Last updated: July 2026
CliniMerge is an Australian service that compiles patient records from Cliniko into a single PDF, operated from Victoria, Australia. This policy explains what information we collect, how we handle it, and your rights. We are committed to handling information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and applicable state health records legislation.
When you create an account we store your email address, a cryptographic hash of your password (we never store the password itself), your subscription status, and billing identifiers issued by our payment processor. If you connect Cliniko, we store your Cliniko API key in encrypted form; it is decrypted only at the moment it is used to retrieve records at your request.
When you run a merge, patient records are retrieved from your Cliniko account, processed on our server, and compiled into a PDF for you to download. These files are deleted from our server immediately after you download them, and any undownloaded files are automatically deleted within two hours. We do not retain patient clinical records. We keep a minimal activity log for each merge — the patient name, date range, and document count — so your clinic has an audit record of file productions. You remain the health information custodian for all patient records processed through the service; CliniMerge acts only on your instruction as a processing tool.
Payments are processed by Stripe. Your card details are provided directly to Stripe and never touch our servers; we store only a customer reference and subscription status. Stripe's handling of your data is governed by Stripe's privacy policy.
The service is hosted on Render's cloud infrastructure. Depending on service region, processing may occur on servers located outside Australia. Patient records transit these servers only for the duration of a merge and are then deleted as described above. Clinics should consider their obligations under APP 8 (cross-border disclosure) when using any cloud processing service, including this one.
We do not sell, share, or use your data or your patients' data for marketing, analytics products, or AI training. We do not access your Cliniko account except when you initiate an action that requires it.
All traffic is encrypted in transit (HTTPS). Passwords are stored as salted hashes. Cliniko API keys are encrypted at rest. Access to production systems is restricted to the operator of the service.
You may request access to, correction of, or deletion of your account data at any time by emailing support@clinimerge.com.au. Deleting your account removes your email, encrypted API key, and merge history. If you have a privacy concern we can't resolve, you may complain to the Office of the Australian Information Commissioner (oaic.gov.au).