Clara privacy.

Clara is STAT's clinical-reflection product, accessible at stat-clara.online. This policy sits alongside STAT's main privacy policy at stat.care/policies/privacy-and-policy and applies in addition to it. Where this document is silent, the parent policy applies.

What we collect

When you sign up at stat-clara.online/reflect, we collect: your first and last name, email address, primary profession, secondary profession (optional), AHPRA registration number (optional), and phone number (optional).

When you submit content to reflect on, we collect: the URL, PDF, or text you've chosen to reflect on, and your written answers to the reflection questions we generate.

Why we collect it

To generate personalised reflection questions through AI, to produce your AHPRA-format CPD Record of Activity, to match your reflection back to your STAT app account for STAT CoPay™ credit, and to email you the resulting CPD record.

Health information

Your reflection responses may contain clinical opinions or contextual information about your professional practice. Under the Privacy Act 1988, content of this kind may meet the definition of sensitive information ("health information"). We treat it accordingly: it is encrypted at rest, encrypted in transit, and access is limited to the purposes set out above.

Where Clara's AI runs

By default, all AI processing for Clara runs inside Amazon Web Services' Australian regions (Sydney and Melbourne), under the AWS Business Associate Addendum. Anthropic's Claude model is hosted within AWS and inherits the same residency. Your reflection content does not leave Australia under normal operating conditions.

Just-in-time overseas processing (rare)

If both AWS Australian regions are unavailable at the moment you submit a reflection, Clara will pause and ask for your specific consent before processing your content through an overseas AI provider (currently OpenAI, US-hosted). You may decline and try again later; the pause does not penalise you.

If you decline, your content is not sent overseas. If you accept, the content is processed under OpenAI's terms in addition to ours, and is subject to United States law for the duration of that processing. We never send content overseas without your in-the-moment consent.

AI providers

Our AI providers process your reflection content for the sole purpose of generating questions and summarising your responses for your CPD record. We do not allow them to retain content for training, and our agreements with them prohibit secondary use.

CPD record delivery

Your CPD record is emailed to the address you provided. We retain the record server-side so we can re-send it on request.

Retention

We retain your account details (name, email, profession, AHPRA) for as long as your STAT app account is active, plus 12 months.

We retain your reflection content (questions, answers, generated CPD records) for 7 years from the date of the reflection — this aligns with AHPRA's record-keeping expectations for CPD activities. After that, we delete or de-identify it. You may request earlier deletion (see below).

Access and correction

You may request a copy of the information we hold about you, or ask us to correct or delete it, by emailing info@stat.care. We will respond within a reasonable period (no more than 30 days).

Cross-border disclosure summary

Personal information we collect through Clara is held in AWS Australian regions by default. We do not routinely disclose it overseas. The only overseas disclosure scenario is the just-in-time consent path described above, and it requires your explicit confirmation on each affected reflection.

Security

All Clara data is encrypted in transit (TLS) and at rest (AWS KMS-managed keys on RDS and S3). Database access is restricted to private subnets within our virtual private cloud and is audited. Secrets and credentials are held in AWS Secrets Manager. We do not store passwords; sign-in uses one-time codes emailed to the address you registered.

Complaints

If you believe we have mishandled your information, contact us at info@stat.care. If your complaint is not resolved to your satisfaction, you may refer it to the Office of the Australian Information Commissioner at oaic.gov.au.

Data breach notification

STAT maintains a documented procedure for assessing and notifying eligible data breaches under the Privacy Act's Notifiable Data Breaches scheme. Where a breach is likely to result in serious harm and we cannot remediate it, we will notify affected individuals and the OAIC as soon as practicable.

Changes to this policy

We may update this policy from time to time. When we do, we'll change the "last updated" date at the top of this page. Material changes will also be communicated via email to anyone with an active Clara account.