Privacy Policy

Last updated: 28 April 2026

Creative Thinking Institute Pty Ltd (CTI, we, us, our) is the parent company behind Regenemm Healthcare. CTI and Regenemm Healthcare build clinically grounded, AI-native healthcare technology across digital health, biosensors, clinical documentation, patient-facing summaries, consent-aware workflows, interoperability, auditability and related services.

This Privacy Policy explains how we collect, use, disclose, store and protect personal information when you access or use:

  • the Creative Thinking Institute website at www.creativethinkinginstitute.com (Website);
  • Regenemm Healthcare products, platforms, applications, spokes, hubs, portals and related services (Platform);
  • Regenemm Voice and related voice capture, transcription, summarisation and documentation workflows;
  • research, pilot, waitlist, newsletter, demo, support, implementation, operational and governance activities; and
  • any other CTI or Regenemm Healthcare products or services.

This Policy is intended to describe our privacy posture in plain language. It should be reviewed with qualified legal, privacy and clinical governance advisers before being relied on as the final legal position for any particular deployment, jurisdiction or customer contract.

Privacy and Governance Commitments

We are building healthcare AI with privacy, security, consent, auditability and human oversight as operating requirements. Our approach is guided by:

  • the Australian Privacy Principles in the Privacy Act 1988 (Cth);
  • the General Data Protection Regulation (GDPR) where it applies;
  • the Health Insurance Portability and Accountability Act (HIPAA) where it applies;
  • healthcare privacy, security and clinical safety expectations relevant to the jurisdictions and customers we serve;
  • our Artificial Intelligence Management System (AIMS) work aligned with ISO/IEC 42001;
  • our information security governance work aligned with ISO/IEC 27001; and
  • our Vanta-supported certification and assurance readiness pathway covering ISO/IEC 27001, ISO/IEC 42001, SOC 2, HIPAA and GDPR.

Where a customer agreement, data processing agreement, business associate agreement, consent form, clinical trial protocol or deployment-specific privacy notice applies, that document may contain additional or more specific terms.

What Personal Information We Collect

The information we collect depends on your relationship with us and how you use our Website, Platform or services. It may include:

  • contact and identity details, such as name, email address, phone number, organisation, role and professional details;
  • account and authentication information, such as user IDs, role assignments, access records and security events;
  • communications with us, including enquiries, demo requests, support requests, forms, feedback and correspondence;
  • device, browser, analytics and usage information from the Website or Platform;
  • clinical workflow information, where relevant to the service, including consultation context, notes, transcripts, summaries, letters, patient education, FHIR resources, referral information, medication information, care plans, handover information, discharge information and related documentation;
  • voice, audio or transcript information where Regenemm Voice or a similar capture workflow is used;
  • biometric, psychometric, wearable, movement, rehabilitation, sleep, circadian, biosensor, medical IoT or health-related information where collected through a Platform feature, study, integration or customer deployment;
  • consent, provenance and audit information, including who created, reviewed, approved, edited, exported, shared or accessed a record;
  • operational telemetry, logs and security events needed to operate, secure, monitor and audit the Platform; and
  • other information you provide to us or authorise us to collect.

Some of this information may be sensitive information, health information, protected health information (PHI) or special category data under applicable privacy laws.

Sensitive Information, Health Information and PHI

We only collect sensitive information, health information or PHI where it is reasonably necessary for our services, research, support, legal obligations, security obligations, clinical workflow support or another permitted purpose.

Where required, we will seek consent or rely on another lawful basis before collecting or processing sensitive information. In clinical or customer deployments, consent and lawful basis may also be governed by the relevant healthcare provider, customer agreement, clinical workflow, patient consent process, research protocol or deployment notice.

How We Use Personal Information

We may use personal information to:

  • provide, operate, maintain and improve the Website, Platform and services;
  • support clinical documentation, patient-facing summaries, clinician-reviewed outputs, consent-aware sharing, structured records, FHIR-ready outputs and care-team communication;
  • enable account management, authentication, authorisation, role-based access and security controls;
  • process enquiries, waitlist requests, demo requests, implementation requests, support requests and customer communications;
  • generate, review, edit, validate, export or distribute clinical workflow outputs where authorised;
  • provide patient-facing education or summaries where authorised;
  • support interoperability, integrations, reporting, auditability, provenance and operational workflows;
  • monitor quality, safety, security, reliability, performance, misuse, abuse, drift, error rates and operational issues;
  • comply with legal, regulatory, contractual, audit, security, privacy, clinical safety and governance obligations;
  • conduct privacy, security, AI impact, risk, compliance, incident, assurance and governance processes;
  • communicate changes to our services, policies, security posture or operational notices;
  • send marketing communications where permitted and where you have not opted out; and
  • de-identify, aggregate or anonymise information for analytics, research, service improvement, safety monitoring or governance purposes.

AI Systems, Clinical Review and Human Oversight

Regenemm Healthcare is designed to support clinical workflow, documentation and communication. It is not intended to replace clinical judgement.

AI-assisted outputs may include transcripts, summaries, letters, structured documentation, patient-facing summaries, education material, FHIR-ready records, review prompts or workflow suggestions. These outputs are intended for appropriate human review, approval and accountability before clinical reliance, sharing or use in care decisions.

Our AI governance approach includes, where applicable:

  • intended-purpose records;
  • AI system impact assessments;
  • system cards or model cards;
  • data lineage and provenance records;
  • testing, validation and monitoring evidence;
  • release approvals and rollback plans;
  • audit logs and operational monitoring;
  • incident and change records;
  • human-in-the-loop controls; and
  • executive oversight of high-impact AI risk and release decisions.

Model Training and Improvement

We do not use identifiable patient information, PHI or sensitive clinical content to train external foundation models unless this is authorised under the relevant agreement, consent or lawful basis and is subject to appropriate safeguards.

Where third-party AI or infrastructure providers are used, we assess their privacy, security, contractual and supplier controls. Where possible and appropriate, we configure services to limit retention, restrict training use, minimise data exposure and preserve auditability.

We may use de-identified, aggregated or anonymised information to improve safety, performance, usability, reliability, monitoring, research, model evaluation and service quality, provided the information is handled in accordance with applicable law and governance controls.

Disclosure and Sharing

We may disclose personal information:

  • to authorised users, clinicians, care teams, patients, customers, administrators or recipients as directed by the relevant workflow, consent, role, entitlement or customer instruction;
  • to service providers who support hosting, cloud infrastructure, analytics, communications, security, monitoring, support, payment, compliance, audit, identity, AI processing or operational services;
  • to professional advisers, auditors, insurers, regulators or legal authorities where required or permitted;
  • where necessary to prevent or lessen a serious threat to life, health or safety;
  • where reasonably necessary to establish, exercise or defend legal claims;
  • where required or authorised by law;
  • with your consent; or
  • in de-identified, aggregated or anonymised form where individuals are not reasonably identifiable.

We do not sell personal information. We do not disclose sensitive information for third-party direct marketing without consent.

Consent-Aware Distribution and Entitlements

Regenemm is being built around consent-aware, role-aware and entitlement-aware information flow. This means that access and sharing are intended to be limited to authorised users and recipients based on their role, relationship, consent status, customer configuration, legal basis and workflow context.

The Platform may record audit events showing who accessed, created, reviewed, approved, edited, exported or shared information. These records support security, clinical accountability, privacy compliance, provenance and incident investigation.

Security and Storage

We use administrative, technical and organisational safeguards designed to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

Depending on the service and deployment, safeguards may include:

  • encryption in transit and at rest;
  • identity and access management;
  • role-based and least-privilege access controls;
  • audit trails and security monitoring;
  • logging and alerting;
  • network boundary controls;
  • secrets management;
  • backup, recovery and retention controls;
  • vulnerability and incident management;
  • supplier due diligence; and
  • governance and evidence records maintained through our compliance program.

No system can be guaranteed to be completely secure. We continue to improve our controls as our products, customers, infrastructure and regulatory obligations evolve.

Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide services, maintain auditability, comply with legal and contractual obligations, support clinical governance, resolve disputes, enforce agreements, conduct assurance activities and meet recordkeeping requirements.

Retention periods may differ depending on the type of information, applicable law, customer agreement, clinical context, research protocol or deployment setting. When information is no longer required, we will take reasonable steps to delete, de-identify or securely archive it in accordance with applicable requirements.

Cross-Border Processing

We may store or process information in Australia or other countries where we or our service providers operate. Where personal information is transferred or accessed across borders, we take steps designed to ensure appropriate contractual, technical, organisational and legal safeguards are in place.

Specific deployments may use defined cloud regions or data residency arrangements under customer agreements.

Cookies and Analytics

Our Website may use cookies and similar technologies to operate the Website, remember preferences, understand site usage, improve content and support analytics.

We may use analytics tools such as Google Analytics or similar services. These tools generally provide us with aggregated usage information and do not by themselves identify a visitor to us, although analytics cookies typically assign a pseudonymous identifier to your browser. You can control cookies through your browser settings, although disabling cookies may affect some Website functionality.

Our cookie banner and consent settings may provide additional choices where required.

Marketing Communications

We may use contact details to send updates, newsletters, product information, research updates or event information where permitted. You can opt out of marketing communications at any time by using the unsubscribe link in an email or contacting info@creativethinkinginstitute.com.

We will not use sensitive health information for direct marketing unless permitted by law and supported by consent where required.

Your Rights and Choices

Depending on where you are located and which laws apply, you may have rights to:

  • access personal information we hold about you;
  • request correction of inaccurate or incomplete information;
  • request deletion or erasure in certain circumstances;
  • restrict or object to processing in certain circumstances;
  • request data portability in certain circumstances;
  • withdraw consent where processing is based on consent;
  • complain to us or to a privacy regulator; and
  • ask questions about how your information is handled.

To exercise privacy rights, contact us at privacy@creativethinkinginstitute.com.

If your information is processed on behalf of a healthcare provider, employer, research sponsor, customer or other organisation, we may need to direct your request to that organisation or work with them to respond.

Third-Party Links and Services

Our Website or Platform may link to third-party websites, services or integrations. We are not responsible for the privacy practices of third parties. You should review their privacy policies and terms.

Children

Our Website and general business services are not directed to children. If a product, service, study or clinical deployment involves children or minors, additional consent, legal, clinical and customer-specific requirements may apply.

Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will publish the updated Policy on the Website or otherwise notify users where required.

Contact Us

If you have questions, concerns or complaints about this Policy or our handling of personal information, please contact:

Privacy Officer
Creative Thinking Institute Pty Ltd
378 Victoria Parade
East Melbourne, Victoria 3002
Australia
privacy@creativethinkinginstitute.com

We will aim to respond within a reasonable time. If you are not satisfied with our response, you may contact the relevant privacy or data protection authority.

For Australia, the relevant authority is the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au.