Regulatory Compliance

Effective Date: November 26, 2025

AttendMe Pty Ltd is an Australian company operating under Australian regulatory frameworks. This page describes our regulatory classification, compliance standards, and privacy practices.

Australian Regulatory Classification (TGA)

Primary Regulatory Framework: AttendMe is classified as an exempt Clinical Decision Support System (CDSS) under the Australian Therapeutic Goods Administration (TGA).

As an Australian company (AttendMe Pty Ltd, ABN 94 688 321 637), our primary regulatory framework is governed by the Therapeutic Goods Administration (TGA) under the Therapeutic Goods Act 1989.

TGA Exempt CDSS Classification

AttendMe qualifies as an exempt Clinical Decision Support System (CDSS) under Section 14G of the Therapeutic Goods (Excluded Goods) Determination 2018. This classification applies because:

Professional Use Only: The software is intended exclusively for licensed healthcare professionals, not patients
Does Not Replace Clinical Judgment: All outputs are recommendations and synthesized literature analysis that must be verified and evaluated by healthcare professionals using independent clinical judgment
Information Can Be Verified: All responses include full citations to peer-reviewed medical literature, enabling professional verification against primary sources
Supports, Not Directs: The software augments clinical decision-making by providing rapid access to medical literature but does not make autonomous clinical decisions

Regulatory Implications

Under TGA regulations, exempt CDSS status means:

No ARTG Registration Required: The software is not required to be included in the Australian Register of Therapeutic Goods (ARTG)
Ongoing Compliance: We maintain compliance with applicable adverse event reporting and quality management standards consistent with exempt CDSS requirements
TGA Oversight: While exempt from registration, the software remains subject to TGA oversight including advertising standards and post-market surveillance

Healthcare Professional Acknowledgment: By using AttendMe, you acknowledge that you are a licensed healthcare professional who retains full responsibility for all clinical decisions. You understand that AttendMe provides consultation support similar to literature databases and clinical reference tools.

New Zealand Regulatory Classification (Medsafe)

In New Zealand, medical devices are regulated by Medsafe under the Medicines Act 1981. AttendMe is classified as non-device software under Medsafe guidelines because:

Information Tool: AttendMe provides literature synthesis and research support, not diagnosis, treatment, or monitoring functions
Professional Verification Required: All outputs require independent professional verification against cited primary sources
No Patient Interface: The software is designed for healthcare professional research, not direct patient care or patient-facing use

AttendMe is not required to be notified in the WAND (Web Assisted Notification of Devices) database as it does not meet the definition of a medical device under New Zealand law.

New Zealand Privacy: AttendMe complies with the Privacy Act 2020 and the Information Privacy Principles (IPPs), including the Health Information Privacy Code 2020 where applicable.

United States Regulatory Classification (FDA)

In the United States, the FDA regulates software as a medical device under the Federal Food, Drug, and Cosmetic Act. AttendMe qualifies as Non-Device Clinical Decision Support (CDS) software under the 21st Century Cures Act, Section 3060(a).

21st Century Cures Act Criteria

AttendMe meets all four criteria for Non-Device CDS exclusion:

Criterion 1: Does not acquire, process, or analyze medical images, IVD device signals, or signal acquisition system patterns
Criterion 2: Displays, analyzes, or prints medical information (synthesized literature and evidence summaries)
Criterion 3: Intended for supporting or providing recommendations to healthcare professional users
Criterion 4: Enables healthcare professionals to independently review the basis for recommendations (full citations provided) so they do not rely primarily on the software

As Non-Device CDS software, AttendMe is excluded from the FDA medical device definition and is not subject to FDA premarket review requirements (510(k), De Novo, or PMA).

HIPAA Compliance (US Healthcare Providers)

For healthcare providers operating in the United States, AttendMe maintains HIPAA-aligned security measures to protect healthcare information. While AttendMe is designed as a research tool and is not intended to process Protected Health Information (PHI), we implement safeguards consistent with HIPAA requirements:

Administrative Safeguards: Security officer designation, risk assessment procedures, incident response planning
Physical Safeguards: SOC 2 Type II certified cloud providers with secure data centers
Technical Safeguards: Encryption (TLS 1.3, AES-256), access controls, audit logging

Business Associate Agreements (BAAs) are available for healthcare organizations requiring formal HIPAA compliance documentation.

Privacy Commitment

AttendMe is committed to protecting the privacy and security of our users' information. While AttendMe is designed as a research tool and users should not input Protected Health Information (PHI), we maintain HIPAA-compliant security measures as part of our commitment to healthcare data protection.

Important Notice About PHI

AttendMe is NOT designed to store or process Protected Health Information (PHI). Users should not input patient names, medical record numbers, or any other patient-identifiable information into the system. The service is intended for medical research and education only.

How We Protect Your Information

Even though PHI should not be entered into our system, we implement comprehensive security measures:

Physical Safeguards: Secure data centers with controlled access
Technical Safeguards: Encryption, access controls, and audit logs
Administrative Safeguards: Employee training, access policies, and security procedures

Security Measures

Encryption

All data transmitted between your device and our servers is encrypted using TLS 1.3
Data at rest is encrypted using AES-256 encryption
Encryption keys are managed using industry best practices

Access Controls

Role-based access control (RBAC) for all system components
Multi-factor authentication available for user accounts
Regular access reviews and privilege audits
Automatic session timeouts for inactive users

Audit Logging

Comprehensive logging of all data access and modifications
Tamper-proof audit trails
Regular review of access logs
Retention of audit logs for minimum of 6 years

User Rights and Responsibilities

As a user of AttendMe, you have the right to:

Access your account information and usage history
Request corrections to your account information
Request deletion of your account and associated data
Receive notifications of any security breaches
File a complaint if you believe your privacy rights have been violated

Your responsibilities include:

NOT entering any PHI or patient-identifiable information
Maintaining the security of your account credentials
Reporting any suspected security incidents immediately
Using the service only for its intended research purposes

Business Associate Agreements

While AttendMe is not intended to handle PHI, we are committed to establishing Business Associate Agreements (BAAs) with service providers who handle user data. BAAs are available upon request for healthcare organizations requiring formal HIPAA compliance documentation.

Our infrastructure providers (Supabase, Vercel, OpenAI, Sentry) maintain SOC 2 Type II certifications. We pursue BAAs with these providers as part of our ongoing compliance program.

Breach Notification

In the unlikely event of a data breach, we will:

Notify affected users within 72 hours of discovery
Provide details about what information was involved
Describe steps we are taking to investigate and mitigate
Offer guidance on protective measures you can take
Comply with all applicable breach notification laws

Workforce Training

All AttendMe employees and contractors with access to user data receive:

Initial HIPAA privacy and security training
Annual refresher training
Role-specific security training
Regular updates on privacy best practices

Compliance and Auditing

We maintain our security posture through:

Regular security risk assessments
Use of SOC 2 Type II certified infrastructure providers
Continuous security monitoring via automated tools
Dependency vulnerability scanning
Continuous improvement of security measures

Independent penetration testing and third-party security audits are planned as part of our security roadmap.

Questions and Complaints

If you have questions about our privacy practices or believe your privacy rights have been violated:

Email: harry@attendme.ai

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights:

www.hhs.gov/ocr/privacy/hipaa/complaints/

Changes to This Notice

We reserve the right to change this notice and our privacy practices. Any changes will be posted on our website and will apply to all information we maintain. The effective date of the notice is listed at the top of this page.

Remember:

AttendMe is a research and educational tool. Never input patient-identifiable information. Always maintain patient privacy in accordance with your professional obligations and applicable laws.