Mondrian Health
Sign In Pricing Start Free Trial

Privacy Notice

Mondrian EstiMate™ MBS-to-DRG Estimator · Mondrian Health Pty Ltd

Last updated: 2026-04-17

This Privacy Notice explains how Mondrian Health Pty Ltd ("Mondrian", "we", "us" or "our") handles personal information in connection with Mondrian EstiMate™ MBS-to-DRG Estimator (the "Service"). It is written to support transparent handling of information in line with the Privacy Act 1988 (Cth), including the Australian Privacy Principles ("APPs"), to the extent they apply to Mondrian.

This Notice is directed to organisational users of the Service, including hospital employees, contractors, analysts, finance teams, operational staff, health information managers and administrators. It does not override any separate data processing schedule, Order Form, security schedule or other written agreement that expressly applies to a particular Customer environment.

1. The approach we take

The Service is intended for administrative, operational and analytical use. It is not designed to require directly identifiable patient information for ordinary use. Our privacy approach is built around that principle: 1. we collect the information needed to operate, secure, support and bill for the Service; 2. we expect Customers not to upload identifiable patient data unless a written agreement expressly permits it; and 3. where personal information is processed, we apply governance, access controls and security measures appropriate to the nature of the Service and the information involved.

2. The information we collect

2.1 Information you provide directly

We may collect: 1. account and registration details, such as name, work email address, role, organisation name and account preferences; 2. billing and commercial details, such as billing contacts, subscription details, invoices and transaction history; 3. support and communications content, such as enquiries, tickets, meeting notes and feedback; 4. configuration information, including tenant settings, user roles, permissions and integration settings; and 5. information included in files, form fields or other inputs submitted to the Service.

2.2 Information generated through use of the Service

We may collect: 1. MBS item numbers, estimation parameters, administrative inputs and related metadata submitted to the Service; 2. generated outputs, reports and export history; 3. timestamps, access history, API activity, rate-limit events and feature usage data; 4. device, browser, operating system, IP address and approximate geolocation derived from technical connection data; 5. authentication, session and audit log information.

2.3 Payment information

If you buy a paid subscription, payment card information is processed by our payment processor, Stripe. Mondrian does not store full payment card numbers on its own application servers.

2.4 Information we do not seek for ordinary use

For ordinary use of the Service, we do not seek directly identifiable patient information. Unless we expressly agree otherwise in writing, you should not submit: 1. patient names or contact details; 2. Medicare numbers or insurer identifiers; 3. dates of birth or addresses; 4. free-text clinical narratives containing identifiable health information; or 5. any information that is not reasonably necessary for a permitted administrative use case.

3. Why we collect and use information

We collect and use information to: 1. provide, host, operate and secure the Service; 2. authenticate users and manage access control; 3. process subscriptions, billing and payments; 4. provide customer support, onboarding, training and communications; 5. investigate misuse, abuse, fraud, incidents and suspected security events; 6. monitor service health, performance and reliability; 7. comply with legal, regulatory, audit and contractual obligations; 8. maintain records, enforce our Terms and protect our rights and the rights of others; 9. improve the Service using de-identified, aggregated or otherwise non-identifying usage patterns; and 10. carry out internal administration, risk management and business operations.

We do not sell personal information.

4. Data roles and Customer responsibility

4.1 Customer responsibility for uploaded data

Where you upload or provide personal information or health information to the Service, you are responsible for ensuring that: 1. the information is lawfully collected and disclosed; 2. you have any required notices, consents, contractual rights or other lawful basis; 3. the information is accurate, relevant and limited to what is reasonably necessary; and 4. your use of the Service complies with applicable privacy, health records, confidentiality and employment laws.

4.2 Mondrian's role

Mondrian generally handles account, usage, billing and support information as a principal service provider for its own business operations and as the service operator of the platform. For Customer-submitted content, Mondrian processes the data as needed to provide and secure the Service in accordance with the applicable contract.

4.3 Unauthorised personal information

If we become aware that identifiable patient data or other sensitive information has been submitted contrary to the intended use of the Service or the parties' contract, we may refuse to process it, quarantine it, delete it, seek remediation instructions, or take other reasonable protective action.

5. How information flows through the Service

5.1 Core workflow data

The Service generally processes information through the following flow: 1. a User signs in using Mondrian's identity and access controls; 2. the User submits administrative inputs, such as MBS items and related estimation parameters; 3. the Service stores, processes and returns estimation outputs, logs and audit information; 4. outputs may then be viewed, exported or incorporated into the Customer's own internal workflow.

5.2 Operational data sets

Depending on configuration, the following categories of information may be stored or processed: 1. account and user profile data; 2. authentication and session data; 3. application content, inputs and outputs; 4. audit logs and security logs; 5. billing and invoicing data; 6. support and communication records; 7. backups and disaster recovery copies.

6. Storage locations and international handling

6.1 Storage locations

The Service may be hosted in Australia and, depending on deployment model, support tooling, payment flows or contracted infrastructure, in other jurisdictions used by Mondrian or its service providers.

The exact storage and processing footprint for a Customer environment may differ depending on: 1. the hosting architecture selected for that Customer; 2. the infrastructure and security services used at the time; 3. payment processing pathways; and 4. support, logging, backup and notification services engaged for that environment.

6.2 Cross-border disclosure

Where Mondrian discloses personal information to an overseas recipient, Mondrian will take steps that are reasonable in the circumstances to ensure the recipient handles that information in a manner consistent with applicable privacy obligations.

6.3 Practical expectation

Because internet-based software commonly relies on distributed infrastructure and support systems, personal information associated with accounts, billing, telemetry, notifications or support may be processed outside Australia even where the primary application environment is hosted in Australia.

7. Service providers, subprocessors and third parties

We may disclose information to service providers and subprocessors that help us operate the Service and our business. Those may include providers in the following categories: 1. payment processing; 2. hosting and infrastructure; 3. identity and authentication; 4. cloud storage and backup; 5. transactional email and notifications; 6. logging, monitoring and observability; 7. customer support and service management; 8. professional advisers, auditors and insurers.

7.1 Named provider identified in the supplied materials

The current supplied platform materials identify Stripe as Mondrian's payment processor.

7.2 Identity services

The supplied platform materials identify a Keycloak-based identity layer for authentication management. Depending on deployment, that identity layer may be operated by Mondrian within its own environment or through contracted infrastructure used for the relevant Customer deployment.

7.3 Government and reference datasets

The Service may reference or interact with public-sector schedules, classifications and other third-party materials, including MBS and AR-DRG-related materials. That does not mean Mondrian is endorsed by, affiliated with, or acting on behalf of the relevant agency.

7.4 Disclosures required or permitted by law

We may disclose information where reasonably necessary to: 1. comply with law, regulation, court order or lawful request; 2. detect, investigate or prevent unlawful activity, security issues or fraud; 3. exercise or defend legal rights; or 4. complete a merger, acquisition, financing, restructure or asset transfer, subject to appropriate confidentiality measures.

8. Data quality, access, correction and retention

8.1 Data quality

We take reasonable steps to keep personal information accurate, up to date and relevant for the purposes for which we use it. We also rely on Customers and Users to provide accurate information and to request corrections where needed.

8.2 Access and correction requests

Subject to applicable law, you may request access to personal information we hold about you and ask us to correct inaccurate, out-of-date, incomplete, irrelevant or misleading information. We may ask you to verify your identity before acting on a request.

8.3 Retention

We retain information for as long as reasonably necessary for the purposes described in this Notice, including to: 1. maintain active accounts and subscriptions; 2. provide service history and support; 3. comply with finance, tax, audit and legal obligations; 4. maintain backups, security records and incident response capability; and 5. enforce agreements and resolve disputes.

When information is no longer required, we will delete, de-identify or otherwise handle it in accordance with our retention processes and legal obligations.

9. Security

We use technical and organisational measures designed to protect personal information and platform data, including measures such as: 1. encryption in transit; 2. access controls and least-privilege access management; 3. authentication and session controls; 4. logging and monitoring; 5. backup and recovery measures; 6. vendor and infrastructure controls, where applicable; 7. incident response processes.

No method of transmission over the internet or electronic storage is completely secure. We do not promise that the Service will be immune from every security risk, but we do maintain measures designed to reduce and manage those risks.

10. Notifiable Data Breaches and incident handling

If Mondrian becomes aware of a data breach involving personal information and the Privacy Act 1988 (Cth) requires notification, Mondrian will comply with the Notifiable Data Breaches scheme, including by notifying the OAIC and affected individuals where the breach is likely to result in serious harm and notification is legally required.

Where a Customer incident affects information processed in the Service, Mondrian may: 1. investigate, contain and remediate the incident; 2. restrict access, rotate credentials or suspend functionality where reasonably necessary; 3. request information or cooperation from the Customer; and 4. coordinate notifications and communications where appropriate.

Nothing in this Notice prevents Mondrian from taking urgent action to secure the Service.

11. Cookies and similar technologies

The Service may use cookies, tokens and similar technologies for: 1. authentication and session management; 2. security and fraud prevention; 3. service preferences; 4. load balancing, reliability and performance monitoring.

We do not describe ordinary essential platform cookies as advertising trackers. If Mondrian later introduces optional analytics, marketing or advertising cookies, we will update this Notice and any required consent flows.

12. Children's privacy

The Service is intended for business use and not for children. We do not knowingly collect personal information from children through the ordinary operation of the Service.

13. Changes to this Notice

We may update this Notice from time to time. If we make a material change, we will take reasonable steps to notify affected Customers or Users through the Service, by email, or by another appropriate means. The "Last updated" date at the top of this Notice indicates when the current version took effect.

14. Contact, complaints and enquiries

For privacy requests, complaints or enquiries, please contact:

Privacy Officer
Mondrian Health Pty Ltd
ABN 28 670 479 044
ACN 670 479 044
Email: enquiry@mondrianhealth.com

If you are dissatisfied with our response to a privacy complaint, you may have the right to raise the matter with the Office of the Australian Information Commissioner.

Legal

Terms of Service Privacy Notice Disclaimers