WEBSITE PRIVACY POLICY

Rx Property Australia (ACN: 652 946 953) (we, us, our) is committed to protecting your personal information and complying with the Privacy Act 1988 (Cth) (the Act) and the Australian Privacy Principles (APPs).

This policy applies to personal information collected through our website (rxproperty.com.au), paid social media and search advertising, lead generation, and our core business of healthcare property brokerage conducted by Stickland Realty Pty Ltd trading as Rx Property Australia. We operate across VIC, ACT, NSW and QLD.

1. What personal information we collect

We collect information that is reasonably necessary to provide our specialist healthcare property services, including:

  • Name, phone number and email address
  • Business name, professional role and contact details
  • Healthcare property requirements and transaction details
  • Enquiry content and correspondence with us
  • Device identifiers, IP address and browser data from website visits
  • Information submitted via paid advertising lead forms (e.g. Meta/Facebook, Instagram, LinkedIn)

We collect government identifier data (such as driver's licence, passport and other identity document information) for the purpose of identity verification where required by our compliance obligations under applicable real estate legislation. This information is processed through Scantek and handled in accordance with APP 3 and APP 11. We do not collect other sensitive information unless specifically required and with your express consent.

2. How we collect your information

We collect personal information when you:

  • Submit an enquiry through our website or a social media lead form
  • Contact us by phone, email or in person
  • Engage with our paid advertising on Meta (Facebook/Instagram) or LinkedIn
  • Attend a property inspection, presentation or transaction meeting
  • Interact with our email marketing, campaigns or content

We may also receive personal information from referrers, professional advisors, publicly available sources, or advertising platforms in connection with our campaigns.

3. Why we collect your information

We collect and use your personal information to:

  • Respond to your healthcare property enquiry
  • Source and present relevant property opportunities
  • Connect buyers, tenants, landlords and vendors in the health sector
  • Facilitate leasing, sales and development transactions
  • Deliver, target and measure our paid advertising campaigns
  • Send you relevant property opportunities and marketing communications
  • Analyse and improve our website and advertising performance
  • Comply with our legal and regulatory obligations

We do not sell your personal information.

4. Paid advertising and tracking technologies

We run paid campaigns on social media and search platforms. In connection with these campaigns, we use the following tracking technologies:

  • Meta Pixel (Facebook/Instagram) — tracks website visits, measures ad performance, and enables retargeted advertising to people who have engaged with our content or visited our site
  • LinkedIn Insight Tag — tracks conversions from LinkedIn advertising and supports audience building
  • Google Analytics and Google Ads tags — measures website traffic and advertising performance

These tools may collect device identifiers, IP addresses, browser type, pages visited, and interactions with our ads. This data may be shared with Meta Platforms Inc., LinkedIn Corporation and Google LLC, who process it under their own privacy policies.

Cookie management: You may manage or opt out of non-essential cookies via your browser settings. You can also adjust ad preferences directly at facebook.com/adpreferences and linkedin.com/psettings.

5. Disclosure of your information

We may disclose your personal information where reasonably necessary to:

  • Property owners, landlords, tenants, buyers or other parties in a transaction
  • Our employees, contractors and professional partners
  • CRM systems, IT providers and marketing platforms (see Section 7 for overseas detail)
  • Professional advisors including lawyers and accountants
  • Advertising platforms for campaign delivery and measurement (Meta, LinkedIn, Google)
  • Government or regulatory authorities where required by law
  • Scantek — Australia — identity verification platform used to conduct ID checks; government-issued identity document data is processed within Scantek and is not transferred to cloud storage. Where 100-point identification is completed in person, physical documents are not retained and destruction is recorded on our POLI form
  • Commonwealth Bank of Australia — Australia — business banking and trust accounts maintained in VIC, ACT, NSW and QLD in accordance with applicable state real estate licensing legislation; holds transaction records and client funds on trust in connection with property transactions
  • Domain Holdings Australia — Australia — property listings portal; listings data is pushed from our CRM and enquiry data including names, contact details and property interests flows back into our systems via API
  • REA Group (realestate.com.au) — Australia — property listings portal; listings data is pushed from our CRM and enquiry data including names, contact details and property interests flows back into our systems via API
  • REIForms Live / Realworks (REINSW and REIACT) — Australia — industry forms platform used to prepare and execute agency agreements, leases and other transaction documents; holds executed forms containing client names, addresses, signatures and transaction details

We only disclose information where required to respond to your enquiry, progress a transaction, or fulfil a legitimate business purpose.

6. Direct marketing

We may contact you about healthcare property opportunities or services relevant to your enquiry or interests. All marketing emails include an unsubscribe function in compliance with the Spam Act 2003 (Cth).

You can opt out at any time by:

  • Using the unsubscribe link in any marketing email
  • Contacting us at support@rxproperty.com.au or 1300 272 199
  • Adjusting your ad preferences directly on Meta or LinkedIn

We will not use sensitive information for direct marketing without your express consent.

7. Overseas disclosure

In operating our business we disclose personal information to the following overseas recipients under APP 8. Before doing so, we take reasonable steps to ensure each recipient does not breach the Australian Privacy Principles in relation to that information. The recipients, their country of operation, and the purpose of disclosure are set out below:

  • Microsoft 365 and SharePoint — United States — email, document storage and internal collaboration
  • Google Workspace, Google Analytics and Google reCAPTCHA — United States — email, productivity tools, website analytics and spam protection (reCAPTCHA on contact forms); reCAPTCHA processes behavioural data to verify users are human
  • Meta Platforms Inc. (Facebook/Instagram) — United States — paid advertising delivery, audience targeting, retargeting and campaign measurement via Meta Pixel and lead forms
  • LinkedIn Corporation — United States — paid advertising delivery, audience targeting and campaign measurement via LinkedIn Insight Tag and lead forms
  • MRI Software — United States — property management CRM; holds contact details, property preferences, transaction records and communication history for clients and prospects
  • Zapier — United States — automated workflow integration that orchestrates data flows between our CRM, advertising platforms, portals and other business tools; acts as a central data transit layer and may transfer personal information between platforms as part of automated processes
  • Supabase — data hosted in Australia (AWS Sydney, ap-southeast-2); Supabase Inc. is a United States company — backend database and application platform used to support our internal business applications; authorised Supabase personnel may have access to data for support and maintenance purposes. Data primarily remains in Australia; limited overseas access for support is governed by Supabase’s Data Processing Addendum
  • Vercel — United States — web application hosting and deployment platform used to host our internal applications and front-end services; may process visitor IP addresses, device and request metadata, and any personal information submitted through hosted application interfaces
  • GitHub (owned by Microsoft Corporation) — United States — source code repository and version control platform used to store and manage the source code for our applications; holds developer account information and code commit metadata. We take reasonable steps to ensure that client personal information is not committed to source code repositories
  • Anthropic Claude AI — United States — used for internal drafting and operational tasks only; we take reasonable steps to ensure identifiable client personal information is not submitted to this tool
  • OpenAI (OpenAI OpCo, LLC) — United States — used for internal drafting and operational tasks only; we take reasonable steps to ensure identifiable client personal information is not submitted to this tool. Where Customer Data is processed by OpenAI, this is governed by OpenAI’s Data Processing Addendum (DPA), under which OpenAI acts as a Data Processor on our behalf, processes data only on our instructions, maintains confidentiality obligations, and will notify us without undue delay of any personal data breach. The DPA provides protections broadly comparable to the Australian Privacy Principles
  • HubSpot — United States — customer relationship management and marketing automation platform; processes client and prospect contact details, enquiry and communication history, email marketing engagement data, and lead source and pipeline information
  • ai — United States — AI-powered meeting transcription; admitted to meetings as a visible participant and notifies all parties throughout the call. Verbal consent is sought by the meeting host at the commencement of each meeting before recording begins. Transcripts may contain personal information discussed during meetings
  • Stripe — United States — payment processing for purchases made via smsfreports.com.au; processes cardholder name, email address, billing details and transaction data
  • Xero — New Zealand — accounting and invoicing platform; processes client names, ABNs, email addresses, invoice amounts and payment records
  • DEXT — United Kingdom — accounting data capture and receipt management; processes invoice, receipt and supplier data including names, ABNs and amounts, fed into Xero for bookkeeping purposes. Processed under UK GDPR
  • Xeta (Virtual CFO and bookkeeping services) — India and Australia — provides bookkeeping services including trust account reconciliation; staff may access client transaction records, trust ledger data and invoicing information. Xeta is ISO 27001 certified, APP-compliant, does not use sub-contractors or third-party processors, and operates under strict physical and digital security controls. Data is governed by Xeta’s Privacy Policy at xeta.com.au
  • GoDaddy Airo — United States — website hosting for smsfreports.com.au; processes account registration data, order history and contact form submissions from that site
  • GoDaddy — United States — domain name registration for all Rx Property Australia domains (with the exception of the Website Blue hosted domain); holds business registration and contact details associated with domain records
  • RP Data / CoreLogic — United States (parent entity) — property market data platform used for comparable sales analysis and market appraisals including SMSF rental reports; connected via API to our CRM. Primarily processes property data; where property addresses are linked to identified individuals this constitutes personal information under the Act
  • Calendly — United States — appointment scheduling platform; collects name, email address, phone number and meeting details from individuals booking appointments with Rx Property Australia staff
  • DocuSign — United States — electronic document execution platform; holds executed agreements, leases, agency authorities and transaction documents containing signatory names, email addresses, signatures and transaction terms
  • VicForms 2.0 (REIV) — United States (hosting unconfirmed at time of publication; being verified with REIV) — Victorian real estate forms platform used to prepare and execute agency agreements and transaction documents; holds executed forms containing client names, addresses, signatures and transaction details. E-signing via REIVInk (Annature, Australian)

Personal information disclosed to overseas recipients may be transferred to the United States, New Zealand, the United Kingdom, India, and such other countries as identified above. Where data is hosted in Australia (such as Supabase’s Sydney region), it may still be accessible by overseas personnel of the service provider for support and maintenance purposes. The United States does not have a data protection regime substantially similar to the Australian Privacy Principles. New Zealand, the United Kingdom and India have privacy frameworks that provide meaningful but not identical protections. By providing your personal information to us, you acknowledge that it may be disclosed to overseas recipients in the countries listed. We take reasonable steps to ensure those recipients do not breach the APPs, including by reviewing vendor privacy policies, data processing terms, and standard contractual protections where available. If an overseas recipient handles your information in a way that breaches the APPs, we may still be accountable under Australian privacy law.

8. Automated decision-making

From 10 December 2026, APP 1.7 requires disclosure of automated decision-making (ADM). We do not currently use automated systems to make decisions that significantly affect individuals’ rights or interests in connection with our property brokerage services.

We use advertising platform algorithms (e.g. Meta and LinkedIn audience targeting tools) to deliver ads to relevant audiences. These are managed through platform tools and do not constitute decisions made by us about identifiable individuals.

We will update this section if we introduce ADM systems that affect individuals.

9. Security

We take reasonable steps to protect your personal information from misuse, interference, loss and unauthorised access. This includes secure cloud systems, access controls and staff training.

No internet transmission is completely secure. Any transmission of personal information online is at your own risk.

10. Access and correction

You have the right to request access to, or correction of, the personal information we hold about you. Please contact our Privacy Officer in writing (see Section 12). We will respond within a reasonable timeframe and may refuse access where permitted by law.

We may charge a reasonable fee for providing access but will not charge for corrections. We will notify you of any fee before proceeding.

11. Anonymity

General visitors may browse our website without identifying themselves. However, we may not be able to provide brokerage services or respond to enquiries if you do not provide personal information.

12. Complaints and Privacy Officer contact

If you have a privacy concern or complaint, please contact our Privacy Officer:

Privacy Officer: Bryce Stickland
Organisation: Rx Property Australia (Stickland Realty Pty Ltd)
Email: support@rxproperty.com.au
Phone: 1300 272 199
Post: PO Box 54, Balmain NSW 2041

We aim to respond within 30 days. If you are unsatisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

  • Phone: 1300 363 992 (Mon–Thu, 10am–4pm AEST)
  • Post: GPO Box 5288, Sydney NSW 2001
  • Online: oaic.gov.au

13. Updates to this policy

We may update this policy from time to time to reflect changes in our business, technology or the law. The current version will always be available at rxproperty.com.au/privacy-policy.