Privacy Policy

This Privacy Policy explains how Preview Health Pty Ltd and its related bodies corporate (ACN 673 075 842) (“Preview Health”, “we”, “us”, or “our”) collects, holds, uses, and discloses your personal information when you use our Service.

Preview Health is an Australian health-tech company based in Sydney, NSW. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Policy has been prepared in accordance with our obligations under the Privacy Act, including APP 1 (open and transparent management of personal information).

We may also be subject to the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”) where we deal with individuals in those jurisdictions. Supplementary provisions for those frameworks are set out in Parts B and C below.

By using our website at www.preview.health (“Service”), you acknowledge that you have read and understood this Privacy Policy.

Definitions

In this Privacy Policy:

• Personal Information has the meaning given in the Privacy Act and means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in a material form or not.

• Sensitive Information has the meaning given in the Privacy Act and includes health information, genetic information, biometric information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal record.

• Health Information is a subset of sensitive information and includes information or an opinion about the health, disability, or health services provided to an individual.

• Service refers to the Preview Health website, accessible at www.preview.health.

• Device means any device that can access the Service, such as a computer, mobile phone, or tablet.

• Usage Data means data collected automatically when using the Service, such as IP address, browser type, pages visited, and time spent on those pages.

• Cookies are small files placed on your Device by a website, used to store information about your browsing activity.

• OAIC means the Office of the Australian Information Commissioner.

Part A — Australian Privacy Law

This Part sets out our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. It applies to all users of our Service.

Open and Transparent Management of Personal Information (APP 1)

Preview Health is committed to managing your personal information openly and transparently. This Privacy Policy describes:

• the kinds of personal information we collect and hold;

• how we collect personal information;

• the purposes for which we collect, hold, use, and disclose personal information;

• how you can access and correct your personal information;

• how you can complain about a breach of your privacy and how we will handle that complaint; and

• whether we disclose personal information to overseas recipients.

Kinds of Personal Information We Collect

Depending on how you interact with our Service, we may collect the following kinds of personal information:

Personal Data You Provide

• your name;

• your email address;

• any other information you voluntarily provide to us (for example, through forms, waitlist sign-ups, or correspondence); and

• health or sensitive information, if you provide it to us (see the Sensitive Information section below).

Usage Data (Collected Automatically)

• your Device’s Internet Protocol (IP) address;

• browser type and version;

• the pages of our Service that you visit, the time and date of your visit, and time spent on those pages;

• unique device identifiers and other diagnostic data; and

• if you access the Service via a mobile device: your mobile device type, unique ID, IP address, mobile operating system, and mobile browser type.

How We Collect Personal Information

We collect personal information:

• directly from you — for example, when you sign up to our waitlist, create an account, fill out a form, or contact us;

• automatically — through cookies and similar tracking technologies when you use our Service (see the Cookies and Tracking Technologies section below); and

• from third parties — for example, from analytics providers such as Google Analytics.

Where it is reasonable and practicable to do so, we collect personal information directly from you. We will not collect personal information by unlawful or unfair means.

How We Store and Secure Personal Information

We store personal information in a combination of cloud-based systems (including servers operated by third-party service providers) and internal systems. We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (see the Security section below for further detail).

Notification of Collection (APP 5)

At or before the time we collect your personal information (or as soon as practicable afterwards), we will take reasonable steps to notify you of the following:

• Our identity: Preview Health Pty Ltd and its related bodies corporate (ACN 673 075 842), Level 17/123 Pitt St, Sydney NSW 2000.

• How to contact us: Email: info@preview.health

• Purposes of collection: We collect your personal information for the purposes set out below.

• Disclosure: We may disclose your personal information to the parties described below.

• Overseas disclosure: We may disclose your personal information to overseas recipients as described in the Cross-Border Disclosure section.

• Consequences of not providing information: If you do not provide us with the personal information we request, we may not be able to provide you with our Service, respond to your enquiries, or communicate with you about our products and services.

• Access and correction: You can request access to and correction of your personal information as described in the Access and Correction section.

• Complaints: You can make a complaint about our handling of your personal information as described in the Complaints section.

Purposes of Collection, Use, and Disclosure

We collect, hold, use, and disclose your personal information for the following purposes:

• to provide and maintain our Service, including monitoring its usage;

• to manage your account and registration as a user;

• to communicate with you, including responding to your enquiries, providing updates, and sending service-related notifications;

• to send you marketing and promotional communications where you have consented to receiving them (see the Direct Marketing section);

• to manage our waitlist and related communications;

• to analyse how our Service is used and to improve our products and services;

• to detect, prevent, and address technical issues, security incidents, and fraudulent or illegal activity;

• to comply with our legal obligations; and

• for any other purpose to which you have consented.

Disclosure of Personal Information

We may disclose your personal information to:

• Service providers who assist us in operating our Service (for example, hosting providers, analytics providers, and email marketing platforms);

• professional advisors such as lawyers, accountants, and auditors;

• government authorities or law enforcement agencies, where required or authorised by law;

• related entities, including any parent company, subsidiaries, or affiliated entities; and

• any other party with your consent or as otherwise permitted or required by law.

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

Sensitive Information and Health Information

Under the Privacy Act, health information is classified as sensitive information and is afforded a higher level of protection.

Preview Health operates in the health-tech sector. We recognise the importance of handling health and sensitive information with the utmost care. We will only collect sensitive information (including health information) where:

• you have given express consent to the collection of that information; and

• the information is reasonably necessary for one or more of our functions or activities.

If we collect health or sensitive information from you, we will:

• clearly inform you at the time of collection about what information we are collecting and why;

• obtain your express consent before collecting it;

• only use or disclose it for the purpose for which it was collected, unless you consent to another use or an exception under the Privacy Act applies;

• take additional steps to protect it from misuse, loss, and unauthorised access; and

• not use or disclose it for direct marketing purposes unless you have expressly consented.

If our Service does not currently collect health information, we will update this Policy before doing so and will obtain your express consent at that time.

Direct Marketing (APP 7) and Spam Act 2003 Compliance

Direct Marketing

We may use your personal information to send you marketing and promotional communications about our products, services, and events that may be of interest to you. We will only do so where:

• you have provided your express consent to receive marketing communications (for example, by signing up to our waitlist or opting in to receive updates); or

• we are otherwise permitted to do so under the Privacy Act.

You may opt out of receiving marketing communications from us at any time by:

• clicking the “unsubscribe” link included in every marketing email we send;

• contacting us at info@preview.health and requesting to be removed from our mailing list; or

• updating your communication preferences in your account settings (if applicable).

We will process your opt-out request as soon as reasonably practicable. Please note that even after opting out of marketing, we may still send you transactional or service-related communications (for example, updates to our terms or important security notices).

Spam Act 2003 (Cth) Compliance

Preview Health complies with the Spam Act 2003 (Cth). This means we will:

• only send commercial electronic messages (including emails) with your consent;

• include accurate sender identification in every commercial electronic message, including our name and contact details;

• include a functional unsubscribe mechanism in every commercial electronic message, allowing you to opt out easily; and

• honour unsubscribe requests promptly.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies (such as web beacons, tags, and scripts) to collect information about how you use our Service and to improve your experience.

Types of Cookies We Use

• Necessary / Essential Cookies

Type: Session Cookies. Administered by: Us.

These cookies are essential to provide you with services available through the Website and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.

• Cookies Policy / Notice Acceptance Cookies

Type: Persistent Cookies. Administered by: Us.

These cookies identify if users have accepted the use of cookies on the Website.

• Functionality Cookies

Type: Persistent Cookies. Administered by: Us.

These cookies allow us to remember choices you make when you use the Website, such as remembering your login details or language preference. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you use the Website.

• Tracking and Performance Cookies

Type: Persistent Cookies. Administered by: Third-Parties.

These cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these cookies to test new pages, features or new functionality of the Website to see how our users react to them.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of our Service.

Cross-Border Disclosure of Personal Information (APP 8)

Some of the third-party service providers we use may store or process your personal information outside Australia. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information.

Our personal information may be disclosed to recipients in the following countries:

• United States — We use Google Analytics (operated by Google LLC) for website analytics and Mailchimp (operated by The Rocket Science Group LLC) for email marketing. Both services may store data on servers located in the United States.

We may also disclose personal information to recipients in other countries if additional third-party services are engaged in the future. We will update this Policy to reflect any changes.

For more information about how these service providers handle personal information, please refer to:

• Google Privacy Policy: https://policies.google.com/privacy

• Mailchimp Privacy Policy: https://mailchimp.com/legal/privacy/

Security of Personal Information (APP 11)

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

• using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) encryption on our website;

• restricting access to personal information to authorised personnel on a need-to-know basis;

• maintaining secure password and access control policies;

• using reputable cloud-based service providers with appropriate security certifications; and

• regularly reviewing and updating our security practices.

However, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

We will take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed for any purpose for which it may be lawfully used or disclosed.

Access to and Correction of Personal Information (APP 12 and APP 13)

Access (APP 12)

You have the right to request access to the personal information we hold about you. To make an access request, please contact us at info@preview.health.

We will respond to your request within a reasonable period (and in any event within 30 days). We will provide access in the manner you request, if it is reasonable and practicable to do so.

We may refuse to provide access in certain circumstances permitted by the Privacy Act, including where:

• providing access would pose a serious threat to the life, health, or safety of any individual or to public health or safety;

• providing access would have an unreasonable impact on the privacy of other individuals;

• the request is frivolous or vexatious; or

• the information relates to existing or anticipated legal proceedings and would not normally be accessible through the discovery process.

If we refuse access, we will provide you with written reasons for the refusal and the mechanisms available to you to complain about the refusal.

Correction (APP 13)

You have the right to request correction of any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. To request a correction, please contact us at info@preview.health.

We will respond to your correction request within a reasonable period (and in any event within 30 days). If we correct information that has previously been disclosed to a third party, we will take reasonable steps to notify that third party of the correction (unless it is impracticable or unlawful to do so).

If we refuse to correct your personal information, we will provide you with written reasons for the refusal and the mechanisms available to you to complain.

Notifiable Data Breaches

Preview Health complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

If we become aware that there are reasonable grounds to believe that an eligible data breach has occurred (that is, a breach that is likely to result in serious harm to any individual whose personal information is involved), we will:

• as soon as practicable, notify the Office of the Australian Information Commissioner (OAIC) of the breach;

• as soon as practicable, notify the affected individuals of the breach; and

• include in the notification a description of the breach, the kinds of information involved, and recommendations about the steps individuals should take in response.

We maintain an internal data breach response plan and take proactive steps to assess and contain suspected breaches in accordance with OAIC guidance.

Complaints

Complaining to Us

If you believe that we have breached your privacy or mishandled your personal information, you have the right to make a complaint. In the first instance, please contact us at info@preview.health with details of your complaint. We will:

• acknowledge your complaint within 5 business days;

• investigate your complaint and keep you informed of progress; and

• respond to your complaint within 30 days.

Complaining to the OAIC

If you are not satisfied with our response, or if you wish to make a complaint directly, you can contact the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au

• Phone: 1300 363 992

• Email: enquiries@oaic.gov.au

• Post: GPO Box 5218, Sydney NSW 2001

Part B — Supplementary Provisions for EU/EEA Users (GDPR)

This Part applies in addition to Part A if you are located in the European Union (EU) or European Economic Area (EEA). Where there is any inconsistency between this Part and Part A, this Part prevails to the extent of the inconsistency for EU/EEA users.

Data Controller

For the purposes of the GDPR, Preview Health Pty Ltd and its related bodies corporate (ACN 673 075 842) is the Data Controller responsible for your personal data.

Legal Basis for Processing Personal Data under GDPR

We may process your personal data under the following legal bases:

• Consent: You have given your consent for processing your personal data for one or more specific purposes.

• Performance of a contract: Processing is necessary for the performance of an agreement with you or for pre-contractual obligations.

• Legal obligations: Processing is necessary for compliance with a legal obligation to which we are subject.

• Vital interests: Processing is necessary to protect your vital interests or those of another person.

• Public interest: Processing is related to a task carried out in the public interest.

• Legitimate interests: Processing is necessary for the purposes of our legitimate interests, provided they are not overridden by your rights and interests.

Your Rights Under the GDPR

If you are located in the EU or EEA, you have the following rights in relation to your personal data:

• Right of access. You have the right to request a copy of the personal data we hold about you.

• Right to rectification. You have the right to request that we correct any inaccurate or incomplete personal data.

• Right to erasure. You have the right to request that we delete your personal data, subject to certain exceptions.

• Right to restriction. You have the right to request that we restrict the processing of your personal data in certain circumstances.

• Right to data portability. You have the right to receive your personal data in a structured, commonly used, machine-readable format.

• Right to object. You have the right to object to the processing of your personal data for direct marketing or based on legitimate interests.

• Right to withdraw consent. Where processing is based on consent, you have the right to withdraw your consent at any time.

To exercise any of these rights, please contact us at info@preview.health. We will respond to your request within one month.

You also have the right to lodge a complaint with your local data protection authority in the EEA.

Part C — Supplementary Provisions for California Residents (CCPA/CPRA)

This Part applies in addition to Part A if you are a resident of the State of California, United States. It supplements the information in this Privacy Policy in accordance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).

Categories of Personal Information Collected

We may collect the following categories of personal information (as defined in the CCPA/CPRA) from California residents:

• Category A: Identifiers.

Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.

Collected: Yes.

• Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

Examples: A name, signature, address, telephone number, or other similar information. Some personal information included in this category may overlap with other categories.

Collected: Yes.

• Category C: Protected classification characteristics under California or federal law.

Collected: No.

• Category D: Commercial information.

Collected: No.

• Category E: Biometric information.

Collected: No.

• Category F: Internet or other similar network activity.

Examples: Interaction with our Service or advertisement.

Collected: Yes.

• Category G: Geolocation data.

Collected: No.

• Category H: Sensory data.

Collected: No.

• Category I: Professional or employment-related information.

Collected: No.

• Category J: Non-public education information.

Collected: No.

• Category K: Inferences drawn from other personal information.

Collected: No.

• Category L: Sensitive personal information.

Examples: Account login and password information.

Collected: Yes.

Sale and Sharing of Personal Information

Preview Health does not sell your personal information in the traditional sense of the word. We do not exchange your personal information for monetary consideration.

We use third-party service providers (such as Google Analytics) to help us analyse website traffic and improve our Service. These service providers may use cookies and similar technologies to collect data about your activity on our website. Under the broad definition of “sale” in the CCPA/CPRA, this activity may be deemed a “sale” or “sharing” of personal information.

You have the right to opt out of this activity. To do so, you may:

• adjust your cookie preferences using the cookie settings on our website;

• use your browser settings to block third-party cookies; or

• contact us at info@preview.health.

Your Rights Under the CCPA/CPRA

If you are a California resident, you have the following rights:

• Right to know. You have the right to request information about the categories and specific pieces of personal information we have collected about you, as well as the sources, purposes, and third parties involved.

• Right to delete. You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.

• Right to correct. You have the right to request that we correct any inaccurate personal information.

• Right to opt out of sale/sharing. You have the right to opt out of the sale or sharing of your personal information.

• Right to limit use of sensitive data. You have the right to limit the use and disclosure of your sensitive personal information.

• Right to non-discrimination. We will not discriminate against you for exercising any of your rights under the CCPA/CPRA.

To exercise any of these rights, please contact us at info@preview.health. We will respond to your verifiable request within 45 days.

Sale of Personal Information of Minors

We do not knowingly collect personal information from minors under the age of 16. We do not sell the personal information of consumers we know are under 16 years of age.

“Do Not Track” Policy as Required by CalOPPA

Our Service does not respond to Do Not Track signals. However, you can manage your cookie and tracking preferences through your browser settings.

California’s Shine the Light Law

Under California Civil Code Section 1798 (California’s Shine the Light law), California residents with an established business relationship with us can request information once a year about sharing their personal data with third parties for the third parties’ direct marketing purposes. If you are a California resident, you can contact us using the contact information provided below.

Part D — General Provisions

Children’s Privacy

Our Service is not directed at anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you become aware that your child has provided us with personal information, please contact us at info@preview.health. If we become aware that we have collected personal information from anyone under 13 without verification of parental consent, we will take steps to remove that information from our systems.

Links to Other Websites

Our Service may contain links to third-party websites that are not operated by us. If you click on a third-party link, you will be directed to that party’s website. We strongly advise you to review the privacy policy of every website you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services.

Retention of Personal Information

We will retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy, or as required or permitted by law. When personal information is no longer needed, we will take reasonable steps to destroy it or permanently de-identify it.

Usage Data is generally retained for a shorter period, except where it is used to strengthen security, improve our Service, or where we are legally required to retain it.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Privacy Policy on this page and updating the “Last updated” date at the top of this Policy.

Where changes are significant, we may also notify you by email or by a prominent notice on our Service prior to the change becoming effective.

You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise any of your rights, or would like to make a complaint, please contact us:

Preview Health Pty Ltd and its related bodies corporate

ACN: 673 075 842

Level 17/123 Pitt St, Sydney NSW 2000

Email: info@preview.health

‍