How your information is handled.

Last updated: 29 April 2026

This policy explains how Hard Conversations collects, stores, uses, and shares personal information. It applies to clients, prospective clients, and anyone who visits this website or contacts the practice.

Hard Conversations is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For health records collected in NSW, the Health Records and Information Privacy Act 2002 (NSW) and its Health Privacy Principles (HPPs) also apply.

1.Who we are

Hard Conversations is a solo private practice run by Ben Waters, registered psychologist (MProfPsych, AHPRA PSY0001961782). The practice provides individual psychological and psychosexual therapy to adult men, by telehealth, across Australia.

Contact for privacy matters:

Email: ben@hardconversations.com.au
Phone: 0435 213 283
Post: PO Box 3159, Minnamurra LPO NSW 2533

If you have a question about this policy, want to access or correct your information, or want to make a complaint, contact Ben directly using the details above.

2.What information we collect

The kinds of information collected depend on whether you are a client, a prospective client, or a website visitor.

From clients and prospective clients:

Identifying information — name, date of birth, address, phone number, email
Health information — including reasons for seeking therapy, mental and sexual health history, medical history, current medications, treatment history, family and relationship context, and any other information shared during sessions or in clinical correspondence
Government identifiers — Medicare card number and reference number where you are claiming a rebate; sometimes a referring GP's provider number
Emergency contact details — name and phone number of someone to contact in a genuine emergency
Information about who we may share with — collected on the Informed Consent Form at intake (for example, a treating GP or psychiatrist, or a partner or family member, if you choose to authorise this)
Payment information — your nominated card is held on file via the practice management system (see Section 5), or your bank transfer reference where you pay by invoice
Session content — clinical notes generated by Ben after each session, sometimes drawing on AI-assisted note-taking (see Section 5)
Questionnaire responses — psychometric and clinical questionnaires you complete

From website visitors:

Information you submit via the booking or contact form (typically name, email, phone, and a brief message)
Standard analytics data when you visit the site (see Section 10)

The Privacy Act treats health information as sensitive information, which carries higher protection than general personal information.

3.How we collect it

Most information is collected directly from you — through the booking and contact forms on this website, in conversation during the free intro call and clinical sessions, and in the intake paperwork you complete before your first session.

Some information may be collected from a third party with your consent — most commonly a referring GP who provides a Mental Health Care Plan (MHCP), referral letter, or relevant medical history.

We collect information from the website itself through analytics tools when you visit.

We will not collect health information about you without your consent, unless required or authorised by law.

4.Why we collect it

We only collect information needed to:

Provide psychological and psychosexual therapy to you
Bill you accurately and process Medicare rebates where applicable
Keep clinical records as required by Australian psychology regulation
Communicate with you about appointments, scheduling, and clinical matters
Meet legal obligations (mandatory reporting, court orders, AHPRA notifications, MHCP progress letters)
Respond to enquiries you send through the website
Understand how the website is being used so we can improve it

We will not use or disclose your information for any other purpose without your consent, unless required or authorised by law.

5.How we store and protect it — the software stack

Running a modern psychology practice involves several pieces of software. This section describes each one, what it holds, and where the data sits. Some tools store data outside Australia; this is disclosed honestly below and discussed further in Section 7.

Practice management — Halaxy

Client records, appointments, clinical notes, invoices, Medicare claims, and card-on-file payment details are held in Halaxy, an Australian-headquartered practice management platform. Halaxy stores Australian client data in Australia, hosted on Amazon Web Services (AWS) infrastructure with bank-grade encryption at rest and in transit. Halaxy submits Medicare rebate claims on your behalf via its integrated claiming pipeline to Services Australia.

Telehealth sessions — Zoom Workplace

Sessions are conducted on Zoom Workplace, configured for clinical use with passcodes, waiting rooms, and end-to-end encryption enabled. Cloud recording is disabled. Sessions are not recorded for replay. Zoom processes session data on servers in multiple regions, including outside Australia.

Clinical note-taking — Heidi Health

With your written consent at intake, Heidi Health is used as an AI-assisted clinical scribe during sessions. Heidi listens in real time and generates a draft summary that Ben reviews and edits before saving to your file. Audio is not retained beyond what's needed to produce the note. Heidi stores Australian user data on Australian servers and complies with the Australian Privacy Principles. You can decline AI-assisted note-taking; manual notes are taken instead.

Psychometric questionnaires — NovoPsych and Jotform

Some clinical questionnaires are sent to you electronically via NovoPsych (an Australian-based secure psychometric platform, with data stored in Australia) or Jotform. Jotform is used for the website's booking and general contact forms, and for some intake forms and psychometric assessments. Jotform stores responses on servers located in the United States, which means your information leaves Australia at the point of submission. US privacy law differs from Australian privacy law. For booking and contact form submissions, the information is used to arrange the intro call or reply to your enquiry; if you go on to become a client, the information is transferred into your clinical record in Halaxy. For intake and assessment forms, responses are transferred into Halaxy on receipt. Where neither tool is suitable, a PDF questionnaire may be sent by email — this is disclosed at the time as not end-to-end encrypted, and you can opt out and complete it another way.

Automated questionnaire scoring — Make

For some questionnaires, scoring is automated using Make (formerly Integromat), a workflow tool that runs on EU-based and AWS infrastructure. Workflow logs are typically retained for up to 30 days. You can opt out of automated scoring at any time; manual scoring is provided instead.

Email and calendar — Google Workspace

Email correspondence (ben@hardconversations.com.au and admin@hardconversations.com.au) and calendar entries are hosted on Google Workspace on the hardconversations.com.au domain. Google Workspace processes mail and calendar data on Google's global infrastructure, predominantly in the United States, under Google's data protection commitments including Standard Contractual Clauses, SOC 2, and ISO 27001 certifications.

Mailboxes are protected by strong, unique passwords and two-factor authentication. Email content is encrypted in transit and at rest. Calendar entries typically include only a first name and the appointment time.

Microsoft 365 (Outlook) is used as a desktop email client to read and send mail held in Google Workspace; no mail content is stored authoritatively by Microsoft.

Document storage — Dropbox Professional

Some clinical documents — service agreements, clinical correspondence sent or received by email, and reports prepared by Ben — may be stored temporarily in Dropbox Professional. Dropbox Professional stores data on US-based servers. Files are encrypted in transit and at rest, and access is protected by a strong password and multi-factor authentication.

Website hosting — Lovable

This website is built and hosted on Lovable, served via overseas content delivery infrastructure. The website itself does not have a backend database for client information. Booking and contact form submissions are not stored on the website; they are emailed directly to ben@hardconversations.com.au and handled from there (see Section 5: Google Workspace).

Payment processing

The default payment method is card-on-file via Halaxy's integrated payments, which is powered by Braintree (PayPal-owned, Australia-based for Australian customers). Card details are entered directly by you through Halaxy and tokenised at the payment gateway. The full card number is never seen, typed, or stored by the practice.

If you ask to be invoiced instead, you pay by bank transfer using the account details on the invoice. The practice sees only the reconciliation entry on its business bank statement.

Backups

Halaxy runs its own daily backups on AWS infrastructure in Australia. The practice does not maintain separate local backups of client records.

General security measures

All systems above are protected by strong, unique passwords and multi-factor authentication where available
Devices used to access client information are encrypted and password-protected
Access is restricted to Ben and, where relevant, a single administrative assistant (see Section 6)

6.Who we share it with

Your information is shared only where you have authorised it, where the law requires it, or where the practice cannot operate without it (for example, the software providers listed in Section 5, who act as data processors).

Authorised sharing — your choice. At intake, you complete an Informed Consent Form that lists who, if anyone, Hard Conversations can share information with — for example, your GP, psychiatrist, another treating professional, or a partner, family member, or carer. Information is not shared outside what you have authorised, except as required by law.

Administrative support. Limited administrative support is provided by an assistant who helps with tasks such as invoicing and scheduling. The assistant is bound in writing to the same confidentiality obligations that apply to the practice and does not have access to clinical notes or session content.

Limits of confidentiality. There are six circumstances in which information may be disclosed without your consent:

Imminent risk of serious harm to you or another person
A court order, subpoena, or warrant
Mandatory reporting under the NSW Children and Young Persons (Care and Protection) Act 1998
AHPRA mandatory notifications
Required progress letters to the referring GP under a Medicare Mental Health Care Plan
Other rare circumstances where disclosure is required by law

These limits are also covered in the Service Agreement you sign before your first session.

Software providers. The third-party platforms listed in Section 5 act as data processors. They handle information only on our instructions, are bound by privacy and confidentiality terms, and do not use your information for their own purposes.

7.Overseas data transfers

Australian Privacy Principle 8 requires us to disclose where your personal information may be processed outside Australia, and to take reasonable steps to ensure overseas recipients handle it consistently with the APPs.

The following tools may process your information outside Australia:

Zoom Workplace — session data processed on servers in multiple regions, including outside Australia
Make — workflow processing on EU-based and AWS infrastructure
Dropbox Professional — document storage on US-based servers
Jotform — online form and assessment responses stored on US-based servers
Lovable (website hosting) — page-load metadata processed via overseas content delivery infrastructure
Google Analytics — analytics data processed on US and other Google infrastructure (see Section 10)
Google Workspace — email and calendar data processed on Google's global infrastructure, predominantly in the United States

All of these providers publish privacy and security commitments and operate under data protection frameworks (GDPR, EU Standard Contractual Clauses, SOC 2, ISO 27001, or equivalent). The practice has selected each one with privacy and security as a primary consideration, but you should be aware that information processed outside Australia may be subject to the laws of those countries.

If you would prefer not to have your information processed by a particular tool, raise this with Ben before your first session. Alternatives are available for some tools (manual note-taking instead of Heidi, manual scoring instead of Make, paper questionnaires instead of NovoPsych or Jotform).

8.Your rights

Under the APPs and HPPs, you have the right to:

Access your information (APP 12 / HPP 7). You can ask in writing for a copy of, or a written summary of, the personal and health information held about you. We will respond within a reasonable time (usually within 30 days). There is no charge for the request itself; a reasonable fee may be charged for the cost of preparing and providing the records.

In limited circumstances, direct access may be refused or limited — for example, where access could pose a serious threat to anyone's life or safety, would unreasonably impact another person's privacy, or where another exception under APP 12.3 or HPP 7 applies. Where access is refused, written reasons will be given and the complaint pathway in Section 12 will be disclosed. In some cases, alternatives can be arranged: a review session to go through the records together, a written summary, or release through your GP.

Correct your information (APP 13 / HPP 8). If you believe information held about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you can ask for it to be corrected. We will respond within a reasonable time. Where a correction is made, we will notify any third party we have previously disclosed the information to, where reasonable.

Withdraw consent. You can withdraw consent for things like AI-assisted note-taking, automated scoring, or sharing with a particular third party at any time, by telling Ben in writing or in session.

Make a complaint. See Section 12.

9.Data retention and destruction

Clinical records are kept for seven years from the date of last contact for adult clients, in line with the NSW Health Records and Information Privacy Act 2002 and Psychology Board of Australia guidelines. After that period, records are securely destroyed.

Booking and contact form enquiries that don't lead to a client relationship are kept until you ask us to delete them. If you would like an enquiry deleted, contact Ben using the details in Section 1.

Email correspondence is kept while it is operationally relevant, and archived or deleted in line with the retention period above where it relates to a client.

10.Cookies and website analytics

This website uses Google Analytics 4 (GA4) to understand how visitors use the site — for example, which pages are read, where visitors come from, and what device they use. GA4 collects data using cookies and processes it on Google infrastructure, predominantly in the United States.

The information GA4 collects can include:

IP address (truncated by Google for the purposes of approximate location)
Device type, browser, and operating system
Pages viewed, time on page, and how you navigated through the site
Referring website (where you came from)

This information is not linked to your name or contact details. We use it only in aggregate, to make the site work better.

You can opt out of Google Analytics by:

Declining analytics cookies via the consent banner on this site
Using your browser's "do not track" or private/incognito mode
Installing the Google Analytics Opt-Out Browser Add-on

The website does not currently use any other analytics, advertising pixels, session-recording tools, or social media tracking.

11.Data breaches

If we become aware of a data breach that is likely to result in serious harm — for example, unauthorised access to client records — we will respond in line with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.

This means we will:

Contain the breach and assess what happened
Notify affected individuals as soon as practicable
Notify the Office of the Australian Information Commissioner (OAIC)
Take steps to prevent recurrence

If you have reason to believe your information has been compromised, contact Ben immediately using the details in Section 1.

12.How to make a complaint

If you have a concern about how your information has been handled, please raise it with Ben first. Most concerns can be resolved directly. Contact details are in Section 1.

If you are not satisfied with the response, you can escalate to:

Office of the Australian Information Commissioner (OAIC) — for privacy complaints under the Privacy Act. Phone 1300 363 992 or oaic.gov.au
NSW Health Care Complaints Commission (HCCC) — for complaints about health services. Phone 1800 043 159 or hccc.nsw.gov.au
Australian Health Practitioner Regulation Agency (AHPRA) — for complaints about a registered health practitioner. Phone 1300 419 495 or ahpra.gov.au

13.Changes to this policy

This policy may be updated from time to time — for example, when a new piece of software is added to the practice or when privacy law changes. The current version is always available at hardconversations.com.au/privacy.

The "Last updated" date at the top of this page reflects the most recent change. A short note describing what changed is added to the Recent changes section below, so anyone re-reading the policy can see what is new at a glance.

If a change materially affects how information is handled for current clients, those clients will also be notified by email.

Recent changes

No changes to record yet — this is the first published version.

14.Crisis support

This is a website for an outpatient psychology practice. It is not a crisis service and email and contact form messages are not monitored 24/7.

If you or someone you know is in immediate danger, call 000.

If you need to talk to someone now:

Lifeline — 13 11 14
Suicide Call Back Service — 1300 659 467
MensLine Australia — 1300 78 99 78

Authored by Ben Waters, Registered Psychologist

MProfPsych · AHPRA registration: PSY0001961782

Hard Conversations · hardconversations.com.au

Last updated: 29 April 2026