twodoPrivacy policy

Plain English, like the rest of the site.

twodo handles health information for New Zealand practices, so this page is written to be read — built for the Privacy Act 2020 and the Health Information Privacy Code. Last updated July 2026.

What we hold

twodo processes the documents your practice forwards to its twodo address — referrals, faxes, results and letters, which typically contain patient details such as names, dates of birth, NHIs, ACC claim numbers and clinical notes. We also hold your practice's account details (name, contact email, settings) and the messages twodo sends and receives on your behalf.

What we do with it

Documents are read to extract the details your team needs: who the patient is, what the referral asks for, whether it's complete and fundable. Extracted details are shown to your team with a link back to the exact spot on the original document. Anything twodo isn't certain about waits for a human decision. Every automated document action is written to an audit trail your practice can inspect.

What we never do

Your documents are never used to train AI models, never sold, and never shared beyond the processors listed below. NHIs never appear in links or logs. Patient-facing links use opaque tokens that expose no patient details.

Where it lives

All data is encrypted in transit and at rest. Original documents and inbound email are stored in Australian data centres (Google Cloud and AWS, Sydney regions). Some processing and structured data currently runs in secure US cloud regions while we complete our migration to full Australian hosting. The Health Information Privacy Code permits health information to be held overseas where it is adequately protected — and we're happy to walk your team through the details.

Who touches it

We use a small set of processors to run the service: Google Cloud (document reading and AI extraction, under terms that exclude training on customer data), Amazon Web Services (email receiving and sending, Sydney), Vercel (web hosting), Clerk (sign-in), and Twilio (text messages, where your practice enables them). Each processes data only to provide the service.

Your practice stays in control

The practice owns its data. You can export it or ask us to delete it at any time — switching off twodo leaves your PMS exactly as your team left it. Patients can ask your practice (or us at the address below) to access or correct information we hold, as the Privacy Act 2020 provides.

If something goes wrong

We treat a privacy breach as a clinical-grade incident: we'll tell you promptly, tell you plainly what happened, and notify the Office of the Privacy Commissioner where the Privacy Act 2020 requires it.

Questions

Email hello@twodo.ai — you'll get the founder, not a ticket queue. If we can't resolve a concern, you can contact the Office of the Privacy Commissioner (privacy.org.nz).

twodo Ltd, New Zealand · hello@twodo.ai