Your privacy is important

This Privacy Policy outlines how Biomecentric Pty Ltd and its related bodies corporate and associates collect, hold, use, protect and disclose personal data that we obtain about you directly or indirectly in accordance with applicable data protection laws.

We are very aware of the sensitivity of some of the information that we process by virtue of the services we provide and take the security of personal data very seriously. We appreciate that your privacy is very important, and we are strongly committed to handling your personal data (including your health information and any other sensitive information about you) in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles, the General Data Protection Regulation (EU) 2016/679, the Data Protection Act 2018 and any applicable data protection legislation as amended, replaced or superseded from time to time.

Where you use our services, or your personal data is processed in connection with such services, and we control the purpose for which such personal data is processed, Biomecentric will be the data controller of such information.

From time to time, there may be more than one data controller of your information within our group where you have engaged different parts of our broader organisation to provide different or jointly delivered services.

This Privacy Policy does not apply to, and Biomecentric is not responsible for, any third-party websites which may be accessible through links from this website (please see Online services - Links to third party sites, services and content section below for more information).

Scope of Privacy Policy

This Privacy Policy explains and describes:

• When this Privacy Policy applies.

• How we collect your personal data.

• Legal basis for usage of your personal data.

• How we use the personal data we collect.

• How and when we may disclose personal data that we collect.

• What happens if your personal data is transferred overseas.

• How long we hold your personal data.

• How we protect your personal data and keep it secure.

• What cookies are and how we use them.

• What happens when you access third-party services and content.

• Your legal choices and rights.

• The status of this Privacy Policy and any changes that are made to it.

• How to request further information.

• Our contact details.

When this Privacy Policy applies

This Privacy Policy applies:

• to your use of any of our services where we are performing a data controller function;

• where you apply to us for a job or work placement;

• to your supply of services to us where this involves any personal data; and/or

• to any personal information collected from third parties where we are the controller of such information.

This Privacy Policy additionally applies to our website and online services, including www.biomecentric.com.au, and any other website, mobile app or other online service created or hosted by us from time to time on which this Privacy Policy appears (together, our “online services”) through which we may collect certain details if, for example, you want to subscribe to any publications or newsletters that we may periodically issue. Please note that our online services make use of cookies and similar technologies, as described in more detail in the Cookies section below.

Kinds of personal data we collect and the purposes for which we process it

We collect and hold personal data about customers and potential customers, contractors, employees and other people who come into contact with us (you or your). Where we intend to use your personal data, we rely on the following legal grounds:

Performance of a contract: We may need to collect and use your personal data to enter into a contract with you or to perform a contract that you have with us. For example, provision of a microbiome test ordered by or for you, and where we respond to your requests and provide you with services in accordance with our terms and conditions or other applicable terms of business agreed with you or with your employing organisation.

Legitimate interests: Where we consider use of your information as being (a) non-detrimental to you, (b) within your reasonable expectations, and (c) necessary for our own, or a third party’s legitimate purpose, we may use your personal data, which may include:

• for our own direct marketing or continued communication;

• the prevention of fraud;

• our own internal administrative purposes;

• personalisation of the service(s) we provide to you;

• ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems; and/or

• reporting possible criminal acts or threats to public security to a competent authority.

Compliance with a legal obligation:

We may be required to process your information due to legal requirements, including employment laws, tax laws and other regulatory provisions applicable to Biomecentric as a provider of Microbial Genomics Services.

Consent: You may be asked to provide your consent in connection with certain services that we offer, for example in respect of any processing of your personal data for our marketing purposes where you or your employing organisation is not a client of Biomecentric, or in respect of certain special categories of personal data such as your health or racial background for which we are legally obliged to gain your consent due to the sensitive nature of such information and the circumstances in which it is gathered or transferred. Where we are reliant upon your consent, you may withdraw this at any time by contacting us in accordance with the Contact Us section below, however please note that we will no longer be able to provide you with the products or services that rely on having your consent.

The following table sets out the kinds of personal data about you that we may collect, hold and process, along with our legal basis for doing so:

Communication Data:

Communication Data includes data derived from any communication that you may send to us, whether through our website, through email or any other communication that you send us. We process this data for the purposes of communicating with you and facilitating our internal business operations (including fulfilment of any legal requirements). Our lawful basis for processing Communication Data is our contractual obligations, which in this case are to reply to communications sent to us, to keep records and to facilitate internal business operations.

Customer Data:

Customer Data includes data relating to any purchases of goods and/or services and may include data such as your name, title, billing address, delivery address, email address, phone number, contact details, purchase details and your credit card details. We process this data to supply our goods and/or services to you, to keep records of such transactions and for answering any questions or inquiries you direct to us. Our lawful basis for processing Customer Data is the performance of a service between you and us and/or taking steps at your request to enter into such a service.

User Data:

User Data includes data about how you use our website (including which of our pages or other web pages you have visited) and any services we provide. We process this data to operate our website and our online services, to ensure relevant content is provided to you, to ensure the security of our website, to maintain back-ups of our website and/or databases, and to enable publication and administration of our website, our business, and any other online services that we may provide. Our lawful basis for processing User Data is our legitimate interests which in this case are to enable us to properly administer our website, our online services and our business.

Technical Data:

Technical Data includes data about your use of our website and online services such as your IP address, your geographic location, your login data, details about your browser, length of visit to pages on our website, page views and navigation paths, details about the number of times you use our website, time zone settings and other technology on the devices you use to access our website. We may source this data from our analytics tracking system. We process this data to analyse your use of our website and other online services, to administer and protect our business and website, to deliver relevant website content and advertisements to you and to understand the effectiveness of our online services and advertising. Our lawful basis for processing Technical Data is our legitimate interests, which in this case are to enable us to properly administer our website, our online services and our business, and to grow our business and to decide our marketing strategy.

Marketing Data:

Marketing Data includes data about your preferences in receiving marketing from us and our third parties and your communication preferences. We may process this data to enable you to partake in any of our promotions, to deliver relevant website content and advertisements to you, and to measure or understand the effectiveness of this advertising. Our lawful basis for processing Marketing Data is our legitimate interests, which in this case are to study how customers use our products/ services, to develop them, to grow our business and to decide our marketing strategy.

Sensitive Data:

Sensitive Data is data about your race, ethnicity, religious or philosophical beliefs, political opinions, trade union membership, sex life or sexual orientation, and includes information about your health and genetic and biometric data. We process this data to supply our goods and/or services to you and for other purposes as reasonably necessary in connection with the delivery of our services. Our lawful basis for processing Sensitive Data is your informed consent and/or the performance of a contract between you and us (including, where applicable, by providing you with a microbiome report generated using the sample you may supply to us). If you participate in any research study or studies that we conduct from time to time, then we will collect, hold and use personal data about you for the purposes of that research study and as described in our Participant Information Sheet.

How we collect your personal data

‘Personal data’ means any information capable of identifying an individual. It does not include anonymised or de-identified data. We will generally collect personal data about you directly from you, including where you have submitted a microbiome request, responded to our online survey(s) or questionnaire(s), or provided us with samples. We may also collect personal data about you by way of forms and other documents or information that you submit to us (whether in paper or electronic form), correspondence you provide to us and telephone calls or meetings with you. We collect information that you voluntarily provide to us, including when you communicate with us via email or other channels; when you sign up for or request that we send you newsletters, alerts, or other materials; when you sign up for a webinar or event; and when you respond to our communications or requests for information. We may collect information from other sources, such as social media platforms that share information about how you interact with our social media content, and any information gathered through these channels will be governed by the privacy settings, policies, and/or procedures of the applicable social media platform, which we strongly encourage you to review. We will handle any unsolicited information in accordance with law, including destroying or de-identifying such information where we are required to do so. When you use our online services, we may collect details of visits made to our online services including, but not limited to, the volume of traffic received, logs (including, where available, the IP address and location of the device connecting to the online services and other technical information and identifiers about the device and the nature of the visit) and the resources accessed.

If you apply for a job or work placement with Biomecentric, you may need to provide information about your education, employment, racial background and state of health. By submitting a job application with us including the relevant information, you acknowledge that you are providing your express consent to our use of this information to assess your application and to allow us to carry out both recruitment analytics and any monitoring activities which may be required of us under applicable law as an employer. In certain circumstances (e.g. where you are located, the type of information required to assess your application) you may separately be asked to provide your express consent. We may also carry out screening checks (including reference, background, directorship, financial probity, identity, eligibility to work, vocational suitability and criminal record checks) and consider you for other positions.

We may exchange your personal data with academic institutions, recruiters, screening check providers, health service providers, professional and trade associations, law enforcement agencies, recruitment analytics providers, referees and your current and previous employers. We may also gather additional information about you from publicly available resources such as LinkedIn or other social or professional media platforms and collate this with the information that you provide to us. Without your personal data, we may not be able to progress considering you for positions with us.

In some instances, personal data must be provided to us in order for us to legally or contractually perform services to you, for example where we deliver a report consultation. Where relevant we will highlight to you those details that we are obligated to collect.

If we are unable to collect personal data about you, we may be unable to provide you with some or all of our services.

How we use your personal data

Depending upon the circumstances in which we gather your personal data, we may use your information to provide you with services and information, or for any of the following purposes:

• To provide you with Biomecentric’s services (as noted above) that you or your employing organisation request.

• To respond to your enquiries.

• To carry out our obligations arising from any contracts entered into between you and us.

• To facilitate our internal business operations, including to fulfil our legal or regulatory requirements.

• To maintain and develop our relationship with you.

• For our business purposes, including data analysis, submitting invoices, detecting, preventing, and responding to actual or potential fraud, illegal activities, or intellectual property infringement.

• To maintain and update our records including our database of contacts.

• To provide you on an ongoing basis with information and services, including relevant marketing communications related to Biomecentric, and other information or materials, that you request from us or which we feel may interest you where you have indicated that you would like to receive these from us.

• To evaluate, recruit, and hire personnel.

• To help us to improve our services, products or online services.

• To measure the popularity and effectiveness of services such as newsletters and seminar invitations, in order to improve what we offer to you and other recipients.

• To ensure that content from our online services is presented in the most effective and secure manner for you and the device on which you are accessing our services, and to troubleshoot, and improve such online services.

• To allow you to use or access interactive features or secure areas of our online services, when you choose to do so.

• For research, planning, service development, security or risk management.

• As we believe reasonably necessary or appropriate to: comply with our legal obligations; respond to legal process or requests for information issued by government authorities or other third parties; or protect your, our, or others’ rights.

We may not be able to do some or all of these things without your personal data.

If at any time we intend to change the purpose for which we hold your personal data, for example to offer you a complimentary service that we may provide in the future, we will give you prior information of that new purpose so you are aware of this.

Throughout all of our processing, specific attention is paid to all instances in which sensitive information, including health information, is processed by Biomecentric, as we have increased duties wherever such categories of data are provided to, or gathered by, us.

Disclosure of personal data

Before we disclose your personal data to any third party, we require each third party to respect the security of your personal data and to comply with all applicable laws in handling your personal data. When such third parties no longer need your personal data to fulfil the service they provide you on Biomecentric’s behalf, they will dispose of such details in line with Biomecentric’s procedures unless they are themselves under a legal obligation to retain information (provided that this will be in accordance with applicable data privacy laws). If we wish to pass your sensitive personal data onto a third party we will only do so once we have obtained your consent, unless we are legally required to do otherwise.

We may disclose personal data about you to third-party service providers contracted to Biomecentric where any of the following apply:

• In providing our services and operating our business, we may allow access to your personal data to the different entities within Biomecentric’s group for our internal administrative purposes such as billing, promoting our events and services, and providing you or your organisation with services, provided in all instances that such processing is consistent with the legal basis for usage of personal data above and applicable law.

• You have consented to us sharing your personal data in this way.

• We deem it reasonably necessary to provide you with the services that you have required at any particular time.

• Such sharing is provided for under contract, including our terms and conditions for any particular service that we may provide to you.

• Such sharing is to law enforcement bodies or other government authority.

• We need to enforce or apply our terms and conditions to which you have agreed (or other terms that have been agreed to apply to our relationship with you or your employing organisation).

• It is necessary to protect the rights and interests, property, or safety of Biomecentric, our clients or others.

• It is relevant in the circumstances to disclose the information to parties with whom we have co-promotional arrangements (such as jointly sponsored events, external venues, or caterers).

• Our agents or contractors who assist us in providing our services require such information, for example in fulfilling requests for information, receiving and sending communications, updating marketing lists, analysing data, providing support services or in other tasks from time to time. Our agents and contractors will only use your information to the extent necessary to perform their functions.

• We use third party service providers to provide services that involve data processing, for example archival, web-hosting, analytics providers in connection with the operation of our services, event hosting, information technology providers, auditing, reference checking, professional advisory (including legal, accounting, financial and business consulting), mailing vendor, delivery, technology, website, research, banking, payment, client contact, data processing, insurance, forensic, litigation support, marketing and security services.

• All, or most, of the assets of Biomecentric or any single business unit within Biomecentric are merged with or acquired by a third party, or we expand or re-organise our business, in which case your personal data may form part of the transferred or merged assets.

• We are under a legal, regulatory or professional obligation to do so (for example, in order to comply with a Court Order).

We may also disclose to Postal Services certain personal data you provide us (such as your email address, phone number and/or residential address) in connection with us providing our services to you (this information may be used by Postal Services for the purposes of providing notification of tracking events and collecting any relevant feedback in relation to the delivery or tracking service).

We may also provide anonymous statistical information about users of our websites and related usage information to reputable third parties, including analytics and search engine providers. We own the database rights in the information collected via our online services.

We do not sell, rent, or otherwise share information that reasonably identifies you or your organisation with unaffiliated entities for their independent use except as expressly described in this Privacy Policy or with your express prior permission. We may share information that does not reasonably identify you or your organisation as permitted by applicable law.

International transfers

For individuals in Australia, we do not typically or routinely disclose personal data to recipients located outside of Australia, although this may change over time. We will only disclose your personal information to recipients located outside of Australia where we have taken reasonable steps to ensure that the recipient has adequate safeguards in place to protect your personal data and ensure your privacy rights continue to be protected.

For individuals in the European Economic Area (EEA), we may transfer your personal data to recipients located outside of the EEA. Where your personal data is transferred to a third party outside of the EEA, we put certain safeguards in place to ensure your data is subject to a similar degree of security to the provisions of the EU General Data Protection Regulations.

As such:

• we may transfer such of your personal data to countries that have been approved as providing an adequate level of protection for such data by the European Commission; or

• if we use US-based providers that are part of EU-US Privacy Shield, we may transfer such of your personal data to them, as they have equivalent safeguards in place; or

• where we use certain service providers who are established outside of the EEA, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give your personal data the same protection it has under the General Data Protection Regulations.

We may request your prior express consent to a specific transfer of your personal data outside of the EEA where none of the above safeguards are available. You may withdraw this consent at any time.

Referral Codes

We may enter referral arrangements with certain third parties that provide health-related services to their patients or clients (“Referring Practitioners”). Under these arrangements, a Referring Practitioner may be given a unique referral code (“Referral Code”), which the Referring Practitioner can then provide to their patients or clients for their use in connection with the purchase of our services.

If you have been provided with a Referral Code, and you decide to use it in connection with the purchase of our services, you acknowledge, consent and agree that:

a) we may disclose the Microbiome Report produced with respect to those services (if any), including the personal data contained in the Microbiome Report, to the Referring Practitioner associated with that Referral Code and any of their associates or contractors that might be involved in providing health-related services to you (each, a “Healthcare Provider”);

b) we may send the Microbiome Report via email to the relevant Healthcare Provider or allow them to view the Microbiome Report online; and

c) we and our personnel may hold, access and use the Microbiome Report for the purposes of facilitating the delivery of the Microbiome Report to the relevant Healthcare Provider, and assisting them to interpret the Microbiome Report, in accordance with our Terms and Conditions.

How we hold personal data and data security

We may hold personal data in different ways, including in paper form, electronic form and/or in other mediums.

Our information security is supported by a variety of processes and procedures, and we store information in access-controlled premises or electronic databases requiring logins and passwords. All employees, officers or contractors of Biomecentric and third-party providers with access to confidential information are subject to access controls and confidentiality obligations, and we require our third-party data storage providers to comply with appropriate information security industry standards.

While we have taken steps that are reasonable in the circumstances to protect the personal data we hold from misuse, interference and loss and from unauthorised access, modification or disclosure, we cannot guarantee that such misuse, interference, loss, or unauthorised access, modification or disclosure will not occur.

Whilst we continually strive to ensure that our systems and controls are updated to reflect technological changes, the transmission of information via the internet is not completely secure, and as such we cannot guarantee the security of your data transmitted to our online services, which is at your own risk.

If you communicate with us using non-secure web platforms, you assume the risks that such communications between us are intercepted, not received, delayed, corrupted or are received by persons other than the intended recipient.

Once we have received your information, we will take reasonable steps to use procedures and security features to try to prevent unauthorised access, modification or disclosure.

You can help us to keep your information secure by ensuring that any username or password in relation to our online services is kept strictly personal to you and not made available to any other person. You should stop using your username and password and notify us immediately if you suspect that someone else may be using your user details or password.

Retention

We retain personal data only as long as necessary to fulfil the purpose it was collected for in accordance with our internal data retention policies or to comply with our legal and regulatory obligations. Following this period, we will destroy or de-identify the relevant personal data. A maintained copy of our Retention and Disposal policy is available upon request. Should you wish to review our retention policy then please contact us in accordance with our contact details below.

De-identified information

We may de-identify your personal data or aggregate it in such a way that it cannot be used to identify you. We may disclose de-identified information for any purpose we see fit, including to conduct, publish and/or present research studies, and/or to develop diagnostics, therapeutics or other products/services. Our de-identification procedure involves:

• removing personal identifiers;

• removing or altering other information that may allow you to be identified; and

• continuously assessing and managing the risk of re-identification.

Direct marketing communications

We will not use personal data about you for direct marketing without your consent. If you would like to withdraw your consent, you can do so at any time, by emailing info@biomecentric.com.au

Cookies

A cookie is a data file that a website transfers to your computer when you visit that website. This enables the website to track the pages you have visited. A cookie only contains information you supply. It cannot read data on your computer. There are many types of cookies that may be used for different purposes. For example, some cookies help a website to remember information about your visit, like your preferred language and other settings while others may identify which pages are being visited or offer security features.

Our website and services delivered online use cookies and other similar technologies, for example, to distinguish you from other users when you browse our website(s) or use our online services and to allow us to improve our online services. We may, for example, collect information about the type of device you use to access our online services, the operating system and version, your IP address, your general geographic location as indicated by your IP address, your browser type, the content you view and features you access on our online services, the web pages you view immediately before and after you access our online services, whether and how you interact with content available on our online services, and the search terms you enter on our online services.

Biomecentric’s website sets cookies which remain on your computer for differing times. Some expire at the end of each session and some remain for longer so that when you return to our website, you will have a better user experience.

Control of cookies

You can set your browser to refuse cookies through the browser settings, however, this may mean you are unable to take full advantage of our website or our services. Most browsers enable you to block cookies or to block cookies from particular sites. Browsers can also help you to delete cookies when you close your browser. You should note however, that this may mean that any opt-outs or preferences you set on our website will be lost. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org which includes information on how to manage your settings for the major browser providers.

Online Services – Links to third party sites, services and content

In addition to our online services, which we control directly, we also use and provide links to websites which are controlled by third parties, which may include:

• Twitter, LinkedIn and YouTube, where we have certain Biomecentric accounts and profiles.

• Facebook and Instagram, where we have a social page.

• Google

If you use or follow a link to any of these third-party websites, please be aware that these websites have their own privacy policies and that we cannot accept any responsibility for their use of information about you.

Our online services may include integrated content or links to content provided by third parties (such as video materials). This Privacy Policy does not address the privacy, security, or other practices of the third parties that provide such content. We engage third parties that support the operation of our online services, such as analytics providers and technologies. These third parties may use technologies to track your online activities over time and across different websites and online platforms. Please see Cookies section above for more information.

Your Rights

Under applicable data protection legislation, we have a duty of care to ensure that your personal data is accurate and up to date. Therefore, please contact us to update or correct your information if this changes or if you believe that any information that we have collected about you is inaccurate at info@biomecentric.com.au

You can request:

• access to the personal data we hold about you;

• corrections or updates to your details;

• the erasure of your personal data;

• the portability of personal data that you have provided to us in a structured, commonly used and machine-readable format.

You also have the right to object to, or request the restriction of, our use of your personal data. You may access the personal data we hold about you, upon making a written request using the contact details set out at the end of this Policy. We will initially respond to your request within a reasonable period, but no later than one calendar month from receiving your request. We may charge you a reasonable fee in exceptional circumstances for processing your request if relevant legislation allows us to do so, in which case we will provide reasons for our decision. We may decline a request for access to personal data where we have a legitimate reason for doing so under applicable data privacy laws, and if we do, we will give you a written notice that sets out the reasons for the refusal (unless it would be unreasonable to provide those reasons).

If you intend to exercise your rights and Biomecentric does hold personal data about you, you can request the information below by contacting us:

• Identity and the contact details of the person or organisation that has determined how and why to process your data.

• The purpose of the processing as well as the legal basis for processing.

• If the processing is based on the legitimate interests of Biomecentric or a third party, information about those interests.

• The categories of personal data collected, stored and processed.

• Recipient(s) or categories of recipients that the data is/will be disclosed to.

• How long the data will be stored.

• The source of personal data if it wasn’t collected directly from you.

• Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

In order to verify the identity of those who make a request to us, we will accept the following forms of ID when information on your personal data is requested:

• Passport;

• Driving licence, Birth certificate;

• Utility bill dated within the last 3 months.

If, upon receiving access to your personal data or at any other time, you believe the personal data we hold about you is inaccurate, incomplete or out of date, please notify us immediately.

Authorised persons acting on behalf of individuals whose personal data we hold (for example a parent or legal guardian) will be required to:

• verify their identity in accordance with the verification requirements above; and

• provide proof of their relationship with the individual whose personal data we hold.

Where you have consented to our processing of certain personal data, you may at any time, by using the contact details set out below, notify us in writing that you withdraw such consent. Please be aware that, where you withdraw your consent, we will no longer be able to provide you with some or all of our services that rely on having your consent.

How to make a complaint about a breach of your privacy rights by us

If you wish to make a complaint, please contact us using the details at the end of this Policy and we will take reasonable steps to investigate the complaint and respond to you.

For individuals in Australia, you may submit a complaint to the Office of the Australian Information Commissioner, details of which can be found at https://www.oaic.gov.au/about-us/contact-us/.

For individuals in the European Economic Area (EEA), you may submit a complaint to the Information Commissioner's Office, details of which can be found at https://ico.org.uk/global/contact-us.

If you make a privacy complaint, we will respond to let you know how your complaint will be handled. We may ask you for further details, consult with other parties and keep records regarding your complaint.

Anonymity and pseudonyms

You have the option of not identifying yourself, or of using a pseudonym, when dealing with us in relation to privacy matters, unless we are required by law or a court/tribunal to deal with individuals who have identified themselves, or it is impractical for us to deal with you if you have not identified yourself in the circumstances.

Changes to this Privacy Policy

Your provision of personal data to us or use of our services constitutes your acceptance of the terms of this Privacy Policy. We may, from time to time, review and update this Privacy Policy to take account of new laws, information governance practices and technology developments, as data privacy laws (and surrounding guidance) evolve, as our functions and activities change, and to ensure it remains appropriate. We recommend you visit our website regularly to keep up to date with any changes.

We will post any Privacy Policy changes on this page and, if the changes are significant or may materially impact upon your rights, we will provide a more prominent notice or contact you by other means (including, for certain services, email notification of Privacy Policy changes).

Contact us

Please direct all queries and complaints in relation to your privacy or this Privacy Policy via the following means: Quality Manager, Biomecentric Pty Limited, Phone: 07 5621 0097, e-mail address: info@biomecentric.com.au