Privacy Policy

Version 2.0 · Last updated: 4 April 2026 · Effective: 4 April 2026

1. About this policy

Webbed Feet Pty Ltd (ABN 50 135 841 477) trading as Velluto Health (“Velluto”, “we”, “us”) operates the Velluto platform at velluto.app and the website at velluto.health. We provide a clinical assessment support platform for general practitioners and their patients, enabling structured collection of patient history, validated questionnaire responses, and supporting documents across a range of clinical presentations.

Velluto currently supports adult and paediatric ADHD assessments. The platform is designed to expand to additional clinical areas over time.

This policy explains how we collect, use, disclose, and protect personal information, including sensitive health information, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What information we collect

From patients

  • Name, date of birth, email address
  • GP and practice details (provided by the GP when creating the assessment)
  • Responses to clinical questionnaires (validated screening instruments relevant to the assessment) and related context questions
  • Timing data associated with questionnaire completion
  • Uploaded supporting documents (school reports, medical records, previous assessments, employer letters)
  • Free-text observations and self-reported medical and mental health history
  • Observer/informant name, relationship, and questionnaire responses
  • Consent records (date, time, IP address, user agent)

From GPs and practices

  • Name, email address, AHPRA registration number (publicly available on the AHPRA register)
  • Practice name and address
  • Appointment dates and clinical notes added to the assessment record

3. How we collect your information

Directly from you

  • Registration: When a GP or practice manager registers on the Velluto platform.
  • Assessment creation: When a GP creates a new patient assessment and enters patient details.
  • Patient intake: When a patient completes questionnaires, uploads documents, or provides medical history through the platform.
  • Observer reports: When a patient-nominated observer completes their questionnaire.
  • Communication: When you contact us by email, through the platform, or through our website.

From third parties

  • Where you are a GP, we may verify your registration status through publicly available AHPRA records.
  • If payment processing is enabled, we receive payment confirmation from our payment provider (we do not receive or store full credit card numbers).

Automatically

When you access our website or platform, we automatically collect technical data such as device type, browser, IP address, and pages visited (see Section 11).

If you choose not to provide requested information, it may affect our ability to deliver the service to you.

4. How we use personal information

We use personal information to:

  • Provide the Velluto assessment platform to GPs and their patients
  • Generate AI-assisted clinical summaries for review by the treating GP
  • Send assessment invitations and completion notifications to patients
  • Send completed summary notifications to GPs
  • Verify identity and manage accounts
  • Comply with legal obligations
  • Improve the platform (aggregated, de-identified data only)

We do not use patient health information for advertising, profiling, or sale to third parties.

GP and practice information (including name, email address, AHPRA registration number, and practice details) is used only to provide and administer the Velluto platform, verify practitioner registration, and communicate with you about the platform. It is not used for purposes unrelated to your use of Velluto and is not sold or provided to third parties for their independent use.

No patient data is used to train, develop, or improve any AI models. AI systems receive pseudonymised data solely to generate clinical summaries for the treating GP. Outputs are not fed back into model training.

5. Sensitive information

Responses to clinical questionnaires, uploaded medical documents, and clinical summary content are sensitive information under the Privacy Act. We handle sensitive information with additional care:

  • We only collect it with explicit consent
  • We only use it for the purposes stated at collection
  • We apply technical pseudonymisation before it is processed by AI systems (see Section 7)
  • Access is restricted to the treating GP and authorised Velluto staff under strict need-to-know controls

6. Disclosure of personal information

We disclose personal information to the following categories of recipients:

Recipient                    Purpose                                        Location
Supabase                     Database hosting                               AWS ap-southeast-2 (Sydney)
AWS S3                       Document storage                               ap-southeast-2 (Sydney)
Google (Vertex AI)           Document extraction (see Section 7)            australia-southeast1 (Sydney)
AWS (Bedrock / Anthropic)    Clinical summary generation (see Section 7)    ap-southeast-2 (Sydney)
Resend                       Email delivery                                 United States
Vercel                       Application hosting                            United States (global CDN)
Cloudflare                   DNS, CDN, network security                     United States (global network)
Sentry                       Error monitoring (anonymised events only)      Germany (EU)

We do not sell personal information to any party.

We may also share your personal information with:

  • Professional advisers (legal, accounting) under confidentiality obligations
  • Government agencies, regulatory bodies, or law enforcement where required or authorised by law

7. Cross-border disclosure of personal information

Under Australian Privacy Principle 8, we are required to disclose when we transfer personal information to overseas recipients and to take reasonable steps to ensure those recipients comply with the APPs.

Pseudonymisation before AI processing

Before any patient information is sent to an AI system, Velluto applies a pseudonymisation layer. Personal identifiers are replaced with tokens, and the mapping between tokens and identities is retained securely by Velluto and never disclosed to any AI provider.

Specifically:

  • Patient name, GP name, and practice name are replaced with placeholder tokens
  • Date of birth is converted to a 5-year age band (e.g., “35–39”)
  • Email addresses, Medicare numbers, and street addresses are scrubbed using pattern matching
  • Free-text fields undergo secondary scrubbing to remove any remaining identifying patterns

After AI processing, patient names are restored from the secure mapping for display to the GP only. The AI provider receives only pseudonymised data and cannot re-identify any individual.
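As an added illustration of the pseudonymisation steps listed above (example code written for this page, not Velluto's own implementation): the three names become random tokens whose mapping stays local, the date of birth becomes a 5-year band, the free text is scrubbed for emails, Medicare numbers and street addresses, and only the patient name is restored afterwards. The Medicare and address patterns, the record field names and the sample record are constructed assumptions.

```python
import re
import secrets
from datetime import date

# Constructed patterns, not Velluto's own rules: Australian Medicare numbers are
# ten digits, usually written "2123 45670 1"; the address pattern is a heuristic.
SCRUB_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "MEDICARE": re.compile(r"\b\d{4}[ -]?\d{5}[ -]?\d\b"),
    "ADDRESS": re.compile(r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}(?:Street|St|Road|Rd|Avenue|Ave)\b"),
}

def age_band(dob: date, today: date) -> str:
    # Five-year band in place of the date of birth, e.g. 1989-06-12 -> "35-39"
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return f"{age - age % 5}-{age - age % 5 + 4}"

class Pseudonymiser:
    def __init__(self):
        self._identities = {}  # token -> real value; never sent to the AI provider
    def _token(self, kind: str, value: str) -> str:
        tok = f"[{kind}_{secrets.token_hex(4)}]"  # random, unguessable token
        self._identities[tok] = value
        return tok
    def pseudonymise(self, record: dict, today: date) -> dict:
        names = ("patient_name", "gp_name", "practice_name")
        tokens = {record[k]: self._token(k.upper(), record[k]) for k in names}
        text = record["history"]
        # Known identifiers first (longest first), then pattern scrubbing of free text
        for real, tok in sorted(tokens.items(), key=lambda kv: -len(kv[0])):
            text = re.sub(re.escape(real), tok, text, flags=re.IGNORECASE)
        for kind, pat in SCRUB_PATTERNS.items():
            text = pat.sub(f"[{kind}_REDACTED]", text)
        return {"patient": tokens[record["patient_name"]],
                "gp": tokens[record["gp_name"]],
                "practice": tokens[record["practice_name"]],
                "age_band": age_band(record["dob"], today), "history": text}
    def restore_patient_name(self, summary: str) -> str:
        # Re-identify only the patient, for display to the treating GP
        for tok, real in self._identities.items():
            if tok.startswith("[PATIENT_NAME_"):
                summary = summary.replace(tok, real)
        return summary

# Constructed sample record; the field names are assumptions for this example.
SAMPLE = {"patient_name": "Jane Doe", "gp_name": "Dr Alan Smith",
          "practice_name": "Harbour Medical", "dob": date(1989, 6, 12),
          "history": "Jane Doe (jane.doe@example.com, Medicare 2123 45670 1) of "
                     "14 Wattle Street, seen at Harbour Medical by Dr Alan Smith."}

def demo(today: date = date(2026, 4, 4)) -> dict:
    p = Pseudonymiser()
    out = p.pseudonymise(SAMPLE, today)
    out["restored"] = p.restore_patient_name(f"Summary for {out['patient']}")
    return out
```

The returned "history" is what an AI provider would receive; nothing in it maps back to a person without the mapping held in the Pseudonymiser instance.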

Google (Vertex AI): document extraction

  • What is sent: Pseudonymised content of uploaded supporting documents
  • Purpose: Extracting clinically relevant information from uploaded files
  • Data residency: australia-southeast1 (Sydney). All requests are processed through the Australian endpoint.
  • Safeguards: Google Cloud Data Processing Addendum, SOC 2 Type II, ISO 27001 certified
  • Countries: Australia

AWS (Bedrock / Anthropic): clinical summary generation

  • What is sent: Pseudonymised assessment data (questionnaire scores, validity signals, observer data, extracted document summaries, medical history)
  • Purpose: Generating a structured clinical summary for the treating GP
  • Data residency: ap-southeast-2 (Sydney). AWS Bedrock provides an explicit regional data residency guarantee.
  • Safeguards: AWS Data Processing Addendum, IRAP assessed infrastructure, SOC 2 Type II, ISO 27001 certified. Anthropic does not receive customer data.
  • Countries: Australia

Resend: email delivery

  • What is sent: Patient first name, observer first name, practice name, appointment date, and secure intake/observer links. No health information is included in any email.
  • Purpose: Sending assessment intake invitations, completion reminders, and observer questionnaire invitations
  • Safeguards: SOC 2 Type II certified. GDPR compliant with a published Data Processing Agreement. EU-US Data Privacy Framework certified. All data encrypted at rest (AES-256) and in transit (TLS 1.3). Resend acts as a data processor under Velluto’s instructions.
  • Countries: United States

Vercel: application hosting

  • What is sent: Request metadata only (IP address, request path, browser headers). Patient health data is stored in Supabase (Sydney) and is not stored by Vercel.
  • Purpose: Hosting and delivering the Velluto web application.
  • Safeguards: SOC 2 Type II certified. Vercel acts as a data processor under Velluto’s instructions.
  • Countries: United States (primarily); application serverless functions run in the Sydney region.

Cloudflare: network security and DNS

  • What is sent: Request metadata only (IP address, request path, browser headers). Patient health data is not disclosed to Cloudflare.
  • Purpose: DNS resolution, DDoS protection, and network-level security.
  • Safeguards: SOC 2 Type II certified.
  • Countries: United States (global network).

Sentry: error monitoring

  • What is sent: Anonymised error events, stack traces, and application performance metrics. PII transmission is explicitly disabled. No patient names, email addresses, health information, or session identifiers are sent to Sentry.
  • Purpose: Detecting and diagnosing application errors to maintain platform reliability.
  • Safeguards: SOC 2 Type II certified. GDPR compliant. Sentry acts as a data processor under Velluto’s instructions.
  • Countries: Germany (EU).

Accountability

Our AI processing (Google Vertex AI and AWS Bedrock) runs through Australian endpoints. Overseas recipients of personal information are Resend (USA) for email delivery, Vercel (USA) for application hosting, Cloudflare (USA) for network security, and Sentry (Germany) for error monitoring. In each case, the personal information disclosed is limited and does not include patient health information or clinical data. We have taken reasonable steps to ensure that each overseas recipient handles personal information in accordance with the APPs, including through data processing agreements incorporating privacy and security obligations (APP 8.2(a)).

8. Marketing and opt-out

We may occasionally send you information about Velluto’s services by email. We will only do so in accordance with privacy laws.

We will never:

  • Use your health information to send you marketing communications
  • Disclose your information to a third party for their marketing purposes

You can opt out of marketing communications at any time by using the unsubscribe link in any email or by contacting us at [email protected].

9. Data security

Data protection is built into the platform architecture. Practice data is isolated at the database level so that one practice cannot access another’s records. Security-critical session fields are derived server-side and cannot be modified by the user. We implement the following security measures:

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Patient assessment tokens are cryptographically random (128-bit, URL-safe)
  • Document storage in private S3 buckets with presigned URLs (5-minute expiry)
  • Role-based access: GPs can only access their own patients’ data
  • Passwordless authentication via magic link (no stored passwords to compromise)
  • Audit logging of all data access and consent events
  • Security audits and automated vulnerability scanning conducted regularly
  • Cybersecurity and professional indemnity insurance maintained to cover data breach response, regulatory inquiry, and platform errors

10. Data retention

Retention periods are aligned with Australian medical records obligations.

Adult patients

For adult patients, assessment data is retained for 7 years from the date of assessment completion, consistent with RACGP standards and federal requirements.

Paediatric patients

Velluto supports assessments for children and adolescents (ages 6 to 17). For paediatric patients, data is retained until the later of: 7 years from the date of assessment, or until the patient turns 25. This aligns with obligations applicable to medical records created for minors under the age of 18.

Parent or guardian consent is obtained on behalf of the child before any paediatric assessment commences. The consent record identifies the parent or guardian and their relationship to the child.

Retention schedule

Data type                                              Retention period
Assessment data and clinical summaries (adults)        7 years from assessment completion
Assessment data and clinical summaries (paediatric)    7 years from assessment, or until age 25, whichever is later
Uploaded documents                                     Same period as assessment data
Consent records                                        Same period as assessment data
Billing records                                        7 years (tax obligation)
Server access logs                                     90 days

Patients and GPs may request deletion of personal information subject to our legal retention obligations.

Practice termination

If a GP practice ceases to use the Velluto platform, patient data remains accessible to the practice for 30 days for the purpose of data export. After this export window closes, patient assessment data is scheduled for deletion and permanently removed within 90 days. GP account data is deactivated at the time of termination.

11. Cookies and analytics

Our website (velluto.health) may use cookies, which are small files stored on your device. We use cookies to remember your preferences and understand how visitors use our website.

On the clinical platform (velluto.app), we use functional cookies only. These are necessary to keep you logged in and to maintain your session. We do not use tracking, advertising, or analytics cookies on the clinical platform. No patient health information is shared with or transmitted to any third-party analytics service.

You can configure your browser to accept or reject cookies. If you reject functional cookies on the clinical platform, you will not be able to remain logged in.

12. Access and correction

Individuals have the right to:

  • Request access to personal information we hold about them (APP 12)
  • Request correction of inaccurate or incomplete information (APP 13)

To make a request, contact our Privacy Officer at [email protected]. Please include your name, email address, and a description of the information you are seeking. We will verify your identity before releasing any health information.

We will respond to access and correction requests within 30 days. We may charge a reasonable fee for access requests that require substantial effort to fulfil. We may refuse access where the Privacy Act permits (for example, where access would impact the privacy of another individual), and will provide written reasons for any refusal.

For questions about clinical decisions recorded during your assessment (such as your GP’s diagnostic notes or treatment recommendations), please contact the GP practice that initiated your assessment. These decisions are made by your treating GP, not by Velluto.

13. Notifiable data breaches

Under the Notifiable Data Breaches (NDB) scheme (Part IIIC, Privacy Act 1988), we are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm.

If we become aware of a suspected data breach involving personal information held on the Velluto platform, we will:

  • Contain the breach and take immediate steps to limit any further access or disclosure
  • Assess whether the breach is likely to result in serious harm, completing our assessment as quickly as practicable and within 30 days at most (the statutory maximum)
  • Where we determine the breach is an eligible data breach: notify the OAIC and affected individuals in accordance with Part IIIC of the Privacy Act
  • Notify the relevant GP practice or practices as soon as practicable, regardless of whether the breach meets the NDB threshold, so they can take any steps needed to protect their patients
  • Document the breach, our assessment, and all actions taken

We maintain an internal breach response plan that sets out roles, escalation procedures, and communication templates. Our cybersecurity insurance covers breach response costs including forensic investigation, legal advice, and notification expenses.

14. Complaints

If you believe we have breached the APPs, please contact our Privacy Officer at [email protected]. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

15. Changes to this policy

We will notify registered users by email before material changes to this policy take effect. Material changes include changes to how we handle health information, the addition of new overseas sub-processors, changes to data retention periods, and changes to your privacy rights under this policy.

16. Contact

Webbed Feet Pty Ltd (trading as Velluto Health)
ABN 50 135 841 477

Privacy Officer: [email protected]
General enquiries: [email protected]

Velluto has designated a Privacy Officer responsible for ensuring compliance with the Privacy Act 1988 and the Australian Privacy Principles. Privacy enquiries, access requests, correction requests, and complaints may be directed to the Privacy Officer at [email protected].

This policy was last reviewed on 4 April 2026.