Effective date: Sunday January 1, 2023
Personal information includes information or an opinion about an individual that is reasonably identifiable. For example, this may include your name, age, gender, postcode and contact details. It may also include financial information, including your credit card information.
If you participate in one of our challenges, we may also collect health information from you in order to provide you with our services. Health information is considered to be sensitive information. This may include information regarding any health conditions you have, and information regarding any medications you are taking.
You can always decline to give us any personal information we request, but that may mean we cannot provide you with some or all of the services you have requested. If you have any concerns about personal information we request, please contact us.
What personal information do we collect?
We may collect the following types of personal information:
- mailing or street address;
- email address;
- telephone number and other contact details;
- age or date of birth;
- credit card information;
- your device ID, device type, geo-location information, computer and connection information, statistics on page views, traffic to and from the sites, ad data, IP address and standard web log information;
- details of the products and services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and services and respond to your enquiries;
- any additional information relating to you that you provide to us directly through our website or app or indirectly through your use of our website or app or online presence or through other websites or accounts from which you permit us to collect information;
- information you provide to us through customer surveys; or
- any other personal information that may be required in order to facilitate your dealings with us, including health information through questionnaires.
We may collect these types of personal information either directly from you, or from third parties. We may collect this information when you:
- register on our website or app;
- communicate with us through correspondence, chats, email, or when you share information with us from other social applications, services or websites;
- respond to surveys or questionnaires requesting information from you;
- interact with our sites, services, content and advertising; or
- invest in our business or enquire as to a potential purchase in our business.
Why do we collect, use and disclose personal information?
We may collect, hold, use and disclose your personal information for the following purposes:
- to enable you to access and use our website, services and/or app;
- to provide services to you through our website and/or app;
- to operate, protect, improve and optimise our website, services and/or app, business and our users’ experience, such as to perform analytics, conduct research and for advertising and marketing;
- to carry out quality improvement activities;
- statistical analysis and reporting;
- training staff, contractors and other workers;
- to send you service, support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you;
- to send you marketing and promotional messages and other information that may be of interest to you, including information sent by, or on behalf of, our business partners that we think you may find interesting;
- to administer rewards, surveys, contests, or other promotional activities or events sponsored or managed by us or our business partners;
- to obtain advice from consultants and other professional advisers;
- for risk management and management of legal liabilities and claims (eg, liaising with insurers and legal representatives);
- to comply with our legal obligations, resolve any disputes that we may have with any of our users, and enforce our agreements with third parties; and
- to consider your employment application.
We may also disclose your personal information to a trusted third party who also holds other information about you. This third party may combine that information in order to enable it and us to develop anonymised consumer insights so that we can better understand your preferences and interests, personalise your experience and enhance the products and services that you receive.
We may request health information from you so as to enable us to provide services to you. Health information you provide to us will not be disclosed to any third parties without your consent.
Can you deal with us anonymously?
We will provide individuals with the opportunity of remaining anonymous or using a pseudonym in their dealings with us where it is lawful and practicable (for example, when making a general enquiry). Generally, it is not practicable for us to deal with individuals anonymously or pseudonymously on an ongoing basis. If we do not collect personal information about you, you may not be able to utilise our services or participate in our events, programs or activities we manage or deliver.
Do we use your personal information for direct marketing?
We and/or our carefully selected business partners may send you direct marketing communications and information about our services and products. This may take the form of emails, SMS, mail or other forms of communication, in accordance with the Spam Act and the Privacy Act. You may opt out of receiving marketing materials from us by contacting us using the details set out below or by using the opt-out facilities provided (eg an unsubscribe link).
Health information will not be used for direct marketing.
To whom do we disclose your personal information?
- our employees and related bodies corporate;
- third party suppliers and service providers (including providers for the operation of our websites and/or our business or in connection with providing our products and services to you);
- professional advisers, dealers and agents;
- payment systems operators (eg merchants receiving card payments);
- our existing or potential agents, business partners or partners;
- our sponsors or promoters of any competition that we conduct via our services;
- anyone to whom our assets or businesses (or any part of them) are transferred;
- specific third parties authorised by you to receive information held by us; and/or
- other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required, authorised or permitted by law.
Unless required by law, health information you provide to us will not be disclosed to third parties without your consent.
Disclosure of personal information outside Australia
We may disclose personal information outside of Australia to cloud providers or third party suppliers located in Asia and Europe.
Unless we have your consent, or an exception under the Australian Privacy Principles (“APPs”) applies, we will only disclose your personal information to overseas recipients where we have taken reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to your personal information.
Using our website and cookies
We may collect personal information about you when you use and access our website.
While we do not use browsing information to identify you personally, we may record certain information about your use of our website, such as which pages you visit, the time and date of your visit and the internet protocol address assigned to your computer.
We may also use ‘cookies’ or other similar tracking technologies on our website that help us track your website usage and remember your preferences. Cookies are small files that store information on your computer, TV, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser but our websites may not work as intended for you if you do so.
We store information in paper-based files or other electronic record keeping methods in secure databases (including trusted third-party storage providers based in Australia and overseas). Personal information may be collected in paper-based documents and converted to electronic form for use or storage (with the original paper-based documents either archived or securely destroyed). Personal and health information may be collected electronically and stored electronically. We take reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.
We take reasonable steps to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your personal information. We also maintain computer and network security, eg, we use firewalls (security measures for the Internet) and other security systems such as user identifiers and passwords to control access to our computer systems. However, we cannot guarantee the security of your personal information.
Our websites do not necessarily use encryption or other technologies to ensure the secure transmission of information via the internet. Users of our websites are encouraged to exercise care in sending personal information via the internet.
Accessing or correcting your personal information
You are entitled to access your personal information held by us on request. To request access to your personal information please contact our Privacy Officer using the contact details set out below.
You will not be charged for making a request to access your personal information but you may be charged for the reasonable time and expense incurred in compiling information in response to your request.
We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in information we hold about you and letting us know if your personal details change.
However, if you consider any personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading you are entitled to request correction of the information. After receiving a request from you, we will take reasonable steps to correct your information.
We may decline your request to access or correct your personal information in certain circumstances in accordance with the APPs. If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your personal information about the requested correction.
We may also need to verify your identity when you request your personal information.
Making a complaint
If you think we have breached the Privacy Act, or you wish to make a complaint about the way we have handled your personal information, you can contact us using the details set out below. Please include your name, email address and/or telephone number and clearly describe your complaint. We will endeavour to acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time. If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take.
If you are not satisfied with our response to your complaint, or you consider that we may have breached the APPs or the Privacy Act, a complaint may be made to the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted by telephone on 1300 363 992 or by using the contact details on the OAIC website.
All staff are responsible for protecting the confidentiality of client information and business information. Any data breaches, or suspected data breaches, are to be referred to the Privacy Officer as soon as possible.
What is an eligible data breach?
An eligible data breach, defined in s 26WE(2) of the Act, is when:
- both of the following conditions are satisfied:
  - there is unauthorised access to, or unauthorised disclosure of, the information;
  - a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- the information is lost in circumstances where:
  - unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
  - assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
If there is a suspicion of a breach
If we suspect that there has been an eligible data breach, a reasonable and expeditious assessment will be conducted within 30 days.
If we believe or have reasonable grounds to believe there has been a breach then a statement will be prepared setting out:
- the business’s details;
- a description of the breach;
- the kind or kinds of information concerned; and
- recommendations about the steps that we will take in response to it.
If practicable, we will advise the contents of the statement to each of the affected clients who may be at risk from the breach. If this is not practicable we will publish the statement on our website and take other reasonable steps to publicise its contents. Communications with individuals will be via their preferred communication method.
The statement will be submitted to the Privacy Commissioner.
Exception to reporting
Mandatory notification requirements are waived if remedial action can be taken that results in a reasonable person concluding that the access or disclosure is not likely to result in serious harm to any of those individuals.
The PCOS Project welcomes the General Data Protection Regulation (“GDPR”) of the European Union (“EU”) as an important step forward in streamlining data protection globally. Although we do not operate an establishment within the EU and do not target any offering of services towards customers/clients in the EU specifically, we intend to comply with the data handling regime laid out in the GDPR in respect of any personal information of data subjects in the EU that we may obtain.
The requirements of the GDPR are broadly similar to those set out in the Privacy Act and include the following rights:
- you are entitled to request details of the information that we hold about you and how we process it. For EU residents, we will provide this information for no fee;
- you may also have a right to:
  - have that information rectified or deleted;
  - restrict our processing of that information;
  - stop unauthorised transfers of your personal information to a third party;
  - in some circumstances, have that information transferred to another organisation; and
  - lodge a complaint in relation to our processing of your personal information with a local supervisory authority; and
- where we rely upon your consent as our legal basis for collecting and processing your data, you may withdraw that consent at any time.
If you object to the processing of your personal information, or if you have provided your consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations. However, please be aware that:
- such objection or withdrawal of consent could mean that we are unable to provide our services to you, and could unduly prevent us from legitimately providing our services to other customers/clients subject to appropriate confidentiality protections; and
- even after you have chosen to withdraw your consent, we may be able to continue to keep and process your personal information to the extent required or otherwise permitted by law, in particular:
  - to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and which does not materially impact on your rights, freedoms or interests; and
  - in exercising and defending our legal rights and meeting our legal and regulatory obligations.