Privacy Policy

DocWorks Pty Ltd ACN 685 553 664 (“we”, “us”, “our”) values your privacy and is committed to protecting personal and health information. This Privacy Policy explains how we collect, use, store and protect information when you use OnScribe™ (the “Service”), including our mobile application and web interface.


This Policy complies with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

By using the Service, you consent to the practices described below.


Last updated: 04 November 2025

About OnScribe

OnScribe provides secure medical transcription and documentation assistance to healthcare professionals through:


  • Mobile applications (iOS and Android).

  • Web interface (Platinum tier).

  • AI-powered transcription and documentation support.

The Service is intended for use only by healthcare professionals, not patients or the public.

How we use collected information

User (Healthcare Professional) Information

  • Account details: Full name, email, occupation.


  • Provider information : Provider Number and Clinic Details (Optional, for Investigation Slip generation, not encrypted, not shared)


  • Templates: User-uploaded PDF templates (stored in cloud for syncing).

  • Short forms: User-defined acronyms.

  • Healthcare worker contacts (Pro/Platinum): Full name, practice details (not encrypted, not shared).

  • Primary GP details of a patient: Encrypted – not traceable by us.

  • Appointments (Platinum): Encrypted – not traceable by us.

  • Usage data: Interaction logs, feature usage, device info.

  • Authentication: Login via Google Authentication. Passphrases are never stored. A user-generated passphrase (OnKey) creates an encrypted master key stored in Microsoft Azure Key Vault.

  • Billing data: Subscription details processed by third-party payment providers.

Patient Information (handled on behalf of users)

  • Health Information (PHI): Patient-identifiable medical information dictated or entered by the healthcare professional. All data is encrypted, and OnScribe has no access to its contents.


  • Audio recordings: Encrypted and stored for the user’s own playback (Plus, Pro and Dictation mode in Platinum, Consult mode in Platinum does not retain audio recordings). Recordings are transferred in an encrypted state via a secure channel virtual private network (VPN) to an Australian-based transcription engine (Microsoft Azure, Sydney), processed in memory for transcription, and then permanently deleted. OnScribe has no access to its contents.


  • Transcripts: AI-generated notes, encrypted and stored. OnScribe has no access to its contents.

Technical Information

  • Device identifiers, operating system, app version.

  • Security logs (access attempts, encryption events).

  • Service performance and error reports.

Unsolicited Personal Information

On rare occasions, we may receive personal information that we have not actively requested (for example, where a user or third party provides additional details in error). In such cases, we will promptly assess whether the information could lawfully have been collected as part of our Service. If it is relevant and necessary, we will handle it in accordance with this Privacy Policy. If it is not required, and where lawful and reasonable, we will securely destroy or de-identify the information as soon as practicable. Due to our zero-knowledge encryption model, any patient health information (PHI) uploaded in this manner remains inaccessible to us and under the sole control of the authorised healthcare professional.

How We Use Information

  • Service provision: Account management, transcription, syncing (Pro/Platinum).

  • Service improvement: Analytics, feature development, performance optimisation.

  • Legal/compliance: Maintain audit trails, comply with regulations, prevent fraud.


  • Communication:

    - Essential notifications: Account management, security alerts, two-factor authentication, billing notices, critical service updates

    - Marketing communications (can be unsubscribed): Product updates, new feature announcements, educational videos, training materials, service tips

    - Customer support: Responses to inquiries and technical assistance


  • You may opt out of marketing communications at any time using unsubscribe links in emails or by contacting support@docworks.com.au.


  • Essential service communications cannot be disabled while your account is active.

Data Processing and Artifical Intelligence (AI) Services

  • Audio encrypted client-side before transmission.


  • Processing occurs on Microsoft Azure servers in Sydney, Australia.

  • Audio processed in-memory and immediately deleted after transcription.

  • Large Language Model (LLM) services run on Microsoft Azure in Sydney servers only.

  • Zero-knowledge: we cannot decrypt PHI at any time.


Smart PDF Import (referral letters) and Smart Scanner follows the same encrypted client-side transmission, in-memory processing, and immediate deletion process as audio recordings.

AI Accuracy and Clinical Responsibility

While OnScribe’s AI systems are designed to assist with transcription and summarisation, they may occasionally generate additional or imprecise content (“hallucinations”), including statements that could appear to provide diagnostic or therapeutic guidance.

Such content is unintended and outside the scope of the Service.


OnScribe does not analyse or interpret clinical information for therapeutic purposes, and AI outputs are processed transiently without being used to train models or influence patient care.

Healthcare professionals must not rely on AI-generated or summarised content for diagnosis, prognosis, or treatment decisions and remain fully responsible for verifying all clinical information before use.

Data Storage and Security

  • Encryption: AES-256-GCM with built-in authenticated encryption, monthly key rotation, and tamper detection.

  • Storage: Encrypted data stored on Google Cloud (Sydney/Melbourne).

  • Access controls: MFA for admins, principle of least privilege, user OnKey passphrases never stored.


  • Monitoring: Continuous logging and threat detection.

Exported Documents

When you choose to export (via Share PDF / Print on Soft Copy buttons) a transcript (e.g. as a DOCX or PDF file), the file leaves the OnScribe encrypted environment. At that point, it is no longer protected by OnScribe’s zero-knowledge architecture and will not be encrypted by us. Responsibility for securing, storing, or transmitting exported files rests with you, the authorised healthcare professional.

Data Sharing and Disclosure

Third-Party Service Providers

We use carefully selected third-party service providers under strict data processing agreements to deliver and support the Service:


  • Microsoft Azure (Sydney, Australia) – AI transcription and document enhancement services. Data processed in-memory and immediately deleted. Services used are HIPAA compliant.

  • Google Cloud Platform (Sydney and Melbourne, Australia) – encrypted storage of user and patient data. A Business Associate Agreement (BAA) is in place.


  • RevenueCat (global data centres) – subscription and billing management for in-app purchases. RevenueCat processes only account and subscription details and does not access or process any patient data.

  • SendGrid (United States) – delivery of secure authentication and login emails (e.g. two-factor authentication codes). No patient data is transmitted; only basic account details such as email and security tokens.

  • Zoho (Australia) – customer support and ticketing system.

All providers are contractually bound to handle information securely and in compliance with privacy requirements.

No Data Sharing

  • We do not sell, rent, or share personal information with third parties for marketing purposes.

  • Patient health information (PHI) is encrypted with a zero-knowledge architecture, ensuring it is inaccessible to OnScribe and cannot be shared.

  • Microsoft, Google, RevenueCat, SendGrid, and Zoho cannot access or decrypt patient data due to our zero-knowledge encryption architecture.

Legal Disclosure

We may disclose limited information when:


  • Required by Australian law or legal process.

  • Necessary to protect our rights or prevent illegal activity.

  • Responding to valid government or regulatory requests.

  • Protecting the safety of users or the public.

Because of our encryption model, we cannot provide decrypted patient health information (PHI) to any third party, including regulators, courts, or government agencies. Only the authorised healthcare professional (user) controls and can decrypt this data.

Data Retention and Deletion

  • Plus (free): Recordings and transcripts remain only on the user’s device. The user decides retention or deletion. No automatic deletion applies.

  • Pro/Platinum:

    • Local device recordings auto-delete after 14 days.

    • Cloud recordings auto-delete after 21 days (Pro) or 28 days (Platinum) - Dictation Mode only. Consult mode audios are not stored.


  • Transcripts: Stored until the user deletes them.

  • Account data: Retained for as long as the account is active or as required by law.

  • Deletion requests: Full deletion (including backups) completed within 30 days.


  • If you participate in a free trial, the same data handling and security measures apply. Trial usage (minutes/pages) is tracked only for quota management and does not alter our retention or deletion policies.

Patient Consent & Responsibility

  • Users must obtain patient consent before recording or entering health data.

  • OnScribe provides consent prompts but does not collect patient consents directly.

  • Patients wishing to exercise privacy rights must contact their healthcare provider (the user), not DocWorks Pty Ltd.

International Data Transfers

  • All PHI and user data processed and stored within Australia.

  • Exception: SendGrid (US) may process limited personal information (email, 2FA code) for login/verification purposes. No PHI is transferred.

Cookies and Web Data

  • Essential cookies maintain sessions and preferences.


  • Device trust tokens: For OnScribe webapp (www.onscribe.app) users who opt in, we may store a secure token in your browser's local storage to remember your device for 30 days and skip two-factor authentication on subsequent logins. This token is hashed and cannot be used to access your account without proper authentication.


  • Analytics cookies may be used; users can disable in browser settings.

Children’s Privacy

OnScribe is for use by healthcare professionals only. It is not intended for individuals under 18.

User and Patient Privacy Rights

User Privacy Rights (Healthcare Professionals)

As a user of OnScribe, you have rights under the Australian Privacy Act 1988 to:


  • Access your personal information and request a copy.

  • Correct inaccurate or incomplete details.

  • Delete your account and personal data (subject to legal obligations).

  • Restrict or object to certain types of processing.

  • Withdraw consent where processing is based on consent.

  • Lodge complaints about our privacy practices.

To exercise these rights:


  • Use the data management tools in your account settings.

  • Email our Privacy Officer at privacy@docworks.com.au.

  • Write to us at our postal address.

Patient Health Information

OnScribe processes patient health information only on behalf of the treating healthcare professional. We act as a secure technology provider, not as the custodian of patient medical records.


  • Patients who wish to access, correct, or delete their health records should contact their healthcare provider directly.

  • OnScribe cannot access, view, or decrypt patient health information at any time.

  • We ensure that all patient data remains encrypted, secure, and under the control of the healthcare professional who created it.

This approach ensures patients’ health information is safe while respecting the legal and professional responsibility of clinicians as custodians of medical records.

Privacy Complaints and Contact

  • Privacy Officer: privacy@docworks.com.au

  • Postal: DocWorks Pty Ltd,2/234 South Road, Mile End SA 5031

  • Complaints acknowledged within 7 days, resolved within 30.

If unresolved, complaints may be referred to the Office of the Australian Information Commissioner (OAIC) www.oaic.gov.au.

Updates to this Policy

  • Updated as required to reflect law or technology changes.

  • Material updates notified to users 30 days in advance.

  • Date of last revision is published at the top.

Regulatory Compliance

  • Full compliance with the Privacy Act 1988 and APPs.


  • Regular audits and training.

  • Incident response and breach notification procedures in place.

Security Measures

  • Technical: AES-256 encryption, Azure Key Vault, penetration testing.

  • Operational: Staff training, background checks, privacy-by-design processes.


  • Physical: Secure Australian data centres, environmental and access controls.

Contact Information

For all privacy matters:


  • Privacy Officer: privacy@docworks.com.au

  • General contact: support@docworks.com.au

  • Postal address: DocWorks Pty Ltd,2/234 South Road, Mile End SA 5031


© 2025 Docworks Pty Ltd. All rights reserved.

Medical transcription, redefined.

Copyright © 2025 OnScribe. All Rights Reserved.

A Product of Docworks Pty Ltd - Built in Shepparton VIC

Medical transcription, redefined.

Copyright © 2025 OnScribe. All Rights Reserved.

A Product of Docworks Pty Ltd - Built in Shepparton VIC

Medical transcription, redefined.

Copyright © 2025 OnScribe. All Rights Reserved.

A Product of Docworks Pty Ltd - Built in Shepparton VIC

Medical transcription, redefined.

Copyright © 2025 OnScribe. All Rights Reserved.

A Product of Docworks Pty Ltd - Built in Shepparton VIC