Privacy Policy

Last updated: 11 June 2026

This Privacy Policy applies to Personal Information collected by Qiri Pty Ltd (we, us or our) in connection with Qiri, our pharmacy and patient platform powered by Qiri.ai (Qiri or the Services), including through our websites at www.qiri.ai, and any related applications, integrations, or services we operate. Qiri is a trading name of Qiri Pty Ltd.

Qiri is used by two main groups:

  1. pharmacists and pharmacy staff, who use Qiri as a clinical decision support tool to assist their professional practice; and
  2. patients, who may use Qiri directly or through their pharmacy to access general health information.

How we handle your information depends on which group you fall into and how you access Qiri. Where relevant, this policy distinguishes between the two.

1. What information do we collect?

The Personal Information we collect depends on how you interact with Qiri. We collect only Personal Information that is reasonably necessary for our functions or activities. The categories of Personal Information we may collect and hold include:

  1. Account and authentication information, including usernames and securely stored (hashed and encrypted) passwords used to authenticate access to the Services;
  2. Contact information, including name, email address, and where relevant phone number, provided when you create an account, communicate with us, submit feedback, or otherwise interact with the Services;
  3. Professional registration information for pharmacist and pharmacy staff users, including AHPRA registration number, employer details, and role;
  4. Health information about patients, including medication history, conditions, allergies, symptoms, queries, and other health-related information entered into Qiri by a patient, or by a pharmacist on a patient's behalf. Health information is Sensitive Information under the Privacy Act 1988 (Cth) and is handled in accordance with the Australian Privacy Principles and applicable state and territory health privacy laws;
  5. Healthcare identifiers and My Health Record information, where Qiri is or becomes integrated with these systems. This may include Individual Healthcare Identifiers (IHI), Healthcare Provider Identifiers (HPI-I and HPI-O), and information accessed through the My Health Record system. We handle this information in accordance with the Healthcare Identifiers Act 2010 (Cth), the My Health Records Act 2012 (Cth), and the rules made under those Acts;
  6. Usage and interaction data, including search queries, prompts, AI interactions, and other information generated through use of the Services, which may be associated with your account or device;
  7. Feedback and communications, including information you provide when contacting us, raising support requests, or submitting feedback;
  8. Payment and transaction information, including billing details and payment method information, which may be stored securely on a recurring basis or processed on a one-off basis through PCI-DSS compliant payment service providers;
  9. User content and connected data, including content you upload to the Services and data obtained through authorised third-party integrations such as pharmacy dispensing systems; and
  10. Cookies and analytics: information collected through cookies and similar technologies. Session cookies are generally anonymous, but authentication cookies used when you are logged in will identify you to our servers.

2. Definitions

In this Privacy Policy, the terms Personal Information, Sensitive Information, and health information have the meanings given to them in the Privacy Act 1988 (Cth) (Privacy Act). Health information is a category of Sensitive Information.

Because Qiri is used in a healthcare setting, we collect Sensitive Information, including health information, where this is reasonably necessary to provide the Services. We do so with your consent, or where another exception under the Australian Privacy Principles or applicable health privacy legislation applies (for example, where collection is necessary for the provision of a health service).

3. How we collect your Personal Information

  1. We generally collect Personal Information directly from you when you create an account, enter information into Qiri, or otherwise communicate with us.
  2. If you are a patient accessing Qiri through a pharmacy, your pharmacy or pharmacist may also enter Personal Information about you into the Services on your behalf, with your consent.
  3. We may also collect Personal Information from third parties, including authorised integrations (such as pharmacy dispensing systems and government health systems), payment providers, identity verification providers, and analytics providers. Where we receive Personal Information from a third party, we handle it in accordance with this Privacy Policy and applicable law.

4. Purpose of collection

We collect and use Personal Information for the primary purpose of providing, operating, and improving Qiri, and for related purposes you would reasonably expect, including to:

  1. create and manage user accounts and authenticate access to the Services;
  2. operate platform features, including the generation of AI outputs in response to user inputs, to assist pharmacists with decision support and to provide patients with general health information;
  3. communicate with users about service updates, support requests, and operational matters;
  4. conduct analytics, research, and service improvement activities, using de-identified or aggregated data wherever practicable and in accordance with the Office of the Australian Information Commissioner's guidance on de-identification;
  5. process payments and manage billing arrangements;
  6. comply with legal, regulatory, and professional obligations, including those applicable to pharmacists and pharmacy operators; and
  7. detect, prevent, and respond to fraud, misuse, and security incidents.

Some features of the Services allow users to share content or make profile information visible to others (for example, between a pharmacist and a patient). Visibility is controlled by user-selected settings. Further information is provided in the Software User Terms and within the Services.

We may send direct marketing communications where permitted by law. We will not use your health information or other Sensitive Information for direct marketing without your express consent. You can opt out of any direct marketing at any time using the unsubscribe link in the message or by contacting us at the details in section 17.

5. Qiri is decision support, not a substitute for professional advice

Qiri is designed to assist pharmacists in their professional practice and to provide patients with general health information. AI-generated outputs are not a substitute for a personal clinical assessment by a qualified health professional. Pharmacists using Qiri retain full professional responsibility for any decision they make based on Qiri outputs. Patients should consult their pharmacist, doctor, or other qualified health professional before acting on any information provided through Qiri.

6. Automated decision making and AI

Qiri uses artificial intelligence to generate responses, summaries, and suggestions based on user inputs. Where required by the Privacy Act 1988 (Cth) (including amendments introduced by the Privacy and Other Legislation Amendment Act 2024) or other applicable law, we will provide additional information about how automated decisions or AI-generated outputs are produced and how they may affect you. Qiri is configured so that meaningful human oversight is maintained for any output that supports a clinical decision affecting a patient.

7. Security and retention

We take reasonable technical and organisational measures to protect Personal Information from misuse, interference, loss, and unauthorised access or disclosure. These measures include encryption in transit and at rest, access controls, audit logging, and secure development practices.

We retain Personal Information only for as long as reasonably necessary for the purposes for which it was collected, and in any case for the periods required by Australian law. For health information, this includes any minimum retention periods under applicable state and territory health records legislation (for example, seven years from the date of last service for adult records, and until the patient reaches 25 years of age for records of minors, or longer where required).

To provide the Services, we may transmit user inputs to trusted third-party AI service providers and cloud infrastructure providers for processing. These providers are bound by contractual confidentiality, security, and data processing obligations and are not permitted to use your Personal Information to train public models without authorisation.

8. Access and correction

You may request access to, or correction of, the Personal Information we hold about you in accordance with Australian Privacy Principles 12 and 13. Requests should be made in writing using the contact details in section 17. We will respond within a reasonable period and in accordance with the Privacy Act.

In limited circumstances involving health information, access may be provided through a qualified health practitioner where this is appropriate (for example, where direct access could pose a serious threat to the life, health, or safety of any person).

9. State and territory health privacy laws

In addition to the Privacy Act, the handling of health information may be regulated by state and territory laws, including:

  1. the Health Records and Information Privacy Act 2002 (NSW);
  2. the Health Records Act 2001 (Vic); and
  3. the Health Records (Privacy and Access) Act 1997 (ACT).

We comply with these laws to the extent they apply to our handling of your information.

10. Data breaches

In the event of an eligible data breach under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, we will notify affected individuals and the Office of the Australian Information Commissioner as required. Given the sensitivity of health information, we treat any suspected breach involving health information as a priority and assess it promptly.

11. Complaints

If you have a complaint about how we have handled your Personal Information, please contact us using the details in section 17. Complaints are reviewed by an Executive of Qiri responsible for privacy compliance, and we may seek further information from you to clarify your concerns.

If we agree the complaint is well founded, we will, in consultation with you, take appropriate steps to resolve the issue. If you are not satisfied with our response, you may refer the matter to the Office of the Australian Information Commissioner (www.oaic.gov.au) or, where applicable, the relevant state or territory privacy regulator.

12. Overseas transfers

To provide Qiri, your Personal Information may be transferred to, and processed in, countries outside Australia where our cloud infrastructure providers and AI model providers operate, including the United States and other jurisdictions in which our sub-processors are located.

Privacy laws in these jurisdictions may differ from Australian law. Before disclosing Personal Information overseas, we take reasonable steps to ensure the recipient handles your information consistently with the Australian Privacy Principles, including by entering into Data Processing Agreements with our sub-processors. We maintain a current list of sub-processors and can provide it on request.

Where a pharmacy uses Qiri to communicate with patients by SMS or WhatsApp, those messages are carried by third-party messaging providers (including Twilio Inc. and Meta Platforms, Inc.) and may be transmitted, processed, or stored overseas. Qiri acts as a conduit for those messages; the pharmacy is responsible for obtaining the patient's consent to be contacted on the relevant channel.

13. GDPR and equivalent overseas privacy laws

This section applies only where the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, or equivalent overseas data protection laws apply to our processing. In those cases, we process Personal Information only where we have a lawful basis to do so, including where processing is:

  1. necessary for the performance of a contract with you, including to provide the Services;
  2. required to comply with legal obligations;
  3. necessary for our legitimate business interests (such as operating, securing, and improving the Services), provided those interests do not override your rights;
  4. necessary for the provision of health care or treatment, with appropriate safeguards; or
  5. based on your consent, where required.

Subject to applicable law, you may have rights to request access to, correction or deletion of your Personal Information, to object to or restrict certain processing, to request data portability, or to withdraw consent where processing is based on consent. You may also lodge a complaint with a relevant supervisory authority.

Requests may be made using the contact details in section 17. We may need to verify your identity before responding.

14. Children's privacy

Qiri is not intended for unsupervised use by children under 18. Where Qiri is used in connection with a child's healthcare (for example, a parent or guardian using Qiri in relation to their child, or a pharmacist entering information about a paediatric patient), we collect and handle the child's information only with the consent of the parent, guardian, or other person with lawful authority, and in accordance with the Privacy Act and applicable health privacy laws.

If we become aware that we have collected Personal Information about a child without appropriate authority, we will take steps to delete it.

15. Pharmacy and enterprise accounts

Where you access Qiri through a pharmacy or other organisation, that organisation is the controller of patient Personal Information entered into Qiri through its account, and Qiri Pty Ltd acts as a processor on the organisation's instructions, in accordance with the agreement between Qiri and the organisation. In those cases, requests by patients to access, correct, or delete Personal Information should be directed to the relevant pharmacy or organisation in the first instance. We will assist the organisation in responding where required.

For all other Personal Information collected through Qiri, including pharmacist user accounts, account contact details, billing information, and direct interactions between Qiri and a user, Qiri Pty Ltd is the controller.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you through the Services (for example, on the login page or by email). The "Last updated" date at the top of this policy reflects the most recent version.

17. How to contact us about privacy

For privacy enquiries, access or correction requests, or complaints, you can contact us at:

Email: hello@qiri.ai