Privacy Policy

How Daobook collects, uses, discloses, and safeguards personal information.

Last updated April 13, 2026

Daobook is operated by Emba Digital (ABN 89 683 319 486) from Australia. We provide practice-management software for registered Traditional Chinese Medicine practitioners. This Privacy Policy explains what personal information passes through Daobook, why, where it goes, and what choices you have.

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For a clause-by-clause description of how we apply each APP, see our Australian Privacy Principles statement.

Who this policy is for

  • Practitioners and clinic staff who hold a Daobook account.
  • Clients (patients) whose information is entered into Daobook by the clinic that treats them. The clinic is the primary holder of those records — Daobook hosts and processes that information on the clinic's behalf.
  • Visitors to daobook.com.au and to public booking and prescription pages a clinic chooses to expose.

What we collect

From practitioners and clinic staff

  • Name, email address, phone number
  • Profession, qualifications, and AHPRA registration number
  • Login credentials (passwords are stored as bcrypt hashes; two-factor secrets are encrypted)
  • Billing details for the Daobook subscription, processed by Stripe
  • Communication preferences and the contents of support requests you send us
  • Technical information such as IP address, browser, device, and pages visited

About clients (patients) entered by clinics

  • Name, contact details, date of birth, and demographic information
  • Health information: clinical history, consultation notes, prescriptions and formulas, treatment outcomes, intake-form answers
  • Appointments and attendance history
  • Invoices, payments, and (where used) health-fund details
  • Consent records — what consent was given, when, and through which channel

Automatically

  • Standard server logs (IP address, user agent, timestamps)
  • Cookies and local storage as described in our Cookie Policy
  • Error and performance data (sent to Sentry, see below)

How we use information

For practitioners and clinic staff:

  • To provide the Daobook platform and the features you turn on
  • To bill you for your subscription and any usage-based add-ons (e.g. SMS top-ups)
  • To respond to support requests and notify you of service-impacting issues
  • To send transactional and (where you've opted in) educational or product-update emails
  • To monitor security, prevent abuse, and meet our legal obligations

For client/patient information entered by clinics:

  • Only to operate the practice-management features the clinic uses (records, appointments, prescriptions, communications, invoicing).
  • We do not use patient information for marketing, profiling, model training, or sale, and we do not share it across clinics.

Third parties that process information for us

Some processing is performed by reputable service providers acting on our instructions. We rely on each provider's contractual commitments and applicable privacy framework. The current list:

  • Amazon Web Services — application hosting, database, file storage. Australia (ap-southeast-2, Sydney).
  • Stripe — billing and payment processing for Daobook subscriptions and SMS top-ups. United States.
  • Square — used by clinics that opt in to take card payments from their own clients. United States.
  • Twilio — SMS delivery (appointment reminders, confirmations, and other clinic-to-client SMS). United States.
  • ZeptoMail (Zoho) — transactional email delivery (account emails, receipts, intake forms, appointment notifications). India / global.
  • Sentry — application error and performance monitoring. May incidentally include practitioner user IDs and request context. United States.
  • Google — only when a practitioner opts in to Google Calendar sync; appointment metadata (time, duration, names, location) is sent to that practitioner's own Google Calendar. United States.
  • Anthropic and OpenAI — used for narrowly scoped features (assisted column mapping during data import; tutorial search embeddings). Patient identifiers are not sent for general AI processing or model training. United States.
  • Cliniko, Xero, Shopify — only when a clinic opts in to the corresponding integration, and only the data scoped by that integration. Cliniko (data import) is hosted in Australia; Xero is Australia/New Zealand; Shopify is global.

Where information is processed outside Australia, we take reasonable steps to ensure overseas recipients handle it consistently with the Australian Privacy Principles, but you acknowledge that your information may be subject to the laws of those jurisdictions.

How we protect information

Daobook is hosted on AWS in Sydney. Data is encrypted in transit (TLS) and at rest (AWS-managed AES-256). Database, cache, and file storage sit on private subnets. Two-factor authentication and passkey sign-in are available for every account, and access inside the application is restricted by role. The full set of technical and operational measures is described in our Data Security page.

No system is impenetrable. If we become aware of an eligible data breach affecting personal information, we will assess and notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.

When we share information

Outside the third-party processors listed above, we share personal information only:

  • With your consent, including any integration you turn on yourself.
  • When required by law — for example, in response to a valid court order, subpoena, or regulator request.
  • To protect rights or safety where we reasonably believe disclosure is necessary to prevent fraud, harm, or unlawful activity.
  • In the event of a sale or restructure of Emba Digital. Any successor would be bound by privacy terms no less protective than these.

We do not sell personal information.

Your rights

Under the Australian Privacy Principles you can ask us to:

  • Access the personal information we hold about you (APP 12)
  • Correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
  • Stop direct marketing from us at any time
  • Receive a copy of your data in a portable format (we provide CSV exports for the main entities in Daobook)

Email admin@daobook.com.au to make a request. We aim to respond within 30 days. If you're not satisfied with our response, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.

If you're a patient of a clinic that uses Daobook

The clinic that treats you is the primary controller of your record. To access, correct, or request deletion of information held about you, contact the clinic directly. If the clinic is unable or unwilling to help and you have already contacted them, you can email us with the clinic's name and we will assist where we are able to do so under privacy law.

Data retention

  • Active accounts: information is retained for as long as the account is active.
  • After cancellation: data enters a structured retention lifecycle (active → grace period → optional paid retention → scheduled deletion). The lifecycle is designed to give clinics time to export or migrate, and to support the long retention obligations TCM practitioners have under Australian health-records legislation (commonly seven years from the last entry, or until age 25 for minors).
  • Billing and tax records: retained for the period required by Australian tax law.
  • Server logs and error data: retained for short, rolling windows for security and operational purposes.
  • De-identified usage data may be retained for product analytics.

Children

Daobook accounts are for adult practitioners and clinic staff. Clinics do, of course, treat children — when they do, the child's information is held in the clinic's record and protected by the same measures as any other patient record. A parent or guardian should make access or correction requests through the treating clinic.

Changes to this policy

We will update this policy from time to time. The "last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated through the Daobook platform.

Contact

Questions, requests, and complaints about privacy can be sent to:
Emba Digital — admin@daobook.com.au
ABN 89 683 319 486