Privacy and Data Protection Policy
Effective Date: 14 May 2026
Lumenara Pty Ltd (“Lumenara”, “we”, “our”, or “us”) is committed to protecting the privacy, confidentiality, and security of personal information. This Privacy and Data Protection Policy explains how we collect, use, store, disclose, and protect personal information, including health information and other sensitive information.
This policy applies to personal information collected through our website, digital platform, assessments, programs, telehealth services, psychological services, coaching, organisational programs, forms, communications, and related services.
We handle personal information in accordance with applicable privacy and data protection laws, including the Privacy Act 1988 (Cth), the Australian Privacy Principles, applicable Victorian health privacy requirements, and, where relevant, international privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).
1. Purpose
The purpose of this policy is to explain how Lumenara manages personal information in an open, transparent, safe, and responsible way. We aim to collect only the information we need, use it for clear and lawful purposes, protect it appropriately, and give individuals meaningful choices and access rights where applicable.
2. Scope
This policy applies to personal information collected from clients, participants, website visitors, referrers, employees, contractors, organisational customers, partners, suppliers, and other individuals who interact with Lumenara.
Where Lumenara provides psychological services, additional professional, ethical, clinical, supervision, and record-keeping obligations may apply.
3. Definitions
- Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable.
- Sensitive Information: A subset of personal information that may include health information, racial or ethnic origin, religious beliefs, sexual orientation, political opinions, disability information, biometric information, and other legally protected categories.
- Health Information: Information about an individual’s physical or psychological health, wellbeing, disability, health services received, treatment, assessment, support needs, referrals, or related information.
- Processing: Any operation performed on personal information, including collection, storage, use, disclosure, analysis, transfer, deletion, or de-identification.
- De-identified Information: Information that has been modified so that an individual is no longer reasonably identifiable.
- Aggregated Information: Information combined with other data so that it describes groups or trends rather than identifiable individuals.
4. What Information We Collect
The types of personal information we collect depend on how you interact with Lumenara. This may include:
- name, contact details, date of birth, location, and demographic information;
- account registration details, login information, and user preferences;
- referral information, presenting concerns, goals, wellbeing information, assessment responses, and program participation information;
- health information, including psychological history, risk and safety information, treatment information, session notes, reports, and support needs where relevant;
- Medicare, private health, WorkCover, TAC, NDIS, insurance, billing, payment, or funding information where applicable;
- emergency contact details and safety planning information where relevant to service delivery;
- communications with us, including emails, forms, messages, intake responses, feedback, and support requests;
- website and platform usage information, including device information, browser type, IP address, analytics data, cookies, and interaction data;
- organisational program information, including attendance, engagement, feedback, and assessment or learning activity data; and
- employment, contractor, or supplier information where relevant to business operations.
5. How We Collect Information
We usually collect personal information directly from you, including when you:
- complete a form, assessment, survey, intake, or booking request;
- use our website, platform, app, or digital tools;
- participate in a program, session, webinar, workshop, or assessment process;
- communicate with us by email, phone, video, form, or other channels;
- receive psychological, coaching, wellbeing, or related services from us; or
- apply for a role, contract, partnership, or supplier relationship with us.
In some cases, we may collect information from third parties, such as referrers, medical practitioners, insurers, employers, organisational customers, emergency contacts, payment providers, or other service providers, where this is lawful, authorised, consented to, or reasonably necessary for the service being provided.
6. Why We Collect, Use, and Disclose Information
We collect, use, and disclose personal information for purposes including:
- providing psychological, coaching, wellbeing, assessment, digital, or organisational services;
- conducting intake, triage, assessment, formulation, intervention planning, support, reporting, and follow-up;
- personalising programs, resources, recommendations, and learning pathways;
- administering bookings, billing, payments, Medicare or insurer processes, and service records;
- communicating with clients, participants, referrers, organisations, and service providers;
- supporting clinical governance, supervision, quality assurance, risk management, and professional obligations;
- improving our website, platform, assessments, programs, and services;
- conducting de-identified or aggregated analysis, evaluation, research, and reporting;
- meeting legal, regulatory, insurance, audit, tax, professional, and record-keeping obligations;
- responding to complaints, safety concerns, legal requests, or regulatory requirements; and
- sending service updates, program information, or marketing communications where permitted by law and consent settings.
7. Sensitive and Health Information
Lumenara may collect sensitive information, including health information, where it is reasonably necessary for providing our services, where you have consented, or where collection is otherwise permitted or required by law.
Health information is treated with additional care. We only collect health information that is relevant to the service being provided, and we take reasonable steps to protect it from misuse, interference, loss, unauthorised access, modification, or disclosure.
8. Psychological Services, Supervision, and Confidentiality
Where Lumenara provides psychological services, your information is handled confidentially and in accordance with professional, ethical, legal, and regulatory obligations.
Confidentiality is important, but it is not absolute. We may use or disclose information where:
- you have provided consent;
- disclosure is required or authorised by law;
- it is necessary to prevent or lessen a serious threat to life, health, safety, or wellbeing;
- it is necessary for clinical governance, supervision, consultation, risk management, or professional obligations;
- it is required for billing, Medicare, insurer, WorkCover, TAC, NDIS, or related administrative purposes; or
- it is otherwise permitted under applicable privacy, health, or professional standards.
If psychological services are provided under supervision, relevant client information may be discussed with a Board-approved supervisor or appropriate professional consultant for supervision, safety, quality, ethical, and professional development purposes. Wherever practical, information used in supervision or consultation is limited to what is necessary.
9. Digital Tools, Assessments, AI, and Automated Processing
Lumenara may use digital tools, assessments, algorithms, or AI-assisted systems to support wellbeing insights, program personalisation, reflective prompts, content recommendations, administrative workflows, and service improvement.
We do not use automated systems as the sole basis for clinical diagnosis, crisis decisions, treatment decisions, or decisions that significantly affect access to psychological services without appropriate human review.
Assessment results, digital reflections, and AI-assisted outputs should not be treated as a substitute for professional advice, diagnosis, emergency support, or clinical care. Where a tool identifies possible concerns, it may be used to support reflection, formulation, discussion, referral, or service planning.
Where third-party AI, hosting, analytics, or automation providers are used, we take reasonable steps to ensure appropriate privacy, security, and data handling arrangements are in place.
10. Cookies, Analytics, and Website Data
We may use cookies, analytics tools, tracking technologies, and similar technologies to understand website use, improve user experience, maintain security, measure engagement, and improve our services.
This may include information such as browser type, device type, IP address, pages visited, time spent on pages, referring links, and interactions with website features.
You can adjust cookie settings through your browser. Disabling cookies may affect website functionality.
11. Marketing Communications
We may send service updates, program information, newsletters, or marketing communications where permitted by law. You can unsubscribe from marketing communications at any time using the unsubscribe link provided or by contacting us.
We do not sell personal information.
12. Disclosure to Third Parties
We may disclose personal information to third parties where reasonably necessary for our services, operations, legal obligations, or with consent. This may include:
- health practitioners, supervisors, referrers, consultants, or professional advisers;
- practice management, booking, telehealth, payment, billing, email, cloud hosting, analytics, security, and technology providers;
- Medicare, private health insurers, WorkCover, TAC, NDIS, or other funding bodies where applicable;
- organisational customers, but only in accordance with agreed privacy settings, reporting boundaries, and consent arrangements;
- legal, accounting, insurance, audit, and compliance advisers;
- regulators, courts, law enforcement, or government agencies where required or authorised by law; and
- emergency services or support persons where necessary to manage serious safety concerns.
Where Lumenara provides services to organisations, individual results or personal health information are not provided to an employer or organisation unless this has been clearly explained, authorised, consented to, or required by law. Organisational reporting is usually de-identified, aggregated, or limited to agreed participation or program-level information.
13. Cross-Border Disclosure
Some of our technology, cloud, analytics, communication, payment, support, or AI service providers may store or process information outside Australia.
Before disclosing personal information overseas, we take reasonable steps to ensure that overseas recipients handle information in a way that is consistent with applicable privacy and data protection obligations, including through contractual, technical, organisational, and security safeguards where appropriate.
14. Data Quality
Lumenara takes reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, complete, current, and relevant for the purpose for which it is used.
You can contact us to request correction of personal information we hold about you.
15. Data Security
We take reasonable technical, organisational, and administrative steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
These measures may include secure systems, access controls, password protection, encryption where appropriate, staff and contractor confidentiality obligations, secure communication practices, data minimisation, backup processes, audit trails, and restricted access to sensitive information.
No method of transmission or electronic storage is completely secure. We cannot guarantee absolute security, but we take reasonable steps to protect information in line with the nature and sensitivity of the information we hold.
16. Data Breaches
If we become aware of a suspected or actual data breach, we will take reasonable steps to contain, assess, and respond to the breach.
Where a breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner where required under the Notifiable Data Breaches scheme or other applicable laws.
17. Access, Correction, and Data Rights
You may request access to personal information we hold about you, or ask us to correct information that is inaccurate, incomplete, or out of date.
In some circumstances, access may be refused or limited where permitted by law, including where providing access would pose a serious threat to life, health, or safety; unreasonably impact another person’s privacy; prejudice legal proceedings; or breach legal or professional obligations.
If GDPR, CCPA/CPRA, or another privacy framework applies to you, you may have additional rights, including:
- the right to access personal data;
- the right to rectification of inaccurate data;
- the right to erasure, subject to legal and professional record-keeping obligations;
- the right to restrict processing;
- the right to data portability;
- the right to object to processing;
- the right not to be subject to certain automated decision-making; and
- the right to opt out of the sale or sharing of personal information where applicable.
To exercise these rights, please contact us using the details provided below.
18. Data Retention
We retain personal information for as long as reasonably necessary for the purpose for which it was collected, and for any legal, professional, clinical, insurance, audit, tax, regulatory, or record-keeping obligations that apply.
Health and psychological service records may need to be retained for legally or professionally required periods, even if you ask us to delete them.
When information is no longer required, we take reasonable steps to securely destroy or de-identify it.
19. De-identified and Aggregated Information
Lumenara may use de-identified or aggregated information for service evaluation, research, reporting, product development, quality improvement, program design, and organisational insights.
We take reasonable steps to ensure that de-identified or aggregated information does not reasonably identify an individual.
20. Children and Young People
Lumenara’s services are primarily intended for adults. We do not knowingly collect personal information from children or young people without appropriate parent, guardian, or other authorised consent, or another lawful basis.
If we become aware that we have collected personal information from a child without appropriate consent or lawful authority, we will take reasonable steps to address the matter.
21. Third-Party Links and Services
Our website, platform, emails, or resources may contain links to third-party websites, tools, platforms, or services. We are not responsible for the privacy practices or content of third-party services. We encourage you to review their privacy policies before providing personal information.
22. Complaints
If you have concerns about how we have handled your personal information, please contact us using the details below. We will take privacy complaints seriously and respond within a reasonable timeframe.
If you are not satisfied with our response, you may be able to contact the Office of the Australian Information Commissioner or another relevant privacy, health, or data protection authority.
23. Changes to This Policy
We may update this policy from time to time to reflect changes in our services, technology, legal obligations, or privacy practices. The updated version will be published on our website with a revised effective date.
24. Contact Us
For questions, requests, or concerns about this Privacy and Data Protection Policy, please contact:
Email: privacy@lumenara.io
Address: 11 Wilson Street, South Yarra, Melbourne, VIC, Australia
