Data Retention & Deletion Policy

1. Purpose of This Policy

EzyTCM is a practice management platform operated by EZY TCM Pty Ltd (“EzyTCM”, “we”, “us”, or “our”).

This Data Retention & Deletion Policy explains how EzyTCM manages the retention and deletion of data stored or processed through the platform.

This policy ensures that data is retained only as long as necessary to:

• Support platform functionality
• Meet legal and professional obligations
• Maintain operational integrity and security

This policy should be read together with our Privacy Policy, Data Security Policy, and Terms of Use.

2. Scope of Data Covered

This policy applies to all data processed through the EzyTCM platform, including:

• Patient personal and health information
• Clinical records, consultation notes, prescriptions, and treatment data
• Appointment, billing, invoicing, and transaction records
• Clinic and user account information
• System logs, audit trails, and security records
• Backup and recovery data

3. Roles and Responsibilities

EzyTCM acts as a data processor / service provider.

Clinics using the platform act as data controllers and are responsible for:

• Determining how long patient records must be retained
• Ensuring compliance with applicable healthcare and privacy laws
• Managing patient data access, correction, and deletion requests

EzyTCM does not determine clinical record retention requirements on behalf of clinics.

4. Data Retention Principles

EzyTCM’s data retention practices are guided by:

• Minimum necessary retention — data is retained only as long as required
• Legal and regulatory compliance
• Operational continuity and dispute resolution
• Security and system integrity
• Shared responsibility between EzyTCM and clinics

5. Retention of Patient and Clinical Data

Patient and clinical data is retained:

• For the duration of an active subscription; and
• For a limited period after subscription termination as described in Section 8

EzyTCM:

• Does not modify or delete clinical data without instruction (except where required by law)
• Stores data on behalf of clinics

Clinics remain solely responsible for compliance with medical record retention laws in their jurisdiction.

6. Retention of Account and Operational Data

EzyTCM may retain:

• Account and user information
• Subscription and billing records
• Payment history and invoices
• Support communications

Such data is retained for as long as reasonably necessary to:

• Maintain the business relationship
• Comply with legal and financial obligations
• Resolve disputes and enforce agreements

7. System Logs and Audit Records

EzyTCM maintains system logs for:

• Security monitoring
• Troubleshooting
• Compliance and audit purposes

Log data:

• Is retained for a limited and reasonable period
• Is accessible only to authorised personnel

8. Backup Data and Disaster Recovery

EzyTCM maintains encrypted backups for disaster recovery.

• Backup data is retained on a rolling basis
• Deleted data may remain in backups temporarily
• Backup data is not actively processed or accessed in normal operations
• Backup data is overwritten or deleted in accordance with backup cycles

9. Account Termination and Data Deletion

When a subscription is cancelled or terminated:

• Platform access will be disabled at the end of the billing period
• Clinics may export their data within a reasonable period (e.g. 14–30 days) after termination
• After this period, EzyTCM may delete data from active systems

EzyTCM:

• Does not guarantee immediate or irreversible deletion
• Is not responsible for data loss if data is not exported within the allowed period

Some data may be retained where required for:

• Legal obligations
• Security purposes
• Backup systems

10. Deletion Requests

• Clinics are responsible for managing patient data deletion requests
• EzyTCM will act only when authorised by the clinic or required by law
• Certain data may be retained despite deletion requests due to legal or regulatory obligations

11. Legal and Regulatory Holds

EzyTCM may retain data beyond normal retention periods where necessary to:

• Comply with legal obligations
• Respond to regulatory requests
• Investigate disputes or security incidents

Data will only be retained for as long as necessary.

12. Policy Updates

This policy may be updated periodically.

The latest version will be published on the EzyTCM website with the updated date.

13. Contact Information

For questions regarding data retention or deletion:

Email: privacy@ezytcm.com

Operator: EZY TCM Pty Ltd

Location: Adelaide, South Australia