Zanda Health

Our Privacy Policy

Introduction

This Privacy Policy explains how Zanda Health Pty Ltd (“Zanda”, “we”, “us”, or “our”) collects, uses, shares, and secures personal information, and describes the rights individuals have regarding their personal data. Zanda offers cloud-based practice management software for healthcare and allied healthcare providers (the “Services”). We take privacy seriously, maintaining robust technical and organizational measures to protect your personal information.

If you have any questions about this Privacy Policy or how we handle personal data, please contact our Data Protection Officer at [email protected].

What Personal Data We Collect

Account Data:

When you sign up to use our health practice management platform, we collect personal details such as your name, email address, phone number, physical address, and payment information.

Customer Data:

We collect data you choose to enter into the Services. This may include patient health records, contact information, demographic details (e.g., date of birth, gender, and location), appointment histories, and sensitive data like health conditions or payment credentials (e.g., credit card numbers).

Automatically Collected:

Usage Data

We automatically capture certain data whenever you use our platform, including your IP address, browser type and version, the pages you visit, the dates, times, and durations of visits, device identifiers, and diagnostic data that helps us resolve issues and improve performance.

Log Data

Our system produces logs that record detailed event information, including who performed an action, when and where it occurred, and the methods involved. We use these logs to maintain system integrity, support security efforts, and improve the overall user experience.

Cookies and Similar Technologies

We use cookies, pixels, tags, and scripts to understand usage, remember preferences, and improve our Services. You can manage your cookie preferences in our Cookie Notice.

We process the Account Data you provide to us lawfully, fairly, and transparently. Under the EU GDPR and the UK GDPR, our legal bases include your consent, compliance with legal obligations, and/or our legitimate interests, provided these are not overridden by your rights.

Purposes:

When processing relies on legitimate interests, we have conducted a Legitimate Interest Assessment to ensure these interests are not overridden by individuals’ data protection rights.

Optional Communications:

You may opt out of non-essential emails (e.g., marketing) at any time using the opt-out link provided. You cannot opt out of essential operational communications, such as security or billing notices.

How and Why We Share Your Data

We will not disclose personal data unless required or permitted by law, or we have your express consent to do so.

Processors:

We work with trusted service providers who follow strict data protection rules. They receive only the minimum personal data required to perform their tasks on our behalf. We do not share any Personal Health Data or Customer Data with processors. Our Processors List is regularly reviewed and updated as needed.

Third-parties:

We share your data with trusted third-party vendors to operate our business and deliver our Services. They receive only the minimum personal data required to perform their tasks. These vendors fall into two categories:

See our Processors and Sub-Processors here.

We may disclose personal data to law enforcement, regulatory bodies, or healthcare professionals in emergencies where it’s necessary to protect life or prevent serious harm, or to comply with a legal obligation.

Corporate Transactions:

If we are involved in a merger, acquisition, or asset sale, personal data may be transferred under appropriate safeguards and remain subject to this Privacy Policy unless you consent to new terms.

International Data Transfers

Zanda operates globally. Where we transfer personal data outside your jurisdiction (e.g., outside the EEA), we rely on appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission, to ensure an equivalent level of data protection. You can request more information about these safeguards at [email protected].

Data Security and Retention

Security Measures:

We implement and maintain industry-standard security measures (technical, administrative, and physical) to protect personal data against unauthorized access, alteration, disclosure, or destruction. Access to servers is strictly limited and monitored. While we follow recognized best practices (e.g., encryption, secure hosting), no method of transmission or storage is completely secure.

We are proud to be ISO 27001 certified, which reflects our commitment to maintaining the highest standards of information security management. For additional details about our security measures, please visit our Security Page.

Your Responsibility:

You play a key role in protecting your data. Keep your account credentials confidential. Contact us immediately if you suspect unauthorized account access.

Retention Periods:

We retain personal data only as long as necessary for the purposes described in this Privacy Policy or as required by law. For example:

Your Rights and How to Exercise Them

We respect the rights granted to individuals under applicable data protection laws, including EU GDPR, UK GDPR, CCPA/CPRA, PIPEDA, POPIA, and the Australian Privacy Act. Depending on your location, you may have the right to:

How to Make a Request:

Contact us at [email protected]. We will acknowledge your request promptly and aim to respond within applicable legal deadlines. To protect your privacy, we may request additional verification of your identity.

If you are a client or patient of a Zanda user (e.g., a healthcare practice), please reach out to that business directly to exercise your rights.

Complaints:

If you believe we have not addressed your data protection concerns, you may have the right to contact your local data protection authority. For example, in the EEA, you can contact the Irish Data Protection Commission; in the UK, the Information Commissioner’s Office (ICO); in Australia, the OAIC; and so forth. See the Appendices for more details.

Changes to this Policy

We may update this policy periodically. Changes take effect once posted on our website. The “Last Updated” date will indicate when revisions were made. If changes materially affect your rights, we will provide a prominent notice (e.g., email notification, in-app notification or website banner).

How to Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our Data Protection Officer: [email protected]

Privacy Notice Appendix: Data Protection Information for Individuals in Australia

This section applies to individuals whose personal information is collected, stored, used or disclosed by an APP entity under the Australian Privacy Principles (“APPs”) contained in the Privacy Act 1988 (Cth).

Providing Anonymous and Pseudonymous Options

You have the option of anonymity or using a pseudonym when dealing with Zanda Health. However, this option may not be made available to you in certain cases, including if it’s impractical for Zanda Health to allow this option or when Zanda Health is required or authorized to deal with an identified individual by or under the law.

Collection, Use and Disclosure of Personal Information

Zanda Health collects personal information lawfully and fairly. We primarily collect information directly from you or your authorized representative. However, we may collect information from other sources (such as third parties) if:

If we need to collect sensitive information (such as health data), we will only do so if:

Zanda Health only uses and discloses your information for the purpose for which it was collected (the primary purpose) unless one or more of the following apply:

We share your personal information with trusted service providers. You can find a detailed list of these providers and their locations at https://zandahealth.com/processors/. We do not disclose your personal information to overseas recipients unless:

Your Rights Under the APPs

You have the following rights related to the collection, use and disclosure of your personal data:

If you have concerns about how Zanda Health handles your personal information, you can submit a written complaint to [email protected]. We will review your complaint and respond in writing within 30 days. You can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Privacy Notice Appendix: Data Protection Information for Individuals in the UK, EEA, and Switzerland

Our Role Under Relevant Laws

Your Rights (UK GDPR, EU GDPR, Swiss FADP)

Where applicable, you have the right to:

Withdrawing Consent

If we process your data based on your consent, you can withdraw this consent at any time. Withdrawing consent does not affect any processing we carried out before you withdrew it.

International Data Transfers

When we transfer your personal data outside the UK, EEA, or Switzerland, we follow applicable data transfer rules. We use safeguards like:

For any questions, contact us at [email protected].

Privacy Notice Appendix: Data Protection Information for Individuals in the United States

California Residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have rights that may include:

We do not “sell” or “share” personal data as defined by California law. If we deny your request, you can appeal by following the instructions we provide in our response. For more information, contact [email protected].

Virginia Residents

Under the Virginia Consumer Data Protection Act (VCDPA), you have the right to:

If we deny your request, you may appeal by following our provided instructions. For more details, contact [email protected].

Residents of Other States

We also comply with other U.S. state privacy laws, such as:

If we deny a request, you can appeal by following the instructions in our response. For questions, please contact [email protected].

Privacy Notice Appendix: Data Protection Information for Individuals in Canada and Territories

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at https://www.priv.gc.ca/.

For residents of Quebec, Alberta, and British Columbia, provincial privacy laws may also give you additional rights. We will handle your request according to all applicable laws.

Contact Us

If you have questions or requests related to your personal information, email us at [email protected].

Privacy Notice Appendix: Data Protection Information for Individuals in South Africa

Under the Protection of Personal Information Act (POPIA), you have the right to:

If you have concerns about how your personal data is handled, you may file a complaint with the Information Regulator of South Africa.

Contact Information

If you need help or wish to exercise your rights, please contact our Data Protection Officer (DPO) at [email protected].

Information Regulator of South Africa:

Website: www.justice.gov.za/inforeg
Email: [email protected]

Last updated: 31 March 2025