Healthcare Compliance
Routiq is built for Australian allied-health practices. Our primary compliance frameworks are the Australian Privacy Act 1988 (and the Australian Privacy Principles) and AHPRA’s advertising guidelines, backed by industry-standard security controls to protect patient data.
AHPRA advertising compliance
AHPRA’s Guidelines for advertising a regulated health service and section 133 of the National Law govern how regulated health services are advertised — and they apply to anyone who advertises a regulated health service, including a platform sending patient communications on a practice’s behalf. Routiq is built so the messages it sends for you stay inside those rules. Your patient communications:
- contain no false, misleading or deceptive claims;
- use no testimonials about the clinical aspects of care (genuine non-clinical reviews — about service or experience — are fine);
- create no unreasonable expectation of beneficial treatment;
- don’t encourage the unnecessary or indiscriminate use of services; and
- state the terms of any offer or discount.
Review (draft) mode means your team approves every message before it sends, so nothing goes out that doesn’t fit your obligations. AHPRA registers practitioners, not software — so Routiq isn’t “AHPRA registered”, but it is built to keep your patient communications inside AHPRA’s advertising rules.
HIPAA Alignment
While Routiq is not currently HIPAA certified, we implement HIPAA-aligned security controls:
- Data Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
- Access Controls: Role-based permissions and row-level security
- Audit Logs: Complete tracking of all data access (retained for 7 years)
- Secure Infrastructure: SOC 2 Type II certified cloud providers
If you’re subject to HIPAA requirements, consult your compliance officer before using messaging features for Protected Health Information (PHI).
GDPR (estimated Q4 2026)
For practices in the EU or treating EU patients, Routiq is actively working toward GDPR alignment, estimated Q4 2026. For EU practices today we can put a Data Processing Agreement (DPA) in place; the data-subject rights below are already supported:
Patient Rights
- Right to access (data export available)
- Right to erasure (account deletion)
- Right to data portability
- Right to rectification
Data Protection
- Privacy by design
- Data minimization (we only collect what’s needed)
- Encryption and secure storage
- Breach notification within 72 hours
Regional Standards
Australia
- Privacy Act 1988
- Australian Privacy Principles (APPs)
- Spam Act 2003 compliance
United States — Routiq is not HIPAA-certified and HIPAA is not on our roadmap; US clinics handling PHI should review our controls with their compliance officer.
Data Privacy
What We Collect
Required for patient reactivation:
- Patient name and contact information
- Appointment history
- Treatment types
We do NOT collect:
- Medical diagnoses
- Test results
- Clinical notes
- Payment information
How We Use Your Data
- Patient reactivation campaigns: the core purpose
- Service improvements: analytics to improve Routiq
- Compliance: required record keeping
How We Protect Your Data
Encryption
- All data encrypted at rest (AES-256)
- All data encrypted in transit (TLS 1.2+)
- API keys encrypted before storage
Access Control
- Multi-factor authentication (2FA) available
- Role-based access control (Owner, Admin, Member)
- Row-level security (you only see your practice data)
Infrastructure
- Hosted on AWS (SOC 2 Type II certified)
- Daily automated backups
- 24/7 security monitoring
Data Retention
| Data Type | Retention Period |
|---|---|
| Patient data | While account is active |
| Message history | 24 months |
| Audit logs | 7 years (compliance) |
| Deleted accounts | 30 days (recovery period) |
Data Sharing
We NEVER:
- Sell your patient data
- Share data with advertisers
- Use data for non-service purposes
We ONLY share with:
- Services you connect (Cliniko, Chatwoot)
- Service providers bound by data processing agreements
- Law enforcement (when legally required)
Security Best Practices
For Practice Owners
Enable Two-Factor Authentication
Turn on 2FA for all admin accounts in Settings → Security
Use Strong Passwords
Use unique passwords (12+ characters) or a password manager
Review Team Access
Regularly audit team member roles and remove inactive users
Secure API Keys
Store Cliniko/Chatwoot credentials securely, never share them
For Team Members
- Lock your device when stepping away
- Don’t share login credentials
- Report suspicious activity to your practice owner
- Only access Routiq from approved devices
Audit Logs
All security-relevant events are logged and available for review:
- User logins and failed attempts
- Patient record access
- Campaign actions
- Settings changes
- Integration updates
Access logs: Settings → Security → Audit Logs (Owner access only)
Third-Party Services
Routiq uses trusted service providers:
| Service | Purpose | Security posture |
|---|---|---|
| Vercel | Application hosting | SOC 2, ISO 27001 |
| Supabase | Database and authentication | SOC 2 Type II |
| Cliniko | Patient data source | ISO 27001 |
| Chatwoot | Messaging platform | Open source, self-hostable; US-based subprocessor; covered by SCCs |
These certifications belong to our subprocessors, not to Routiq. Routiq itself is not yet SOC 2, ISO 27001 or HIPAA certified.
Certifications & Compliance Status
Current
- GDPR alignment — estimated Q4 2026
- APP-compliant today (Australian Privacy Principles); HIPAA is not a target
- SOC 2 Type II — audit in progress with Vanta (estimated Q3 2026)
- ISO 27001 — working toward certification (estimated Q3 2026)
Questions?
For all support, compliance, and security questions:
Vulnerability Disclosure
Found a security issue? We appreciate responsible disclosure:
- Email: support@routiq.ai
- Include: Detailed description, steps to reproduce, impact
- Don’t: Publicly disclose before we’ve fixed the issue
- We will: Acknowledge within 48 hours and work to remediate