Privacy Policy

Last updated: June 2026

⚠️ This Privacy Policy is a draft and must be reviewed by a qualified Australian healthcare/pharmaceutical lawyer before use with real patients.
Dava ("we", "us", "our") operates a technology platform at dava.net.au that facilitates prescription medicine delivery for our licensed pharmacy partner. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using Dava, you agree to this policy.

1. What information we collect

Account information: Your name, email address, phone number, and password when you create an account.

Health information (sensitive): E-prescription token reference strings, medication category labels (e.g. "blood pressure medicine"), prescription issue dates, expiry dates, and repeat numbers. Full clinical data is held exclusively by the partner pharmacy's dispensing system — Dava stores only the minimum data necessary to schedule your deliveries.

Delivery information: Your delivery address(es) and delivery preferences.

Payment information: Processed and stored securely by Stripe. Dava does not store your full credit card number at any time.

Subscription information: Your chosen subscription tier, renewal dates, and transaction history.

Communication preferences: Your marketing email opt-in status (always opt-in, never pre-checked).

Usage information: Aggregated, anonymised platform usage data via Vercel Analytics. No health information is included.

2. Handling of sensitive health information

Prescription records constitute sensitive information under section 6(1) of the Privacy Act 1988. We apply heightened protections:

  • Column-level encryption using pgcrypto for all prescription tokens and health-related fields.
  • Explicit, separate consent is required before we collect any health information — never bundled with general terms acceptance.
  • Health information is used exclusively for the purpose of scheduling and facilitating your prescription deliveries.
  • Zero health data is shared with Google Analytics, Facebook, advertising networks, or any third-party analytics platform.
  • Medicine names never appear in email subjects or URL paths.
  • All access to prescription records is logged in an immutable audit trail.

3. How we use your information

We use your personal information only for the purposes for which it was collected:

  • To create and manage your Dava account and subscription.
  • To facilitate the verification and dispensing of your prescriptions by our licensed partner pharmacy.
  • To schedule, process, and track your medicine deliveries.
  • To alert you when prescriptions are approaching expiry (alerts sent 14 days and 7 days before the expiry date).
  • To process payments through Stripe.
  • To send transactional emails (delivery confirmations, prescription status updates, renewal reminders).
  • To send marketing communications — only if you have separately opted in.
  • To comply with legal obligations, including pharmacy and TGA record-keeping requirements.
  • To improve the platform through aggregated, de-identified analytics.

We will never use your health information for advertising, profiling, or any purpose unrelated to your dispensing and delivery needs.

4. Disclosure of your information

Our licensed partner pharmacy: Prescription token references and category labels are shared with our registered pharmacy partner for dispensing purposes.

Technology service providers (overseas disclosure — APP 8):

Provider   | Purpose                      | Location                    | Data shared
Supabase   | Database, auth, file storage | ap-southeast-2 (Sydney)     | All platform data
Stripe     | Payment processing           | United States               | Billing data only — no health data
Resend     | Transactional email          | United States               | Name, email, category labels only
Vercel     | Application hosting          | United States (Sydney edge) | Aggregated usage analytics only
AusPost    | Parcel delivery              | Australia                   | Name and delivery address only

We do not sell your personal information. We do not disclose your information to any third party for marketing purposes.

5. Data security

We take reasonable steps to protect your information, including:

  • TLS 1.3 encryption for all data in transit.
  • Encryption at rest for all stored data via Supabase.
  • Column-level encryption for all health and prescription fields using pgcrypto.
  • Row-Level Security (RLS) policies ensuring you can only access your own data.
  • Mandatory multi-factor authentication (MFA) for all pharmacy staff accounts.
  • An immutable audit log for all prescription access and sensitive actions.
  • An independent penetration test before public launch.

6. Data retention

  • Prescription and dispensing records: 7 years from date of supply, as required under TGA regulations.
  • Account information: For the duration of your account, plus 7 years after closure.
  • Payment records: As required by Stripe and Australian tax law (generally 7 years).
  • Audit logs: 7 years, non-deletable.

Right to erasure: You may request deletion of your personal information under APP 13. However, dispensing records subject to the 7-year mandatory retention obligation cannot be deleted. We will delete all other personal information (account data, delivery addresses, payment tokens) upon request.

7. Your rights

  • Access (APP 12): Request a copy of the personal information we hold about you via your account settings or by contacting us.
  • Correction (APP 13): Update inaccurate information directly in your account settings, or contact us for corrections we need to make.
  • Deletion: Request deletion of your personal information, subject to our legal retention obligations (see Section 6).
  • Opt out of marketing: Use the unsubscribe link in any email or update your notification preferences in account settings.
  • Complaints: Lodge a complaint about our handling of your information.

8. My Health Record

Dava does not directly access or integrate with My Health Record. Dispensing records are uploaded by our partner pharmacy as part of their standard obligations under the My Health Records Act 2012. Patients wishing to opt out should do so through My Health Record or directly with the partner pharmacy.

9. Notifiable Data Breaches

If a data breach occurs that is likely to result in serious harm to you, we will notify the Office of the Australian Information Commissioner (OAIC) within 30 days of becoming aware of the breach, and notify affected individuals as soon as practicable. We maintain a documented Incident Response Plan for this purpose.

10. Complaints

If you have a complaint about how we handle your personal information, please contact us first using the details below. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the platform. Continued use of Dava after changes are posted constitutes acceptance of the revised policy.

12. Contact us

For privacy-related enquiries, access requests, or complaints:

Dava Privacy Officer

Email: privacy@dava.net.au

dava.net.au · Brisbane, QLD, Australia
