Privacy Policy

Last Updated: April 20, 2026

1. About This Policy

This Privacy Policy explains how Care Connected Pty Limited, trading as Spectrum.Life (ABN 87 616 646 309) (“Spectrum.Life”, “we”, “our” or “us”), collects, holds, uses, discloses and otherwise handles personal information in connection with our digital wellbeing, mental health, employee assistance programme (EAP), clinical support and related platform services (the “Services”).
Spectrum.Life is committed to protecting the privacy and confidentiality of the personal information we collect and handle. We comply with the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”), and any applicable State or Territory health records legislation. Where our Services are provided to individuals in New Zealand, we also comply with the New Zealand Privacy Act 2020 and the New Zealand Information Privacy Principles.
This policy applies to all individuals who interact with our Services, including employees, contractors, volunteers and other beneficiaries (“End Users”) of organisations that engage Spectrum.Life (“Customers”), as well as visitors to our website and individuals who contact us directly.

2. Who We Are

Spectrum.Life is a global provider of digital wellbeing, mental health and EAP services. Our registered office in Australia is at Unit 526, 368 Sussex Street, Sydney NSW 2000. Spectrum.Life is part of a group of companies with operations in Ireland, the United Kingdom, Australia and New Zealand.
For the purposes of Australian Privacy Laws, Spectrum.Life is the entity responsible for the handling of your personal information in connection with the Services described in this policy.

3. What Personal Information We Collect

The types of personal information we collect depend on how you interact with us and which Services you access.

3.1 Identity and Contact Information

  • Full name
  • Email address and telephone number
  • Employer or organisation name
  • Job title or role (where relevant to eligibility
  • Login credentials for access to the Spectrum.Life Platform
  • 3.2 Employment and Eligibility Information

  • Employee or membership identifier provided by your employer or organisation
  • Workplace location or site (where relevant to service delivery)
  • Eligibility status and programme enrolment details
  • 3.3 Health and Sensitive Information

    Where you access clinical or counselling services through the Spectrum.Life Platform, we may collect sensitive information including health information within the meaning of the Privacy Act. This may include:

  • Mental health and psychological wellbeing assessments
  • Counselling session notes and clinical records
  • Triage, risk assessment and referral information
  • Self-reported health and wellbeing data (including survey responses and mood tracking)
  • Information relating to presenting concerns, diagnoses and treatment plans
  • We collect health information where it is necessary to provide our clinical and wellbeing Services, in reliance on the permitted health situation exception under APP 3.4(c) and section 16B(1) of the Privacy Act. All personal information collected in the course of providing a health service is health information under the Privacy Act, including information that might otherwise fall into other sensitive information categories (such as racial or ethnic origin, or sexual orientation) where it is disclosed during a clinical interaction.

    3.4 Usage and Technical Information

  • Platform usage data, including pages viewed, features accessed and session duration
  • Device and browser information
  • IP address and approximate geolocation
  • Cookies and similar tracking technologies (see Section 14)
  • 3.5 Communications

  • Support requests and correspondence with Spectrum.Life
  • Feedback and survey responses
  • Records of telephone calls to our clinical helpline (where applicable)
  • 4. How We Collect Personal Information

    We collect personal information in the following ways:

  • Directly from you when you register for or use the Spectrum.Life Platform, contact our clinical helpline, complete assessments, access counselling, or communicate with us
  • From your employer or organisation when they provide eligibility information to set up your access to the Services
  • From a reseller or intermediary (such as an insurer or health fund) that has engaged Spectrum.Life to provide Services on behalf of your employer
  • Automatically through your use of the Spectrum.Life Platform (usage and technical data)
  • From our clinical practitioners in the course of delivering clinical and counselling services
  • Where practicable, we collect personal information directly from you. Where we collect from a third party, we take reasonable steps to ensure you are made aware of this collection, as required by APP 5.

    5. Why We Collect, Use and Disclose Personal Information

    We collect, hold, use and disclose personal information for the following purposes:

  • To provide the Services, including access to the Spectrum.Life Platform, EAP services, clinical support, counselling, triage, risk assessment, case management and referrals
  • To verify your identity and eligibility and to manage your account
  • To provide technical support, service administration and reporting
  • To communicate with you about the Services, including appointment reminders and service notifications
  • To comply with legal and regulatory obligations, including mandatory reporting, duty of care, and clinical governance requirements
  • To respond to complaints, disputes and legal proceedings
  • To create anonymised, de-identified or aggregated usage data for service improvement, analytics, quality assurance, clinical audit and research (in a form that does not identify any individual)
  • To maintain and improve the security, functionality and performance of the Spectrum.Life Platform
  • For internal business operations, including training, quality assurance and clinical supervision
  • We will not use or disclose your personal information for a purpose other than the primary purpose for which it was collected, a related secondary purpose you would reasonably expect, or as otherwise permitted or required by law (APP 6).

    6. Sensitive Information and Health Information

    Under the Privacy Act, sensitive information (including health information) is afforded a higher level of protection. Spectrum.Life collects and handles health information in reliance on the permitted health situation exception (APP 3.4(c) and section 16B(1) of the Privacy Act), not on the basis of consent. This exception permits an organisation to collect health information where the information is necessary to provide a health service to an individual, and the collection is in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality.
    All personal information collected in the course of providing a health service is health information under the Privacy Act (section 6(1)), including information that might otherwise fall into other sensitive information categories where it is disclosed during a clinical interaction. This means the permitted health situation exception covers the full scope of sensitive information Spectrum.Life collects through its clinical and EAP services.
    Where the collection of information is required or authorised by or under an Australian law or a court or tribunal order, we may also rely on the exception in APP 3.4(a).

    6.1 AI Scribe

    Where a clinical service includes the option to use an AI-assisted clinical scribe to transcribe your session, Spectrum.Life will seek your explicit consent before activating this feature. The AI scribe records and transcribes clinical sessions to support clinical note-taking and record accuracy. You are free to decline or withdraw your consent at any time, and declining will not affect your access to the clinical service itself. AI scribe transcriptions are processed in accordance with Spectrum.Life’s ISO 27001 certified information security controls and are treated as part of your clinical record.
    In addition to the Privacy Act and APPs, Spectrum.Life complies with relevant State and Territory health records legislation when handling health information, including:

  • Health Records Act 2001 (Vic)
  • Health Records and Information Privacy Act 2002 (NSW)
  • Health Records (Privacy and Access) Act 1997 (ACT)
  • Your health information and clinical records are treated as strictly confidential. They are not disclosed to your employer, the Customer or any reseller, except in anonymised or de-identified aggregate form, or where disclosure is required by law (for example, mandatory reporting of an imminent risk of serious harm).

    7. Disclosure of Personal Information

    We may disclose your personal information to the following categories of recipients:

  • Spectrum.Life group companies in Ireland and the United Kingdom, where necessary for clinical services delivery, technical support or operational functions (see Section 8)
  • Our authorised sub-processors and service providers who assist in delivering the Services (see Section 9)
  • Your employer or organisation, but only in anonymised or aggregated form that does not identify you personally. We do not disclose your individual personal data, health information or clinical records to your employer or Customer
  • Regulatory authorities, law enforcement bodies or the Office of the Australian Information Commissioner (OAIC), where required or authorised by law
  • Professional bodies, where required for clinical governance purposes
  • Third parties in connection with a mandatory reporting obligation or duty of care, where there is an imminent risk of serious harm
  • 8. Cross-Border Disclosure of Personal Information

    Spectrum.Life is a global organisation with operations in Australia, Ireland and the United Kingdom. In the course of delivering our Services, your personal information (including health information) may be disclosed to or accessed from jurisdictions outside Australia.

    8.1 Clinical Services

    To ensure continuity and availability of clinical services, Spectrum.Life operates a follow-the-sun clinical delivery model. Clinical services (including counselling, triage, risk assessment and crisis support) may be delivered to End Users by Spectrum.Life clinicians located in Ireland or the United Kingdom, in addition to clinicians located in Australia.
    Where clinical services are delivered by clinicians located in Ireland or the United Kingdom, your personal information (including health information and sensitive information) will be collected, used and disclosed by those clinicians in the course of delivering those services. Such processing is undertaken in accordance with Spectrum.Life’s ISO 27001 certified information security management system and is subject to the confidentiality, security and data protection obligations set out in our agreements with Customers.
    Spectrum.Life clinicians in Ireland and the United Kingdom are also subject to the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR) respectively, which ensures a high standard of data protection.

    8.2 Technical Support

    In circumstances requiring escalation to advanced technical support, Spectrum.Life engineers located in Ireland and the United Kingdom may access platforms, technology applications and personal information hosted in Australia for the purposes of troubleshooting and incident resolution. Such access occurs only where an issue cannot be resolved by Australia-based support personnel and is subject to Spectrum.Life’s ISO 27001 certified information security controls.

    8.3 Compliance with APP 8

    Before disclosing personal information to a recipient outside Australia, Spectrum.Life takes reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information, as required by APP 8. Our measures include:

  • Binding intragroup data processing agreements between Spectrum.Life entities in Australia, Ireland and the United Kingdom
  • Ensuring all overseas recipients are subject to data protection obligations substantially similar to the APPs
  • Maintaining ISO 27001 certified information security controls across all jurisdictions
  • Conducting privacy impact assessments before implementing new cross-border data flows
  • The countries in which your personal information may be stored, accessed or disclosed are: Australia, Ireland and the United Kingdom. If these countries materially change, we will update this policy.

    8.4 New Zealand

    Where our Services are provided to individuals in New Zealand, Spectrum.Life also complies with the New Zealand Privacy Act 2020. Cross-border disclosures of New Zealand residents’ personal information are handled in accordance with that Act, including Information Privacy Principle 12 (disclosure of personal information outside New Zealand).

    9. Cross-Border Disclosure of Personal Information

    Spectrum.Life engages authorised sub-processors to assist in delivering the Services. Each is bound by written obligations no less protective of personal information than Spectrum.Life’s own obligations. Our current sub-processors are:

    Sub-Processor Purpose Primary Location
    Amazon Web Services (AWS) Platform hosting, compute and storage Australia
    Salesforce Clinical record management Australia
    TelecomStack 24/7 clinical telephone line Australia
    Heidi AI clinical scribe Australia
    Posthog Platform and web analytics Australia

    This list will be updated as sub-processors change. We notify affected Customers in advance of any proposed engagement of a new sub-processor that will handle personal information.

    10. Data Security

    Spectrum.Life is committed to protecting personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11). Our security measures include:

  • ISO 27001 certified information security management system, independently audited
  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and multi-factor authentication
  • Regular penetration testing and vulnerability assessments
  • Incident response and business continuity procedures
  • Staff training on privacy and information security obligations
  • Secure cloud hosting within Australian data centres (AWS Sydney region)
  • 11. Data Retention

    Spectrum.Life retains personal information only for as long as reasonably needed for the purposes for which it was collected, or as required by law. Our retention practices include:

  • Clinical records are retained in accordance with applicable clinical governance requirements and relevant State or Territory health records legislation
  • Platform usage data and technical logs are retained for the duration of the service relationship and a reasonable period thereafter for audit and security purposes
  • On termination of a Customer agreement, personal information is returned on request or securely destroyed or de-identified in accordance with our retention policies and applicable law
  • Where personal information is no longer needed for any purpose for which it may be used or disclosed, Spectrum.Life takes reasonable steps to destroy or de-identify that information (APP 11.2).

    12. Data Breaches

    Spectrum.Life maintains an incident response procedure for managing data breaches. In the event of an eligible data breach under Part IIIC of the Privacy Act (Notifiable Data Breaches scheme), Spectrum.Life will:

  • Contain the breach and conduct a reasonable and expeditious assessment
  • Notify the OAIC and affected individuals if the assessment concludes there are reasonable grounds to believe the breach is an eligible data breach
  • Notify the relevant Customer as soon as reasonably practicable
  • Take reasonable steps to remediate the breach and prevent recurrence
  • Where Services are provided to individuals in New Zealand, we will also comply with the notification requirements under the New Zealand Privacy Act 2020, including notification to the New Zealand Privacy Commissioner where required.

    13. Your Rights

    Under the Privacy Act and the APPs, you have the following rights in relation to your personal information:

    13.1 Access (APP 12)

    You may request access to the personal information we hold about you. We will respond within a reasonable period. In some circumstances, we may refuse access where permitted by law (for example, where providing access would unreasonably impact the privacy of others).

    13.2 Correction (APP 13)

    You may request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading. We will take reasonable steps to correct the information within a reasonable period.

    13.3 Complaints

    If you believe we have breached the APPs or this policy, you may lodge a complaint with us using the contact details in Section 16. We will acknowledge your complaint and investigate it within a reasonable period. If you are not satisfied with our response, you may lodge a complaint with:

  • Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au | Phone: 1300 363 992 | Email: enquiries@oaic.gov.au
  • New Zealand Privacy Commissioner (for NZ residents): www.privacy.org.nz
  • 14. Cookies and Analytics

    The Spectrum.Life Platform and website use cookies and similar technologies to improve functionality, analyse usage and enhance your experience. We use:

  • Essential cookies required for the operation of the Platform (session management, authentication)
  • Analytics cookies to understand how the Platform is used and to improve our Services (using PostHog, hosted in Australia)
  • You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality.
    We do not use cookies to collect personal information for direct marketing purposes without your consent.

    15. Direct Marketing

    Spectrum.Life does not use or disclose personal information collected through the delivery of clinical or EAP services for direct marketing purposes.
    Where we use personal information for direct marketing in connection with commercial or promotional activities (for example, newsletters or event invitations), we will only do so where we have your consent or where you would reasonably expect such communications, and we will always provide a simple means of opting out (APP 7).

    16. How to Contact Us

    If you have questions about this policy, wish to make an access or correction request, or wish to lodge a privacy complaint, please contact us:

    Entity Care Connected Pty Limited T/A Spectrum.Life
    ABN 87 616 646 309
    Registered address Unit 526, 368 Sussex Street, Sydney NSW 2000
    Privacy contact Data Protection Officer
    Email dpo@spectrum.life
    Website https://www.spectrum.life/au/

    Entity Care Connected Pty Limited T/A Spectrum.Life
    ABN 87 616 646 309
    Registered address Unit 526, 368 Sussex Street, Sydney NSW 2000
    Privacy contact Data Protection Officer
    Email dpo@spectrum.life
    Website https://www.spectrum.life/au/

    17. Changes to This Policy

    Spectrum.Life may update this Privacy Policy from time to time to reflect changes in our practices, Services, or applicable law. We will publish the updated policy on our website and, where practicable, notify affected individuals of material changes.

    18. State and Territory Health Records Legislation

    In addition to the Privacy Act and APPs, Spectrum.Life complies with applicable State and Territory health records legislation when handling health information in the course of delivering clinical services:

    Jurisdiction Legislation
    New South Wales Health Records and Information Privacy Act 2002 (NSW)
    Victoria Health Records Act 2001 (Vic)
    Australian Capital Territory Health Records (Privacy and Access) Act 1997 (ACT)
    Queensland Privacy Act 1988 (Cth) applies (no separate health records legislation)
    South Australia Privacy Act 1988 (Cth) applies (no separate health records legislation)
    Western Australia Privacy Act 1988 (Cth) applies. Note: Western Australia Privacy and Information Sharing Act 2024 expected to commence 1 July 2026
    Tasmania Privacy Act 1988 (Cth) applies (no separate health records legislation)
    Northern Territory Privacy Act 1988 (Cth) applies (no separate health records legislation)
    New Zealand Health Information Privacy Code 2020, issued under the NZ Privacy Act 2020

    Where a State or Territory imposes additional requirements for handling health information beyond the APPs, Spectrum.Life will comply with those additional requirements.