Privacy Policy

Last updated: 18 March 2026


1. Introduction

Glaxier AUNZ Pty Ltd (ABN 93 652 028 745) trading as EsterRx ("we", "us", "our") operates the EsterRx platform ("Platform"), an application that facilitates medication scripting and audit workflows for beauty and cosmetic clinics in Australia.

This Privacy Policy explains how we collect, use, store, disclose, and protect personal information (including sensitive and health information) in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It also addresses our obligations under the Therapeutic Goods Administration (TGA) regulatory framework where applicable.

By creating an account, submitting a patient questionnaire, or otherwise using the Platform, you consent to the collection and handling of your personal information as described in this policy.


2. Our Role

The Platform is a workflow facilitation tool. It enables clinics, nurses, and doctors to manage medication scripting and audit processes more efficiently. The Platform does not provide medical advice, clinical diagnoses, or treatment recommendations.

We are not responsible for:

  • The clinical decisions made by practitioners using the Platform;
  • The maintenance, validity, or currency of any practitioner's professional registration, qualifications, or credentials;
  • Ensuring that practitioners comply with applicable laws, professional standards, or scope of practice requirements; or
  • The appropriateness, accuracy, or outcomes of any medication, dosage, or script created, reviewed, or approved through the Platform.

All clinical and regulatory responsibilities rest with the individual practitioners and the clinics that employ them.


3. Definitions

In this Privacy Policy:

  • Platform means the EsterRx application and all associated services accessible at esterrx.com.
  • User means any person who creates an account on the Platform, including clinic managers, practitioners, and administrative staff.
  • Patient means a person who submits a medical questionnaire via a link provided by a clinic. Patients do not create accounts on the Platform.
  • Personal information has the meaning given in the Privacy Act 1988 (Cth).
  • Sensitive information has the meaning given in the Privacy Act 1988 (Cth) and includes health information.
  • Health information means information about an individual's health, including medical questionnaire responses, medication details, and clinical audit records.

4. What Personal Information We Collect

We collect different categories of personal information depending on how you interact with the Platform.

4.1 Patient information

When a patient completes a medical questionnaire through a link provided by a clinic, we collect:

  • Identity information — such as name and date of birth;
  • Contact information — such as email address, phone number, and address;
  • Emergency contact details;
  • Health and medical information — including responses to medical screening questions; and
  • Digital signature — captured within the questionnaire.

Patient health and medical information constitutes sensitive information under the Privacy Act 1988 (Cth) and is subject to stronger protections as described in this policy.

4.2 Platform user information

When you create an account, we collect:

  • Identity and contact information — such as name, email address, and phone number;
  • Account credentials — your password is stored in a securely hashed form only;
  • Professional details — such as registration and prescriber numbers (for practitioners); and
  • Profile content — such as electronic signatures, avatars, or clinic logos you choose to upload.

4.3 Billing information

Subscription and payment processing is handled by a third-party payment processor. We do not store your payment card details. We receive limited billing information from the payment processor, such as subscription status and transaction identifiers.

4.4 Automatically collected information

When you visit or use the Platform, we may automatically collect:

  • IP address, browser type, device type, and operating system;
  • Pages visited and actions taken on the Platform;
  • Referring URL; and
  • Date and time of access.

We use analytics services to understand how the Platform is used (see section 10).

4.5 Information generated through platform use

Through the normal operation of the Platform, clinical workflow records are generated and stored, including medication scripts, audit records, and system activity logs.


5. How We Collect Personal Information

We collect personal information:

  • Directly from patients — when a patient completes and submits a medical questionnaire;
  • Directly from users — when a user registers, updates their profile, or uses Platform features;
  • Automatically — through cookies, analytics tools, and server logs; and
  • From third-party service providers — such as billing event data from our payment processor.

6. Why We Collect and Use Personal Information

We collect and use personal information for the following purposes:

6.1 Providing the Platform

  • To facilitate medication scripting and audit workflows;
  • To generate clinical workflow documents;
  • To create and manage user accounts and clinic configurations;
  • To verify practitioner credentials; and
  • To process subscriptions and billing.

6.2 Communication

  • To send transactional and service-related communications (such as questionnaire confirmations and account notifications); and
  • To deliver push notifications where you have opted in.

6.3 Platform improvement and security

  • To analyse usage patterns and improve the Platform;
  • To monitor security, detect abuse, and prevent fraud; and
  • To comply with legal and regulatory obligations.

6.4 Sensitive information

We only collect sensitive information (including health information) where:

  • The individual has consented to the collection (in the case of patients, by submitting a questionnaire); or
  • The collection is required or authorised by Australian law (including for TGA compliance).

We do not use sensitive information for direct marketing or any purpose unrelated to the clinical workflow services provided through the Platform.


7. Patient Consent

Patients interact with the Platform without creating an account. By completing and submitting a medical questionnaire, a patient consents to the collection, use, storage, and disclosure of their personal and health information as described in this Privacy Policy.

A link to this Privacy Policy is displayed on the patient questionnaire page before submission.

Patients may withdraw consent or request access to, correction of, or deletion of their personal information by contacting us at support@esterrx.com. Withdrawal of consent does not affect the lawfulness of any processing that occurred before withdrawal. Certain information may be retained where required by law (see section 11).


8. Disclosure of Personal Information

8.1 Within the Platform

Personal information is shared between authorised users within a clinic as necessary to facilitate clinical workflows. Data is isolated between clinics through access controls. Users cannot access data belonging to clinics they are not members of, except for Platform administrators who may access data for administration, support, and compliance purposes.

8.2 Third-party service providers

We engage third-party service providers to help us operate the Platform. These providers process personal information on our behalf and are required to handle it in accordance with applicable privacy laws. The categories of providers we use include:

  • Cloud infrastructure and hosting providers — for database hosting, authentication, file storage, and application deployment;
  • Payment processor — for subscription billing and payment processing (we do not store your payment card details);
  • Email delivery provider — for transactional emails such as questionnaire confirmations and account notifications;
  • Security and anti-abuse provider — for bot protection on public-facing forms; and
  • Analytics provider — for understanding Platform usage (see section 10).

8.3 Other disclosures

We may also disclose personal information:

  • Where required or authorised by Australian law, including in response to a court order, subpoena, or regulatory request;
  • To the Office of the Australian Information Commissioner (OAIC) in connection with a notifiable data breach (see section 13); and
  • To professional advisers (such as lawyers or auditors) where necessary for legal compliance or dispute resolution.

We do not sell personal information to third parties. We do not disclose personal information for direct marketing by third parties.


9. Cross-Border Disclosure of Personal Information (APP 8)

Our primary infrastructure is hosted in Australia.

Some third-party service providers we use (such as analytics and email delivery services) may process data on servers located outside Australia as part of their global operations. Where personal information is transferred overseas, we take reasonable steps to ensure that the recipient handles the information in a manner consistent with the APPs, including through contractual arrangements and provider security assessments.

Under APP 8, we remain accountable for any acts or practices of overseas recipients that would breach the APPs.


10. Cookies and Analytics

10.1 Cookies

The Platform uses cookies and similar technologies for:

  • Authentication — to maintain your session after login;
  • Security — to support anti-abuse protections on public-facing forms; and
  • Analytics — to collect usage data (see below).

10.2 Analytics

We use third-party analytics tools to understand how the Platform is used, including page views, user flows, and device information. These tools use cookies to collect aggregated and anonymised usage data. Analytics data may be processed on servers located outside Australia.

You can limit analytics tracking by adjusting your browser settings or by using available opt-out tools provided by the analytics provider.


11. Data Retention

11.1 General retention

We retain personal information for as long as reasonably necessary to fulfil the purposes for which it was collected, or as required by law. When personal information is no longer needed, we will take reasonable steps to destroy or de-identify it.

11.2 Regulatory retention

Certain records created through the Platform's audit functionality are retained for a minimum of seven (7) years in accordance with TGA requirements. These records are non-deletable and immutable — they cannot be altered or removed after submission. This retention obligation applies regardless of account termination or subscription cancellation.

11.3 Patient data retention

Patient questionnaire submissions and associated clinical workflow records are retained for the duration of the clinic's use of the Platform and for such further period as is required to comply with applicable record-keeping laws. Patients may request deletion of their personal information (see section 12), subject to our legal retention obligations.

11.4 Account closure

Upon account termination, we retain data for a period necessary to comply with our legal obligations. Clinic data associated with a terminated account may be retained for as long as other clinic members remain active.


12. Your Rights (APPs 12 and 13)

12.1 Access to your information (APP 12)

You have the right to request access to the personal information we hold about you. To make an access request, contact us at support@esterrx.com. We will respond within 30 days. We may charge a reasonable fee for complex or resource-intensive requests.

We may refuse access where permitted by law, including where providing access would pose a serious threat to health or safety, unreasonably interfere with the privacy of another individual, or prejudice legal proceedings.

12.2 Correction of your information (APP 13)

If you believe personal information we hold about you is inaccurate, incomplete, out of date, or misleading, you may request correction. Platform users can update most profile information directly within their account settings. For other corrections, contact us at support@esterrx.com.

Certain records, including submitted audit data and finalised clinical workflow documents, are immutable by design and cannot be retrospectively altered. If an error exists in an immutable record, we will annotate the record accordingly where technically feasible.

12.3 Deletion requests

You may request the deletion of your personal information by contacting us at support@esterrx.com. We will comply with deletion requests except where we are required or authorised to retain the information by law, including:

  • Regulatory audit records subject to mandatory retention periods;
  • Healthcare record-keeping obligations; and
  • Records necessary for the establishment, exercise, or defence of legal claims.

Where full deletion is not possible, we will de-identify or restrict access to the information to the extent practicable.

12.4 Patients

Patients who do not have accounts on the Platform may exercise any of the above rights by contacting us at support@esterrx.com. We will verify the patient's identity before processing any request.


13. Data Security

13.1 Technical measures

We implement reasonable technical and organisational security measures to protect personal information held on the Platform, including:

  • Encryption of sensitive personal information at the application layer before storage;
  • At-rest encryption of all stored data;
  • Role-based and row-level access controls to restrict data access to authorised users;
  • Secure hashing of user passwords;
  • Session management controls, including the ability to sign out all devices;
  • Rate limiting on public-facing endpoints; and
  • Anti-abuse protections on public forms.

13.2 Notifiable Data Breaches

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

13.3 Limitations

No system is completely secure. While we take reasonable steps to protect your personal information, we cannot guarantee that unauthorised access, disclosure, or loss will never occur.


14. Complaints

If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint by contacting us at:

Email: support@esterrx.com

We will acknowledge your complaint within 7 days and investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by email and/or by displaying a notice on the Platform. The "Last updated" date at the top of this policy will be revised accordingly.

Your continued use of the Platform after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Platform and close your account.


16. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights, contact us at:

Glaxier AUNZ Pty Ltd trading as EsterRx
ABN: 93 652 028 745
Email: support@esterrx.com
Website: esterrx.com