Last updated 25 May 2026

    Privacy by design.

    Abe AI is the AI-readiness and clinical governance layer for Australian healthcare. Our own posture must be exemplary; see below. This page is not legal advice.


    The six commitments

    • Australian Privacy Principles (APPs) compliance under the Privacy Act 1988.
    • APP 1.7 / 1.8 automated-decision-making disclosures (effective 10 December 2026). Abe AI is preparing now and will publish the required disclosures here by 1 December 2026.
    • Australian data sovereignty. All health data is stored in the Supabase Sydney region (ap-southeast-2), with the region enforced at the application layer.
    • Immutable audit trail of every agent output: input hash, output hash, model used, corpus version queried, timestamp, organisation, tier, risk rating, human-reviewer ID where applicable.
    • Human-in-the-loop record-keeping for every Tier 2 (clinical) output before it leaves the dashboard.
    • SOC 2 Type II audit and ISO 27001 certification on the roadmap.

    Information collected

    Enquiry forms (Home, Services, Pricing, Investors)

    • Name and email (required to respond)
    • Service domain (GP / specialist / allied / dental / pharmacy / hospital / aged care / NDIS / mental health / other)
    • Organisation size, role of enquirer, free-text context
    • For investor enquiries: organisation, stage of interest, free-text question

    Once the product backend is live

    • Organisation profile (service type, accreditation set, tools in use)
    • User profile (role, scope of practice)
    • Agent outputs (assessments, generated policies, Oracle answers, alerts, registers)
    • Audit log per the immutable record schema in MEMORY.md

    Automatically collected

    • IP address, browser type, device, operating system
    • Pages visited, interaction telemetry (no third-party advertising trackers)
    • Referral source

    Cookies and similar technologies

    Strictly necessary

    Supabase authentication cookies (sb-*-auth-token) and session state. These cannot be disabled without breaking login.

    Analytics, aggregate

    Vercel Web Analytics where enabled — aggregate, no individual profile building. No third-party advertising trackers. No Google Analytics on the marketing surface.

    Advertising or tracking

    None. Abe AI does not run advertising trackers on abeai.com.au.

    By signing in you accept the strictly-necessary cookies. Analytics is opt-out via your browser's Do Not Track setting.

    How information is used

    • Respond to enquiries from a clinician (no automated rejection)
    • Operate the platform — agent routing, governance-document generation, regulatory monitoring
    • Demonstrate APP 1.7 / 1.8 compliance for every automated decision the platform makes
    • Improve the regulatory and accreditation corpora (anonymised, aggregated only)
    • Comply with legal and regulatory requirements

    Personal information is never sold. Anonymised, aggregated insights may inform horizon-scanning and benchmarking reports — never with identifiable data.

    Data storage and Australian sovereignty

    All Abe AI data is stored in the Supabase Sydney region (ap-southeast-2). Sovereignty is enforced at three layers:

    • Application layer — every write checks data_region === 'ap-southeast-2'
    • Database layer — row-level security per organisation; per-agent service accounts with bounded SELECT
    • Encryption — at rest (Supabase transparent encryption + per-organisation keys for personal-information jsonb columns) and in transit (TLS 1.3)

    SOC 2 Type II audit will be initiated alongside the seed raise (~12-month process). ISO 27001 certification follows SOC 2 readiness.

    Tier 2 clinical decision support, gated by design

    Abe AI does not currently make clinical decisions about individual patients. Tier 1 (governance, workforce, operations, horizon) is the only tier active today. Tier 2 (clinical decision support — pathology, radiology, medicines, deteriorating-patient detection, mental-health risk, telehealth clinical) is gated until ALL of the following are confirmed:

    • TGA pathway (SaMD classification + ARTG inclusion or documented exemption)
    • Clinical validation dataset
    • Clinical governance lead sign-off protocol in the UI
    • Professional indemnity coverage
    • Human-in-the-loop review checkpoint

    Every Tier 2 output, when activated, is labelled "decision support — clinician must verify" and carries a human-reviewer record in the audit log.

    Retention

    • Clinical-adjacent records: 7 years from creation (consistent with AU medical-record retention norms, including the NSW Health Records and Information Privacy Act 2002).
    • Solo and Practice subscription tiers: 7 years.
    • Growth and Enterprise tiers: indefinite (subscription-bound).
    • On subscription end: records moved to a customer-exit archive (read-only) per contract terms; not deleted earlier than 7 years post-output.
    • Enquiry-form submissions (not yet activated): retained for 24 months after last contact unless deletion is requested.

    Third-party services

    Abe AI operates on a deliberately narrow set of third parties — each bound by a data processing agreement.

    • Supabase (Sydney, ap-southeast-2): database, authentication, edge functions, storage.
    • Vercel: hosting and edge delivery for the marketing site and product front-end.
    • Vercel AI Gateway → Anthropic Claude: AI inference, server-side only, zero data retention by the gateway provider. No personal information leaves the audit-log boundary.
    • Resend: transactional email from abeai.com.au (verified domain).
    • Stripe: payment processing for subscription tiers (PCI compliant).

    Your privacy rights

    Under the Australian Privacy Principles you have the right to:

    • Access the information Abe AI holds about you
    • Correct inaccurate information
    • Request deletion (subject to the retention obligations above)
    • Export your data in a portable format
    • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at any time

    Privacy contact

    For privacy questions, requests under the APPs, or to exercise your rights:

    Email: privacy@abeai.com.au

    Response time: within 2 business days

    Entity: Black Health Intelligence Pty Ltd (operator of Abe AI)

    For complaints, you may also contact the Office of the Australian Information Commissioner (OAIC).

    Policy updates

    Abe AI may update this privacy policy to reflect changes in our practices or in Australian law. Significant changes will be notified by email to active customers and posted here. The "Last updated" date at the top of this page indicates the most recent revision.