
Privacy Policy

Last updated: 9 April 2026

1. About this Policy

LUME is a health and wellness marketplace operated by Inevara Pty Ltd (ABN [TBD — confirm with Inevara Pty Ltd before public launch]), a company incorporated in Australia (“Inevara”, “we”, “us”, or “our”). LUME is part of the SINGULARITY family of marketplace platforms operated by Inevara.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use the LUME platform and associated services (collectively, the “Platform”).

We are bound by the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in Schedule 1 of that Act. Because we handle health information, we are subject to the enhanced obligations in APP 3 and APP 6 that apply to sensitive information. For users accessing the Platform from the European Economic Area or United Kingdom, additional rights under the GDPR and UK GDPR may apply as described in Section 12 below.

By creating an account or using the Platform you acknowledge you have read this Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Account information

When you register for a LUME account (as a consumer or as a health practitioner), we collect:

  • Full name and display name
  • Email address
  • Password (stored as a salted cryptographic hash — never in plain text)
  • Mobile phone number (optional, used for booking notifications)
  • Date of birth (to verify minimum age eligibility)

2.2 Health preferences and needs (consumers)

To enable our AI-powered matching service, we collect the following information which may constitute sensitive information under the Privacy Act:

  • Health needs and support categories (e.g. mental health, physiotherapy, nutrition)
  • Urgency of care (including crisis indicators — see Section 2.4)
  • Preferred therapeutic modalities (e.g. CBT, EMDR, DBT)
  • Medicare Mental Health Care Plan status and referring GP details (optional)
  • NDIS participant status and NDIS number (optional)
  • Preferred location and budget per session

This information is collected with your consent and is used only for practitioner matching and to enable Medicare and NDIS-aware pricing. It is not shared with practitioners until you initiate contact or make a booking.

2.3 Practitioner profile information

If you register as a health practitioner, we also collect:

  • AHPRA registration number and registration type (where applicable)
  • Medicare provider number (optional)
  • NDIS provider registration details (optional)
  • Specialisations, therapeutic modalities, and service areas
  • Service menu, pricing, and session duration
  • Business name and ABN or ACN (where applicable)
  • Bank account details for payment disbursement (held by our payment processor)

2.4 Crisis and urgent care flags

Where you indicate a crisis urgency level, we record this to enable priority follow-up by a care coordinator. We display the Lifeline crisis line (13 11 14) and emergency services number (000) prominently. Crisis flags are treated as sensitive health information under the Privacy Act and are accessible only to authorised care coordination staff.

2.5 Booking and engagement records

For every engagement initiated through the Platform, we record:

  • Date, service type, and session count
  • Consumer and practitioner identifiers
  • Engagement status history (pending, matched, active, completed, cancelled)
  • Match score and matching rationale (for transparency and AI audit purposes)
  • Referral source (e.g. GP referral, NDIS plan, self-referral)
  • Payment metadata: amount, currency, and transaction reference number

2.6 Reviews

Consumer reviews submitted through the Platform are retained and displayed publicly on practitioner profiles. They are associated with your consumer account. You may request deletion of a review you submitted by contacting us.

2.7 Device and analytics data

When you use the Platform, we automatically collect technical information including IP address (truncated), browser type, device identifiers (anonymised), pages visited, and session identifiers (stored in secure HTTP-only cookies). We use this data for security monitoring, fraud detection, and aggregate analytics. We do not sell this data.

3. How We Use Your Information

We use personal information only for the following purposes. Where the Privacy Act or GDPR requires a legal basis, we specify it:

Purpose                                                                | Legal basis (GDPR)
-----------------------------------------------------------------------|-------------------------------------------
Creating and managing your account                                     | Contract
AI practitioner matching using your health preferences                 | Contract / Consent (sensitive data)
Processing bookings and payments                                       | Contract
AHPRA verification of practitioner credentials                         | Legal obligation / Legitimate interests
Medicare and NDIS rebate calculations                                  | Contract
Crisis flag handling and care coordinator follow-up                    | Vital interests / Legal obligation
Sending booking confirmations and care reminders                       | Contract
Optional marketing emails (opt out at any time)                        | Consent
Fraud detection, security monitoring, and abuse prevention             | Legitimate interests / Legal obligation
Aggregate analytics and product improvement (de-identified data)       | Legitimate interests
Complying with legal obligations (ATO, court orders)                   | Legal obligation
Dispute resolution and platform safety investigations                  | Legitimate interests / Legal obligation

4. When We Share Your Information

We do not sell your personal information. We disclose it only in the following circumstances:

4.1 With practitioners upon matching or booking

When you initiate contact or book with a practitioner, we share your name, contact information, health preferences, and relevant care notes. Practitioners are not permitted to use this information outside the context of delivering services to you through the Platform.

4.2 Payment processors

Payments are processed by third-party payment service providers including Paddle. These processors receive only the payment information necessary to complete your transaction. We do not store full card numbers on our infrastructure.

4.3 AHPRA register (practitioners only)

To verify AHPRA registration status, we transmit practitioner registration numbers to our compliance service, which queries the publicly available AHPRA register. No consumer health information is shared in this process.

4.4 Infrastructure and hosting providers

We host the Platform on Amazon Web Services infrastructure in Australia (Sydney region, ap-southeast-2). We have data processing agreements in place with AWS.

4.5 Legal and regulatory requirements

We may disclose personal information if required by law, court order, regulatory direction, or where necessary to prevent harm to any person or to investigate suspected illegal activity.

4.6 Business transfers

In the event of a merger, acquisition, or asset sale involving Inevara, personal information may be transferred to the successor entity. We will notify you before any such transfer.

5. Sensitive Health Information

Health information is classified as “sensitive information” under the Privacy Act and receives a higher level of protection. We collect health information only:

  • With your express consent, and
  • Where reasonably necessary to provide the matching and care coordination services you have requested.

You may at any time update or delete your health preferences from your account settings. Updating your health preferences may affect the quality of practitioner matches we can generate for you.

6. How Long We Keep Your Information

  • Account and profile data: retained for the life of your account plus 24 months after closure to support dispute resolution and comply with tax obligations.
  • Health preferences (consumers): retained while your account is active. You may delete them at any time in account settings.
  • Booking and engagement records: retained for 7 years from the date of the last transaction, as required by Australian taxation law.
  • Crisis flags: retained for 7 years from the date of the flag to support any future duty-of-care investigations.
  • Device and analytics logs: retained for 13 months in identifiable form, then aggregated and de-identified.

7. How We Protect Your Information

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption at rest for sensitive fields
  • Passwords stored using cryptographic hashing
  • Role-based access controls — Inevara staff access personal data only where required for their role
  • Multi-factor authentication required for administrative access
  • Regular security assessments and penetration testing
  • Data stored in AWS ap-southeast-2 (Sydney) — Australian soil

In the event of a data breach likely to result in serious harm, we will notify the OAIC and affected individuals as required under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC).

To report a suspected security issue, contact [email protected].

8. Cookies and Tracking Technologies

  • Essential cookies: Maintain your session and authentication state. Cannot be disabled.
  • Preference cookies: Remember your settings and search filters.
  • Analytics cookies: Help us understand usage patterns to improve the Platform. Used with your consent where required by law.

We also use a single secure cookie (lume-onboarded) to track onboarding completion. This cookie does not contain health information and cannot be used to identify you off-platform.

9. Children's Privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us at [email protected].

10. Your Rights and Choices

  • Access: Request a copy of the personal information we hold about you. We will respond within 30 days.
  • Correction: Ask us to correct inaccurate or incomplete information. You can update most information in account settings.
  • Deletion: Request deletion of your account and associated personal information, subject to the retention obligations in Section 6. Go to Settings → Account → Delete Account, or contact us.
  • Withdrawal of consent: Withdraw consent for health preference collection or marketing emails at any time via account settings or by contacting us.
  • Restriction and objection (GDPR): Where GDPR applies, request restriction of processing or object to processing based on legitimate interests.
  • Data portability (GDPR): Request a copy of personal data you have provided in a structured, machine-readable format.
  • Complaint to regulator: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

11. Cross-Border Data Transfers

Our primary infrastructure is in Australia. Some service providers (including analytics and monitoring tools) are based overseas. Where personal information is transferred overseas, we ensure it receives equivalent protection through contractual data processing agreements and, for transfers to the US, through SOC 2 Type II certified providers.

12. Additional Rights for EEA and UK Residents

If you are located in the European Economic Area or the United Kingdom, Inevara Pty Ltd acts as a data controller for the purposes of the GDPR and UK GDPR respectively. In addition to the rights described in Section 10, you have the right to lodge a complaint with your local supervisory authority. Where we rely on legitimate interests as a legal basis, you have the right to object to that processing.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or wish to make a complaint, please contact our Privacy Officer:

Inevara Pty Ltd — Privacy Officer
LUME Privacy Enquiries
Email: [email protected]
Australia

We aim to respond to all privacy enquiries within 30 days.

14. Changes to this Policy

We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email at least 14 days before the change takes effect. Continued use of the Platform after a change constitutes acceptance of the updated Policy.

© 2026 Inevara Pty Ltd. All rights reserved.