Privacy Policy
Last updated: 9 May 2026 · Honed Health Pty Ltd (ABN to be inserted)
1. About this policy
Honed Health Pty Ltd ("Honed Health", "we", "us") is committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy explains what personal information (including sensitive health information) we collect, why we collect it, how we use and disclose it, and how you can access and correct it.
By using our website (honed.health) or purchasing our services, you agree to the collection and use of your information as described in this policy.
2. What information we collect
We collect the following categories of personal information:
- Identity information: first name, last name, preferred name, date of birth, gender, pronouns
- Contact information: email address, mobile phone number, residential address
- Health information (sensitive): blood test results, biomarker values, and any health goals you share with us
- Payment information: processed by Stripe — we do not store card details
- Technical information: IP address, browser type, pages visited (via Vercel Analytics and Google Analytics)
We collect health information because it is necessary to provide you with pathology referrals and to display your blood test results. This is collected with your explicit consent.
3. How we collect information
We collect information:
- Directly from you when you complete the checkout form or create a patient portal account
- From Blood Group Technologies (BGT) Pty Ltd, our pathology referral partner, who returns your completed test results to us
- Automatically via cookies and analytics tools when you browse our website
4. How we use your information
We use your personal information to:
- Generate a pathology referral and send it to our accredited laboratory partner
- Display your blood test results securely in your patient portal
- Send you transactional emails about your order and results
- Send you follow-up emails about your health journey (you may opt out at any time)
- Improve our services and website (analytics, aggregated, de-identified)
- Meet our legal and regulatory obligations
We will not use your health information for any purpose other than those listed above without your explicit consent.
5. Disclosure of your information
We disclose your personal information only to:
- Blood Group Technologies (BGT) Pty Ltd — our pathology referral partner, to generate your referral and return results
- Stripe Inc. — to process your payment securely
- Supabase Inc. — our database provider (data stored in AWS ap-southeast-2, Sydney)
- Resend Inc. — our transactional email provider
- Vercel Inc. — our hosting provider
All service providers are bound by data processing agreements. We do not sell your personal information. We do not disclose health information to insurers, employers, or any third party for commercial purposes.
We may disclose your information if required by law or a court order.
6. Storage and security
Your data is stored in Supabase on AWS infrastructure in the ap-southeast-2 (Sydney) region. We implement the following security controls:
- Encryption in transit (TLS 1.2+) and at rest
- Row-level security on all database tables
- HMAC-SHA256 verified webhooks
- Rate limiting on all authentication endpoints
- HTTP security headers (HSTS, X-Frame-Options, CSP)
- Admin access gated by a separate password-protected session
We retain your personal information for as long as your account is active and for 7 years afterwards to meet our legal obligations, unless you request earlier deletion.
7. Cookies and analytics
We use the following cookies and analytics tools:
- Google Analytics (GA4) — aggregated, anonymised usage analytics. IP anonymisation is enabled.
- Vercel Analytics — page view tracking, no cross-site tracking
- Session cookie (admin_session) — HttpOnly, used solely for admin portal authentication
We do not use advertising cookies or share data with ad networks.
8. Your rights
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you
- Correct information that is inaccurate or out of date
- Request deletion of your information (subject to legal retention requirements)
- Withdraw consent to marketing communications at any time
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
To exercise any of these rights, contact us at privacy@honed.health.
9. Children
Our services are not directed at persons under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, please contact us immediately.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email to registered users. Continued use of our services after a policy update constitutes acceptance of the new terms.
11. Contact us
For privacy-related enquiries:
Honed Health Pty Ltd
Email: privacy@honed.health