RareJourney Privacy Policy

Effective date: 22 June 2026

Last updated: 22 June 2026

Version: 1.1

RareJourney is a digital companion for people living with rare diseases and the people who care for them. It helps you record symptoms, store documents, prepare for clinical appointments, and connect with others. Some features use artificial intelligence.

This Privacy Policy explains what personal and health information we collect, how we use it, who we share it with, how we protect it, and the rights you have over it.

1. Who We Are and How to Contact Us

The RareJourney app and related services (App) are operated by RareJourney Pty Ltd, ACN 697 146 535 (RareJourney, we, us, our). RareJourney is the data controller for personal information collected through the App.

For privacy questions, requests, or complaints:

2. Scope and Applicability

This Policy applies to personal and health information collected through the App and related services. We comply with:

  • The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
  • The General Data Protection Regulation (GDPR) and the UK GDPR for users in the European Economic Area and the United Kingdom.
  • Applicable US state privacy laws, including the California Consumer Privacy Act (as amended by the CPRA) and the Washington My Health My Data Act, for users in relevant states.
  • Other privacy laws that apply in jurisdictions where we make the App available.

Where law in your country provides stronger protection than this Policy describes, the law of your country applies.

Depending on the context, RareJourney may act as a data controller or as a data processor. When you create an account, enter health information, or use the App's features, we act as a controller. Where an organisation provides the App to users under a separate agreement (for example, a clinical or research partner), we may act as a processor on that organisation's behalf.

3. Anonymity and Pseudonymity

RareJourney works best when information is personalised to you. This requires us to identify you and to hold accurate information about you.

Some interactions with RareJourney do not require identification (for example, browsing public pages or resources). You can use those without identifying yourself. To use the core features of the App, you must create an account.

4. Information We Collect

We collect different categories of information depending on how you use the App.

4.1 Account information. Information identifying the person who holds and manages the account, including: first name and surname; date of birth; relationship to the person living with a rare disease (if you are a parent or caregiver); email address (entered directly or via sign-in with an email or identity provider); phone number; location (country and region).

4.2 Profile of the person living with a rare disease. If you create or manage a profile for a person living with a rare disease, we collect information about that person, including: first name and surname; date of birth; sex at birth and gender; country location; diagnosis details (condition, diagnosis date, diagnosis method); birth and early life history; growth information; health summary covering affected body systems, management, and impact on daily life; health history including surgeries, major interventions, medications, and therapies.

4.3 Day-to-day health information. As you use the App, you may add: timeline events (symptoms, medications, appointment notes, test results); uploaded files (discharge summaries, support worker notes, clinical reports, doctor letters, medication referrals); journal notes, milestones, and free-text observations; community contributions (posts, lived experience stories, comments).

4.4 Information generated by AI features. When you use AI features, we collect the inputs you submit and the outputs generated in response. Inputs and outputs are stored as part of your account.

4.5 Automatically collected information. Device type, operating system, and app version; crash reports, log data, and performance information; usage analytics such as features used, frequency of use, and session length; approximate location derived from your device or IP address. This information keeps the App secure, helps us understand how it is used, and improves performance.

4.6 Information from others. With your authorisation, we may collect information from people you connect to your account, such as healthcare providers, caregivers, or other family members. We only collect health information from third parties where you have asked us to do so or otherwise consented.

4.7 Connected devices and wearables. Features that allow you to connect devices and wearables (for example, sleep, activity, or heart-rate trackers), where available, are optional and require your express consent.

4.8 Unsolicited or inappropriate information. If we receive personal information we did not request, or that appears unrelated to our services, we assess whether we are permitted to retain it under this Policy and applicable law. Where we cannot keep it, we take reasonable steps to destroy or de-identify it. If information has been submitted without authority or appropriate consent, we may verify, limit access to, or remove it.

5. How We Use Your Information

We use personal and health information to:

  • Provide the features of the App
  • Personalise responses, summaries, and insights to your circumstances
  • Communicate with you about your account and the App
  • Maintain security, prevent fraud, and protect our systems
  • Improve the App's design, reliability, and AI features
  • Comply with our legal and regulatory obligations
  • Conduct or support research, where you have opted in
  • Send marketing communications, where you have not opted out (and, where required, only with your consent)

5.1 De-identified and aggregated data

We may use de-identified or aggregated information derived from your data to improve the quality, safety, and reliability of the App, including its AI features. Before this use, direct identifiers are removed or transformed so the data cannot reasonably be used to identify you or the person living with a rare disease.

Participation in AI improvement is optional. You can opt out at any time through your account settings or by emailing privacy@therarejourney.com. Opting out does not affect your ability to use the App.

We do not use identifiable personal information to train AI models. Information relating to children is used for service improvement only in de-identified or aggregated form.

Where de-identified data has already been used to train or improve a model, it may not be possible to fully remove its influence from the model. The data does not identify you. We will respect opt-out requests for future use where feasible.

5.2 Pilot reporting

During pilot phases of the App, we may share usage reports with pilot partners (for example, research institutes or rare disease organisations). Pilot reports contain only aggregated, non-identifiable usage metrics such as number of sessions, number of users, number of chats, number of documents uploaded, and number of timeline events saved. Pilot reports do not contain personal, identifiable, or medical content.

6. How AI Features Handle Your Information

AI features use Microsoft Azure OpenAI Service in a closed configuration. This means: your inputs are processed within an environment controlled by RareJourney; data logging by the AI service is disabled where the service permits; your inputs are not used to train the underlying AI model; access is tightly controlled and monitored.

AI features combine your information with curated reference material, including published research and, where users have consented, lived experience content from other community members. Responses are informational only. They are not medical advice and do not replace professional care. AI can produce information that is incomplete, outdated, or incorrect.

Use of AI features is optional. You can use other parts of the App without engaging the AI features.

7. Who We Share Information With

We share personal and health information only as described in this Policy and only with the minimum information reasonably necessary.

7.1 Service providers

We work with trusted service providers to operate the App. Categories include: cloud hosting and storage (Microsoft Azure, Supabase on Amazon Web Services); AI processing (Microsoft Azure OpenAI Service); analytics and performance monitoring (in de-identified or aggregated form); communication and notification services (email, SMS, in-app messaging); customer support tools. Service providers are contractually required to handle your information securely, only for the purposes we authorise, and in line with applicable privacy laws. A current list is available on request by emailing privacy@therarejourney.com.

7.2 People you authorise

You can choose to share your information with people you authorise, such as healthcare providers, caregivers, or family members. You control who has access and can change or revoke access at any time.

7.3 Research partners

Research is a core part of why RareJourney exists, and it is also part of how we fund our work. We only contribute your information to research where you have opted in. This is always optional, and you can use the full App without opting in.

Research data contribution operates in two layers.

Base research consent. If you opt in — at onboarding or later in settings — you consent to us preparing de-identified information from your account (both information you have already recorded and information you record in future) and licensing or otherwise providing it to research partners. We may receive payment for this, and that funding sustains RareJourney and the research it enables. Partner categories include academic and university researchers, clinical research organisations, registry coordinators, rare disease research consortia, and pharmaceutical and biotechnology sponsors of research. We provide this information under data use agreements that prohibit any attempt to re-identify you.

Per-study consent. For research that involves information that could identify you, direct contact with you, or any use beyond the base consent, we will tell you about the specific study — including who is involved — and ask for separate, specific consent before anything is shared. You decide each time. The base consent above does not authorise these uses on its own.

Consent for people under 18. Where the person whose information would be contributed is under 18, research data contribution requires the consent of a parent or guardian (see Section 13).

The limits of de-identification. De-identified information is information from which we have removed or transformed details that identify you. Because rare conditions involve very small numbers of people, de-identification cannot be guaranteed to be perfect, and a determined party with other information could in theory attempt to re-identify someone. We reduce this risk both technically and by contract, and we are honest with you that the risk is reduced rather than eliminated.

Changing your mind. You can change your research preferences at any time in settings or by emailing privacy@therarejourney.com. Withdrawal stops future contributions. Information that has already been included in a research dataset, or already shared for a specific study, cannot be removed from datasets that have already been created or distributed; that information continues to be handled under the relevant dataset or study data management plan. Withdrawal does not affect the lawfulness of anything done before you withdrew.

7.4 Legal and safety disclosures

We may disclose information where: required by law, court order, or regulatory request; necessary to prevent or lessen a serious threat to a person's life, health, or safety; necessary to investigate or respond to suspected unlawful activity; necessary to protect our rights, property, or the integrity of the App.

7.5 What we will not do

We do not sell or share information that identifies you, and we do not use or share your information for advertising or third-party marketing. With your separate opt-in (Section 7.3), we may license de-identified information to research partners, including commercial and pharmaceutical sponsors, to support rare disease research and sustain RareJourney. This is always optional, and "de-identified" means information from which we have removed details that identify you — with the limits described honestly in Section 7.3.

8. International Data Transfers

RareJourney is based in Australia, and your information is stored and processed in Australia. Our core infrastructure runs in Microsoft Azure (Australia East) and Supabase (Australia East, on Amazon Web Services in Sydney). Some limited processing may occur in other regions where particular service providers operate — for example, certain communication or support tools.

Where you opt in to research data contribution (Section 7.3), the de-identified information we share with research partners may be received by partners located in other countries, including the United States and Europe.

Cross-border transfers of personal and health information are protected by:

  • Contractual safeguards, including data processing agreements with our providers
  • Technical safeguards, including encryption in transit and at rest, access controls, and monitoring
  • Organisational safeguards, including staff training and security policies

For users in the European Economic Area, the United Kingdom, or other jurisdictions with cross-border transfer rules:

  • Transfers are made on the basis of Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) entered into with our sub-processors, or
  • Your explicit consent to the transfer, where you have provided it.

Under Australian law, RareJourney remains accountable for personal information we disclose to overseas recipients, except in the limited circumstances permitted by the Privacy Act.

9. How We Secure Your Information

We protect your information with security measures designed to prevent loss, misuse, unauthorised access, modification, and disclosure: encryption in transit and at rest; role-based access controls; closed-environment AI processing; logging and monitoring of access to personal and health information; regular review of our security practices.

No digital service is completely immune to risk. You are also responsible for keeping your account credentials confidential and using the App securely on your devices.

9.1 Data breach notification

Where a data breach is likely to result in serious harm and is otherwise notifiable under the Notifiable Data Breaches scheme of the Privacy Act, we will notify affected individuals and the Office of the Australian Information Commissioner. For users in the United States, we comply with the Federal Trade Commission's Health Breach Notification Rule, which applies to health apps not covered by HIPAA. For users in other jurisdictions, we comply with applicable breach notification laws.

10. How Long We Keep Your Information

We retain personal information only for as long as reasonably necessary to: provide the App and the services you have requested; support your ongoing relationship with us; meet legal, regulatory, and clinical record-keeping requirements.

When personal information is no longer required, we take reasonable steps to destroy or permanently de-identify it, unless we are required by law to retain it for a longer period.

Specific retention periods:

  • Account information and profile: for as long as your account is active, plus a reasonable period afterwards for legal and operational purposes.
  • Health information you enter: for as long as your account is active, or until you delete the specific information.
  • AI chat inputs and outputs: for as long as your account is active, or until you delete them.
  • Community contributions: for as long as your account is active, or until you delete them.
  • Device and usage data: typically retained for up to 24 months for analytics and security purposes.
  • Backups: residual copies may persist in backup systems for a reasonable period after deletion.

Where data has been de-identified or aggregated for service improvement, it may continue to be used in that form even after your account is closed. Where de-identified information has been included in a research dataset under your opt-in (Section 7.3), it remains part of datasets already created or shared and is retained as described in that section, even if you later withdraw or close your account.

11. Your Rights and Choices

Depending on your jurisdiction, you have rights to:

  • Access. Request a copy of the personal and health information we hold about you.
  • Correct. Ask us to correct information that is inaccurate or out of date.
  • Delete. Request deletion of your account and information, subject to legal and clinical record-keeping obligations.
  • Object or restrict. Object to certain uses of your information, or ask us to restrict processing in some circumstances.
  • Portability. Receive a copy of certain information in a structured, commonly used, machine-readable format, where technically feasible.
  • Withdraw consent. Where we rely on your consent to process information, withdraw that consent at any time.
  • Opt out of marketing. Stop receiving marketing communications at any time using the unsubscribe link or your account settings.
  • Opt out of AI improvement. Stop having de-identified data from your account used to improve AI features.
  • Opt out of research. Stop contributing data for research purposes, or change your per-study consents.
  • Lodge a complaint. With us first, and then with the relevant privacy authority for your jurisdiction if you are not satisfied with our response.

Withdrawing from research is not the same as deleting your account. Withdrawing from research stops future contributions and is described in Section 7.3. Deleting your account removes the identifiable information we hold about you, subject to legal and record-keeping obligations. However, de-identified information that has already been included in a research dataset, or already used to improve our services, cannot be removed from datasets already created or shared, because it no longer identifies you.

To exercise these rights, contact us at privacy@therarejourney.com. We may need to verify your identity. We aim to respond within 30 days (within one month for EU and UK users, extendable by a further two months in complex cases).

We may decline a request in limited circumstances permitted by law, including where granting the request would adversely affect another person's rights, where the request is frivolous or vexatious, or where we are required by law to retain information.

12. Direct Marketing

With your consent, or where permitted by law, we may send you communications about RareJourney services and features. We use a three-tier approach:

  • Service communications. Messages about your account, security, and the operation of the App. These are necessary to provide the service and you cannot opt out of them while you have an active account.
  • General marketing. Newsletters, product updates, surveys, and event invitations. You can opt out at any time using the unsubscribe link or your account settings.
  • Targeted communications using health information. Messages that use information from your profile or health history to suggest relevant opportunities, such as clinical trials or condition-specific resources. These require your express opt-in consent. You can withdraw consent at any time.

All marketing communications include clear sender identification and an easy way to opt out, in accordance with the Spam Act 2003 (Cth) and equivalent laws in other jurisdictions.

13. Children and Families

Many people who use RareJourney are parents or caregivers managing a profile on behalf of a child. We support this use and have designed the App with families in mind.

  • Parents or caregivers can create and manage profiles for children or dependents, provided they have the legal right to do so.
  • We do not knowingly allow people under 16 to create their own accounts.
  • Where information about a child is used for service improvement, it is used only in de-identified or aggregated form.
  • Research and children. Where the person whose information would be contributed to research is under 18, research data contribution (Section 7.3) requires the consent of a parent or guardian. Information about a person under 18 is not included in the research datasets we license unless a parent or guardian has provided that consent.
  • Reaching adulthood. When a young person who was added as a minor reaches 18, we will ask them to confirm their own research and privacy preferences.

If you believe a child has provided information to us without parental authorisation, contact us at privacy@therarejourney.com and we will take appropriate steps.

14. Cookies, SDKs, and Similar Technologies

The App uses cookies, software development kits (SDKs), and similar technologies to keep the service secure, understand usage patterns, and improve performance. These technologies collect information such as device identifiers, app version, crash logs, and usage events.

We do not use these technologies to track you across other apps or websites for advertising. Where the law of your jurisdiction requires consent for non-essential cookies or analytics, we will ask for that consent before collecting the relevant data.

15. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will notify you through the App or by email and update the effective date at the top of this Policy. Continued use of the App after a change means you accept the updated Policy. If you do not accept, you can stop using the App and request deletion of your information.

16. Complaints

If you have a question or concern about how we handle your information, contact us at privacy@therarejourney.com. We aim to acknowledge complaints within 5 business days and resolve them within 30 days.

If you are not satisfied with our response, you can contact the relevant privacy authority for your jurisdiction. Contact details for the main authorities are below in the jurisdictional notices.

17. Jurisdictional Notices

17.1 Australia

RareJourney complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme.

If you are in Australia, you can lodge a privacy complaint with us first. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC), which requires you to raise the complaint with us first. OAIC: www.oaic.gov.au

We collect health information from third parties only where you have consented and the information is reasonably necessary for one or more of our functions. Information is stored and processed in Australia (Microsoft Azure Australia East and Supabase Australia East). Where you opt in to research data contribution, de-identified information may be disclosed to research partners in the United States and other countries; our APP 8 accountability obligations apply to those disclosures.

17.2 European Economic Area and United Kingdom

For users in the EEA and the UK, RareJourney is the data controller for the purposes of the GDPR and the UK GDPR.

Research data contribution (Section 7.3) is not currently offered to users in the EEA or the UK. EEA and UK users may use the App, but we do not contribute their information to research partners or license de-identified data derived from their accounts.

Lawful bases for processing. We rely on the following lawful bases under Article 6 of the GDPR, and the following grounds for special category data (including health data) under Article 9:

PurposeData categoriesArticle 6 basisArticle 9 basis
Providing the App and its core featuresAccount information, profile, timeline, documents, notesContractExplicit consent
Powering AI features in response to your inputsInputs you submit, account informationContractExplicit consent
Improving AI features and service qualityDe-identified or aggregated informationLegitimate interestsNot applicable (de-identified)
Direct notices about RareJourney servicesAccount informationConsent (where required) or legitimate interestsNot applicable
Targeted communications using health informationHealth information, profileConsentExplicit consent
Service notices and security alertsAccount informationLegitimate interestsNot applicable
Fraud prevention, system security, integrityAccount information, device and log dataLegitimate interestsNot applicable
Legal obligations and regulatory complianceAs requiredLegal obligationSubstantial public interest or legal claim
Community discussions, posts, and reviewsUser-generated contentConsentExplicit consent

Your rights. You have rights to access, rectification, erasure, restriction, objection, portability, and to withdraw consent. You also have the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects. We do not make such decisions about you through the App.

Complaints. If you believe we have infringed your privacy rights, please contact us at privacy@therarejourney.com so we can work to resolve your concerns. You can lodge a complaint with the supervisory authority in your country of residence, place of work, or where you believe an infringement occurred. In the UK: Information Commissioner's Office (ICO), www.ico.org.uk. In the EU: your national data protection authority — a list is available at www.edpb.europa.eu.

International transfers. Information collected from you is stored and processed in Australia and may be processed by service providers in other regions. We take all steps reasonably necessary to ensure your personal information is treated securely and in accordance with this Privacy Policy, including Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.

17.3 United States

If you are in the United States, the following applies in addition to the general sections of this Policy.

Health information. RareJourney is not a HIPAA-covered entity and is not a HIPAA business associate. We apply security and privacy controls designed to be consistent with reasonable health information safeguards, but we do not represent that the App meets HIPAA-specific regulatory standards.

California residents. Under the CCPA, as amended by the CPRA, you have rights to know what personal information we collect, to access and delete it, to correct inaccurate information, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. Where you have opted in to research data contribution (Section 7.3), we may license de-identified information, which is not "personal information" under the CCPA/CPRA; should any such information be found to be personal information, you may opt out of its sale or sharing at any time. Exercise these rights by emailing privacy@therarejourney.com. We will not discriminate against you for exercising your rights.

Washington residents. The My Health My Data Act applies to consumer health data we collect about you. You have rights to access, delete, and withdraw consent for the collection and sharing of consumer health data. Genuinely de-identified data is excluded from "consumer health data" under the Act. For any sharing of consumer health data that would constitute a sale, we will obtain the separate valid authorisation the Act requires — identifying the specific recipient — before that sale occurs. Exercise these rights by emailing privacy@therarejourney.com.

Other US states. Other states have enacted privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, and others) that may give residents additional rights. We honour rights granted by applicable state law. Contact us at privacy@therarejourney.com.

17.4 Other jurisdictions

If you use the App from another jurisdiction with applicable privacy laws, those laws may give you additional rights. Contact us at privacy@therarejourney.com for information about rights specific to your jurisdiction.

© 2026 RareJourney Pty Ltd. All rights reserved.