
Vitavo Data Collection and Privacy


 

Data Collection Notice

Date of last update: 3 February 2026


Quick Summary

  • We collect personal and health information to deliver vaccination and health services
  • Your information is stored securely in Australia
  • We share information with your health services provider, AIR (mandatory by law for vaccinations), and program payors
  • You can access, correct, or request deletion of your information
  • Contact us: security@vitavohealth.com or 1300 068 463

 

This notice explains how Vitavo Health Pty Ltd (Vitavo, we, us) collects and handles your personal and health information when you register and use our platform to access health services, in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and applicable Australian state and territory legislation.

Vitavo recognises that health and immunisation data is considered sensitive information, and we handle it with a high standard of protection.

 

What information do we collect?

When you create an account and use Vitavo, we collect the following information relevant to the health service you are accessing. Not all fields apply to every service:

Personal information:

  • First name, last name, date of birth, gender
  • Email address, phone number, residential address
  • Medicare number and Individual Reference Number
  • Individual Healthcare Identifier (IHI)
  • Department of Veterans Affairs (DVA) card

Unique identifiers:

  • Medicare number and Individual Reference Number
  • Individual Healthcare Identifier (IHI)
  • Department of Veterans Affairs (DVA) card

Health and medical information (sensitive information):
The following information may be requested to determine your medical eligibility or your eligibility for government-funded health programs:

  • Medical history and medical information
  • Immunisation history
  • Information relevant to the health services you are receiving
  • Are you an Aboriginal or Torres Strait Islander?
  • Are you an Asylum Seeker or Refugee?

Usage and technical information:

  • How you access and interact with our platform
  • IP address, device type, browser type, operating system
  • Location data (where you access our services from)
  • Pages visited and actions taken within the platform

 

Why do we collect your information?

We collect your information to:

  • Enable your health services provider to deliver health services, including the assessment of medical eligibility
  • Create and manage your account
  • Verify your eligibility for vaccinations and health services, including government funding available to your health service provider that may cover part or all of the cost of the service
  • Report vaccination data to the Australian Immunisation Register (AIR) as required by law
  • Enable program administrators and payors to verify service delivery (this could be your workplace, or a state or Commonwealth government funding source)
  • Comply with legal and regulatory obligations
  • Respond to your enquiries and provide customer support
  • Improve our services and platform functionality

 

Who do we share your information with?

Your health services provider has complete access to your personal and health information stored in Vitavo. They use this information to provide healthcare services to you.

Australian Immunisation Register (AIR): Your health services provider is required under the Australian Immunisation Register Act 2015 to report all vaccinations you receive to the AIR, a national register maintained by Services Australia. This reporting is automatic and mandatory for legal compliance.

Program payors: Where your vaccination or health service is funded by a government program (federal or state) or workplace program, service delivery information may be shared with the program administrator or payor to verify service delivery and enable payment.

Service providers: We use trusted technology providers to store and process your information:

  • Amazon Web Services (AWS) – cloud infrastructure and hosting in Australia
  • Microsoft Azure – cloud infrastructure and hosting in Australia

These providers can only access your information to perform specific services for us and must protect it according to strict security standards.

Other disclosures: We may disclose your information:

  • Where required or authorised by law (e.g., to health authorities, law enforcement)
  • With your express consent
  • In an emergency affecting your health or safety
  • If our business ownership or control changes, subject to the same privacy protections

 

Is your information sent overseas?

No. Your personal information is stored exclusively in secure data centres in Australia operated by AWS and Microsoft Azure. We configure our systems to keep your data within Australia and do not transfer information overseas.

If overseas disclosure ever becomes necessary, we will ensure appropriate safeguards are in place and comply with Australian privacy laws (APP 8).

 

What happens if you don't provide your information?

All information requested during registration is mandatory for the selected health services. If you choose not to provide the required information:

  • We cannot create your account
  • Your health provider cannot deliver the health services safely and effectively to you
  • Vaccination records cannot be reported to the Australian Immunisation Register as required by law

 

Your rights and choices

Access and update: You can view and update your profile information by logging into your Vitavo account at any time.

Correction: If your information is inaccurate or out of date, you can correct it through your account or by contacting your health services provider.

Deactivation: If you no longer wish to use Vitavo, contact your health services provider or email security@vitavohealth.com. Note that deactivating your account doesn't delete your health service records, which must be retained for legal data retention compliance.

Deletion: You can request deletion of your information by contacting your health services provider or emailing security@vitavohealth.com. However, some health records must be retained by law under state and federal health record legislation (typically 7 years from the date of last service, or longer for certain records).

Access AIR records: You can access your complete immunisation history by contacting the Australian Immunisation Register on 1800 653 809 or through the myGov portal.

 

Age requirements and parental consent

You must be at least 14 years of age to create a Vitavo account or be assessed as a mature minor by your health services provider.

For individuals under 18 years of age, your health services provider will seek parental or guardian consent where required by law.

 

How we protect your information

We take security seriously and protect your personal and health information using:

  • Encryption during transmission and when stored (in transit and at rest)
  • Secure identity and access controls
  • Regular security monitoring and audits
  • Staff training on privacy and security obligations
  • Compliance with Australian Privacy Principles and health record legislation

Despite our security measures, no system is completely secure. If we become aware of a data breach that may result in serious harm, we will notify you and the Office of the Australian Information Commissioner as required by law.

 

How long we keep your information

We retain your health records in accordance with:

  • Australian health records legislation (state and territory requirements)
  • National health record retention standards
  • Legal minimum retention periods (typically 7 years from last service)

We hold your records on behalf of your health services provider for the duration of our service agreement with them. Your health services provider remains responsible for compliance with applicable retention requirements.

After the required retention period expires, your information will be securely destroyed or de-identified.

 

Questions or complaints?

If you have questions about how we handle your information, or wish to make a complaint, please contact:

Vitavo Security & Privacy
Email: security@vitavohealth.com
Telephone: 1300 068 463

We aim to respond to your enquiry within 30 days.

If you're not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC):
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au

 

 

Privacy Policy

Date of last update: 28 November 2025

This Privacy Policy is designed to comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and applicable Australian state and territory legislation. Vitavo Health Pty Ltd (“Vitavo”) recognises that health and immunisation data are considered sensitive information, and we handle it with a higher standard of protection.

This user agreement and consent (the “UAC”) sets out the rules governing:  

  • the use of the website at www.vitavohealth.com and subdomains or web-based applications, any successor website, and the services available on that website or any successor website (the “Services”); and  

  • the transmission, storage and processing of content by you, or by any person on your behalf, using the Services (“Content”).  

References in this UAC to “you” are to any customer for the Services and any individual user of the Services (and “your” should be construed accordingly); and references in this UAC to “us” are to Vitavo (and “we” and “our” should be construed accordingly).  

By using the Services, you agree to the terms of this UAC.  

We will ask for your express agreement to the terms of this UAC before you upload or submit any Content or otherwise use the Services.  

 

PART 1 – USE  

General usage rules  

You must not use the Services in any way that causes, or may cause, damage to the Services or impairment of the availability or accessibility of the Services.  

You must not use the Services:  

  • in any way that is unlawful, illegal, fraudulent, deceptive or harmful; or  

  • in connection with any unlawful, illegal, fraudulent, deceptive or harmful purpose or activity.  

You must ensure that all Content complies with the provisions of this UAC.  

 

Unlawful Content  

Content must not be illegal or unlawful, must not infringe any person’s legal rights, and must not be capable of giving rise to legal action against any person (in each case in any jurisdiction and under any applicable law).  

Content, and the use of Content by us in any manner licensed or otherwise authorised by you, must not:  

  • be libelous or maliciously false;  

  • be obscene or indecent; 

  • infringe any copyright, moral right, database right, trade mark right, design right, right in passing off, or other intellectual property right;  

  • infringe any right of confidence, right of privacy or right under data protection legislation; 

  • constitute negligent advice or contain any negligent statement; 

  • be in contempt of any court, or in breach of any court order; 

  • constitute a breach of any legislation; or 

  • constitute a breach of any contractual obligation owed to any person. 

 

Factual accuracy  

Content must not be untrue, false, inaccurate or misleading.  

Statements of fact contained in Content and relating to persons (legal or natural) must be true; and statements of opinion contained in Content and relating to persons (legal or natural) must be reasonable, be honestly held and indicate the basis of the opinion.  

 
PART 2 – PRIVACY  

We comply with the Australian Privacy Principles (APPs) and applicable Australian state and territory legislation in the collection, handling, use, and disclosure of your personal information. 

We collect, hold, use and disclose your personal information on behalf of your health services provider and in accordance with the agreement we have with them. 

 

Consent  

You consent to us collecting, holding, using and disclosing your personal information in accordance with this Privacy Policy, the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and applicable Australian state and territory legislation. Where we collect health or immunisation data, this is handled as sensitive information and requires express consent. 

Personal information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion may be personal information regardless of whether it is true.  

 

What personal information do we collect and hold?  

We collect information about you and your interactions with us, for example, when you use any of our services or otherwise visit our website or web-based application. The information we collect from you may include your identity and contact details, and your health and medical information, including your immunisation history.  

We may collect information about how you access, use and interact with the website or web-based application. This information may include:  

  • the location from which you have come to the site and the pages you have visited; and 

  • technical data, which may include IP address, the types of devices you are using to access the website or web-based application, device attributes, browser type, language and operating system.  

 

Children & Mature Minors 

You must be at least 14 years of age to use the Services, or be deemed a mature minor by your health services provider. Where required by law, providers will seek parental or guardian consent for individuals under 18 years of age. 

 

Cookies  

We use cookies. A cookie is a small text file that the website or web-based application may place on your device to store information. We may use persistent cookies (which remain on your computer even after you close your browser) to store information that may speed up your use of our website or web-based application for any of your future visits to the website or web-based application. We may also use session cookies (which no longer remain after you end your browsing session) to help manage the display and presentation of information on the website or web-based application. You may refuse to use cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of the website or web-based application.  

 

Why do we collect, hold and use your personal information?  

We collect, hold and use your personal information so that we can support your health services provider to:  

  • provide you with products and services, and manage their relationship with you; 

  • contact you, for example, to respond to your queries or complaints, or if they need to tell you something important; 

  • comply with their legal obligations and assist government and law enforcement agencies or regulators. 

If you do not provide us with your personal information, we will not be able to provide you with our services, communicate with you or respond to your enquiries.  

 

How do we collect your personal information?  

We will collect your personal information directly from you whenever you interact with us.  

We may collect information from third parties, such as your health services provider.  

 

How do we store and hold personal information?  

We store most information about you in computer systems and databases operated by either us or our external service providers such as Amazon Web Services and Microsoft Azure. We configure these services so that your data is stored in Australian regions, and we take reasonable steps to ensure no cross-border disclosure occurs. If cross-border disclosure is ever required, we will ensure compliance with APP 8 and apply appropriate contractual and security safeguards. Some information about you is recorded in paper files that we store securely.  

We use encryption (in transit and at rest), identity access controls, and regular monitoring to protect your information. 

We implement and maintain processes and security measures to protect personal information which we hold from misuse, interference or loss, and from unauthorised access, modification or disclosure.  

These processes and systems include:  

  • the use of identity and access management technologies to control access to systems on which information is processed and stored; 

  • requiring all employees to comply with internal information security policies and keep information secure; 

  • requiring all employees to complete training about information security; and 

  • monitoring and regularly reviewing our practice against our own policies and against industry best practice. 

We will also take reasonable steps to destroy or de-identify personal information once we no longer require it for the purposes for which it was collected or for any secondary purpose permitted under the relevant laws.  

We retain your personal information only as long as required by law (e.g., health record retention periods under state and federal legislation). After this time, data will be securely destroyed or de-identified. 

 

Who do we disclose your personal information to, and why?  

We hold your personal information on behalf of your health services provider, and they have complete access to your personal information.

Your health services provider reports all vaccines administered to the Australian Immunisation Register (AIR). You can access your records by contacting your health services provider or AIR.  

We may disclose personal information to external service providers so that they may perform services for us or on our behalf.  

We may also disclose your personal information to others where:  

  • we are required or authorised by law to do so; 

  • you may have expressly consented to the disclosure or the consent may be reasonably inferred from the circumstances; or  

  • we are otherwise permitted to disclose the information under relevant laws. 

If the ownership or control of all or part of our business changes, we may transfer your personal information to the new owner.  

 

Subprocessors and Service Providers 
Vitavo engages carefully selected third-party service providers (“subprocessors”) to assist in delivering our services, including cloud hosting, IT infrastructure, and support. These providers process personal information only on Vitavo’s instructions and under strict contractual and security obligations. 

Our current key subprocessors include: 

  • Amazon Web Services (AWS) – cloud hosting and storage (Australia regions) 

  • Microsoft Azure – hosting and infrastructure (Australia regions) 

A full list of subprocessors and their functions is available on request by contacting security@vitavohealth.com. 

 

Do we disclose your personal information to overseas recipients?  

Our systems are hosted with service providers such as AWS and Microsoft Azure. We configure these services to store your data in Australia. 

 

Do we use your personal information for marketing?  

We do not use your personal information for marketing.  

Your immunisation and health services provider may use your personal information to provide you with information about their products and/or services directly or through our Services.  

 

Access to, control of and correction of your personal information

You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations. These rights are provided under the Privacy Act 1988 (Cth) and APPs 12–13.
  

Your Choices:   

Where applicable under local law, you may have certain rights with respect to your personal information.  
 
Depending on which jurisdiction you live in, you may have the right to request information about our processing of your information, to request a copy of your information, to request the deletion or restriction of your information, to request to correct or update your information and to request to opt out of certain profiling activities.  Below, we describe the tools and processes for making these requests.  You can exercise some of the choices by logging into the system and updating your profile.  
  
Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we are permitted by law or have compelling legitimate interests to keep.  If you have unresolved concerns, you may have the right to complain to a data protection authority in the country where you live, where you work or where you feel your rights were infringed.   
  
Access and update your information: Our portal gives you the ability to access and update certain information. For example, you can access your profile information from your account and update those details at any time.   
  
Deactivate your account: If you no longer wish to use our service, your health provider may be able to deactivate your account. Otherwise, please contact security@vitavohealth.com and we will action this on your behalf. Please be aware that deactivating your account does not delete your information; your information remains visible to providers based on your past participation. Please note that even if your account is deactivated, we may be required to retain certain health records for legal compliance. These will be de-identified where possible once no longer needed.

Delete your information: Deletion and de-identification requests will be actioned in accordance with APP 11 and applicable health record laws. Some information may be retained where legally required. All requests for deletion or de-identification of your information should be addressed to security@vitavohealth.com. Please note, however, that we may need to retain certain information for record-keeping purposes, to complete transactions or to comply with our legal obligations. In all cases these records will be de-identified to ensure your personally identifiable data is no longer attached to the record.

To contact Vitavo about any inquiries, complaints or disputes about this Privacy Policy, please email security@vitavohealth.com. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) by visiting www.oaic.gov.au or calling 1300 363 992.

 

 
