Privacy Policy
How we collect, use, store, and protect your personal and health information — and the rights you have over it.
1. About Solitaire Travel and this Policy
Solitaire Travel Pty Ltd (Solitaire Travel, ST, we, us, our) is an Australian medical tourism booking agency registered in Queensland (ACN 693 081 935). We help Australian patients access cosmetic surgery in Indonesia through The Solitaire Medical Centre in Bali, and operate the Snatched Waist brand for ultrasound-guided rib remodelling.
This Privacy Policy explains how we handle your personal information, including health information, in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).
This Policy applies to all information collected by Solitaire Travel through:
- Our websites (including solitairetravel.com and snatchedwaist.com)
- Online forms (enquiry, screening, medical history, finance application)
- Direct communications (phone, SMS, email, video consultation)
- Engagement with our Client Advisors and Patient Coordinators
- Our Snatched Waist clinical assessment pathway
2. What information we collect
Personal information
- Name, date of birth, gender
- Contact details (address, phone, email)
- Emergency contact details
- Government identification (when required for travel bookings)
- Payment information (processed by our payment partners — we do not store full card details)
Sensitive information — health information
When you complete a medical screening or history form, we collect information about your health, including:
- Medical conditions, past and current
- Surgical and anaesthesia history
- Current medications, allergies, and blood-thinning treatments
- Mental health information relevant to surgical suitability
- Alcohol, smoking, and substance-use history relevant to surgical risk
- Pregnancy and breastfeeding status
- Height, weight, BMI
- Reference photographs of relevant body areas for surgical assessment
Health information is sensitive information under the Privacy Act and is given additional protection. We only collect it with your express consent and only what is reasonably necessary for our work.
Information about your engagement with us
- Records of our communications (calls, SMS, emails, video consultations)
- Notes made by our team during your patient journey
- Travel, accommodation, and procedure preferences
- Finance application data (where you choose to apply through our partner TLC Finance)
- Technical information when you use our websites (IP address, browser type, pages visited)
3. Why we collect it and how we use it
Primary purposes
We collect and use your information to:
- Assess your eligibility and suitability for cosmetic surgery
- Provide that information to the clinical team responsible for your surgical assessment
- Quote, book, and coordinate your procedure, flights, accommodation, and care
- Communicate with you before, during, and after your procedure
- Provide aftercare and recovery follow-up
- Process payments and, where you choose, facilitate finance applications
- Meet our legal, regulatory, insurance, and record-keeping obligations
Secondary purposes
With your consent, or where permitted by law, we may also use your information to:
- Improve our services and patient experience
- Send you marketing communications (only if you opt in — easy to opt out at any time)
- Respond to your questions and feedback
4. Who we share it with, including overseas
We share your information only as necessary to deliver our service, with parties who are bound by appropriate confidentiality and security obligations. The main recipients are:
| Recipient | What they receive | Where they're located |
|---|---|---|
| The Solitaire Medical Centre — the surgical facility | Your full medical file and reference photographs, for clinical review and surgical assessment | Indonesia (Bali) |
| PT Snatched Waist Clinic — our Indonesian clinical operator (Snatched Waist patients only) | Your full medical file and reference photographs, for clinical review and surgical assessment | Indonesia (Bali) |
| The treating surgeon and anaesthetic team | Your full medical file, photographs, and consultation records, for clinical care | Indonesia (Bali) |
| GoHighLevel (GHL) — our customer relationship management platform | A summary of your submission, contact details, and our communications history | United States |
| Supabase — our primary data storage provider | Your medical submissions, photographs, and consent records (data stored in Sydney, Australia) | Australia (Sydney data centre) |
| Travel Beyond Group (TBG) — our flight booking partner | Name, contact details, dates, passport details (where required for booking) | Australia |
| Bali Beach Hotel and Meru Sanur — our accommodation partners | Name, contact details, dates, room preferences | Indonesia (Bali) |
| TLC Finance — our finance partner (only if you apply) | The information you provide on your finance application | Australia |
| Medical Travel Shield Australia — travel insurance partner (only if you elect cover) | Name, dates, procedure type | Australia (underwritten by Lloyd's of London) |
| Professional advisers and insurers (accountants, lawyers, insurers) | Only what is necessary, on a confidential basis | Australia |
| Regulators or law enforcement | Where required by law or court order | Australia or overseas as applicable |
Disclosure outside Australia
To provide our service, we must disclose your information to overseas recipients — principally the clinical team in Indonesia and our US-based CRM platform. We disclose only what is necessary for each recipient's role, and we ask for your express consent to these overseas disclosures before collecting your health information.
When information is held by overseas recipients, the privacy laws of that country may differ from Australian law. We take reasonable steps to ensure recipients handle your information consistently with the APPs, including through written agreements, technical safeguards, and minimising what is shared.
We do not sell your information
We do not, and will not, sell your personal information to anyone.
5. How we protect your information
We take the security of your information seriously. Our protections include:
- Australian-hosted storage for your medical submissions and reference photographs (Supabase, Sydney data centre)
- Encryption in transit (HTTPS / TLS) and at rest
- Access controls — only the people who need your information to do their job can access it
- Row-level security on our database — anonymous and unauthorised parties cannot read records
- Private storage buckets for photographs — no public links
- Audit logging of access to sensitive records
- Vendor due diligence on our service providers, including written agreements covering data handling
- Staff training on privacy obligations
No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a data breach that is likely to result in serious harm, we will follow the process described in section 8.
6. How long we keep your information
We keep your information only as long as we need it for the purposes set out in this Policy, or as required by law.
- Medical and clinical records for patients who proceed: 7 years from the date of your last engagement (aligned with Australian medical record-keeping conventions and limitation periods for civil claims).
- Form submissions and medical history records where you do not proceed, or where the engagement is abandoned or declined: 24 months from the date of your last contact.
- Marketing contact information: until you opt out, then deleted within 30 days.
- Financial records: 7 years (as required by Australian tax law).
At the end of these retention periods, we destroy or de-identify the information unless we are required by law to retain it for longer.
7. Your rights — access, correction, withdrawal
Access
You can request a copy of the personal information we hold about you at any time by contacting our Privacy Officer. We will usually respond within 30 days. There is no charge for a reasonable request.
Correction
If anything we hold about you is wrong or out of date, contact us and we will correct it.
Withdrawal of consent
You can withdraw your consent for our collection, use, or disclosure of your personal information at any time. Note that withdrawing consent does not affect anything we have already lawfully done, and it may mean we can no longer provide some or all of our services.
Deletion
You can ask us to delete your information. We will do so unless we are required by law to keep it, in which case we will tell you why.
Marketing opt-out
You can opt out of marketing communications at any time by using the unsubscribe link in any marketing email, replying STOP to any marketing SMS, or contacting us directly.
8. Data breaches and notification
If we become aware of a data breach involving your personal information that is likely to result in serious harm to you, we will:
- Contain and investigate the breach
- Notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in line with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act
- Tell you what happened, what information was involved, what we are doing in response, and what steps you can take
9. Changes to this Policy
We may update this Policy from time to time. The current version is always available at hub.solitairetravel.com/privacy/. Material changes will be communicated to active patients by email. The effective date and version are at the top of this page.
10. Complaints
If you have a complaint about how we have handled your personal information, please contact our Privacy Officer first. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
11. Contact us
Privacy Officer
Email: privacy@solitairetravel.com
Phone: 1300 973 921
Post: Solitaire Travel Pty Ltd, 29/97 Creek St, Brisbane City QLD 4000
ACN 693 081 935 · ABN 78 693 081 935