Privacy Policy

1. Collection Notice

Who is collecting your information

Ci (OrthoSport Victoria Institute PTY, LTD trading as Centaur Institute, ABN listed on centaur.com.au) collects your personal and health information through the CORDi platform.

What we collect

Identity and contact details (name, email, date of birth)
Health information including PROM survey responses and clinician-entered data
Account activity and consent records

Why we collect it

program

To manage your enrolment and participation in an HREC-approved research
To enable your treating clinicians to monitor your rehabilitation progress
To meet legal and regulatory record-keeping obligations

Who we share it with

program

agreements

Your treating clinical team (surgeons, physiotherapists, coaches) within your
Authorised Ci platform staff for support and compliance purposes
AWS cloud infrastructure in Sydney, NSW under binding data processing

Your rights

You have the right to access and request correction of your personal information. To exercise these rights or lodge a complaint, contact Ci at [cordi@centaur.com.au] or see Section 5 of this Privacy Policy.

2. Overview

Ci operates the CORDi platform. This Privacy Policy describes how Ci collects, uses, stores, and protects personal and health information in accordance with the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic).

By using the CORDi platform or participating in an HREC-approved programme managed through it, you agree to the collection and use of your information as described in this policy.

3. What We Collect

Identity and contact details required to create and manage your account
Health information and PROM responses submitted through the platform
Clinician-entered data linked to your treatment journey
Consent records and audit logs of system access and edits

4. Why We Collect It

Act 2001 (Vic)

To manage your participation in an HREC-approved research programme
To support treating clinicians in reviewing your progress and outcomes
To maintain consent, audit, and account records required by applicable law
To meet Ci's obligations under the Privacy Act 1988 (Cth) and Health Records

5. Who Can Access It

arrangements

time (see Section 6)

Your treating clinicians and authorised Ci platform staff
AWS infrastructure hosted in Sydney, NSW under Ci's data processing
You may request access to or correction of your personal information at any

6. Your Rights

You have the right to:

incomplete, or misleading

Access the personal and health information Ci holds about you
Request correction of information that is inaccurate, out of date,
Lodge a complaint if you believe Ci has mishandled your information

To exercise these rights, contact the Privacy Officer:

3121

Email: [cordi@centaur.com.au]
Mail: Privacy Officer, Centaur Institute, 132A Bridge Road Richmond, VIC

Ci will respond to all written requests within 30 days. If you are not satisfied with Ci's response, you may escalate to:

1300 363 992

Office of the Australian Information Commissioner (OAIC): oaic.gov.au /
Health Complaints Commissioner (Vic): hcc.vic.gov.au / 1300 582 113

Full details of how Ci handles access and correction requests are set out in the internal Participant Data Rights Process.

7. Data Retention

Ci retains personal and health information for a minimum of 7 years as required by the Health Records Act 2001 (Vic). After the retention period, data is securely destroyed in accordance with the Data Retention & Deletion Policy.

8. Security

Ci uses industry-standard security measures to protect your information, including encrypted storage on AWS infrastructure (Sydney, NSW), role-based access controls, and audit logging of all access and edits. Further detail is set out in the Vulnerability Management Policy and Secure Software Development Policy.

9. Contact

For all privacy enquiries, contact Ci at:

Email: [cordi@centaur.com.au]
Website: centaur.com.au