Introduction
InterSession Group Pty Ltd (ABN 40 694 587 150, ACN 694 587 150), trading as InterSession ("we," "our," or "us"), is committed to protecting the privacy and security of your personal information and the clinical data you entrust to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our platform.
As a service designed for mental health professionals, we understand the sensitive nature of the information processed through our platform. We are committed to complying with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), which govern how we handle your personal and health information.
Australian Privacy Act Compliance
InterSession is designed to comply with the Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs). Health information is classified as "sensitive information" under the Act, and we apply enhanced protections accordingly.
Our compliance measures include:
- Explicit Consent (APP 3): We only collect sensitive health information with explicit consent from the individual or their authorised representative.
- Purpose Limitation (APP 6): We only use and disclose personal information for the purposes for which it was collected, or as otherwise permitted by law.
- Data Quality (APP 10): We take reasonable steps to ensure personal information is accurate, up-to-date, and complete.
- Data Security (APP 11): We implement robust technical and organisational measures to protect personal information from misuse, interference, loss, and unauthorised access.
- Access and Correction (APPs 12 and 13): Individuals can access and request correction of their personal information held by us.
Information We Collect
Account Information
When you create an account, we collect:
- Name and email address
- Professional credentials and practice information
- Billing information (processed securely by our payment provider)
- Account preferences and settings
Clinical Data (Health Information)
Through your use of our service, we process clinical data that you choose to enter or record, including:
- Session recordings (audio)
- Transcriptions of sessions
- Clinical notes and documentation
- Client information that you input
- Resources and materials you upload
This information constitutes "health information" under the Privacy Act 1988 and is afforded the highest level of protection.
Usage Information
We automatically collect certain information about your use of our service:
- Log data (IP address, browser type, access times)
- Device information
- Feature usage patterns
- Error logs and performance data
Information About Minor Clients
When practitioners use InterSession for child, adolescent, or family therapy, we may process health information about minors (individuals under 18 years of age). This information is afforded the same protections as all health information processed through our platform.
Parental consent: Under Australian privacy law and OAIC guidance, children generally cannot consent to the collection of their health information on their own behalf. For clients under 15 years of age, parental or guardian consent is typically required. For clients aged 15-17, capacity to consent depends on their maturity and understanding. Practitioners are responsible for obtaining appropriate consent in accordance with their professional obligations.
Parent-facing features: InterSession includes features that generate summaries, homework tasks, and other materials intended to be shared with parents or guardians. Practitioners are responsible for determining when disclosure to parents is appropriate, taking into account factors such as:
- The age and maturity of the child
- The nature of the information (e.g., sensitive disclosures)
- Family dynamics and any safety concerns
- Mature minor considerations for older adolescents
- Mandatory reporting obligations
Data retention: Records relating to minor clients may be subject to longer retention requirements under state and territory health records legislation (typically until the child reaches 25 years of age). Practitioners are responsible for maintaining appropriate records to meet these obligations.
How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process session recordings and generate clinical documentation
- Send you service-related communications
- Process payments and manage your subscription
- Respond to your inquiries and provide customer support
- Ensure the security and integrity of our platform
- Comply with legal obligations
What We Do NOT Do
We want to be clear about what we never do with your data:
- We do not sell your data. Ever. To anyone.
- We do not use clinical data to train AI models. Your client data is processed only to provide services to you and is never used to improve our general AI capabilities.
- We do not share identifiable clinical data with third parties except as required to provide our services or as required by law.
Overseas Data Transfers
In accordance with APP 8 (Cross-border disclosure of personal information), we inform you that your personal information may be disclosed to service providers located in the following countries:
- United States: Deepgram (transcription), OpenAI and Anthropic (AI note generation)
- Japan: Resend (transactional email delivery)
- Singapore: Render (application hosting)
Data Minimisation
We apply data minimisation principles to overseas transfers. When processing session content through AI services, we strip identifying information including client names, dates of birth, and contact details before transmission. Only the clinical content necessary to generate documentation is sent to overseas processors.
All overseas service providers are contractually bound to protect your information in accordance with standards comparable to the Australian Privacy Principles. We take reasonable steps to ensure that overseas recipients do not breach the APPs.
Note: Your primary data (clinical records, client information) is stored on servers located in Australia.
Data Security
We implement robust security measures to protect your information:
- AES-256 encryption for all stored data
- TLS 1.3 encryption for all data in transit
- Primary data hosted on servers in Sydney, Australia
- Row-level security policies to isolate clinician data
- Secure authentication with encrypted passwords
- Audio recordings automatically deleted after transcription processing
Our infrastructure is built on enterprise-grade platforms (Supabase for database, Render for application hosting) that maintain SOC 2 Type II certification and undergo regular independent security audits. While InterSession itself has not undergone independent security certification, we inherit the security controls and compliance of these certified infrastructure providers.
Data Breach Notification
In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches as soon as practicable after becoming aware of the breach, and in any event no later than 30 days. We treat prompt notification as a priority, not a deadline to be maximised.
An eligible data breach occurs when:
- There is unauthorised access to, or disclosure of, personal information held by us
- The breach is likely to result in serious harm to any of the individuals to whom the information relates
Our breach notification will include the nature of the breach, the types of information involved, and recommendations for steps individuals can take to protect themselves. We maintain incident response procedures to ensure timely detection, containment, and notification of data breaches.
Data Retention
We retain your data for as long as your account exists, regardless of subscription status. If your subscription lapses or you downgrade to a free plan, your data remains accessible—you do not lose your clinical records due to non-payment.
For clinical data:
- Session recordings: Audio is processed for transcription and then automatically deleted. We do not retain audio recordings.
- Clinical notes: Retained indefinitely until you explicitly delete them or close your account.
- Client data: Retained indefinitely until you explicitly delete individual records or close your account.
Account closure and deletion requests: If you close your account or request deletion of your data, all data is permanently and immediately deleted. This action cannot be undone. Please ensure you have exported any records you need before closing your account.
Important notice for practitioners: Mental health professionals in Australia are typically required to retain clinical records for 7 years or longer under professional registration requirements and state health records legislation. InterSession is a clinical tool, not an archive of record. You are responsible for maintaining your own record-keeping obligations, including exporting or archiving records before closing your account or requesting data deletion. We recommend maintaining independent backups of clinical records to meet your professional and legal obligations.
Third-Party Services
We use the following third-party services to provide our platform:
- Supabase — Database hosting (Sydney, Australia)
- Render — Application hosting (Singapore)
- Stripe — Payment processing (PCI DSS Level 1 certified)
- Resend — Transactional email delivery (Japan)
- Deepgram — Audio-to-text transcription (United States)
- OpenAI / Anthropic — AI-assisted clinical note generation (United States)
All third-party providers are vetted for security and privacy compliance, and are contractually bound to protect your information in accordance with the Australian Privacy Principles. We will update this list if we add or change sub-processors.
Data Processing Agreements: For enterprise customers and larger practices that require a formal Data Processing Agreement (DPA), please contact us at privacy@intersession.io.
Your Rights Under the Privacy Act
Under the Australian Privacy Act 1988, you have the right to:
- Access your personal information held by us (APP 12)
- Request correction of inaccurate information (APP 13)
- Know how your information is being used and disclosed
- Opt out of receiving marketing communications
- Request deletion of your data (subject to legal retention requirements)
- Withdraw consent for optional processing
- Lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC)
To exercise these rights, contact us at privacy@intersession.io.
Complaints
If you believe we have breached the Australian Privacy Principles or mishandled your personal information, you can lodge a complaint with us by contacting privacy@intersession.io.
We will investigate your complaint and respond within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
Future: International Expansion
InterSession is currently available only in Australia. We plan to expand to other countries in future, including the United States.
If you are located outside Australia and interested in InterSession, please contact us at hello@intersession.io to be notified when we launch in your region.
Cookies and Tracking
We use essential cookies to:
- Maintain your session and authentication
- Remember your preferences
- Ensure security
Analytics
We use Google Analytics on our marketing website (intersession.io) to understand how visitors find and use our website. Google Analytics is not used within the clinical application (app.intersession.io). No clinical data or application usage patterns are shared with Google.
On our marketing website, Google Analytics collects information such as:
- Pages visited and time spent on site
- Device and browser information
- Geographic location (country/city level)
- Referral sources
This data is collected in aggregate and is not linked to individual clinical data or client information. Google Analytics data is processed in the United States. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
We do not use third-party advertising cookies or sell data to advertisers.
Changes to This Policy
We may update this Privacy Policy from time to time. For any material changes, we will provide at least 30 days' notice before the changes take effect by:
- Sending an email to the address associated with your account
- Posting a notice within the Service
- Updating the "Last updated" date on this page
Your continued use of our services after the 30-day notice period constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, contact us:
- Email: privacy@intersession.io
- Contact form: intersession.io/contact
InterSession Group Pty Ltd
ABN 40 694 587 150 | ACN 694 587 150
Melbourne, Victoria, Australia