Privacy Policy

How Rehab N Run collects, uses, stores and protects your personal and health information. Your trust matters to us, and this policy spells out exactly how we look after the information you share with us.

Last updated: 5 June 2026  ·  Operator: Rehab N Run Pty Ltd (ABN 27 683 473 065), trading as Rehab N Run.

1. About this policy

Rehab N Run Pty Ltd (ABN 27 683 473 065) ("we", "us", "our") operates a physiotherapy clinic at Shop 4C/389-393 Hume Highway, Liverpool NSW 2170 and the website at rehabnrun.com.au.

We take your privacy seriously. As a health service provider, we are bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs), the NSW Health Records and Information Privacy Act 2002 and its fifteen Health Privacy Principles (HPPs), the Physiotherapy Board of Australia / AHPRA Code of Conduct, and the Spam Act 2003 (Cth) for any marketing communications.

This policy explains what information we collect, why we collect it, how we use it, who we share it with, how you can access or correct it, and how to make a complaint if you're not happy with how we've handled your information.

2. Information we collect

Most of the information we collect from you is needed to treat you safely, bill correctly, and meet our legal obligations as a health service provider. We collect the following categories:

2.1 Personal and contact information

  • Your full name, date of birth, gender and address
  • Phone numbers, email address and emergency contact details
  • Occupation and (where relevant) employer
  • Photograph (only if you provide one for clinical purposes, e.g., wound photos with consent)

2.2 Health information (sensitive information)

  • Your medical history, current conditions, medications and allergies
  • Reasons for attending physiotherapy, including injury history and prior treatment
  • Assessment findings, diagnoses, treatment plans, progress notes and clinical photographs/imaging
  • Referral letters from GPs, surgeons or other practitioners
  • Results of investigations such as X-rays, MRIs or ultrasounds you share with us

Health information is "sensitive information" under the Privacy Act and is protected by stricter rules than ordinary personal information.

2.3 Payment and funding information

  • Medicare number, DVA number, NDIS participant number, claim numbers (CTP/icare, workers compensation through SIRA, etc.)
  • Private health fund membership and details (for HICAPS claiming)
  • Payment card details (processed by our payment provider — we do not store full card numbers)

2.4 Website and analytics information

When you visit our website, we automatically collect limited technical information, such as your IP address, device and browser type, the pages you view, the time you spend on them, and how you got to our site. We also use analytics and advertising tools described in Section 7 below.

3. How we collect your information

We collect information directly from you in most cases — when you book an appointment, fill out our new-patient form, speak with our clinicians, contact us by phone, email or our website form, or use our online booking system.

We may also collect information about you from third parties where this is reasonable and necessary, including:

  • Your treating GP, surgeon, specialist or other allied health professional who refers you to us
  • Medicare, the Department of Veterans' Affairs, the NDIS, your private health insurer or an injury claim insurer
  • Your employer or case manager (for workers compensation matters)
  • Your legal representative (with your authority)

Where it is lawful and practicable, you may deal with us anonymously or using a pseudonym (for example, when making a general enquiry). However, we cannot provide physiotherapy treatment, bill a third-party insurer or comply with our clinical record-keeping obligations without your identifying details.

4. Why we collect your information

We collect, hold, use and disclose your information for the following primary purposes:

  • To provide you with safe and effective physiotherapy assessment, treatment and rehabilitation
  • To communicate with you about your appointments, treatment plan and ongoing care
  • To liaise with your GP, specialist or other treating practitioners involved in your care
  • To bill you and process payments, including claims through Medicare, DVA, NDIS, your private health fund or an injury insurer
  • To meet our record-keeping obligations under the Health Records and Information Privacy Act, AHPRA registration standards and the Physiotherapy Board's Guidelines for Mandatory Notifications
  • To respond to complaints, legal claims, subpoenas or regulatory investigations
  • To improve our services, manage our practice and conduct internal training, audit and quality-assurance activities
  • For direct marketing of our services, where you have not opted out (see Section 8)

5. Who we share your information with

We do not sell your personal or health information, ever. We will only share your information where it is necessary for one of the purposes above, you have consented to it, or we are required or authorised by law. The categories of recipients include:

  • Other treating practitioners — your GP, surgeon, specialist or another physio or allied health professional, where this is needed for your care and you have consented (consent can be express or reasonably implied in the circumstances).
  • Government funders — Medicare (including Chronic Disease Management / EPC plans), the Department of Veterans' Affairs, and the NDIS, for the purpose of claiming and reporting under those programs.
  • Private health insurers — for HICAPS on-the-spot claiming.
  • Injury insurers — icare and SIRA-licensed insurers (workers compensation), CTP insurers and third-party insurers, where you are claiming under those schemes.
  • Our practice management software — we use Nookal as our primary clinical and practice management system. Nookal hosts your appointment schedule, clinical notes, treatment history and demographic information on secure Australian-based servers under contract with us.
  • Our payment and booking platforms — we use HICAPS for on-the-spot private health fund claiming at the point of care, and Halth for online bookings, securely storing your saved card details, and storing your private health fund details for a faster checkout experience. Both providers handle your payment information under their own PCI-compliant security standards and act as our service providers under contract.
  • IT and cloud service providers — including email, secure backup, file storage and our website host (Netlify), where information is processed strictly for us under contract.
  • Professional advisors and auditors — accountants, lawyers, and our professional indemnity insurer, on a strictly need-to-know basis.
  • Regulators and law enforcement — AHPRA, the Health Care Complaints Commission (NSW), the Office of the Australian Information Commissioner (OAIC), and law-enforcement agencies or courts (including under a court order), where required or authorised by law.
  • Emergency services or your nominated contact — in the rare event we believe there is a serious threat to your life, health or safety, or the safety of others.

6. Storage, security and how long we keep it

Your information is held in a combination of secure electronic records (within our practice management software and other approved systems) and, where applicable, paper records kept locked on site.

We take reasonable steps to protect your information from misuse, interference, loss, unauthorised access, modification or disclosure. These steps include access controls and password protection on all clinical systems, staff confidentiality training and signed confidentiality agreements, encrypted storage and transmission of clinical records, physical security at our clinic premises, and regular backups.

We are required by law to retain adult health records for a minimum of seven years from the date of last service, and records of children until the patient turns twenty-five (25) years of age, in line with the NSW Health Records and Information Privacy Act. Some financial and tax records must be retained for at least seven years under separate legislation. After these periods, records are securely destroyed or de-identified.

7. Cookies, analytics and advertising pixels

Our website uses cookies and similar tracking technologies to understand how visitors use the site, to improve it, and to deliver relevant advertising. The third-party tools we currently use are:

  • Google Analytics 4 (Google LLC) — measures aggregate visitor traffic and behaviour. Google Privacy Policy.
  • Microsoft Clarity (Microsoft Corporation) — records anonymised heatmaps and session recordings so we can see how visitors interact with pages and improve usability. Microsoft Privacy Statement.
  • Meta Pixel (Meta Platforms, Inc.) — collects information about your visit so we can measure the performance of our Facebook and Instagram advertising and show our ads to people likely to be interested in our services. Meta Privacy Policy.
  • Google Tag Manager / Google Ads tags may also fire on the site to support measurement and conversion tracking.

The information collected by these tools is generally aggregated and not identifiable to you personally by us. However, where these providers (Google, Microsoft, Meta) combine the information with data they already hold about you, they may identify you under their own policies.

You can opt out of advertising and analytics tracking by:

We do not use cookies or pixels to collect health information from this website. Health information is only collected through clinical channels (new-patient forms, in-clinic and telehealth consultations).

8. Direct marketing and your right to opt out

From time to time we may contact you with information about our services — such as appointment reminders, follow-up care messages, newsletters, health education content, or promotions — by email, SMS or phone. You can opt out at any time by replying STOP to any SMS, clicking "unsubscribe" in any email, or emailing us at admin@rehabnrun.com.au. We will action your request promptly and will continue to send you essential clinical communications (such as appointment confirmations and recall notices) regardless.

9. Cross-border storage and disclosure

Your clinical and practice management records are stored on Australian-based servers (via Nookal). However, some of the other third-party providers we use — including Google (Analytics, Google Workspace), Microsoft (Clarity) and Meta (advertising pixel) — may store or process information on servers located outside Australia, including in the United States and other countries. Where this happens, we take reasonable steps to ensure those providers handle your information in a way that is consistent with the Australian Privacy Principles.

10. Your rights — accessing and correcting your information

You have the right under APP 12 and APP 13 to ask us for a copy of the personal and health information we hold about you, and to ask us to correct anything that is inaccurate, out of date, incomplete, irrelevant or misleading.

To make a request, contact us using the details in Section 15. We will respond within 30 days. There is no fee to make a request, but we may charge a reasonable fee to cover the cost of providing copies of extensive records. In rare circumstances we may refuse access where the law permits — for example, where giving access would pose a serious threat to a person's safety. If we refuse, we will tell you why in writing and explain how you can complain.

11. Children and young people

Where we treat patients under the age of eighteen, we generally obtain consent from a parent or legal guardian. Young people who are sufficiently mature to understand the nature and effect of treatment (a "mature minor") may consent on their own behalf in line with NSW health guidelines and our clinical judgement. We hold the records of a child until they turn twenty-five (25), in line with NSW law.

12. Data breaches

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If a data breach occurs that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner as soon as practicable, and we will tell you what steps you can take to protect yourself.

13. Complaints

If you believe we have breached the Australian Privacy Principles, the NSW Health Privacy Principles, or this policy, please contact us first. We take complaints seriously and will try to resolve the issue with you directly. Write to admin@rehabnrun.com.au with "Privacy complaint" in the subject line, or mail us at the clinic address. We aim to acknowledge your complaint within 7 days and resolve it within 30 days.

If you are not satisfied with our response, you can escalate the matter to the relevant regulator:

  • Office of the Australian Information Commissioner (OAIC) — for breaches of the Privacy Act. Phone 1300 363 992 or visit oaic.gov.au.
  • NSW Information and Privacy Commission — for breaches of the NSW HRIP Act. Phone 1800 472 679 or visit ipc.nsw.gov.au.
  • Health Care Complaints Commission (HCCC) — for concerns about the conduct or care of a registered health practitioner in NSW. Phone 1800 043 159 or visit hccc.nsw.gov.au.
  • AHPRA — for concerns about the professional conduct of a registered physiotherapist. Phone 1300 419 495 or visit ahpra.gov.au.

14. Changes to this policy

We may update this policy from time to time to reflect changes to the law, our services or our systems. The current version is always available at rehabnrun.com.au/privacy-policy, and the "last updated" date at the top of this page tells you when it last changed. Significant changes will be communicated to existing patients where appropriate.

15. Contact us

If you have a question about your privacy, want to access or correct your records, or want to make a complaint, please contact our Privacy Officer:

Privacy Officer — Rehab N Run Pty Ltd
Shop 4C/389-393 Hume Highway
Liverpool NSW 2170
Email: admin@rehabnrun.com.au
Phone: 0430 425 374