Elite Muscle Therapy ("EMT", "we", "us", "our") is a registered Australian musculoskeletal therapy clinic operated by Yaser Moosavian. As a health service provider, we are required to comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs), regardless of our business size.
This policy explains how we collect, use, store, share, and protect your personal information. It applies to everyone who interacts with us as a patient, a website visitor, a workshop attendee, or in any other capacity.
If you have questions about this policy or about how we handle your information, contact us at [email protected].
We only collect information that is reasonably necessary to deliver our services. The information falls into the following categories.
When you book an appointment, complete an intake form, fill in a website form, or communicate with us, we may collect your name, date of birth, postal address, email address, mobile number, emergency contact details, and any information you choose to share with us.
When you express interest in a workshop, we collect your topic preference (for example, back pain, posture, recovery) and any optional notes you provide. This is treated as a marketing preference rather than clinical health information, but is still handled with care and only used to inform workshop content and relevant communications.
To provide musculoskeletal therapy safely and effectively, we collect health information including your medical history, current symptoms, medications, allergies, injuries, previous treatments, and clinical notes generated during your sessions. This information is sensitive and we treat it with the highest level of care.
When you pay for a session online, payment details are processed by Stripe through our practice management system Cliniko. We do not store your full credit card number or CVV. We retain transaction records (date, amount, last four digits) for accounting and refund purposes.
If you opt in to receive marketing communications, we record your consent, the date of consent, and your communication preferences (email, SMS, or both).
When you visit our website (elitemuscletherapy.com.au) we automatically collect technical information including your IP address, browser type, device, pages visited, referring website, and time on site. This is collected via Google Analytics 4 (GA4) and Google Tag Manager (GTM) using first-party cookies. This information is used in aggregate to understand how our website is performing.
Occasionally we may receive information about you from referring health professionals, your health fund (with your consent), or other people who have a legitimate reason to share it with us.
We collect information directly from you whenever possible. The main collection points are:
When information cannot reasonably be collected directly from you, we may collect it from a third party (for example, a referring practitioner). In those cases we will tell you what was collected and from whom.
We collect personal and health information for the following purposes.
To provide treatment. Your health history, symptoms, and treatment notes allow us to deliver safe and effective musculoskeletal therapy.
To manage your bookings. Your contact details allow us to confirm appointments, send reminders, and manage cancellations.
To communicate with you. We use your contact details for appointment reminders, treatment follow-ups, and, if you have opted in, for newsletters and updates from EMT.
To process payments. Your payment information is used to take and reconcile payments for sessions and any prepaid bookings.
To support health fund claiming. If you are claiming through a private health fund, we may share relevant treatment information with your fund, with your consent.
To meet our legal and professional obligations. As a health service provider we must maintain clinical records to certain standards and may be required to disclose information in specific circumstances (for example, in response to a subpoena or to comply with a mandatory reporting obligation).
To improve our service. Aggregated, de-identified information about our website and bookings helps us understand what is working and where we can improve.
We do not sell your personal information, ever. We share it only with the third parties listed below, only for the purposes described, and only to the extent reasonably necessary.
Cliniko (Red Guava Pty Ltd, Australia). Cliniko is our practice management system. It holds the canonical record of your patient file, appointments, health history, clinical notes, and consent preferences. Cliniko is Australian-owned and Australian-hosted. It complies with the Australian Privacy Principles.
Make.com (Celonis SE, European Union). Make.com runs our cancellation alert workflow. When a cancellation occurs in Cliniko, Make.com triggers an alert email to us. Only minimal information (first name and appointment time) flows through Make.com. No surname, date of birth, address, or clinical content is shared.
GoHighLevel (HighLevel LLC, United States). GoHighLevel hosts our website and our marketing and waitlist communications. First name, last name, mobile number, email, workshop topic preference, and any optional notes you provide on our forms flow through GoHighLevel for workshop and waitlist communications. No date of birth, postal address, clinical notes, or detailed health history is shared with GoHighLevel.
SMS provider. When our cancellation cascade and workshop reminder system goes live, SMS messages will be dispatched through an Australian SMS delivery service (the specific provider will be named here once selected). Until then, any SMS communication is sent via GoHighLevel or directly from Yaser's mobile.
Stripe (Stripe Payments Australia Pty Ltd). Stripe processes online payments via our Cliniko booking integration. Stripe is PCI-DSS compliant. We do not store full card numbers.
Google (Google LLC, United States). Google Analytics 4 and Google Tag Manager collect aggregated website usage information using cookies. We use Google's data processing terms.
Health funds. If you are claiming a session through a private health fund, treatment information may be shared with your fund. This sharing happens with your consent at the point of claiming.
Other health practitioners. If your treatment requires referral or coordination with another practitioner (for example, a GP, physiotherapist, or specialist), we may share relevant information with them, with your consent.
Government bodies and regulators. We may be required to disclose information in response to a court order, subpoena, mandatory reporting obligation, or other lawful request. We will only disclose what is legally required.
Some of the third parties we work with are based overseas or store information on servers outside Australia. The Australian Privacy Principles (APP 8) require us to take reasonable steps to ensure that overseas recipients handle your information consistently with the APPs.
The overseas processors we currently work with are:

| Processor | Location | What is shared | Protections in place |
|---|---|---|---|
| Make.com | European Union | First name and appointment time only | Data Processing Agreement (Celonis DPA, May 2024 template) on file |
| GoHighLevel | United States | First name, mobile, email (where consented) | Customer Data Processing Addendum (HighLevel CDPA, September 2025 template) on file |
| Google (GA4, GTM) | United States | Aggregated, mostly non-identifying website usage data | Google's standard contractual clauses |
| Stripe | Australian entity, with infrastructure in multiple jurisdictions | Payment transaction data | Stripe Australia is a regulated payments provider |

We apply strict data minimisation: only the minimum information needed for each task is shared with each overseas processor. We do not share clinical content, surname, date of birth, or address with any overseas processor.
We take the security of your information seriously and have implemented reasonable measures to protect it.
Cliniko is built specifically for healthcare practices and is certified to relevant security standards. Patient records are encrypted at rest and in transit.
Two-factor authentication is required on all administrator accounts that access patient data.
Credential management. We use a password manager. We never share credentials over email, SMS, or chat.
Access control. Only people who need access to specific information are granted it.
Data minimisation. As described above, only the minimum necessary information is shared with each system or processor.
No system is completely immune to security incidents. If a notifiable data breach occurs that involves your information, we will comply with our obligations under the Notifiable Data Breaches scheme, which includes notifying you and the Office of the Australian Information Commissioner.
We keep your information for as long as it is needed for the purposes described in this policy, and as required by law.
Clinical records: retained for at least 7 years from the date of your last treatment, or, if you were under 18 at the time of treatment, until you turn 25. This aligns with NSW health record retention requirements.
Marketing data: retained until you unsubscribe. After unsubscription we retain a record of the unsubscribe (to honour it) but stop sending you communications.
Financial records: retained for at least 7 years, as required by the Australian Taxation Office.
Website analytics: retained for the period set by Google Analytics 4 (default 14 months).
When information is no longer needed, we securely delete or de-identify it.
You have the right to ask for a copy of the personal information we hold about you. You also have the right to ask us to correct information you believe is inaccurate, out of date, incomplete, or misleading.
To make a request, email [email protected] with the subject line "Privacy request". Please tell us what you are asking for so we can respond efficiently.
We will respond within 30 days. This is the standard set by the Privacy Act.
We may charge a reasonable administration fee for very large or complex requests. We will tell you the fee before doing the work, and you can choose whether to proceed.
In rare cases we may decline a request (for example, if responding would unreasonably impact the privacy of another person, or if the request is frivolous). If we decline, we will explain why in writing.
Our website uses cookies and similar technologies to make the site work and to help us understand how visitors use it.
Essential cookies are needed for the website to function correctly. You cannot opt out of these and still use the site.
Analytics cookies are placed by Google Analytics 4 and Google Tag Manager. They collect aggregated usage information (pages viewed, time on site, referring source) and help us improve the site. The information collected is not used to personally identify you.
You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout) or by configuring cookie controls in your browser.
We will only send you marketing communications if you have given us explicit consent. Consent is captured at intake through our Cliniko form, where you can opt in to receive newsletters, special offers, or updates from EMT.
You can also opt in to marketing through our workshops expression-of-interest form on our website. Both consent records, the date of consent, and your communication preferences are stored in our systems.
You can change your communication preferences at any time by:
When you opt out, we will stop sending marketing communications within a reasonable period (typically a few business days, sometimes immediately). We will still send you essential service communications such as appointment reminders.
If you believe we have not handled your personal information in accordance with this policy or the Privacy Act, we want to know.
Step 1. Email us at [email protected] with the subject "Privacy complaint". Tell us what happened and what you would like us to do. We will acknowledge your complaint within 7 days and respond substantively within 30 days.
Step 2. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC):
We treat children's information with extra care. For patients under 18, we collect consent from a parent or guardian and apply the longer retention period described in section 8.
For any privacy question, request, or complaint:
Elite Muscle Therapy
ABN 33 661 601 823
260 Keira Street (inside Clublime Gym), Wollongong NSW 2500
Email: [email protected]
Practice hours: Monday to Thursday 8:00am to 4:30pm, Friday 8:00am to 12:00pm
We may update this policy from time to time. The "Last updated" date at the top of this policy will reflect the most recent revision.
If we make a material change (for example, adding a new third-party processor, or changing how we use your information), we will notify existing patients by email before the change takes effect.
The current version of this policy will always be available at elitemuscletherapy.com.au/privacy-policy.