Privacy Policy
Effective date: 24 May 2026 · Operated by Work Healthy Australia Pty Ltd
1. Overview
MSK Atlas is a workforce musculoskeletal (MSK) risk intelligence platform operated by Work Healthy Australia Pty Ltd (ABN 30 094 368 162) ("WHA", "we", "us", "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the MSK Atlas platform at atlasmsk.com.
MSK Atlas processes aggregate, de-identified occupational health cohort data. No individually identifiable patient or worker records are stored or transmitted through the platform. All uploaded data is de-identified at the point of ingestion before any storage or AI processing takes place. See Section 3a for details of our de-identification pipeline.
2. Information we collect
Account information
When you create an account, we collect your name, work email address, job role, and organisation name. This information is used to authenticate your access and configure your organisation's workspace.
Organisation data
We collect organisation-level metadata including industry sector, approximate workforce size, and data region preference. This is used to generate relevant benchmarks and configure your analytics workspace.
Usage data
We automatically collect standard web log data including IP address, browser type, pages visited, and timestamps. This data is used for platform security, performance monitoring, and product improvement.
Uploaded workforce data
If you use the data upload feature (CSV claims exports or treatment notes documents), our platform automatically scans for and removes personal identifiers before any data is stored or processed. Names, dates of birth, email addresses, phone numbers, company names, and addresses are detected and replaced with anonymous references. You will be notified of any redactions made. Only de-identified cohort records are retained.
3. How we use your information
- Providing, maintaining, and improving the MSK Atlas platform
- Authenticating users and enforcing access controls
- Generating risk scores, benchmarks, and AI-powered insights
- Sending transactional emails (account confirmation, password reset)
- Responding to support requests
- Complying with legal obligations
We do not sell personal information to third parties. We do not use personal information for direct marketing without explicit consent.
3a. How we de-identify your data
When data is uploaded to MSK Atlas, it passes through a multi-layer de-identification pipeline before anything is stored or sent to any AI service:
- PII detection and removal — names, dates of birth, email addresses, phone numbers, street addresses, and company names are automatically detected and replaced with anonymous tokens before storage.
- Precision reduction — dates are truncated to year and month only; ages are stored as 5-year bands (e.g. 45–54) rather than exact ages; compensation amounts are rounded to the nearest $100; tenure is rounded to the nearest year.
- Free-text removal — verbatim clinical narratives, mechanism descriptions, and prognosis comments are not stored. All analytics are derived from coded and structured fields only.
- AI processing boundary — only the de-identified, scrubbed text is sent to any third-party AI service. Raw data never leaves the platform.
The secondary use of occupational health treatment data for workforce risk benchmarking is directly related to the primary clinical purpose for which data was originally collected (Australian Privacy Act 1988, APP 6.2(a)). Our de-identification approach follows the OAIC De-identification Decision-Making Framework. Data processed through this pipeline does not meet the definition of personal information under section 6(1) of the Privacy Act 1988 (Cth).
4. Data security
MSK Atlas implements industry-standard security controls including:
- TLS 1.3 encryption in transit
- AES-256 encryption at rest (Supabase managed infrastructure)
- Row-level security enforcing strict multi-tenant data isolation
- Role-based access controls within organisations
- SOC 2 Type II aligned operational controls (in progress)
No system is perfectly secure. If you discover a security vulnerability, please report it to privacy@workhealthyaus.com.au.
5. Data residency
MSK Atlas data is stored on Supabase infrastructure in the ap-northeast-1 (Tokyo, Japan) region. Account and authentication data is stored within the same region. Enterprise customers may request alternative data regions subject to availability.
6. Third-party services and overseas disclosure
We use the following third-party sub-processors. Where data is transferred overseas, we have taken reasonable steps to ensure those recipients handle it in accordance with the Australian Privacy Principles (APP 8).
- Supabase Inc. (United States / Japan) — database, authentication, and file storage. Your data is stored in the ap-northeast-1 (Tokyo) region. Supabase is SOC 2 Type II certified.
- Vercel Inc. (United States) — platform hosting, serverless functions, and edge delivery. Application code and server-side logic run on Vercel infrastructure. No persistent user data is stored by Vercel.
- Anthropic PBC (United States) — AI inference for MSK Analytics Insights. Only de-identified, scrubbed text is transmitted to Anthropic. Raw or personally identifiable data is never sent. Anthropic's API terms prohibit use of inputs for model training without consent.
- Resend Inc. (United States) — transactional email delivery (account invitations, password resets, notifications). Your name and work email address are transmitted to Resend solely for the purpose of delivering emails you have requested or that are necessary for your account.
7. Your rights
Under the Australian Privacy Act 1988 and applicable state legislation, you have the right to access, correct, and in certain circumstances request deletion of personal information we hold about you. To exercise these rights, contact us at privacy@workhealthyaus.com.au.
For EU/UK users, you may also have rights under the General Data Protection Regulation (GDPR) including data portability and the right to lodge a complaint with a supervisory authority.
8. Cookies
MSK Atlas uses strictly necessary cookies for authentication session management. We do not use tracking or advertising cookies. A single secure, HTTP-only session cookie is set upon login and cleared on logout.
9. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email to account administrators at least 14 days before taking effect. Continued use of the platform after that date constitutes acceptance.
10. Contact
Privacy enquiries: privacy@workhealthyaus.com.au
Work Healthy Australia Pty Ltd
Australia