Our Privacy Policy

  1. Introduction
  2. What Personal Data We Collect
  3. How We Use Personal Data
  4. How and Why We Share Your Data
  5. International Data Transfers
  6. Data Security and Retention
  7. Your Rights and How to Exercise Them
  8. Changes to this Policy
  9. How to Contact Us
  10. Regional Appendices

Introduction

This Privacy Policy explains how Zanda Health Pty Ltd (“Zanda”, “we”, “us”, or “our”) collects, uses, shares, and secures personal information, and describes the rights individuals have regarding their personal data. Zanda offers cloud-based practice management software for healthcare and allied healthcare providers (the “Services”). We take privacy seriously, maintaining robust technical and organizational measures to protect your personal information.

If you have any questions about this Privacy Policy or how we handle personal data, please contact our Data Protection Officer at [email protected].

What Personal Data We Collect

Account Data:

When you sign up to use our health practice management platform, we collect personal details such as your name, email address, phone number, physical address, and payment information.

Customer Data:

We collect data you choose to enter into the Services. This may include patient health records, contact information, demographic details (e.g., date of birth, gender, and location), appointment histories, and sensitive data like health conditions or payment credentials (e.g., credit card numbers).

Automatically Collected:

Usage Data

We automatically capture certain data whenever you use our platform, including IP address, browser type and version, pages visited, dates, times, and durations of visits, device identifiers, and diagnostic data to help resolve issues and enhance performance.

Log Data

Our system produces logs that record detailed event information, including who performed an action, when and where it occurred, and the methods involved. We use these logs to maintain system integrity, support security efforts, and improve the overall user experience.

Cookies and Similar Technologies

We use cookies, pixels, tags, and scripts to understand usage, remember preferences, and improve our Services. You can manage your cookie preferences in our Cookie Notice.

How We Use Personal Data (Purposes and Legal Bases)

We process Account Data you provide us lawfully, fairly, and transparently. Under the EU GDPR and the UK GDPR, our legal bases include your consent, compliance with legal obligations, and/or our legitimate interests, provided these are not overridden by your rights.

Purposes:

  1. Services Provision (Legitimate Interests): To operate our website and deliver our Services (e.g., appointment booking, telehealth, billing), and support your account.
  2. Marketing and Communications (Consent / Legitimate Interests): To inform you about new features, special offers, discounts, and promotional opportunities to help you maximize value, send operational updates, security notices, invoices, and respond to inquiries.
  3. Customer Support (Legitimate Interests): To assist with technical issues and improve your user experience.
  4. Analysis & Development (Legitimate Interests): To analyze usage data, improve our platform’s functionality, and ensure Services reliability and security.
  5. Human Resources (Consent / Legitimate Interests / Legal Obligation): For processing candidate applications, recruitment activities, and internal organizational planning.
  6. Legal Requirements (Legal Obligation): To comply with applicable laws, court orders, or regulatory requirements.

When processing relies on legitimate interests, we have conducted a Legitimate Interest Assessment to ensure these interests are not overridden by individuals’ data protection rights.

Optional Communications:

You may opt out of non-essential emails (e.g., marketing) at any time using the opt-out link provided. You cannot opt out of essential operational communications, such as security or billing notices.

How and Why We Share Your Data

With Your Consent or Instruction:

We will not disclose personal data unless required or permitted by law, or we have your express consent to do so.

Processors:

We work with trusted service providers who follow strict data protection rules. They receive only the minimum personal data required to perform their tasks on our behalf. We do not share any Personal Health Data or Customer Data with processors. Our Processors List is regularly reviewed and updated as needed.

Third Parties:

We share your data with trusted third-party vendors to operate our business and deliver our Services. They receive only the minimum personal data required to perform their tasks. These vendors fall into two categories:

  • Processors – Vendors that support Zanda’s business operations, such as customer support, billing, and compliance tools. We do not share any Personal Health Data or Customer Data with processors.
  • Sub-processors – Vendors that enable Zanda’s software functionalities, such as cloud hosting, data storage, and payment processing.

See our Processors and Sub-Processors here.

Legal or Moral Requirements:

We may disclose personal data to law enforcement, regulatory bodies, or healthcare professionals in emergencies where it’s necessary to protect life or prevent serious harm, or to comply with a legal obligation.

Corporate Transactions:

If we are involved in a merger, acquisition, or asset sale, personal data may be transferred under appropriate safeguards and remain subject to this Privacy Policy unless you consent to new terms.

International Data Transfers

Zanda operates globally. Where we transfer personal data outside your jurisdiction (e.g., EEA), we use appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, to ensure an equivalent level of data protection. You can request more information about these safeguards at [email protected].

Data Security and Retention

Security Measures:

We implement and maintain industry-standard security measures (technical, administrative, and physical) to protect personal data against unauthorized access, alteration, disclosure, or destruction. Access to servers is strictly limited and monitored. While we follow recognized best practices (e.g., encryption, secure hosting), no method of transmission or storage is completely secure.

We are proud to be ISO 27001 certified, which reflects our commitment to maintaining the highest standards of information security management. For additional details about our security measures, please visit our Security Page.

Your Responsibility:

You play a key role in protecting your data. Keep your account credentials confidential. Contact us immediately if you suspect unauthorized account access.

Retention Periods:

We retain personal data only as long as necessary for the purposes described in this Privacy Policy or as required by law. For example:

  • Account Data is retained for the duration of your active account and for a regulation-specified period following its closure to comply with legal, tax, and regulatory obligations.
  • Customer Data is processed as per our Global Data Processing Agreement (DPA). Upon termination, data is deleted or returned as instructed by the customer.

Your Rights and How to Exercise Them

We respect the rights granted to individuals under applicable data protection laws, including EU GDPR, UK GDPR, CCPA/CPRA, PIPEDA, POPIA, and the Australian Privacy Act. Depending on your location, you may have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectify: Ask us to correct inaccurate or incomplete data.
  • Erase: Request deletion of personal data no longer needed or processed unlawfully.
  • Restrict Processing: Ask to limit how we process your data in certain circumstances.
  • Object: Object to processing based on legitimate interests or direct marketing.
  • Data Portability: Receive your data in a structured, machine-readable format.
  • Withdraw Consent: Where processing relies on consent, you may withdraw it at any time.

How to Make a Request:

Contact us at [email protected]. We will acknowledge your request promptly and aim to respond within applicable legal deadlines. To protect your privacy, we may request additional verification of your identity.

If you are a client or patient of a Zanda user (e.g., a healthcare practice), please reach out to that business directly to exercise your rights.

Complaints:

If you believe we have not addressed your data protection concerns, you may have the right to contact your local data protection authority. For example, in the EEA, you can contact the Irish Data Protection Commission; in the UK, the Information Commissioner’s Office (ICO); in Australia, the OAIC; and so forth. See the Appendices for more details.

Changes to this Policy

We may update this policy periodically. Changes take effect once posted on our website. The “Last Updated” date will indicate when revisions were made. If changes materially affect your rights, we will provide a prominent notice (e.g., email notification, in-app notification or website banner).

How to Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our Data Protection Officer: [email protected]

Privacy Notice Appendix: Data Protection Information for Individuals in Australia

This section is applicable to individuals whose personal information is collected, stored, used or disclosed by an APP Entity under the Australian Privacy Principles (“APPs”) contained in the Privacy Act of 1988.

Providing Anonymous and Pseudonymous Options

You have the option of anonymity or using a pseudonym when dealing with Zanda Health. However, this option may not be made available to you in certain cases, including if it’s impractical for Zanda Health to allow this option or when Zanda Health is required or authorized to deal with an identified individual by or under the law.

Collection, Use and Disclosure of Personal Information

Zanda Health collects personal information lawfully and fairly. We primarily collect information directly from you or your authorized representative. However, we may collect information from other sources (such as third parties) if:

  • You have given your consent;
  • It is required or permitted by law; or
  • Collecting it directly from you would be unreasonable or impractical.

If we need to collect sensitive information (such as health data), we will only do so if:

  • You have explicitly consented, and it is necessary for our services; or
  • It is required or authorized by law.

Zanda Health only uses and discloses your information for the purpose for which it was collected (the primary purpose) unless one or more of the following apply:

  • You have consented;
  • You would reasonably expect the secondary purpose;
  • It is required or authorized by or under law;
  • Zanda Health believes that it is reasonably necessary for an enforcement body’s activities.

We share your personal information with trusted service providers. You can find a detailed list of these providers and their locations at https://zandahealth.com/processors/. We do not disclose your personal information to overseas recipients unless:

  • You have consented to the disclosure
  • The recipient is subject to a law or binding scheme substantially similar to the APPs, and you can enforce that law/binding scheme
  • It is required or authorized by law
  • It is required or authorized by an international agreement relating to information sharing
  • It is reasonably necessary for an enforcement body’s or similar entity’s activities

Your Rights Under the APPs

You have the following rights related to the collection, use and disclosure of your personal data:

  • Be informed about the collection and use of your personal data
  • Access your personal information
  • Correction of your personal information to ensure accuracy and completeness
  • Request to not receive direct marketing communications from us or to not disclose your personal information to others for direct marketing purposes

If you have concerns about how Zanda Health handles your personal information, you can submit a written complaint to [email protected]. We will review your complaint and respond in writing within 30 days. You can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Email: [email protected] (For secure submission, use the OAIC online form.)
  • Mail: GPO Box 5218, Sydney NSW 2001 (Registered mail recommended.)
  • Fax: (02) 9284 9666

Privacy Notice Appendix: Data Protection Information for Individuals in the UK, EEA, and Switzerland

Our Role Under Relevant Laws

  • Data Controller: When processing Account Data as specified in “What Personal Data We Collect” above, we determine how and why the data is processed.
  • Data Processor: When processing Customer Data as specified in “What Personal Data We Collect” above, we act only on the Customer’s instructions and in accordance with our Global Data Processing Agreement (DPA).

Your Rights (UK GDPR, EU GDPR, Swiss FADP)

Where applicable, you have the right to:

  • Access, correct, or delete your personal data.
  • Restrict or object to how your data is processed.
  • Request data portability, when technically possible.
  • File a complaint with a supervisory authority, such as:
    • EU: Irish Data Protection Commission (DPC)
    • UK: Information Commissioner’s Office (ICO)
    • Switzerland: Federal Data Protection and Information Commissioner (FDPIC)

Withdrawing Consent

If we process your data based on your consent, you can withdraw this consent at any time. Withdrawing consent does not affect any processing we carried out before you withdrew it.

International Data Transfers

When we transfer your personal data outside the UK, EEA, or Switzerland, we follow applicable data transfer rules. We use safeguards like:

  • Standard Contractual Clauses (SCCs) approved by the relevant authorities.
  • Other legal mechanisms that comply with UK GDPR, EU GDPR, and the Swiss FADP.

For any questions, contact us at [email protected].

Privacy Notice Appendix: Data Protection Information for Individuals in the United States

California Residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have rights that may include:

  • Requesting details about our data collection practices.
  • Accessing your personal data.
  • Asking for deletion of your personal data.

We do not “sell” or “share” personal data as defined by California law. If we deny your request, you can appeal by following the instructions we provide in our response. For more information, contact [email protected].

Virginia Residents

Under the Virginia Consumer Data Protection Act (VCDPA), you have the right to:

  • Access, correct, or delete your personal data.
  • Obtain a portable copy of your personal data.
  • Opt out of targeted advertising, the sale of personal data, or profiling that leads to legal or similarly significant outcomes.

If we deny your request, you may appeal by following our provided instructions. For more details, contact [email protected].

Residents of Other States

We also comply with other U.S. state privacy laws, such as:

  • Colorado Privacy Act (CPA): Similar rights to Virginia, including opting out of targeted advertising and profiling.
  • Connecticut Data Privacy Act (CTDPA): Rights to access, correct, delete, and obtain personal data, and opt out of data sales and targeted advertising.
  • Utah Consumer Privacy Act (UCPA): Rights to access, delete, and obtain a copy of your personal data, and opt out of the sale of personal data.

If we deny a request, you can appeal by following the instructions in our response. For questions, please contact [email protected].

Privacy Notice Appendix: Data Protection Information for Individuals in Canada and Territories

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

  • Access: Request access to the personal information we hold about you, including details on how it is used and shared.
  • Correction: Ask us to correct any inaccurate or incomplete information.
  • Deletion: Request that we delete your personal information where allowed by law. Some legal or regulatory requirements may prevent deletion of certain data.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at https://www.priv.gc.ca/.

For residents of Quebec, Alberta, and British Columbia, provincial privacy laws may also give you additional rights. We will handle your request according to all applicable laws.

Contact Us

If you have questions or requests related to your personal information, email us at [email protected].

Privacy Notice Appendix: Data Protection Information for Individuals in South Africa

Under the Protection of Personal Information Act (POPIA), you have the right to:

  • Access: Request access to the personal data we have about you.
  • Correction: Ask us to correct or update inaccurate or incomplete data.
  • Deletion: Request deletion or removal of your personal data, where permitted.
  • Objection to Processing: Object to certain types of data processing, such as direct marketing.

If you have concerns about how your personal data is handled, you may file a complaint with the Information Regulator of South Africa.

Contact Information

If you need help or wish to exercise your rights, please contact our Data Protection Officer (DPO) at [email protected].

Information Regulator of South Africa:

Website: www.justice.gov.za/inforeg
Email: [email protected]

Last updated: 31 March 2025