Commonality Privacy Policy

Introduction

This Privacy Policy explains how Commonality Health Pty Ltd (“Commonality”) generally handles your personal information.

Australian Privacy Policy 1 (as detailed in Privacy Act 1988) requires that Commonality Health Pty Ltd has a clearly expressed and up-to-date policy about the management of personal information.

We will update this policy on our website if we change the way we handle personal information.

Information we collect

The kind of information we collect and process about you depends upon your usage of our services and products.

It will include some or all of the following:

  • General information about you: your name, gender, year of birth
  • Contact details: such as email address or phone number
  • Health information: including symptoms, medications, activity levels
  • Payment details: including credit or debit card details
  • Website and mobile apps: details of how you use our website and app, including through third-party analytics software (e.g. Google Analytics)

How we collect and hold personal information

We principally collect information directly from you, for example, when you use our website or mobile phone apps, when you email us or write to us. When you visit our website (“Site”), we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site.

  • “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
  • “Log files” track actions occurring on the website, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
  • “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the website.

Additionally, when you make a purchase or attempt to make a purchase through the website, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit card numbers), email address, and phone number.

There may be occasions when we collect information about you from someone else, such as if you use a third-party login service (e.g. a Google login).

Personal information is stored on secure (and where possible, anonymised) cloud servers using third party storage providers. Database storage is encrypted at rest. We maintain procedural and electronic safeguards to protect your personal information in accordance with data protection legislative requirements and industry standards.

Health data is considered sensitive information under many privacy laws and needs additional protection. We will ask you for your consent to handle this type of personal information, to the extent required under applicable laws, for example under the Australian Privacy Act or the European General Data Protection Regulation.

How we use your personal information

We may use your personal information for any of the following purposes:

  1. To provide you with our health products and services: to provide analysis of your health data; to analyse data (e.g. via machine learning) in an anonymised manner to assist other individuals or entities; to contact you about orders or payments; and to process payments.
  2. To provide customer support: to address your queries or requests.
  3. To market other offerings: to provide you with updates and offers (if you have chosen to receive these); to distribute other communications or newsletters.

On an anonymised basis we may disclose health data to third parties.

We may disclose your personal information to comply with our legal obligations, respond to complaints and claims, and investigate and protect ourselves and third parties against any activity that we reasonably suspect to be fraudulent.

We may transfer your information between our related bodies corporate who comply with this Privacy Policy.

How you can access personal information we hold

If you would like to request access to, or correction of, the personal information that we hold about you, you may contact us via our website or via email at nigel@commonality.me.

To the extent required by applicable law, we will provide you with access to the information we hold about you, including for the purpose of correcting or updating that information, within a reasonable timeframe (or any time frame stipulated by the laws that apply to your request).

If we are permitted to withhold some of your personal information and we choose to do so, we will advise you when responding to your request. If we refuse to provide you with access to, or to amend, the information, to the extent required we will notify you of our reasons for the refusal and how you may complain about the refusal.

Where permitted by law, we may recover from you our reasonable costs of supplying you with access to this information. However, we will not charge you for the making of the request or to correct or update your personal information.

Disclosure of information to overseas recipients

Your data is stored on secure servers which may be located outside Australia, in countries such as the United States of America.

In addition, we may from time to time provide anonymised data to companies outside of Australia for analysis or assessment of health data.

How you can make a complaint

Should you have a concern about your privacy, or any query on how your personal information is collected or used, please contact us via our website or at the address below.

We will respond to your query or complaint within a reasonable time.

If you are not satisfied with our response, you may also contact the body responsible for administering the privacy laws in your country. If you are in Australia, you can contact the Office of the Australian Information Commissioner.

European General Data Protection Regulation (GDPR)

This section applies to citizens of the European Union and members of the European Economic Area (EEA). The EU General Data Protection Regulation (GDPR) provides certain rights regarding the processing of personal data of EU/EEA data subjects.

Commonality is the data controller for the processing of your personal data, as defined under GDPR, collected by Commonality as described in this policy.

The purposes for which personal data is collected are described in this policy. The legal basis upon which we collect your personal data is as follows:

  1. It is necessary for Commonality to collect data from you, from which analysis and representations can be made, in order to provide you with health services.
  2. It is necessary for our legitimate interests (e.g. to improve our site or apps).

In all cases where we collect health data, we rely upon your consent as the primary legal basis for collecting personal data.

Under GDPR and consistent with this policy you have a number of rights related to your personal data:

The right to access and rectification. You have the right to access, correct and update your personal data at any time.

The right to object to or restrict processing. Under certain circumstances, you have the right to object to or restrict our processing of your personal data.

The right to lodge a complaint with a Supervisory Authority. You have the right to lodge a complaint directly with the relevant Supervisory Authority about how we process your personal data.

The right to ‘be forgotten’. Under certain circumstances, you have the right to request that we delete your data. If you wish to delete the personal data we hold about you, please let us know and we will take reasonable steps to respond to your request in accordance with legal requirements.

The right to data portability. With respect to the personal data you have provided to us, in addition to the general right of access described above, you may have, subject to certain exceptions, rights to (i) receive a copy of it in a structured, commonly used and machine-readable format, (ii) transmit the data to another data controller, and (iii) depending on the circumstances, have us perform that transmission.

Your personal data will be retained for as long as we need it to fulfil the purpose for which it was obtained, or while there is a legitimate reason for doing so. Anonymised data (‘pseudonymisation’ of your data) may be retained for statistical purposes consistent with your ‘rights to be forgotten’.

When we transfer personal information from inside the EEA to outside the EEA, we may be required by law to take specific measures to safeguard the relevant personal information. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal information from the EEA to these jurisdictions. In countries which have not had these approvals, we will use appropriate safeguards to protect any personal information being transferred, such as EU Commission-approved model contractual clauses or binding corporate rules permitted by applicable legal requirements.

Contacting us

Our preferred method for receiving questions about privacy is for you to use our online form. You may also write to us at:

Group Privacy Officer
Commonality Health Pty Ltd
PO Box 1962
West Perth
Western Australia 6872
Australia

If your inquiry relates to European data protection laws, you may contact our European Data Protection Officer at PrivacyOfficer@commonality.me.