Hypermobility Health Connect respects your privacy.

This Website collects some Personal Data from its Users.

This document can be printed for reference by using the print command in the settings of any browser.

Last updated: 20 OCT 2025

Privacy Policy and Collection Notice

1. Introduction

HYPERMOBILITY HEALTH Pty Ltd (ABN 18 679 956 480) trading as HYPERMOBILITY HEALTH CONNECT® (we, our, us) is bound by the Privacy Act 1988 (Cth) (the “Act”) and the Australian Privacy Principles. We recognise the importance of ensuring the confidentiality and security of your personal information and are committed to protecting your privacy when you interact with us using our websites, through direct communication (such as phone calls, emails, or in-person consultations), during events or test participation, or via any other channels through which we collect and process your personal information.

This privacy policy and collection notice (Policy) applies to all personal information (including health-related sensitive information) collected by us. It is provided to make you aware of how and why we collect, use, manage, and protect your personal information and what controls you have over our use of that information.

All third parties (including customers, suppliers, subcontractors, or agents) that have access to or use personal information collected and held by us must abide by this Policy.

By using our services, including completing our Self Screening Test, you consent to the collection, storage, and use of your personal information as outlined in this Policy.

Within this Policy, the following terms have the meanings given under the Privacy Act 1988 (Cth) (Australia) and the Australian Privacy Principles (APPs). References to equivalent concepts in other jurisdictions (including New Zealand’s Privacy Act 2020 and Health Information Privacy Code 2020, Canada’s PIPEDA and applicable provincial statutes, and United States federal and state privacy laws) are provided for context and general alignment only. These references are not intended to modify, expand, or guarantee equivalence with the definitions or obligations under those foreign laws.

  • Personal information includes any information or opinion about an identified individual, or an individual who is reasonably identifiable (such as a name, email address, phone number, or other identifier). Unless otherwise indicated, references to personal information also include sensitive information, such as details about your health or health services provided to you.

  • Health information includes information or an opinion about:
    – the health, disability, or injury (at any time) of an individual;
    – an individual’s expressed wishes about the future provision of health services;
    – health services provided or to be provided to an individual;
    – information collected in connection with the provision of a health service, including medical conditions, treatments, test results, or clinical notes;
    – genetic or biometric information that is predictive of an individual’s health; and
    – in the context of our Self-Screening Test, the responses and results of your health assessment.
    Health information is treated as sensitive information and receives additional protection under applicable privacy and health-information laws.

  • Sensitive information includes information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal record, and (most relevantly) your health information as defined above. Because this information is more private in nature, it is handled with a higher level of protection and requires your express consent for collection, use, or disclosure, unless an exemption applies.

International Privacy Alignment

We acknowledge that individuals accessing our services may reside outside Australia, including in jurisdictions such as New Zealand, Canada, and the United States. Accordingly, while this Policy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles, we also take into account the privacy and data-protection obligations applicable to personal information originating from, or relating to, individuals located in those jurisdictions.

For New Zealand residents, we manage personal and health information in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020 (“HIPC 2020”). These laws regulate how health agencies and organisations collect, store, use, and disclose personal and health information in New Zealand. We apply the principles of lawful and fair collection, purpose limitation, informed authorisation for secondary use, secure storage and retention, and the rights of individuals to access and request correction of their information. Where personal or health information is transferred outside New Zealand, we take reasonable steps to ensure that the recipient is subject to privacy safeguards comparable to those under New Zealand law, consistent with Rule 12 of the Health Information Privacy Code 2020. New Zealand residents who have questions or concerns regarding their personal information may contact us directly or lodge a complaint with the Office of the Privacy Commissioner (New Zealand).

For Canadian residents, we manage personal and health information in a manner consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where relevant, the applicable provincial health-information statutes, including Ontario’s Personal Health Information Protection Act (PHIPA), Alberta’s Health Information Act (HIA), and British Columbia’s Personal Information Protection Act (PIPA). We apply the principles of accountability, informed and express consent for sensitive data, purpose limitation, accuracy, security safeguards appropriate to sensitivity, and individual access and correction rights as contemplated under those statutes.

For United States residents, we recognise the privacy protections established under federal and state law, including the Health Insurance Portability and Accountability Act (HIPAA), to the extent that it may apply to personal or health information collected through our services, and state-level consumer privacy legislation such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Although we are not a HIPAA “covered entity” or “business associate,” we implement administrative, technical, and physical safeguards that are materially consistent with HIPAA’s privacy and security principles and with state consumer-privacy rights, including rights of access, correction, deletion, and restriction of processing.

2. What kinds of personal information do we collect and hold?

We may collect and hold a range of personal information about you that is reasonably necessary for, or directly related to, one or more of our functions or activities, including:

General (applies to all persons):

  1. Names;
  2. Pseudonyms;
  3. Personal contact details (e.g. phone or mobile numbers, email addresses, current and previous residential or mailing addresses etc.);
  4. Photos and other digital media you upload to our websites;
  5. Information about your usage of our websites and services, such as IP addresses, visit dates/times, and interactions with our websites;
  6. Browser type, device identifiers, cookies, and analytics data such as session duration, referring URLs, and general geolocation information (e.g. city or region);
  7. Information from public sources or third parties to verify representations made by you;
  8. Details of specific services or transactions conducted with us;
  9. Communication records, such as emails or written correspondence between you and us;
  10. Payment or billing information where required for paid services, including limited credit or debit card details processed through secure third-party payment providers.

Self Screening Test participants (in addition to “General”):

  1. Demographic information (e.g. date of birth, gender etc.);
  2. Country and region of residence;
  3. Medicare number, NDIS or other health insurance details, and for international users, equivalent identifiers such as health plan numbers;
  4. Health-related sensitive information you provide to us;
  5. Test results and any observations related to any medical tests;
  6. Any comments, narrative responses, or feedback you provide.

Third party service providers (in addition to “General”):

  1. Position and/or job title;
  2. Organisations you work for;
  3. ABN and/or ACN and for non-Australian organisations, equivalent business registration or tax identification numbers;
  4. Associations and membership details;
  5. Licences, qualifications, and professional registration details (e.g., AHPRA number, if applicable);
  6. Areas of specialisation or expertise;
  7. Business contact details, such as work phone number and email address;
  8. Practice or clinic location and operating hours;
  9. Billing or payment information for service agreements;
  10. Insurance coverage details, if relevant (e.g., professional indemnity).

3. How we use your personal information

We may use your personal information for several purposes, including:

  1. Providing you with health-related services or information;
  2. Assessing your suitability or eligibility for specific programs, treatments, or support services;
  3. Communicating with you, including assisting with inquiries, complaints, or concerns you raise;
  4. Conducting identity verification processes as required;
  5. Improving our services, customer experience, and internal management;
  6. Maintaining records after the termination of our services;
  7. Complying with legal and regulatory requirements;
  8. Conducting data analysis and research to enhance service delivery and better understand community needs;
  9. Operating and improving our websites, including personalising content and analysing usage data through analytics and cookies, consistent with applicable privacy laws;
  10. Where permitted by law, contacting you about updates, educational resources, or new services that may be relevant to you, provided you have not opted out of such communications;
  11. De-identifying or aggregating personal information for research, statistical, or public-interest purposes, ensuring that no individual can be reasonably identified from the results;
  12. Meeting obligations under applicable privacy or consumer-protection laws, including Australia’s Privacy Act 1988 (Cth) and the Australian Privacy Principles; New Zealand’s Privacy Act 2020 and Health Information Privacy Code 2020 (HIPC 2020); Canada’s PIPEDA, PHIPA, HIA, and PIPA; and United States state consumer-privacy legislation such as the CCPA and CPRA.

We do not sell, rent, or share personal information with third parties for monetary or other valuable consideration, and we do not engage in cross-context behavioural advertising as defined under applicable U.S. or Canadian privacy laws.

4. How we collect information

We collect personal information only as required to carry on our health-related business, including for one or more of our functions (for example, our Self Screening Test). Without certain details, we may not be able to provide our services effectively. We generally collect personal information directly from you via forms, applications, or interactions with us, such as when you visit our websites, call us, or send correspondence.

We may also collect personal information from:

  • Public sources;
  • Third parties such as service providers or affiliated organisations; or
  • Your representatives, such as your GP, allied health practitioners, or other health professionals.

If you choose not to provide us with personal information, it may restrict or impede our ability to deliver services to you.

When you visit our websites, we use common internet technologies, such as cookies, tracking pixels, and similar tools, to collect general statistical information, improve your user experience, and enhance our online services. These technologies enable us to understand how users navigate our websites, track page interactions, and measure the effectiveness of our content. Additionally, web server logs help us monitor site traffic and assess capacity. These tools do not collect personally identifiable information, such as email addresses or other data that directly identifies you.

5. Disclosure of personal information

We may disclose your personal information to the following parties, but only to the extent necessary for the purposes described in this Policy or as otherwise permitted or required by law:

  1. Our related organisations or affiliates (including Areanet Pty Ltd t/a SmarterSoft, our IT service provider);
  2. External service providers or contractors engaged to assist in the provision of our services, including cloud hosting, data processing, marketing, analytics, communication, or payment processing services;
  3. External service providers who we believe may be able to provide you with a useful alternative or additional health-related service, subject to your consent where required;
  4. External organisations that are our assignees, agents, or contractors;
  5. Professional advisors, such as accountants, legal representatives, or auditors;
  6. Organisations involved in a transfer or sale of our assets or business, or in the provision of funding for our assets or business;
  7. External organisations that jointly with us promote or provide products or services to you, or that we may partner with to provide such products or services;
  8. Your representatives, for example, your GP, allied health practitioners, or other health professionals, but only where you have authorised or requested such disclosure;
  9. Collaborators involved in developing or analysing our tests, programs, or related research activities, but only in a de-identified or aggregated format where individual identities cannot be reasonably determined;
  10. Regulatory bodies, government agencies, or law enforcement authorities where required or authorised by applicable law; and
  11. Any other person or organisation to whom you have expressly authorised us to disclose your information.

We may further disclose your personal information in circumstances where:

  1. you have consented to the use or disclosure;
  2. such use or disclosure is required or authorised by law (for example, compliance with a subpoena, a warrant or Court order);
  3. we reasonably suspect that unlawful activity has been, is being or may be engaged in and the use or disclosure is a necessary part of our investigation or in reporting the matter to the relevant authorities;
  4. we reasonably believe that the use or disclosure is reasonably necessary:
    • to lessen or prevent a serious, immediate threat to someone’s health or safety or the public’s health or safety;
    • for the prevention, investigation, prosecution and/or punishment of crimes or wrongdoings; or
    • for the preparation or conduct of proceedings before any Court or Tribunal or the execution of the orders of a Court or Tribunal.

6. Management and security of personal information

We are committed to securing your personal information. Your personal information is generally stored in our secure computer databases managed by our partner Areanet Pty Ltd t/a SmarterSoft – a specialist provider of database systems to Australian government entities. Significant steps are taken to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

This includes:

  1. All employees and contractors undergo security awareness training and are background checked;
  2. Very strong passwords and multi-factor authentication are required to access systems;
  3. Data ownership is clearly defined;
  4. We change users’ access capabilities when they are assigned to a new position;
  5. Employees have restricted access to certain sections of the system;
  6. The system automatically logs and reviews all unauthorised access attempts;
  7. All system access and data changes are audited and associated metadata collected;
  8. Unauthorised employees are barred from updating and editing personal information;
  9. All computers which contain personal information are secured;
  10. Vulnerability assessments are performed on critical systems;
  11. All data is domiciled within Australia on Amazon Web Services (AWS) in the Asia Pacific (Sydney) Region – AWS is certified and/or has been audited to comply with: PCI DSS Level 1, ISO 27001, SOC1 and SOC2 audit reports as well as various US certifications (FISMA Moderate, FedRAMP, HIPAA);
  12. Web application firewall and security groups configured with highly restrictive policies, including geo-blocking;
  13. Real-time virus and malware protection runs on all digital media uploaded to our websites;
  14. Automated server patching and updates;
  15. Data is encrypted during transmission over the network and at rest;
  16. Print reporting of data containing personal information is limited.

Cyber Incident Response and Notification

Through our IT partners SmarterSoft, we maintain a Cyber Incident Response Plan (CIRP) designed to ensure a rapid, coordinated, and compliant response to any suspected or confirmed data-security incident. The plan defines internal escalation procedures, investigation protocols, containment measures, impact assessment, and communication responsibilities, including notification of affected individuals and relevant privacy or regulatory authorities, as required by law.

Our incident-notification obligations are as follows:

  • Australia – We notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any “eligible data breach” as required under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth).
  • Canada – We notify the Office of the Privacy Commissioner of Canada (OPC) or the appropriate provincial privacy commissioner (e.g., Ontario, Alberta, British Columbia) and any affected individuals of a breach of security safeguards that creates a real risk of significant harm, in accordance with PIPEDA or the applicable provincial health-information statutes.
  • United States – We comply with applicable federal and state data-breach notification laws, which may include notifying the relevant state Attorneys General, regulatory authorities, and affected residents.
  • New Zealand – We comply with the Privacy Act 2020 and, where health information is involved, the Health Information Privacy Code 2020. We will notify the Office of the Privacy Commissioner (New Zealand) and affected individuals as soon as practicable after becoming aware of any privacy breach that has caused, or is likely to cause, serious harm.

All notifications are made promptly and transparently, and include details of the nature of the incident, the categories of information involved, the steps we have taken to mitigate harm, and advice for individuals on protective actions they can take. We maintain detailed records of all suspected and confirmed incidents and review each event to strengthen our ongoing security posture.

7. Self Screening Test Participants

Self Screening Test participants are individuals who participate in our self-administered health screening tests and provide personal and sensitive information, including health data and test results, for the purpose of receiving test-related services and follow-up.

Purpose of collection

We collect and use personal information from test participants for the following purposes:

  • To provide you with test services and results;
  • To deliver any follow-up services or recommendations based on test outcomes;
  • To improve the quality and effectiveness of our tests and related services;
  • To communicate with you about test-related updates or any services that may be of benefit based on your test results;
  • To conduct research;
  • To connect you with qualified third-party service providers who may be able to assist you.

De-identification and research

  • Your personal information may be de-identified for research, analysis, and reporting purposes to improve our services and provide aggregated insights about test outcomes and participation rates.
  • De-identified data may also be shared with external researchers or organisations to support research aligned with our objectives.

8. Third Party Service Providers

Third party service providers are organisations or individuals who provide services to or on behalf of us, including professional, technical, or administrative support, and may be connected with clients, users or test participants to deliver specific health-related services.

Purpose of collection

We collect and use personal information from third party service providers for the following purposes:

  • To provide our services effectively and promote your offerings where applicable;
  • To verify your identity, qualifications, and licences to meet legal and industry compliance standards;
  • To manage contracts, monitor obligations, and maintain accountability in our partnerships;
  • To fulfil communication needs, such as updates, support, and addressing queries;
  • To comply with regulatory requirements, including audits, reporting, and legal obligations;
  • To evaluate and improve our services, ensuring quality and alignment with professional standards;
  • To connect you with individuals who may require your professional services.

9. Consent and Withdrawing Consent

By using our services, including completing our Self Screening Test, you consent to the collection, storage, and use of your personal information as outlined in this Policy, including to provide related services, facilitate follow-up actions, conduct research activities, and connect you with other parties or third-party service providers.

We may also seek your explicit consent for specific uses of your personal information, particularly in cases involving sensitive information, e.g. sharing data with third parties. This consent will be obtained in writing or through other clear affirmative actions.

You have the right to withdraw your consent at any time. To withdraw consent, please contact us. Upon receiving your request, we will process it within 14 days and cease using your personal information for the purposes to which the withdrawal applies. Please note that withdrawing consent may limit our ability to provide certain services, such as follow-up recommendations or ongoing test-related support.

In cases where your consent is withdrawn, we will continue to retain your personal information only as required by law or for legitimate business purposes, such as maintaining compliance with regulatory obligations.

10. Children’s Privacy

We recognise the importance of protecting the privacy of children and are committed to handling their personal information, including health-related sensitive information, with the highest standards of care. If you believe a child under 14 years of age has provided personal information without parental or legal guardian consent, please contact us immediately so we can investigate and take appropriate action such as removing the information from our records or providing you with the details of the information collected.

Collection of Children’s Information:

If an individual under the age of 14 uses our services, including completing a Self Screening Test, we may collect their personal information only with the consent of a parent or legal guardian, as required by applicable laws. We do not knowingly collect personal information from children without appropriate consent.

Use and Disclosure:

The personal information of children will be used solely for the purposes outlined in this Policy, such as providing test-related services, generating reports, and facilitating follow-up actions. We will not knowingly use children’s information for direct marketing, nor will we share it with third-party service providers without explicit consent from their parent or guardian.

Parental Involvement:

We encourage parents and guardians to actively supervise their children’s use of our services. If a child attempts to complete a test or assessment, we may require a parent or guardian to confirm consent and oversee the process.

Rights of Parents and Guardians:

Parents or legal guardians have specific rights regarding their child’s personal information to ensure it is accurate, secure, and handled appropriately. These rights include:

  1. Access: You may request access to the personal information we hold about your child, including test results, health-related sensitive information, and any other data collected as part of our services.
  2. Correction: If you believe the information we hold about your child is inaccurate, incomplete, or outdated, you have the right to request corrections. We will take reasonable steps to update the information promptly.
  3. Deletion: You may request the deletion of your child’s personal information if it is no longer required for the purposes outlined in this Policy or if you withdraw consent for its use. However, certain legal or regulatory obligations may require us to retain some information for a specified period.

To exercise these rights, please contact us. We are required to take reasonable steps to verify your identity and confirm your status as the child’s parent or legal guardian before acting on your request. Verification may include providing identification documents or other evidence of guardianship. We aim to respond to all requests within 30 days and will keep you informed if additional time is needed. In cases where we cannot comply with your request, we will provide an explanation, including any legal or regulatory obligations that prevent us from doing so.

Your involvement is critical to ensuring your child’s personal information is protected and managed responsibly. Please contact us with any questions or concerns regarding your child’s privacy.

11. Retention and Disposal of Personal Information

We retain your personal information only for as long as it is necessary to fulfil the purposes for which it was collected or as required by law, regulatory obligations, or legitimate business needs.

Personal information is stored securely and managed in accordance with this Policy. Retention periods may vary depending on the type of information, the purpose for its collection, and any legal or contractual requirements. For example:

  • Test results and health information: Retained for a period consistent with applicable health regulations and our internal policies to enable follow-up services and respond to inquiries.
  • General personal information: Retained for as long as required to maintain our relationship with you or comply with record-keeping obligations.

Once the retention period expires or the information is no longer required for its original purpose, we securely dispose of or de-identify the information. Disposal methods may include secure deletion of electronic files, shredding physical records, or other industry-standard practices to prevent unauthorised access or use.

We regularly review the personal information we hold to ensure it remains accurate, up-to-date, and necessary. You may contact us at any time to request the deletion of your personal information, subject to any legal or regulatory obligations we must meet.

12. Automated Decision-Making and Profiling

Our tests and assessments (e.g., Self Screening Test) use established methods to analyse your personal information, including health-related sensitive information, to generate reports or outcomes based on the data you provide. These reports are intended to offer insights and guidance but do not constitute a diagnosis or a substitute for professional medical advice. Any automated analysis of your personal information is designed to support your understanding of potential health factors and facilitate informed discussions with qualified healthcare providers.

13. Sending Information Overseas

To enable the provision, improvement, and continuity of our services, your personal information may be transferred to, stored in, or processed within or outside Australia, including but not limited to New Zealand, Canada, the United States, and other countries in which our service providers, contractors, or data-hosting facilities are located. Such transfers may occur both from Australia to other countries and from other countries to Australia.

We take all reasonable steps to ensure that any cross-border transfer of personal information is carried out in accordance with applicable laws, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and that any overseas recipient:

  • is subject to a privacy regime that provides protections substantially comparable to those of the Australian Privacy Principles, or

  • is contractually bound to implement and maintain equivalent privacy and data-protection safeguards.

For personal or health information originating from New Zealand, we also comply with the Privacy Act 2020 and the Health Information Privacy Code 2020. In particular, we ensure that any overseas recipient provides a level of protection that is, in substance, comparable to that required under New Zealand law, consistent with Rule 12 of the HIPC 2020. Where information is transferred between New Zealand and Australia, or to other jurisdictions, we implement technical measures (including encryption, access controls, and secure data-handling protocols) to ensure that your information remains protected and used only for the purposes for which it was collected.

Where the personal information of individuals located in other jurisdictions (including Canada or the United States) is transferred to or processed in Australia or another country, we take reasonable steps to ensure that such transfers comply with applicable privacy laws in those jurisdictions. This includes ensuring that the personal information continues to receive a level of protection that is, in substance, comparable to that provided under the privacy legislation of the country where it originated.

We further implement technical and organisational measures such as encryption in transit and at rest, access-control restrictions, monitoring, and secure contractual frameworks to protect your personal information regardless of the country in which it is processed.

14. Unsolicited Personal Information

We may receive unsolicited personal information about you. We destroy or de-identify all unsolicited personal information we receive, unless it is relevant to our purposes for collecting personal information. We may retain additional information we receive about you if it is combined with other information we are required or entitled to collect. If we do this, we will retain the information in the same way we hold your other personal information.

15. Links

Our website may contain links to websites operated by third parties. Those links are provided for convenience and may not remain current or be maintained. Unless expressly stated otherwise, we are not responsible for the privacy practices of, or any content on, those linked websites, and have no control over or rights in those linked websites. The privacy policies that apply to those other websites may differ substantially from this Policy, so we encourage you to read them before using those websites.

16. Direct Marketing

You have the right to request us not to use or disclose your personal information for the purposes of direct marketing, or for the purposes of facilitating direct marketing by other organisations. We must give effect to the request within a reasonable period of time. You may also request that we provide you with the source of the personal information used or disclosed for the purpose of direct marketing. If such a request is made, unless it is unreasonable or impracticable to do so, we will notify you of the source of the personal information.

17. How We Keep Personal Information Accurate and Up-to-Date

We take reasonable steps to ensure your personal information is accurate, complete, and up-to-date. We encourage you to contact us if any personal information we hold about you needs to be updated. If we correct personal information that has previously been disclosed to another entity, we will notify the other entity of the correction within a reasonable period. Where we are satisfied personal information is inaccurate, we will take reasonable steps to correct the information within 30 days, unless you agree otherwise. We will not charge you for correcting your personal information.

18. Accessing Your Personal Information

Subject to any exceptions in the Act, you can access the personal information that we hold about you by contacting us. We will generally provide access within 30 days of your request. If we refuse to provide you with access to the personal information, we will provide reasons for the refusal. We will require identity verification and specification of what personal information is required. An administrative fee for search, preparation, and photocopying costs may be charged.

19. Making a Complaint

If you have any questions about this Policy, wish to make a complaint about how we have handled your personal information, or believe we have not complied with the Privacy Act, you can lodge a complaint with us by contacting us.

We will acknowledge your complaint in writing within 7 days and we will aim to investigate and resolve your complaint within 30 days of receiving it.

If you are not satisfied with our response to your complaint, you can also refer your complaint to the Office of the Australian Information Commissioner (OAIC).

The OAIC can accept a complaint:

  • On its online privacy complaint form at https://www.oaic.gov.au/contact-us;
  • Via mail to GPO Box 5288, Sydney NSW 2001;
  • Via phone on 1300 363 992;
  • Via fax to +61 2 6123 5145.

20. Jurisdiction

This Privacy Policy is governed by the laws of the State of New South Wales and the Commonwealth of Australia. While we have taken reasonable steps to align our privacy practices and this Policy with comparable privacy and data-protection laws in other jurisdictions (including New Zealand, Canada, and the United States) we cannot guarantee full compliance with the specific legislative requirements of every jurisdiction. References to foreign laws are provided for context and alignment purposes only and do not modify or extend our legal obligations under Australian law.

21. Questions

For questions regarding this Policy, contact us.

22. Updates to this Policy

We may update this Policy from time to time. Updates will be posted on our website with the revision date.
