Privacy Policy

Last updated: 8 June 2026

InQuiry AI processes letter body text only — no patient names, dates of birth, Medicare numbers, or referring doctor details are ever transmitted. Letter text passes through our Australian server and to an AI provider; it is never stored, logged, or retained beyond the duration of the request.

Privacy & security compliance

Australian Privacy Principles Compliant: Privacy Act 1988 (Cth)
NZ Privacy Act 2020: New Zealand compliant
PIPEDA Aligned: Canada — eScription One users
ACSC Essential Eight — Level 1: Australian Cyber Security Centre
PCI DSS Level 1: Payments by Stripe
Hosted on AWS Sydney: ap-southeast-2 — data stays in Australia
Chrome Web Store: Google-reviewed & published
Letter text only
No InQuiry login access

How we protect your data

Letter Content Never Retained: Letter text passes through for processing — never stored, never logged anywhere on any server
No Patient Identifiers Transmitted: Names, DOBs, Medicare numbers never sent — architectural guarantee, not policy
AI Providers Don't Train on Your Data: Anthropic & OpenAI API terms — your content is never used for model training
API Keys Server-Side Only: AI provider keys are held on our Australian server — never embedded in the extension or exposed in your browser
MFA Protected Infrastructure: Multi-factor authentication on all privileged access
TLS Encrypted in Transit: All data encrypted — HTTPS enforced on every endpoint
Notifiable Data Breach Scheme: Covered by Australia's NDB Scheme — affected individuals and the OAIC are notified of any eligible breach

Privacy claims describe InQuiry AI Letter Review's design and operating practices. InQuiry AI is not OAIC-approved, ISO 27001 certified, or SOC 2 audited unless separately stated.

This Privacy Policy describes how InQuiry AI Letter Review ("we", "us", "our") collects, uses, and protects information when you use our Chrome extension and related services (collectively, the "Service").

We are committed to handling personal and clinical information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Health information is treated as sensitive information under Australian law and afforded the highest standard of protection.

Summary for clinicians: InQuiry AI processes letter body text only — no patient names, dates of birth, Medicare numbers, or referring doctor details are ever transmitted to our service. Letter text passes through our Australian server and to an AI provider for processing; it is never stored, logged, or retained beyond the duration of the request.

1. What Information We Collect

Account information: When you register, we collect your name and email address. This is used solely to authenticate you and manage your account.

Usage data: We record aggregate token counts (input and output) for each AI review you perform. This is used for billing purposes and to display your usage history. We do not record the content of any letter.

Billing information: Credit top-up payments are processed by Stripe. We receive confirmation of successful payment and the email address used at checkout. We do not store card numbers or full payment details — these are handled entirely by Stripe in accordance with PCI-DSS standards.

Letter content: When you click a review button, the body text of the currently open letter is transmitted to our server and forwarded to an AI service for processing. We do not store, log, or retain letter content beyond the duration of the request (typically under 60 seconds).

2. What Letter Content Contains

InQuiry AI is architecturally designed to process letter body text only. The following information is never transmitted to InQuiry AI:

Letter body text is clinical content — diagnoses, findings, medications, and management plans — which may occasionally include incidental quasi-identifiers such as a patient's approximate age or a generic first name used in dictation. This clinical content constitutes health information under the Privacy Act and is treated accordingly.

3. AI Processing and Overseas Disclosure

Letter content is forwarded from our Australian server to one of the following third-party AI providers for processing:

| Provider | Country | Data used for AI training? | Policy reference |
| --- | --- | --- | --- |
| Anthropic, PBC | United States | No — API data is not used to train models | anthropic.com/legal/privacy |
| OpenAI, LLC | United States | No — API data is not used to train models by default | openai.com/policies/api-data-usage-policies |

This transmission constitutes a cross-border disclosure of health information under APP 8 of the Australian Privacy Principles. By creating an account and using the Service, you acknowledge that letter body text will be transmitted to AI providers in the United States for processing.

Neither Anthropic nor OpenAI uses data submitted via their APIs to train their AI models. Letter content is not retained by these providers beyond the duration of the processing request.

4. Data Storage and Security

Account data, usage records, and transaction history are stored on servers located in Australia (AWS ap-southeast-2, Sydney region). All data in transit is encrypted using HTTPS/TLS.

Letter content is not stored on our servers at any point. Our web server access logs record request metadata (IP address, URL path, HTTP status code) but do not capture POST body content — letter text is never written to any log file.

Session tokens are stored locally in your browser using Chrome's secure extension storage and are never accessible to web pages you visit.

5. Data Retention

Account information and transaction records are retained for as long as your account remains active and for a reasonable period thereafter for billing and audit purposes. You may request deletion of your account and associated data at any time by contacting us.

Letter content is not retained beyond the processing request duration. No letter text exists in our systems after a review is complete.

6. Clinician Obligations and Responsibility

InQuiry AI is a tool used by clinical professionals in the course of their practice. Clinicians remain responsible for:

By creating an account, you confirm that you have appropriate authorisation to submit letter content to third-party AI processing services, and that your practice privacy policy covers AI-assisted processing of clinical correspondence.

The following consent language is provided for clinicians to adapt for use with patients:

7. Your Privacy Rights

Under the Australian Privacy Act, you have the right to:

To exercise any of these rights, contact us at inquiryreviewai@gmail.com.

8. Cookies and Tracking

The InQuiry AI website does not use tracking cookies or third-party analytics. The Chrome extension uses Chrome's built-in secure local storage for session tokens — this is separate from browser cookies and is not accessible to websites.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. Continued use of the Service after changes are posted constitutes acceptance of the updated policy. The "Last updated" date at the top of this page will always reflect the most recent revision.

10. Contact and Complaints

For privacy-related enquiries, please contact:

InQuiry AI Letter Review
Email: inquiryreviewai@gmail.com

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.