Data Retention & Deletion Policy

1. Purpose of This Policy

EzyTCM is a practice management platform operated by EZY TCM Pty Ltd (“EzyTCM”, “we”, “us”, or “our”).

This Data Retention & Deletion Policy explains how EzyTCM manages the retention and deletion of data stored or processed through the EzyTCM platform.

The purpose of this policy is to ensure that data is retained only for as long as necessary to support platform services, meet legal and professional obligations, and manage operational and security requirements.

This policy should be read together with our Privacy Policy, Data Security Policy, and Terms of Use.

2. Scope of Data Covered

This policy applies to all data handled through the EzyTCM platform, including but not limited to:

• Patient personal information and health information
• Clinical records, consultation notes, prescriptions, and treatment data
• Appointment, billing, invoicing, and transaction records
• Clinic and user account information
• System logs, audit trails, and security records
• Backup and recovery data

3. Data Retention Principles

EzyTCM’s data retention practices are guided by the following principles:

• Minimum necessary retention — data is retained only for as long as required for its intended purpose
• Legal and professional compliance — retention reflects applicable healthcare, privacy, and business record obligations
• Operational continuity — retention supports service delivery, dispute resolution, and system integrity
• Shared responsibility — clinics remain responsible for determining how long patient records must be retained under applicable laws

EzyTCM does not determine clinical record retention periods on behalf of clinics.

4. Retention of Patient and Clinical Data

Patient and clinical data entered into the EzyTCM platform is retained for the duration of the clinic’s active subscription.

• Clinics control the creation, use, and management of patient records
• EzyTCM acts as a service provider and does not independently modify or delete clinical data
• Clinics are responsible for complying with healthcare record retention requirements applicable to their profession and jurisdiction

EzyTCM will not delete patient records during an active subscription unless instructed by the clinic or required by law.

5. Retention of Account and Operational Data

The following data types may be retained for operational purposes:

• User account details and role assignments
• Subscription, billing, and payment-related records
• Support communications and service requests

Such data is retained for as long as reasonably necessary to manage the business relationship, comply with financial and regulatory obligations, and resolve disputes.

6. System Logs and Audit Records

EzyTCM maintains system logs and audit records to support security monitoring, troubleshooting, and compliance.

• Logs may include access records, authentication events, and system activity
• Log data is retained for a limited period consistent with security and operational requirements
• Access to log data is restricted to authorised personnel

7. Backup Data and Disaster Recovery

EzyTCM maintains regular system backups as part of its data protection and disaster recovery practices.

• Backups are stored in secure and encrypted environments
• Backup data is retained for defined rolling periods
• Data contained in backups is not immediately deleted upon record deletion or account termination

Backup data is gradually overwritten or removed in accordance with backup retention cycles.

8. Account Termination and Data Deletion

When a clinic’s subscription is cancelled or terminated:

• Access to the platform will be disabled in accordance with the Terms of Use
• Clinics may be provided with a reasonable opportunity to export their data prior to termination
• Following termination, data may be retained for a limited period before deletion, subject to legal, operational, and backup requirements

EzyTCM does not guarantee immediate or irreversible deletion of all data upon account termination.

9. Deletion Requests

Deletion requests may arise from clinics or, in some cases, from patients.

• Clinics are responsible for handling patient deletion requests in accordance with applicable laws
• EzyTCM will act on deletion requests only when authorised by the clinic or required by law
• Some data may need to be retained despite a deletion request due to legal, regulatory, or security obligations

10. Legal and Regulatory Holds

EzyTCM may retain data beyond standard retention periods where required to:

• Comply with legal obligations or court orders
• Respond to regulatory enquiries
• Investigate or resolve disputes or security incidents

Such data will be retained only for as long as necessary for these purposes.

11. Policy Review and Updates

This policy may be updated from time to time to reflect changes in legal requirements, platform features, or industry practices.

The current version will be published on the EzyTCM website and will include the updated “Last Updated” date.

12. Contact Information

For questions about data retention or deletion, please contact:

privacy@ezytcm.com

EZY TCM Pty Ltd

Adelaide, South Australia