Regulatory Compliance
Effective Date: April 28, 2026
Australian Regulatory Classification (TGA)
As an Australian company (AttendMe Pty Ltd, ABN 94 688 321 637), our primary regulatory framework is governed by the Therapeutic Goods Administration (TGA) under the Therapeutic Goods Act 1989.
TGA CDSS / Medical-Device Boundary
AttendMe is designed to remain inside a conservative evidence-support boundary:
- Professional Use Only: The software is intended exclusively for licensed healthcare professionals, not patients
- De-Identified Scenarios Only: The service accepts de-identified clinical scenarios but prohibits patient names, dates of birth, contact details, medical record numbers, addresses, insurance identifiers, and other direct patient identifiers
- Does Not Replace Clinical Judgment: All outputs are recommendations and synthesized literature analysis that must be verified and evaluated by healthcare professionals using independent clinical judgment
- Information Can Be Verified: All responses include full citations to peer-reviewed medical literature, enabling professional verification against primary sources
- Supports, Not Directs: The software augments clinical decision-making by providing rapid access to medical literature but does not make autonomous clinical decisions
Regulatory Implications
Current operating controls include:
- Change-Control Trigger: ARTG inclusion, exemption, notification, and Essential Principles obligations must be reassessed before any patient-specific diagnosis, monitoring, triage, or treatment-selection feature is supplied
- Current Evidence Boundary: The product must not process medical images, waveforms, monitoring signals, IVD data, or patient identifiers
- Professional Review: Outputs remain citation-backed and independently reviewable by the healthcare professional user
- Post-Market Monitoring: Complaints, safety events, and materially misleading outputs are reviewed through the documented product-safety process
New Zealand Regulatory Classification (Medsafe)
In New Zealand, medical devices are regulated by Medsafe under the Medicines Act 1981. AttendMe is intended as an information and research-support service for healthcare professionals. If a New Zealand deployment or marketing claim gives the service a therapeutic purpose as a medical device, the supplier must assess Medicines Act and WAND notification obligations before supply. The current product boundary is:
- Information Tool: AttendMe provides literature synthesis and research support, not diagnosis, treatment, or monitoring functions
- Professional Verification Required: All outputs require independent professional verification against cited primary sources
- No Patient Interface: The software is designed for healthcare professional research, not direct patient care or patient-facing use
WAND notification requirements must be reassessed before any New Zealand supply or integration that changes this intended-use boundary.
New Zealand Privacy: AttendMe complies with the Privacy Act 2020 and the Information Privacy Principles (IPPs), including the Health Information Privacy Code 2020 where applicable.
United States Regulatory Classification (FDA)
In the United States, the FDA regulates software as a medical device under the Federal Food, Drug, and Cosmetic Act. AttendMe is designed to support a Non-Device Clinical Decision Support (CDS) posture under the 21st Century Cures Act, Section 3060(a), only when the deployed use case satisfies the applicable non-device CDS criteria.
21st Century Cures Act Criteria
AttendMe is designed to align to the following non-device CDS criteria:
- Criterion 1: Does not acquire, process, or analyze medical images, IVD device signals, or signal acquisition system patterns
- Criterion 2: Displays, analyzes, or prints medical information (synthesized literature and evidence summaries)
- Criterion 3: Intended for supporting or providing recommendations to healthcare professional users
- Criterion 4: Enables healthcare professionals to independently review the basis for recommendations (full citations provided) so they do not rely primarily on the software
Any US feature that acquires or analyzes medical images, IVD data, or device signals, gives time-critical outputs, hides the basis for an output, or directs patient-specific diagnosis/treatment requires reassessment before release.
Information Security Certification
ISO/IEC 27001:2022 is an information security management system standard. AttendMe publishes this certification claim as a security and procurement signal alongside privacy, access-control, audit, and de-identification controls.
Verification is available through the JAS-ANZ register. This certification does not by itself constitute HIPAA certification, SOC 2 certification, TGA medical-device registration, or approval to accept PHI or patient identifiers.
HIPAA-Aligned Safeguards (US Healthcare Providers)
For healthcare providers operating in the United States, AttendMe maintains HIPAA-aligned security measures for healthcare settings. AttendMe is designed as a research and evidence-support tool and does not accept Protected Health Information (PHI) or patient identifiers. We implement safeguards consistent with HIPAA requirements:
- Administrative Safeguards: Security officer designation, risk assessment procedures, incident response planning
- Physical Safeguards: Cloud providers with secure data centers and SOC 2 Type II certified hosting where applicable
- Technical Safeguards: Encryption (TLS 1.3, AES-256), access controls, audit logging
Organizations that require formal HIPAA documentation or Business Associate Agreement review should contact us during procurement so requirements can be assessed case by case.
Privacy Commitment
AttendMe is committed to protecting the privacy and security of our users' information. AttendMe is designed as a research tool and does not accept Protected Health Information (PHI) or patient identifiers. We maintain HIPAA-aligned safeguards as part of our commitment to healthcare data protection. Current application controls block common direct patient identifiers before normal chat processing.
Important Notice About PHI
How We Protect Your Information
Because AttendMe does not accept PHI or patient identifiers, users must keep all prompts and uploads de-identified. We implement comprehensive security measures:
- Physical Safeguards: Secure data centers with controlled access
- Technical Safeguards: Encryption, access controls, and audit logs
- Administrative Safeguards: Employee training, access policies, and security procedures
Security Measures
Encryption
- All data transmitted between your device and our servers is encrypted using TLS 1.3
- Data at rest is encrypted using AES-256 encryption
- Encryption keys are managed using industry best practices
Access Controls
- Role-based access control (RBAC) for all system components
- Multi-factor authentication available for user accounts
- Regular access reviews and privilege audits
- Automatic session timeouts for inactive users
Audit Logging
- Comprehensive logging of all data access and modifications
- Tamper-proof audit trails
- Regular review of access logs
- Retention of audit logs for a minimum of 6 years
User Rights and Responsibilities
As a user of AttendMe, you have the right to:
- Access your account information and usage history
- Request corrections to your account information
- Request deletion of your account and associated data
- Receive notifications of any security breaches
- File a complaint if you believe your privacy rights have been violated
Your responsibilities include:
- NOT entering any PHI or patient-identifiable information
- Maintaining the security of your account credentials
- Reporting any suspected security incidents immediately
- Using the service only for its intended research purposes
Business Associate Agreements
AttendMe does not accept PHI. We are committed to reviewing Business Associate Agreement (BAA) requirements with prospective healthcare organizations before deployment. We do not market executed BAAs as a standard self-serve product feature.
Our infrastructure providers maintain strong security programs. Provider-specific contractual requirements, including any BAA review, are handled as part of enterprise due diligence.
Breach Notification
In the unlikely event of a data breach, we will:
- Notify affected users within 72 hours of discovery
- Provide details about what information was involved
- Describe steps we are taking to investigate and mitigate
- Offer guidance on protective measures you can take
- Comply with all applicable breach notification laws
Workforce Training
All AttendMe employees and contractors with access to user data receive:
- Initial HIPAA privacy and security training
- Annual refresher training
- Role-specific security training
- Regular updates on privacy best practices
Compliance and Auditing
We maintain our security posture through:
- Regular security risk assessments
- Use of infrastructure providers with SOC 2 Type II certified hosting where applicable
- Continuous security monitoring via automated tools
- Dependency vulnerability scanning
- Continuous improvement of security measures
Independent penetration testing and third-party security audits are planned as part of our security roadmap.
Questions and Complaints
If you have questions about our privacy practices or believe your privacy rights have been violated:
Email: harry@attendme.ai
You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights:
Changes to This Notice
We reserve the right to change this notice and our privacy practices. Any changes will be posted on our website and will apply to all information we maintain. The effective date of the notice is listed at the top of this page.
Remember:
AttendMe is a research and educational tool. Never input patient-identifiable information. Always maintain patient privacy in accordance with your professional obligations and applicable laws.