Privacy Policy
We understand that protecting your personal information is important. ecovault is committed to protecting the privacy of personal information in accordance with its obligations under the Privacy Act 1988 (Cth) (Privacy Act) and in particular, the Australian Privacy Principles (APPs). This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or otherwise collected by us when providing our Services to you. In this Privacy Policy we, us or our means CBD Clinics Australia Pty Ltd - ABN 63 638 980 300.
In this Privacy Policy, Healthcare Provider means a clinic, medical practitioner, telehealth service, pharmacy, or other healthcare service provider through which you may be accessing our Services. Where you access our Services through a Healthcare Provider, our handling of your information may also be subject to the practices and instructions of that Healthcare Provider, in addition to this Privacy Policy.
Types of information
Personal information: is information or an opinion, whether true or not and whether recorded in a material form or not, about an individual who is identified or reasonably identifiable.
Sensitive information: is a sub-set of personal information that is given a higher level of protection. Sensitive information means information relating to your racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs, sexual orientation or practices, criminal records, health information or biometric information.
The information we collect
Personal information: The types of personal information we may collect about you include:
- your name;
- images of you;
- your contact details, including email address, mailing address, street address and/or telephone number;
- your age and/or date of birth;
- your gender;
- your credit card or payment details (through our third party payment processor);
- your preferences and/or opinions;
- information you provide to us through customer surveys;
- your sensitive information as set out below;
- details of products and services we have provided to you and/or that you have enquired about, and our response to you;
- your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour;
- information about your access and use of our Services, including through the use of Internet Cookies, your communications with our Online Services, the type of browser you are using, the type of operating system you are using and the domain name of your Internet Service Provider;
- additional personal information that you provide to us, directly or indirectly, through your use of our Services, associated applications, associated social media platforms and/or accounts from which you permit us to collect information; and
- any other personal information requested by us and/or provided by you or a third party.
Sensitive information: The types of sensitive information we may collect about you include:
- general information about your health, any illness, injury, disability or pregnancy;
- other health information such as:
- notes of symptoms or diagnosis;
- whether you suffer from any allergies or sensitivities;
- information about health services you have received;
- prescription information or information about other pharmaceutical purchases; and
- your Medicare details, Health Care Card, Department of Veterans' Affairs Card or any other concessional and safety net cards you may hold.
Unless otherwise permitted by law, we will not collect sensitive information about you without first obtaining your or your representative's consent.
How we collect personal information
We collect personal information in a variety of ways, including:
- Directly: We collect personal information which you directly provide to us, including when you register for an account, through the 'contact us' form on our website or when you request our assistance via email, our online chat or over the telephone.
- Indirectly: We may collect personal information which you indirectly provide to us while interacting with us, such as when you use our website, in emails, over the telephone and in your online enquiries.
- From third parties: We collect personal information from third parties, such as details of your use of our website from our analytics and cookie providers and marketing providers. See the “Cookies and tracking technologies” section below for more detail.
Collection and use of personal information
Personal information: We may collect, hold, use and disclose personal information for the following purposes:
- to enable you to access and use our Services, including to provide you with a login;
- to provide our Services to you, including to dispatch and deliver products to you, process your order and manage your account;
- to enable you to access and use our associated applications;
- to contact and communicate with you about our Services;
- for internal record keeping, administrative, invoicing and billing purposes;
- for analytics, market research and business development, including to operate and improve our Services and associated applications;
- to run promotions, competitions and/or offer additional benefits to you;
- for advertising and marketing, including to send you promotional information about our products and services and information that we consider may be of interest to you;
- where you access our Services through a Healthcare Provider, we will not use your personal information to market our own products or services to you, except with your consent or the consent of your Healthcare Provider;
- to comply with our legal obligations and resolve any disputes that we may have;
- if you have applied for employment with us, to consider your employment application; and
- if otherwise required or authorised by law.
Sensitive information: We only collect, hold, use and disclose sensitive information for the following purposes:
- any purposes you consent to;
- the primary purpose for which it is collected, to facilitate the management, ordering and delivery of your medication and other pharmacy products;
- secondary purposes that are directly related to the primary purpose for which it was collected, including disclosure to the below listed third parties as reasonably necessary to provide our Services to you;
- to contact emergency services, or to speak with your family, partner or support person where we reasonably believe there is a serious risk to the life, health or safety of you or another person and it is impracticable for us to obtain your consent;
- where you access our Services through a Healthcare Provider, our use of your sensitive information is limited to the purposes for which we are providing those Services on behalf of, or in conjunction with, that Healthcare Provider, together with any purpose required or permitted by law; and
- if otherwise required or authorised by law.
De-identified information: We may use information that has been de-identified (so that you can no longer be reasonably identified from it) for internal purposes, including platform performance monitoring, service quality, product improvement, and aggregate trend reporting. De-identified information is not personal information under the Privacy Act and may be retained and used after your personal information has been deleted.
Disclosure of personal information to third parties
We may disclose personal information to:
- third party service providers for the purpose of enabling them to provide their services to us, including (without limitation) IT service providers, data storage, web-hosting and server providers, debt collectors, couriers, maintenance or problem-solving providers, marketing or advertising providers, professional advisors and payment systems operators;
- the Healthcare Provider through whom you access our Services, and any other doctors, pharmacists or health service providers who are involved in your care;
- our employees, contractors and/or related entities;
- our service providers and subcontractors who assist us in operating our Services and who are bound by equivalent confidentiality and data protection obligations;
- anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred;
- courts, tribunals and regulatory authorities, in the event you fail to pay for goods or services we have provided to you;
- courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
- any other third parties as required or permitted by law, such as where we receive a subpoena.
Hosting and overseas disclosure: Our primary data hosting is located in Australia, with edge security, content delivery, and denial-of-service protection services that operate from globally distributed locations. Some of our service providers may store, transfer, or access your personal information outside Australia, including the following categories of providers and locations:
- analytics services, including Google Analytics (operated by Google LLC): United States and the European Union;
- error monitoring, performance monitoring, and diagnostic services: United States and the European Union;
- email, messaging, and notification services: United States and the European Union;
- edge security and content delivery services: globally distributed locations.
Our payment processing partners may also process payment information through international card network and acquirer routes, as is standard for card payment processing.
We take reasonable steps to ensure that any overseas service provider handles your personal information in accordance with the Australian Privacy Principles, including by entering into contractual arrangements that require them to do so. We do not name individual service providers in this Privacy Policy in order to maintain the security and integrity of our Services. A current list of categories and approximate locations is maintained above and updated from time to time.
Your rights and controlling your personal information
Your choice: Please read this Privacy Policy carefully. If you provide personal information to us, you understand we will collect, hold, use and disclose your personal information in accordance with this Privacy Policy. You do not have to provide personal information to us; however, if you do not, it may affect our ability to provide our Services to you and your use of our Services.
Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent to provide the personal information to us.
Restrict and unsubscribe: To object to processing for direct marketing, unsubscribe from our email database or opt out of communications (including marketing communications), please contact us using the details below or opt out using the opt-out facilities provided in the communication.
Access: You may request access to the personal information that we hold about you. We will respond to your request within a reasonable time, and within any timeframe required by applicable law. An administrative fee may be payable for the provision of such information. Where the information you are requesting access to constitutes a health record under applicable state or territory legislation (including the Health Records Act 2001 (Vic), the Health Records and Information Privacy Act 2002 (NSW), and the Health Records (Privacy and Access) Act 1997 (ACT)), our response timeframes and any fees we charge will comply with the requirements of that legislation. Please note, in some situations, we may be legally permitted to withhold access to your personal information.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, out of date, incomplete, irrelevant or misleading. Please note, in some situations, we may be legally permitted to not correct your personal information.
Complaints: If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. You also have the right to contact the relevant privacy authority.
Storage and security
We are committed to ensuring that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.
One of these measures that we have put in place is our data breach plan, to ensure that we comply with the Notifiable Data Breaches (NDB) scheme, as defined in the Privacy Act.
While we are committed to security, we cannot guarantee the security of any information that is transmitted to or by us over the Internet. The transmission and exchange of information is carried out at your own risk. This statement does not limit our obligations under applicable law or under any agreement we have with your Healthcare Provider to maintain appropriate security practices.
Retention
We retain your personal and sensitive information for as long as is necessary to provide our Services to you, to meet our legal and regulatory obligations, and to resolve any disputes.
Where we hold information that constitutes a health record, we retain it in accordance with applicable health records legislation. This generally requires retention for at least seven (7) years from the date of last service for adults, and until the patient turns 25 for records relating to minors.
Regulatory retention of prescription records: Where information we hold relates to a prescription, dispensing event, or related healthcare identifier transaction, we are required by Australian federal and state regulatory frameworks (including the Australian Digital Health Agency's conformance requirements for Prescription Delivery Services, the Pharmaceutical Benefits Scheme and Medicare record-keeping requirements administered by Services Australia, real-time prescription monitoring requirements, and applicable state Drugs and Poisons legislation) to retain that information as part of our audit and transaction records, for periods that may extend beyond seven (7) years and in some cases indefinitely. Such records are retained solely for regulatory compliance purposes, and continue to be protected by the security and confidentiality measures described in this Privacy Policy.
Where you access our Services through a Healthcare Provider, retention of your information may also be subject to the records management practices and instructions of that Healthcare Provider.
Cookies and tracking technologies
We use cookies and similar technologies on our online Services. Cookies are small text files placed in your browser to store information such as your preferences and session details. Cookies, by themselves, do not generally tell us your email address or other personally identifiable information. Where you choose to provide our online Services with personal information, that information may be linked to the data stored in the cookie.
We use the following categories of cookies and tracking technologies:
- Essential cookies: necessary for the operation of our Services, including authentication, session management, and security. These cannot be disabled without affecting your ability to use our Services.
- Analytics cookies: to help us understand how our Services are used so we can improve them. This includes Google Analytics (operated by Google LLC), and may include other privacy-focused analytics tools that do not collect personally identifiable information. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
- Functional cookies: to remember your preferences and settings between visits.
- Diagnostic and product technologies: we use error-monitoring and product-analytics tools that may collect technical diagnostic information and aggregated usage information from your browser session to help us identify errors and improve our Services.
Email tracking: When we send you emails through our email service providers, those emails may include tracking pixels or similar technologies that allow us to know when you have opened the email or clicked on a link, so we can measure the effectiveness of our communications. You can disable these by configuring your email client to block external images, or by unsubscribing from non-essential communications.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our online Services.
Links to other websites
Our Services may contain links to other websites. We do not have any control over those websites and we are not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.
Amendments
We may, at any time and at our discretion, vary this Privacy Policy by publishing the amended Privacy Policy on our website. We will take reasonable steps to notify you of any material changes (for example, by email to your registered email address). We recommend you check our website regularly to ensure you are aware of our current Privacy Policy.
For any questions or notices, please contact us.
CBD Clinics Australia Pty Ltd - ABN 63 638 980 300