1. About This Policy
This Privacy Policy explains how Docworks ("we", "us", "our") handles personal information in connection with OnRounds, our healthcare shift management and clinical communication platform. Docworks is an Australian company based in Shepparton, Victoria.
We are committed to complying with the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) and treating all personal information with the care and respect it deserves — particularly given its healthcare context.
2. Information We Collect
When your organisation uses OnRounds, we collect and store the following categories of personal information:
2.1 Identity and Account Information
Authentication is managed through Microsoft Entra ID (formerly Azure Active Directory). When you sign in, we receive your name, email address, organisation identifier, and Azure AD object ID. We do not collect or store passwords — authentication is handled entirely by your organisation's identity provider.
2.2 Role and Shift Information
OnRounds records which clinical role you are assigned to, when you clock on and off, and your team and organisation memberships. This information is essential for the platform's role-based communication model.
2.3 Messages and Communications
We store all messages sent through OnRounds, including direct messages between roles, team chat messages, patient discussion content, and handover notes. Images shared within messages are also stored. This content may contain clinical or patient information and is treated with the highest level of sensitivity.
2.4 Technical and Device Information
When you enable push notifications, we store a push subscription record for your device, which includes an endpoint URL and cryptographic keys. We do not collect device identifiers, IP address logs, browsing history, or location data beyond what is necessary for delivering notifications.
2.5 Administrative Data
For organisation administrators, we record administrative actions such as team configuration changes, role assignments, and subscription management activities.
3. How We Use Your Information
We use the information we collect to provide and operate OnRounds, including delivering messages between clinical roles, managing shift schedules and handovers, sending push notifications for new messages and mentions, administering organisation and team settings, and maintaining the platform's security and integrity.
We do not use your personal information for advertising, marketing profiling, automated decision-making, or any purpose unrelated to the operation of OnRounds.
4. How We Store and Protect Your Information
All data is stored on Microsoft Azure infrastructure located exclusively in the Australia East (Sydney) region. Your data never leaves Australia.
We employ the following security measures:
- TLS/SSL encryption for all data in transit
- Azure-managed encryption at rest for all stored data
- Microsoft Entra ID for enterprise-grade authentication and single sign-on
- Shared access signature (SAS) tokens for image storage
- VAPID-based web push for notification delivery, with no reliance on third-party push services
We do not use any third-party analytics services, advertising SDKs, or tracking technologies within OnRounds.
5. Data Retention
OnRounds is designed for use in clinical environments where audit trails are essential. Accordingly, messages, images, and handover notes are retained indefinitely using a soft-delete model. This means that even when content appears deleted within the interface, it is preserved in the underlying database for compliance and audit purposes.
Users cannot permanently erase message history. This approach is consistent with the clinical record-keeping obligations that apply to healthcare communications.
Push notification subscriptions are retained only for as long as they remain active and valid.
6. Disclosure of Personal Information
We do not sell, rent, or share your personal information with third parties for their own purposes. Information is disclosed only in the following circumstances:
- Within your organisation: Messages and role assignments are visible to other members of your clinical team and organisation in accordance with the platform's role-based access model.
- Infrastructure providers: Your data is stored on Microsoft Azure. Microsoft acts as a data processor under their enterprise agreements and does not access your data for their own purposes.
- Legal obligations: We may disclose information if required by Australian law, a court order, or a lawful request from a regulatory authority.
7. Access and Correction
Under the Australian Privacy Principles, you have the right to request access to the personal information we hold about you and to request corrections if that information is inaccurate, incomplete, or out of date.
Because OnRounds operates on a role-based model where access is managed at the organisation level, requests related to your account data should be directed through your organisation's IT or administration team in the first instance. For privacy-related requests that your organisation cannot address, you may contact us directly.
8. Complaints
If you believe we have breached the Australian Privacy Principles or have a concern about how your personal information has been handled, please contact us using the details below. We will investigate your complaint and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the effective date at the top of this page. We encourage you to review this policy periodically.
10. Contact Us
Docworks — Privacy Inquiries
Email: support@docworks.com.au
Location: Shepparton, Victoria, Australia