Privacy Policy
Effective date: 10 April 2026
The key point: Your Booking does not store patient data. Patient information passes through our servers in real time to facilitate bookings, but is never saved to our database. Your patients' health information stays in your practice's Optomate system.
1. Who we are
Your Booking ("we", "us", "our") is an online appointment booking platform for Australian optometry practices. The service is operated by Robert McQualter Pty Ltd (ABN 49 126 850 851) and is accessible at yourbooking.au.
We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For Victorian practices, we also comply with the Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs) where applicable.
2. What personal information is involved
When a patient uses Your Booking, the following personal information may be transmitted through our servers:
- Name (given name and surname)
- Date of birth
- Mobile phone number
- Email address
- Medicare number (if entered during booking)
- Appointment details (date, time, type, optometrist)
This information originates from the practice's Optomate system and is relayed in real time. None of this patient data is stored in our database.
3. What we do store
Our database stores only:
- Practice configuration — branding, appointment types, scheduling rules, optometrist profiles, business hours
- Booking audit records — an Optomate patient ID number and appointment ID number for each booking, with no patient name, contact details, or health information
- Notification records — a log of reminders and recalls sent, referencing Optomate ID numbers only, to prevent duplicate sends
- Practice administrator credentials — hashed passwords for practice admin and staff login
4. How patient information flows
Your Booking acts as a relay between the patient's browser and the practice's Optomate system:
- The patient's browser connects to our server over HTTPS (encrypted in transit)
- Our server forwards requests to a lightweight agent installed at the practice, via an encrypted WebSocket connection
- The agent queries the practice's local Optomate system and returns the response
- Patient data passes through our server's memory only and is not written to any database or log file
At no point does patient data leave Australia. Our servers are hosted in Melbourne.
5. Temporary session data
When a patient identifies themselves to make a booking, a short-lived session is created in our Redis cache containing their Optomate patient ID and basic details. This session expires automatically (typically within 30 minutes) and is not backed up or persisted to disk.
6. SMS and email communications
When Your Booking sends appointment reminders, recall notifications, or manage links on behalf of a practice:
- SMS messages are delivered via Kudosity (transmitsms.com), an Australian SMS gateway. The patient's mobile number and message content are transmitted to Kudosity for delivery. Kudosity's privacy policy applies to their handling of this data.
- Email messages are sent via the practice's own SMTP server where configured, or via our central mail relay (Mailroute) for system notifications. Patient email addresses are used only for delivery and are not retained beyond the send.
Patients can reply STOP to any SMS to opt out of further messages. Stop requests are propagated to the practice's Optomate system.
7. Third-party service providers
We use the following third-party providers to operate the service:
- Binary Lane (Melbourne, Australia) — server hosting
- Cloudflare — DNS and SSL certificate management
- Kudosity (Australia) — SMS delivery
- Mailroute — outbound email relay for system notifications
Each provider processes only the minimum data necessary for their function. All hosting and primary data processing occurs within Australia.
8. Data security
We take reasonable steps to protect information in our care:
- All connections use HTTPS/TLS encryption
- Server access is restricted to SSH key authentication only
- A firewall permits only web traffic (ports 80/443) and SSH
- Intrusion prevention (fail2ban) is active
- Security headers (HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are enforced
- Database backups are encrypted in transit and stored on infrastructure within Australia
- The agent connection from the practice is outbound-only — no inbound ports need to be opened at the practice
9. Data retention and deletion
Because we do not store patient data, there is no patient data to retain or delete.
Practice configuration data is retained for the duration of the service agreement. If a practice discontinues the service, their configuration data and associated audit/notification records are deleted upon request.
10. Access and correction
Patients seeking access to or correction of their personal information should contact their optometry practice directly, as the practice is the custodian of their health records in Optomate.
Practice administrators can view and update their practice configuration through the admin dashboard at any time.
11. Notifiable data breaches
In the unlikely event of a data breach that is likely to result in serious harm, we will notify affected practices and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.
12. Cookies and analytics
Your Booking uses browser local storage to maintain login sessions. We do not use third-party tracking cookies or analytics services on the patient booking pages.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to practices via email. The effective date at the top of this page indicates when the policy was last revised.
14. Contact
If you have questions about this privacy policy or how we handle personal information, contact us at:
Your Booking
Email: rob@yourbooking.au
Web: yourbooking.au