Privacy policy
1. About this Privacy Policy
At Clean Slate, your privacy matters as much as your recovery. We treat your information with care, discretion and without surprises — collecting only what we need, sharing only what helps you, and being clear about how it works.
Clean Slate Clinic (Clean Slate, we, us or our) is committed to protecting your privacy. Clean Slate Clinic is the trading name used by Applied Recovery Co Pty Ltd in Australia and Clean Slate Clinic Ltd in the United Kingdom. The Clean Slate entity that provides services to you is the data controller (in the United Kingdom) or APP entity (in Australia) responsible for your personal information.
We comply with the data protection laws that apply to us, including:
- the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs), as amended (including the reforms made in 2024), and applicable Commonwealth and State or Territory health-records legislation in Australia; and
- the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR) in the United Kingdom.
As a healthcare provider, we are also bound by the additional confidentiality, record-keeping and information-handling obligations that apply to health service providers in each jurisdiction.
This Privacy Policy explains how we collect, hold, use, disclose and protect your personal information – including your sensitive or special category health information – when you visit our website, use our client app, receive our at-home alcohol withdrawal and recovery services, or otherwise interact with us.
In particular, it explains:
- the kinds of personal information we collect and hold, and how we collect and hold it;
- the lawful bases on which we rely, and the purposes for which we collect, hold, use and disclose your personal information;
- that we record and transcribe certain calls, and how you can ask us not to;
- who we share your information with, and when it may be processed overseas;
- your choices about marketing and how we use cookies and similar technologies;
- your rights, including how you can access or correct your information, and how to make a complaint.
If you would like this Privacy Policy in an alternative format, please contact us using the details on our website.
2. What we do
Our mission is to improve the health and wellbeing of people experiencing alcohol dependence, and to make withdrawal (detox) and recovery services accessible regardless of where you live or your circumstances.
Clean Slate Clinic delivers at-home alcohol withdrawal and recovery services, supported by a client app and telehealth technology, and by a team of clinicians, nurses and support staff. You can find out more about our services on our website.
3. The Information we collect
Identity and contact details
Your name, date of birth, gender, and contact details (such as address, phone number and email); details of your nominated support person or emergency contact; details of your usual general practitioner or other treating health providers; and identity verification information where we need to confirm who you are.
Health information
Because we provide alcohol withdrawal and recovery care, much of the information we collect is health information. This may include your medical and treatment history; information about your alcohol and other substance use; withdrawal symptoms; mental health and wellbeing; medications, allergies and adverse reactions; pathology and test results; your treatment and care plans, progress and outcomes; and the clinical notes and messages created in the course of your care.
Information from your calls with us
Voice recordings and written transcripts of certain telephone calls – including intake and triage calls, support and aftercare calls, and administrative calls – unless you ask us not to record (see Section 6).
Payment, billing and claims
Payment method and billing details, transaction history, and (where relevant to billing or claiming) any national health or insurance identifier you provide, or private health fund details.
Medication, prescription and delivery information
Where medication forms part of your program, information needed to prescribe, dispense and deliver it safely, including prescription and dispensing records and delivery details.
App, website and device information
Account and app-usage information, device identifiers, IP address, browser and operating-system details, log and analytics data, and approximate location derived from your device or IP address (see Section 10).
Information from connected devices
Where you choose to connect a wearable or health-monitoring device, the data from that device that is relevant to your care.
Recruitment and business contacts
If you apply for a role with us, your application and employment-related information; and, if you are a supplier or business partner, your business contact details.
Sensitive and special category information
Some of the information we collect is treated as sensitive information under the Privacy Act, or as special category data under the UK GDPR. This includes information about your health, genetic information, racial or ethnic origin, sexual orientation, religious or philosophical beliefs and criminal record. Because of the nature of our services, most of the information we hold about you – including the content of recorded calls – is sensitive or special category information.
We only collect sensitive or special category information with your consent, or where the collection is required or authorised by or under law, or otherwise permitted under applicable data protection law – including the provision of healthcare under Article 9(2)(h) of the UK GDPR.
4. How we collect your information
We collect personal information by lawful and fair means, and wherever reasonable we collect it directly from you. We collect it:
- directly from you – for example, through our website and app, online forms and questionnaires, telephone calls, and your consultations and messages with our team;
- automatically – through cookies and similar technologies, and from your use of our website and app (see Section 10);
- from people you authorise – such as your nominated support person or a family member, with your consent;
- from other health providers involved in your care – such as your general practitioner, hospital, or a pathology or diagnostic provider, where you consent or as otherwise permitted by law;
- from our service providers and partners – such as our telephony and transcription provider, and any pharmacy or dispensing partner; and
- from government and official sources where relevant to your care or billing – for example, medical records, public health insurance schemes, healthcare identifier services, or electronic prescription services – where you consent or as permitted by law.
If we collect personal information about you from a third party, we take reasonable steps to ensure you are made aware of the collection and how we will handle the information. If we receive unsolicited personal information, we deal with it in accordance with applicable law and will destroy or de-identify it if we could not have lawfully collected it.
We will only collect personal information about people who may be vulnerable where this is required or authorised by law or otherwise permitted under applicable data protection law, and we apply additional safeguards – including in relation to obtaining valid consent – when we do.
5. Why we collect, use and disclose your information, and our lawful bases
We collect, hold, use and disclose your personal information for purposes including:
- providing, coordinating and delivering our clinical and support services – including assessing your eligibility and suitability, planning and delivering treatment, conducting telehealth consultations, and providing follow-up and aftercare;
- recording and transcribing certain calls for staff training and coaching, to improve and train our automated and AI-assisted systems, to analyse common themes across calls, and to investigate incidents and complaints where required (see Section 6);
- arranging the prescribing, dispensing and delivery of medication, where this forms part of your program;
- processing payments and managing billing, and any insurance or public health scheme claims;
- communicating with you about your care – including appointment reminders, results, safety notifications, changes to our services, and support messages;
- protecting health and safety – where we reasonably believe it is necessary to lessen or prevent a serious threat to your life, health or safety, or that of another person (or, under the UK GDPR, to protect the vital interests of you or another person), we may use or disclose your information, including to contact emergency services or another appropriate person. Given the nature of withdrawal and recovery, this is an important part of providing safe care;
- improving and evaluating our services – including quality improvement, service evaluation and research, using de-identified or anonymised information wherever practicable;
- sending you marketing communications, where you have consented or it is otherwise permitted, with an easy way to opt out at any time (see Section 9);
- meeting our legal, regulatory and professional obligations – including health, record-keeping, identity-verification, mandatory-reporting obligations in each region in which we operate, tax and accounting requirements – and preventing, detecting and investigating fraud, misuse and security incidents; and
- in connection with a sale, merger, restructure or financing of our business, subject to appropriate confidentiality protections.
Lawful bases under the UK GDPR
Where the UK GDPR applies to our processing of your personal information, the lawful bases on which we rely include:
- performance of a contract with you (Article 6(1)(b)) – for example, to provide and administer your program;
- our legitimate interests (Article 6(1)(f)) – for example, to improve and secure our services, where these interests are not overridden by your rights;
- compliance with a legal obligation (Article 6(1)(c)) – for example, retaining health records as required by law;
- your consent (Article 6(1)(a)) – for example, for certain marketing or non-essential cookies; and
- protection of vital interests (Article 6(1)(d)) – in life-or-death situations.
For special category data such as your health information, we rely on:
- the provision of healthcare and the management of health services (Article 9(2)(h));
- your explicit consent (Article 9(2)(a)), where appropriate; and
- the establishment, exercise or defence of legal claims (Article 9(2)(f)), where relevant.
Under the Privacy Act, we will only use or disclose your personal information for a secondary purpose where you would reasonably expect us to and that purpose is related to the primary purpose (or, for sensitive information, directly related), where you have consented, or where the use or disclosure is otherwise permitted or required by law.
6. Call recording and transcription
Which calls we record, and how
We record and transcribe certain telephone calls with us, including intake and triage calls, support and aftercare calls, and administrative calls (such as scheduling and general enquiries). We do this on an opt-out basis: at the start of the call we will tell you that the call is being recorded and transcribed, and you can ask us not to record it.
Asking us not to record
You can ask us not to record a call at any time, before or during the call, and you do not need to give a reason. If you ask us not to record, we will turn off recording for that call, and you will still be able to access our services, although this may affect our ability to provide some or all of our services to you. We may still keep a record that the call took place, but not a recording or transcript of what was said once the recording has been turned off.
Recordings and transcripts are sensitive information
Because our calls often include health information, recordings and transcripts are treated as sensitive information under the Privacy Act and as special category data under the UK GDPR, and we handle them with additional safeguards. Telling you that a call is being recorded and giving you a genuine opportunity to decline is how we seek your agreement to record, in addition to our reliance on the healthcare-purposes basis under Article 9(2)(h) of the UK GDPR where applicable.
Why we record, and the limits on use
We use call recordings and transcripts only for the following purposes:
- staff training and coaching, to improve the quality and safety of our services;
- improving and training the automated and AI-assisted systems that support our services (see Section 11);
- theme analysis – identifying common themes, needs and trends across calls to improve our programs; and
- investigating incidents and complaints, where required.
We do not use call recordings or transcripts to make clinical decisions about you, and we do not sell them. Where it is practicable, we de-identify recordings and transcripts before using them for theme analysis and to train our systems, so the information used for those purposes does not identify you.
How calls are recorded and where they're processed
Our telephone calls are handled by Freshcaller, the cloud telephony product within the Freshworks platform we use to run our services. Freshcaller is provided by Freshworks Inc. and uses Twilio Inc. as a sub-processor for the underlying carrier-grade voice infrastructure. As a consequence of how that platform is built, call recordings are stored in the United States. This is Twilio's default storage region. It is not a Clean Slate configuration choice, but our choice of telephony supplier means it applies to us, and we have assessed and accepted that transfer with the safeguards described in Section 8.
How calls are transcribed, and where your information is processed
We use a third-party telephony and transcription provider to record and transcribe calls. We have taken steps to protect this information if it is handled outside your country – including contractual data-protection terms (such as a data protection addendum, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses where applicable), encryption in transit and at rest, access controls, vendor due diligence and a transfer risk assessment (see Section 8).
Retention
We keep recordings and transcripts only for as long as necessary for the purposes above and as required by applicable health-records law, after which we securely delete or de-identify them (see Section 13).
7. Who we share your information with
We share your personal information only where it is necessary and permitted under applicable data protection law. Depending on the services you use, we may share it with:
- our treating clinicians, nurses and support staff who provide your care – some treating practitioners may, in certain circumstances, be independent controllers of your clinical record and subject to their own professional and privacy obligations;
- our group entities, where this is necessary to operate our services consistently across the regions in which we work;
- pharmacy and dispensing partners, and delivery or courier providers, to prescribe, dispense and deliver medication where this forms part of your program;
- pathology and diagnostic providers, where testing is part of your care;
- our technology and operational service providers – for example, secure cloud hosting, our telephony and transcription provider, customer-support tools, and analytics, security and identity-verification providers;
- payment processors, funding providers and financial institutions, to process payments and claims;
- our professional advisers, such as lawyers, auditors and insurers;
- government agencies, regulators, courts and law enforcement, where required or authorised by law, including to meet mandatory reporting obligations that apply to us in each region; and
- a purchaser or successor in connection with a sale, merger, restructure or financing of our business, subject to appropriate confidentiality protections.
We require our service providers to protect your personal information to a standard consistent with applicable data protection law and to use it only for the purposes for which we provide it. We do not sell your personal information.
We will only use or disclose your personal information for another purpose where:
- you have provided consent
- it is required by law
- it is reasonably expected and related to the primary purpose
- it is necessary to prevent serious harm
- it is required for law enforcement purposes
8. Sending your information overseas
We store and process most personal information within the country in which you receive our services. However, some of our service providers process or store information outside that country, and we may transfer information between our Australian and UK group entities where necessary to operate our services.
Before disclosing personal information to a recipient outside the country in which you receive our services, and on an ongoing basis, we take reasonable steps to ensure the recipient handles it in a manner consistent with applicable data protection law.
- For transfers from Australia, this is consistent with APP 8 – including contractual data-protection terms with our providers and the other steps set out below.
- For transfers from the United Kingdom, we rely on a valid transfer mechanism under Chapter V of the UK GDPR – including UK adequacy regulations where the destination has been recognised as offering adequate protection, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other approved safeguards – supported by a transfer risk assessment where required.
The steps we take include entering into contractual data-protection terms with our providers; requiring encryption in transit and at rest; applying access controls and limiting the information shared to what is necessary; conducting transfer risk assessments; verifying recipients’ privacy practices through vendor due diligence; and monitoring our overseas providers.
For UK clients, the transfer of call recordings to the United States is made to a company that self-certifies under the UK Extension to the EU-US Data Privacy Framework, supported by a Transfer Risk Assessment. For Australian clients, the disclosure is consistent with APP 8 and is recorded in our supplier register.
9. Marketing communications and your choices
Where you have consented, or where it is otherwise permitted by law, we may send you communications about our services, programs, health information, and offers – by email, SMS, push notification or telephone.
In the United Kingdom, if you have been a client, we may occasionally write to you by email or SMS about similar Clean Slate programs or support that could help. You can opt out in any message and at the point we first collect your details. This is the ‘soft opt-in’ permitted under PECR. In Australia, we comply with the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth). For marketing calls and electronic messages that require consent, we will obtain it before sending.
We will not use or disclose your sensitive or special category information, including your health information, for marketing purposes without your consent.
You can opt out of marketing at any time – by using the unsubscribe or opt-out option in any marketing message, by changing your preferences in the app, or by contacting us using the details on our website. We will action your request promptly. Opting out of marketing will not affect the service and care communications we need to send you about your treatment.
10. Cookies, analytics and online advertising
We use cookies, pixels, software development kits (SDKs) and similar technologies (together, cookies) on our website and app to:
- operate and secure our website and app, and remember your preferences;
- understand how our website and app are used and how they perform (analytics); and
- measure the effectiveness of our communications and, where permitted, deliver and measure advertising.
Recruitment processes and onboarding
Where we use advertising and analytics partners (such as social media and search platforms), this may involve limited identifiers in hashed or pseudonymised form, the creation of audiences (including ‘lookalike’ audiences) and retargeting based on your interactions with our website and app, subject to your choices. We do not use your health information for advertising.
We will seek your consent through our cookie banner before setting non-essential cookies where the law requires it (including under PECR in the United Kingdom). You can manage cookies through our cookie banner or settings and through your browser or device controls. Some parts of our website or app may not work properly if you disable certain cookies.
11. Artificial intelligence and machine learning
We use artificial intelligence (AI) and automated tools to support and improve our services. This section explains how we protect your privacy when we do.
AI-assisted call transcription and analysis
We use AI-assisted tools, provided by a third-party processor, to transcribe recorded calls, to analyse common themes across calls, and to train and improve these and other automated systems. This processing necessarily involves identifiable information, which may include health information, because audio cannot be de-identified before it is transcribed. We will tell you when a call is being recorded and transcribed, and you can ask us not to record (see Section 6). Where it is practicable, we de-identify recordings and transcripts before using them for theme analysis and to train our systems.
How we govern our use of AI
Our use of AI is subject to oversight by our clinical governance function, quality controls, regular accuracy and bias testing, privacy impact assessments, and clinical safety reviews. We aim to use the minimum personal information needed, apply pseudonymisation or de-identification where feasible, apply access and security controls, and keep training and evaluation datasets only for as long as needed before deleting or de-identifying them.
AI does not replace clinical judgment
AI tools support our staff and clinicians but do not replace human clinical judgment. We do not use AI to make decisions about you that produce legal effects or similarly significant effects without human involvement (Article 22, UK GDPR); significant decisions are made by qualified healthcare practitioners or operational staff. Where an AI feature could materially affect you, we maintain appropriate human oversight and a way for you to contact us. You have the right to know when AI is being used, to ask us not to record your calls, to ask how AI affects decisions about you, and to ask us to correct errors.
12. Keeping your information secure
We take reasonable steps – and, where the UK GDPR applies, appropriate technical and organisational measures – to protect your personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Our measures include:
- multi-factor authentication and role-based access controls;
- encryption of information in transit and at rest, including encryption of call recordings;
- security monitoring, regular security assessments and penetration testing;
- supplier and third-party security assessments;
- mandatory staff privacy and security training;
- incident response procedures, including notification of personal data breaches to regulators and affected individuals where required (see Section 16).
13. How long we keep your information
We keep personal information – including health information and call recordings and transcripts – only for as long as it is needed for the purposes for which it was collected, and as required by applicable health-records and other legislation in your country.
As a general rule, we retain adult health records for at least 10 years from the date of last service. This aligns with medical defence and indemnity guidance for healthcare providers in both Australia and the United Kingdom, and meets or exceeds the statutory minimums in each region. Where a longer period is required by law, professional standards, or in response to an ongoing matter (for example, a complaint or claim), we will retain records for that longer period.
When we no longer need your personal information and we are not required by law or professional standards to retain it, we take reasonable steps to securely destroy, delete or de-identify it.
14. Your rights, including accessing and correcting your information
If you believe that we have breached the Privacy Act, the Code or otherwise mishandled your personal information, you can contact us.
- access the personal information we hold about you;
- have inaccurate, out-of-date, incomplete, irrelevant or misleading information corrected;
- request erasure of your personal information (the ‘right to be forgotten’), where the UK GDPR applies and the conditions are met;
- restrict or object to our processing of your personal information, where the UK GDPR applies;
- receive a copy of certain personal information you have provided to us, and have it transmitted to another controller, in a structured, commonly used and machine-readable format (data portability), where the UK GDPR applies;
- withdraw consent at any time, where we rely on your consent (this will not affect the lawfulness of processing before withdrawal); and
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you.
To make a request, contact us using the details on our website. We will respond within a reasonable time – usually within 30 days for Australian requests, and within one month for UK GDPR requests, with the ability to extend by a further two months where the request is complex. We may need to verify your identity first.
Requests are generally free of charge. We may charge a reasonable fee, or refuse to act, only where a request is manifestly unfounded or excessive (United Kingdom), or where the Privacy Act otherwise permits a reasonable cost-recovery charge for access (Australia). In some cases we may decline access, correction or other rights where applicable law permits – for example, where giving access would unreasonably affect another person’s privacy. If we decline, we will explain why and tell you how to complain, and if we decline to correct information, you can ask us to attach a statement noting that you consider it inaccurate, out of date, incomplete, irrelevant or misleading.
Please keep us informed if your details change, so the information we hold remains accurate and up to date.
15. Anonymity and your other choices
Where it is lawful and practicable, you can deal with us anonymously or using a pseudonym – for example, when making a general enquiry. In many cases, however, we will need to identify you to provide safe clinical care, and it may not be practicable to deal with you anonymously. Where a call is recorded, it cannot be anonymous, because the recording captures your voice and what you say – you can ask us not to record (see Section 6).
Where we rely on your consent to collect or use your information, you can withdraw that consent at any time by contacting us, although this may affect our ability to provide some or all of our services to you. You can also opt out of marketing at any time (see Section 9).
16. Data breaches
We take seriously, and act promptly on, any unauthorised access to, disclosure of, or loss of personal information (a data breach), including any breach involving call recordings or transcripts.
In Australia, we comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, and notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any ‘eligible data breach’. In the United Kingdom, we comply with our breach-notification obligations under the UK GDPR and the Data Protection Act 2018 – notifying the Information Commissioner’s Office (ICO) without undue delay, and where feasible within 72 hours of becoming aware of a notifiable personal data breach, and notifying affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
Our response includes containment, risk assessment, notification where required, post-incident review, and steps to prevent recurrence.
17. Complaints
If you believe we have breached applicable data protection law or mishandled your personal information, please contact us first using the details on our website, so we can investigate and try to resolve your concern. We prefer complaints in writing, with enough detail for us to investigate, and your contact details so we can respond. We will acknowledge your complaint, keep you updated, and respond as soon as practicable. You will not be disadvantaged for making a complaint.
If you are not satisfied with our response, you can complain to the data protection regulator in your country.
In Australia – Office of the Australian Information Commissioner (OAIC)
- Telephone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Website: www.oaic.gov.au
- Post: GPO Box 5218, Sydney NSW 2001
In the United Kingdom – Information Commissioner’s Office (ICO)
- Telephone: 0303 123 1113
- Website: www.ico.org.uk
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Both regulators generally ask that you raise your complaint with us before they will investigate.
18. Changes to this Policy
This Privacy Policy was last updated in May 2026. We review it regularly and may update it to reflect changes in privacy law or our practices. Where changes are material, we will take reasonable steps to notify you – for example, through our website, the app, or by direct communication.
19. Contact us
For questions about this Privacy Policy, to exercise any of your rights, opt out of marketing, or make a complaint, please use the regional contact details published on our website.



