Privacy Policy

Effective 30 April 2026 · Australia

Pharmafy ("we", "us") provides a customer-relationship-management platform to Australian pharmaceutical companies. This policy explains what personal information we handle, how we handle it, and your rights — in line with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

1. What information we hold

Pharmafy users (reps, managers, admins): name, mobile number, email, role, photo, login activity.
Healthcare professionals (HCPs): name, salutation, specialty, phone, email, address, photo, AHPRA-style identifiers if your organisation chooses to record them, and the engagement notes your reps capture about visits.
Practices & hospitals: business contact details, address (with optional geolocation), capacity figures, and the doctors and reps linked to them.
Operational data: visit reports, post-visit feedback survey responses, sample drops, follow-up tasks, outbound emails and SMS sent through the platform.
Integration data: when your administrator connects Xero (or another integration), invoices and contact records from that source are synced into Pharmafy.

2. How we use it

Customer Data is used solely to provide and improve the Service for the organisation that supplied it: powering the CRM, surfacing analytics, sending the emails and SMS messages you ask us to, and integrating with the third-party providers you connect.

We do not sell, rent or share Customer Data with advertisers. We do not use Customer Data to train shared machine-learning models. AI features that operate on Customer Data are run on a per-tenant basis and never expose one organisation's data to another.

3. Where data lives

Application data is stored in a managed MySQL cluster operated for your organisation, with TLS 1.2+ in transit and AES-256 encryption at rest. Sensitive free-text notes are additionally encrypted at the application layer using libsodium (XSalsa20-Poly1305) before being written to the database. Backups are encrypted and stored regionally.

4. How we authenticate you

Pharmafy uses one-time SMS codes (OTP) — there are no passwords. Codes are generated server-side, hashed with bcrypt, and expire after a few minutes. Failed attempts are rate-limited and trigger a 30-minute lockout. Sessions are short-lived, idle-timeout protected, and bound to your device fingerprint.

5. Third parties & integrations

Optional, opt-in integrations include:

Twilio — SMS delivery for OTP login codes (and any rep-initiated SMS).
SMTP / SendGrid (or your chosen provider) — outbound email when a rep sends a document or feedback survey to a doctor.
Xero — read-only OAuth into your accounting org to import invoices.
OpenStreetMap / Nominatim — geocoding of practice addresses for the map view.
Future integrations on our public roadmap: MYOB, QuickBooks, NetSuite, SAP, FHIR-based hospital EHRs, AU 4PL distributors. None are active until your administrator connects them.

Each integration is configured with credentials your organisation provides. Tokens are stored encrypted and can be revoked at any time from the admin panel or the third-party provider.

6. AI & geolocation

Pharmafy's roadmap includes AI features (geo-fencing of visits, language-model extraction of free-text notes, sales-to-prescriber attribution). These features are opt-in per workspace, run only against your tenant's data, and surface their reasoning so a human can verify any inference. Geolocation features only collect location data when a rep explicitly enables them on the device.

7. Your rights (APP 12 & 13)

If you believe Pharmafy holds personal information about you (for example, you are an HCP whose details have been recorded by a customer of ours):

You have the right to ask for access to that information and to have it corrected if inaccurate.
For HCP records, please contact the pharmaceutical company that uses Pharmafy — they are the data controller. If you can't identify the controller, contact us at privacy@pharmafy.com.au and we will route the request.
You can complain to us about how your information is handled. If you're dissatisfied with our response, you can also complain to the Office of the Australian Information Commissioner (oaic.gov.au).

8. Retention & deletion

Customer Data is retained while your organisation's account is active. On termination of the agreement we retain data for 30 days to allow export, after which it is deleted unless legally required to retain it for longer (for example, financial-record obligations).

9. Cookies & session storage

Pharmafy uses a single first-party session cookie (pharmafy_sid) marked HttpOnly, SameSite=Lax and Secure-on-HTTPS to keep you signed in. We do not use third-party tracking, ad pixels or analytics cookies on the application. The marketing landing pages may use minimal analytics; if so, this policy will be updated.

10. Children

The Service is intended for business users aged 18+. It is not designed for, and should not be used by, anyone under 18.

11. International transfers

Production hosting is in Australia. Some integrations (e.g. Twilio, an overseas SMTP provider) may process data outside Australia. We choose providers that offer appropriate safeguards (such as Standard Contractual Clauses or equivalent) and limit shared data to what's strictly necessary.

12. Changes to this policy

We may update this policy from time to time. The current version is always available at https://pharmafy.com.au/privacy with the effective date shown at the top. Material changes will be communicated by email or in-product notice.

13. Contact

Privacy enquiries: privacy@pharmafy.com.au
Security & data-incident reports: security@pharmafy.com.au
General: hello@pharmafy.com.au