Omi Scribe Cloud — Australia and New Zealand Privacy Addendum
Version: 1.0
Effective: 11 May 2026
Provider: Omi Health B.V., Eindhoven, Netherlands
Australian entity (sales/contracting): Omi Health Pty Ltd, Perth, Australia
Contact: [email protected] · [email protected]
This addendum supplements the Omi Scribe Cloud — Privacy Notice at /legal/cloud-privacy and the Omi Scribe Cloud — Data Processing Addendum (DPA) for Customers established in, or processing personal information subject to the laws of, Australia or New Zealand.
Where this addendum conflicts with the Privacy Notice or DPA, this addendum controls for ANZ personal information.
1. Applicable law
Australia
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in Schedule 1
- Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act
- My Health Records Act 2012, where Customer Content includes My Health Record data
- State and territory health records legislation, where applicable (for example: Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Health Records (Privacy and Access) Act 1997 (ACT))
New Zealand
- Privacy Act 2020 and the Information Privacy Principles (IPPs)
- Health Information Privacy Code 2020
- Notifiable privacy breaches under Part 6, Privacy Act 2020
2. Hosting region
ANZ Customers are served from the ANZ region (Azure Australia East). Customer Content is stored and processed in Australia. Where a New Zealand Customer prefers in‑country hosting, the Australia East region is offered as the closest available region; in‑country NZ hosting is on the roadmap.
For Customers selecting the ANZ region:
- Database storage, audio recordings, and audit logs are hosted in Australia East
- AI processing uses dedicated GPU VMs and Azure AI Foundry within Australia East
- Email delivery uses Azure Communication Services in Australia
3. International transfers
3.1 Customer Content
Customer Content for ANZ Customers does not leave Australia East in the ordinary course of operation. Where authorised remote support access from outside Australia is required:
- Access is logged and time‑limited
- Encryption in transit and at rest is preserved
- The remote operator does not download Customer Content unless required for incident response and approved by the Customer
3.2 APP 8 (Cross-border disclosure)
For Australian Customers, Omi Health takes reasonable steps to ensure that overseas recipients (where any apply, principally Microsoft Corporation in its capacity as cloud provider) do not breach the APPs in relation to the information. Microsoft’s commitments under the Microsoft Online Services Data Protection Addendum (https://aka.ms/DPA) form part of those steps.
3.3 NZ IPP 12 (Disclosure of personal information outside New Zealand)
For New Zealand Customers, disclosure to the Australia East region is treated as a disclosure outside New Zealand. Omi Health relies on the safeguards that Microsoft Corporation provides under Microsoft’s DPA, which the Office of the New Zealand Privacy Commissioner has previously assessed as providing comparable privacy safeguards.
4. Notifiable data breaches
4.1 Australia (NDB scheme)
Where a data breach occurs that is likely to result in serious harm to one or more individuals, Omi Health will, without undue delay:
1. Notify the affected Customer in accordance with the DPA
2. Provide the Customer with the information required to make an eligible data breach notification under Part IIIC of the Privacy Act
3. Assist the Customer in any notification to the Office of the Australian Information Commissioner (OAIC) at https://oaic.gov.au
Where Omi Health is the entity required to notify under Part IIIC (for example, where Omi Health is the APP entity in respect of its own Service Data), Omi Health will notify the OAIC and affected individuals as required.
4.2 New Zealand (Privacy Act 2020 Part 6)
Where a notifiable privacy breach occurs in respect of Customer Content of an NZ Customer, Omi Health will:
1. Notify the Customer in accordance with the DPA
2. Assist the Customer in any notification to the Office of the Privacy Commissioner at https://privacy.org.nz and to affected individuals
5. Supervisory authorities and complaints
- Australia — OAIC: https://oaic.gov.au · 1300 363 992
- New Zealand — Office of the Privacy Commissioner: https://privacy.org.nz · 0800 803 909
ANZ data subjects may exercise rights of access and correction by contacting [email protected]. Where Omi Health is a Processor for Customer Content, data subject requests should be directed to the Customer (the Controller) in the first instance; Omi Health will assist the Controller in fulfilling such requests as required by the DPA.
6. My Health Record and ADHA conformance
Where Customer Content includes information from the My Health Record system:
- The Customer (the healthcare provider organisation registered with the Australian Digital Health Agency, ADHA) remains the participating provider
- Omi Health does not connect directly to the My Health Record system
- Customers are responsible for compliance with the My Health Records Act 2012 and ADHA Conformance and Compliance requirements
Omi Health will support customer audits, DSPT-equivalent self‑assessments, and DPIA inputs on request under NDA.
7. Aboriginal and Torres Strait Islander health data
Customers handling health information relating to Aboriginal and Torres Strait Islander peoples are subject to additional principles, including the AIATSIS Code of Ethics, Maiam nayri Wingara Indigenous Data Sovereignty Principles, and (where applicable) state-level guidance. Omi Health does not make secondary use of any Customer Content. The Customer retains full control over consent, governance, and use of Indigenous health data within the Service.
8. Sub‑processors
The list of sub‑processors at /legal/sub-processors applies, with the ANZ region detail in Section 1.2 of that document.
9. Liability and order of precedence
In the event of conflict between this addendum and the Privacy Notice or DPA, this addendum controls for ANZ personal information. All other terms of the Privacy Notice and DPA remain in full force and effect.
10. Contact
- General privacy enquiries: [email protected]
- Australian contracting / DPA execution: [email protected] (Omi Health Pty Ltd, Perth)
- Security incidents: [email protected]
Omi Health Pty Ltd — Perth, Australia
Omi Health B.V. — Eindhoven, Netherlands