Privacy Policy
Miyagi AI Pty Ltd · Current as of: March 2026 - Version 1.0
1. Who we are and what this policy covers
Miyagi AI Pty Ltd (“we”, “us”, “our”) is an Australian software company. Our product is designed to help health practice staff manage patient administration more efficiently. Our product, Miyagi, provides real-time call transcription and AI-powered insights for Australian medical practices. The audio from calls is captured and converted to text transcripts; the resulting transcripts are processed by our AI insights engine to generate clinical and operational suggestions.
We are not a healthcare provider - we are a technology company that handles information on behalf of the health practices who use our software. This distinction matters, and this policy explains clearly what we do with information, and what we don’t.
This policy covers:
- information about the staff and administrators at health practices who use Miyagi (“client data”); and
- patient information that health practices store and manage using our software (“patient data”).
We are committed to handling all information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. The two types of information we handle
It’s important to understand that we handle two distinct types of information, and our role is different for each.
Client data - information about practice staff and administrators
When a health practice signs up to use Miyagi, we collect information about the practice itself and the staff members who will use the software. This includes names, contact details, job roles, login credentials, and billing information.
For this information, we act as the data controller - we decide how it’s collected and used, and we’re directly responsible for it under the Privacy Act.
Patient data - information about patients of our client practices
Health practices use Miyagi to manage patient records for administrative purposes - things like appointment scheduling, contact details, and call records. This information belongs to the practice and their patients.
For patient data, we act as a data processor - we store and process it on the practice’s behalf, but the practice remains responsible for it. This means that if a patient wants to access, correct, or raise a concern about their records, they should contact their health practice directly. We will always cooperate with practices to help them meet their own privacy obligations.
In plain terms: if you’re a patient and want to know what’s in your record or want something changed, your first step is to contact your health practice directly - they’re best placed to help, and we’ll support them in doing so.
3. How we collect information
Client data
We collect client data when:
- a practice sets up an account with us;
- staff members register to use Miyagi;
- practices contact us for support; or
- practices visit our website or communicate with us.
Patient data
Patient data is collected as part of the normal administrative work undertaken by practice staff. We do not collect patient data directly from patients - all patient information comes to us through the practice’s administrative processes.
One specific feature of Miyagi involves the transcription of phone calls between patients and practice staff (see Section 5 for more detail on how this works and how to opt out).
4. Why we use your information
We use client data to:
- set up and manage accounts;
- provide, maintain, and improve Miyagi;
- respond to support requests;
- send important service updates and, where you’ve consented, relevant product information; and
- meet our legal obligations.
We use patient data solely to provide the services that practices have contracted us to deliver. We do not use patient data for any secondary purpose - including marketing, research, or product development - without explicit agreement from the practice.
We will never sell any information to third parties.
5. Who we share information with
We do not share information with third parties except in the circumstances described below.
Subprocessors
To deliver Miyagi, we work with a small number of trusted technology providers. Our cloud infrastructure is hosted in Australia. We also use one overseas service provider:
Deepgram (United States) - We use Deepgram’s voice processing technology to transcribe phone calls between patients and practice staff, where the call transcription feature is enabled. Deepgram processes audio in real time for the purpose of transcription only - audio data is not stored by Deepgram. This service is governed by a Data Processing Agreement that requires Deepgram to handle data in a manner consistent with the Australian Privacy Principles.
What this means in practice: when a patient calls a practice that uses Miyagi’s call transcription feature, their call audio is briefly processed by Deepgram’s servers in the United States to produce a text transcript. It is not stored there.
Call transcription is enabled by default. Patients are notified at the start of each call that the call may be recorded and transcribed. Either the patient or a staff member may opt out at any time - doing so immediately halts transcription for that call.
Other disclosures
We may also share information:
- with professional advisors (legal, accounting, auditing) who are bound by confidentiality obligations;
- where required by law, court order, or regulatory requirement; or
- in the event of a business sale or merger, where information may be transferred to a successor entity under equivalent privacy protections.
6. How we protect your information
We take the security of health information seriously. Our measures include:
- encryption of data in transit and at rest;
- role-based access controls so that staff only access information relevant to their role;
- audit logging of access to patient data;
- regular security assessments; and
- staff training on privacy and data handling obligations.
Our cloud infrastructure is hosted in Australia with an ISO 27001-certified provider (AWS); details of their certification can be provided on demand.
Despite these measures, no system is completely immune to security risks. If you have a security concern, please contact us at founders@heymiyagi.ai.
Data breach notification
We are subject to the Notifiable Data Breaches (NDB) scheme under the Privacy Act. If we become aware of a suspected data breach, we will assess it promptly - and in any case within 30 days - to determine whether it is an ‘eligible data breach’: that is, whether it is likely to result in serious harm to any individual and cannot be prevented through remedial action. If we determine that an eligible data breach has occurred, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.
7. How long we keep your information
We retain information only for as long as it is needed for the purposes described in this policy, or as required by law.
Patient data is retained for as long as the practice maintains an active account with us. Legal minimum retention periods for health records (typically 7 years from the date of last entry for adults, or until a minor turns 25) are obligations that sit with the health practice as the health service provider - not with us. We support practices in meeting those obligations by retaining their data securely for the life of their account.
Upon termination of a subscription, we will retain patient data for 90 days to allow the practice to export their records. We strongly recommend practices export their data before closing their account. After 90 days, patient data will be securely and permanently deleted from our systems, unless a longer period has been agreed in writing.
Client account data (practice and staff information) is retained for the duration of the subscription and for a reasonable period after termination to meet our legal and contractual obligations.
Call transcripts are subject to the same retention period as other patient data. Practices may request earlier deletion of transcripts at any time.
8. Your rights
Access and correction
You have the right to request access to personal information we hold about you, and to ask us to correct it if it is inaccurate or out of date.
For client data (practice staff and administrators): please contact us directly at founders@heymiyagi.ai.
For patient data: as noted in Section 2, patient data is held by us on behalf of health practices. Patients should direct access and correction requests to their practice in the first instance. Where a practice asks us to assist, we will do so promptly.
We will respond to access and correction requests within 30 days. In some circumstances we may need to verify your identity before releasing information.
Complaints
We take privacy complaints seriously. If you have a concern about how we’ve handled your information, please contact us in writing at:
Miyagi AI - Privacy Officer
127 Constitution Road West, West Ryde, NSW 2114
founders@heymiyagi.ai
We will acknowledge your complaint within 5 business days of receiving it and aim to resolve it within 30 days.
If you are not satisfied with our response, you may also contact the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
9. Keeping this policy current
We review this policy regularly to ensure it remains accurate and reflects any changes to our practices, services, or legal obligations.
When we make material changes - changes that affect your rights or how we use your information - we will notify our clients by email before the changes take effect. The updated policy will always be available on our website.
The version date at the top of this document reflects when the policy was last updated.
Appendix: Additional considerations for future contexts
The following sections are not currently active but are included to signal our commitment to addressing additional privacy obligations as Miyagi grows and serves a broader range of practice types.
A. Aged care
Practices operating under the Aged Care Act 1997 are subject to additional obligations regarding the handling of aged care recipient information. Where Miyagi is used in aged care settings, we will review and document our obligations under this framework and update this policy accordingly.
B. Mental health
Mental health information is subject to heightened sensitivity under the APPs and, in some jurisdictions, specific state-based legislation (such as the Mental Health Act). We will apply additional safeguards appropriate to this context where applicable.
C. My Health Record integration
If Miyagi integrates with the My Health Record system in the future, the My Health Records Act 2012 (Cth) will impose additional obligations. We will update this policy and our security practices before any such integration is enabled.
D. Queensland public sector clients
Queensland government health agencies - including public hospitals and Hospital and Health Services - are governed by the Information Privacy Act 2009 (Qld) and the Queensland Privacy Principles (QPPs), which came into effect on 1 July 2025. These obligations sit with the agency, not with us, but as their technology vendor we would need to ensure our practices are consistent with the QPP framework. If Miyagi is ever used by a Queensland government health agency, we will review our obligations under this framework and update this policy accordingly.
E. International expansion
This policy is currently written for Australian operations only. If we expand to serve clients in other jurisdictions (including New Zealand, the UK, or the EU), additional privacy frameworks - such as the New Zealand Privacy Act 2020, the UK GDPR, or the EU GDPR - may apply. We will update this policy and engage appropriate legal advice before serving clients in those markets.
Miyagi AI PTY LTD - ABN 81678658743 - heymiyagi.ai