (APP 3) |
| Improve and secure the platform | Debugging, usage analytics, penetration testing, fraud prevention | Legitimate functions of a health‑service provider |
| Research & development (de‑identified) | Aggregating anonymised biomarker trends to improve our AI models | We irreversibly de‑identify before use (APP 12 exemption) |
| Marketing (optional) | Product updates, newsletters | Your opt‑in consent; you may unsubscribe any time |
We do not use your data for automated decision‑making that has legal or significant effects.
6 Disclosure of your information
We disclose personal information only to:
- Cloud infrastructure providers (Supabase – Sydney region) for application hosting and data storage;
- Analytics & error‑logging services (e.g. Plausible Analytics, Sentry) – configured to pseudonymise IP addresses;
- Professional advisers (lawyers, auditors) who are bound by confidentiality; and
- Authorities where required by law or to prevent serious harm.
Overseas disclosure (APP 8)
All primary data and backups are stored in Australia. If we ever need to transfer data overseas (for example, disaster‑recovery backups) we will either:
- Obtain your explicit consent; or
- Ensure the overseas recipient is contractually bound to comply with the APPs.
We do not disclose your data for direct‑marketing purposes and we never sell your information.
7 Storage, security & retention
- Encryption in transit & at rest – TLS 1.2+ for data in motion; AES‑256 for data at rest.
- Role‑based access control (RBAC) – staff access limited on a need‑to‑know basis; MFA required for all admin accounts.
- Audit logging – every access to raw reports and extracted data is logged to an immutable store and retained for at least seven years.
- Back‑ups – encrypted daily and stored in a separate Australian region; retained for 30 days before secure deletion.
- Patching & hardening – monthly patch cycle; annual penetration test.
When you delete a report it is immediately inaccessible; backup copies are overwritten within 30 days.
8 Access, correction & deletion (APP 12 & 13)
You can review, download, correct or delete your information at any time via your account dashboard.
If you need help, email info@bloodtrack.au. We will respond within 30 days. There is no charge for these requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee.
9 Data Breach Response
If we become aware of an eligible data breach (as defined in s26WE of the Privacy Act) that is likely to cause serious harm, we will:
- Contain and assess the incident immediately;
- Notify affected users and the Office of the Australian Information Commissioner (OAIC) within 30 days; and
- Provide recommended steps you can take to protect yourself.
A summary of our Data‑Breach Response Plan is available on request.
10 Cookies & analytics
We use first‑party cookies only for session management and to remember your preferences. We use Plausible Analytics, a privacy‑centric tool that does not use persistent identifiers or share data with advertising networks. You can decline non‑essential cookies in your browser settings.
11 Children
BloodTrack is designed for users 18 years and older. If you are under 18, you must have verified parental or guardian consent to use the service. If we discover we have collected personal information from a minor without consent, we will delete it promptly.
12 Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates when the latest changes were made. If the changes are material we will notify registered users by email and/or an in‑app banner.
13 Contact us
If you have questions, concerns or wish to make a privacy complaint, please contact our Privacy Officer:
Email: info@bloodtrack.au
Thank you for trusting BloodTrack.au with your health data.