Welcome to XRHealth and thank you for visiting us! XRHealth is the first VR/AR Telehealth platform in the world which consists of innovative, immersive, therapeutic applications combined with an advanced data portal which utilises artificial intelligence and cloud-computing algorithms to deliver meaningful data analytics for monitoring and managing patients remotely (“the Platform”). The Platform also enables live, two-way interactions between patients and their healthcare providers.
We are bound by laws governing how we collect and use your Personal Information, including the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and other State and Territory laws such as the Health Records Act 2001 (Vic), the Health Records (Privacy and Access) Act 1997 (ACT) and the Health Records and Information Privacy Act 2002 (NSW) (collectively, the Privacy Laws).
PERSONAL INFORMATION, SENSITIVE INFORMATION AND NON-PERSONAL INFORMATION
WHO THIS POLICY APPLIES TO
This policy applies to:
all current and past users or patients of XRHealth whose Personal Information we have collected;
all current and past members of your health insurer whose Personal Information has been provided to us by your health insurer;
all individuals whose Personal Information is collected in relation to the products and Services offered by us;
all health professionals and clinicians whose Personal Information we have collected to enable us to provide the Services to you; and
all individuals whose Personal Information is collected by us in the course of our functions and activities (including demonstrations of our Services), such as, service providers, contractors, prospective employees and potential users (such as hospitals, clinics or companies interested in referring their patients to XRHealth).
Non-Personal Information is any unconcealed information which does not enable identification of an individual and which is available to us when you install and/or use our Platform. This may include (but is not limited to) technical information, behavioural information and aggregated information, and may contain, among other things, information pertaining to your activity on the Platform, type of operating system, device type, your ‘click-stream’ on the Platform, keyboard language, screen resolution and time spent on various screens of the Platform.
We also use third-party service providers such as Mixpanel and Google Analytics (and other providers from time to time) to obtain detailed analytics on your behaviour on the Platform.
THE TYPES OF PERSONAL INFORMATION WE MAY COLLECT
Most Personal Information we collect about you will be received from you directly or, to optimise the functionality of our Services, from the health professional with whom you have booked an appointment.
The type of Personal Information we may collect may include:
identifying information such as name, date of birth and employment details;
identification information for identity verification, such as your driver’s licence;
contact information such as home address, home and mobile phone numbers and email address, password, marital status, gender and in some cases your work contact details;
health insurance information, including details of your policy or claims;
government-issued identifiers including Medicare numbers;
financial information, such as bank account and credit card details;
information about your general practitioner, including the general practitioner’s name, contact number, facsimile and clinic address;
sensitive information, particularly if you are using our Services as one of our patients, including:
information about your health and health services provided to you;
information about your symptoms or diagnosis; specialist reports and test results; prescriptions and other pharmaceutical purchases; your wishes about future health services and appointment and billing details;
biometric information and templates, such as voice recognition information and eye-recognition information;
lifestyle, diet, exercise and health-related information that you enter yourself into our app;
other sensitive information – such as your race, ethnic origin or sexual orientation where we are required to collect it;
information about your activities, including sporting and other lifestyle interests;
information about your physical movements and performance when wearing the Hardware;
information about your employment and education history and any Personal Information contained in your curriculum vitae;
your IP and/or IMEI information to detect unauthorised access to the Platform and identify potential fraud and criminal behaviour; and
WHEN WE NEED INFORMATION WHICH IDENTIFIES YOU
You generally have the right not to identify yourself when dealing with us and to use a pseudonym, where it is lawful and practicable for us to allow it. However, in many instances we will need your identity details. For example, we will need your name and date of birth, if you want to receive the applicable government rebate from Medicare or private health insurance after using our Services.
If you do not provide or authorise the provision of Personal Information we request, we may be unable to provide you with some or all of our products and Services. If you ask us, we will tell you what Personal Information we must have in order to provide you with a particular product or service.
HOW WE COLLECT YOUR PERSONAL INFORMATION
We will only collect Personal Information about you by lawful and fair means. Where practicable, we will collect your Personal Information directly from you.
We may collect Personal Information from you at various times, including:
when you open and start to complete – or complete – an enrolment form or other type of form in relation to our products and Services;
when you sign-up to our Platform through third-party accounts, such as Google+, LinkedIn, Facebook and Instagram;
when you contact us in person, by phone, mail, email or online;
when you wear and use the Hardware;
when you make an appointment; and
when you visit our website or subscribe to or use one of our apps.
We may collect your Personal Information from you or from a person authorised to provide us with your Personal Information on your behalf.
We may also collect information about you from other sources, such as:
a third party such as a hospital, dentist, optometrist or other health professional who has treated you;
an employer, educational institution, government agency or adviser who has dealt with you (or their authorised representatives);
insurance companies, insurance brokers and financial planners, private medical insurers, financial institutions, medical or health professionals and other similar organisations that are permitted to share your Personal Information with us for the purposes of providing our Services;
for overseas customers, your migration or other agent;
a service provider engaged by us – or a third party who partners with us – to assist us in providing goods or services or administering our business (such as mailhouses, printing, and IT service providers and platforms, or marketing, planning and product or service development);
if you are a health professional, from relevant databases and directories; or
publicly available sources or networking services (including for the purpose of contacting you to offer our products and Services, and you can let us know your preferences in relation to such contact, or to confirm information provided by you – such as publicly available job history (eg via LinkedIn), or to verify identity and prevent fraud).
We also obtain information from other sources where:
we provide products and Services on behalf of or in conjunction with others, including business partners;
we need information from third parties relating to a product or service we provide to you;
we need information to prevent or minimise the risk of fraud; or
you have consented to third parties sharing it with us.
Where we engage with you multiple times over a short period in relation to the same matter, we may not provide you with a separate notice about privacy each time we engage with you.
If we collect information about you from someone else we will, whenever possible, make you aware of this.
HOW WE STORE YOUR PERSONAL INFORMATION
We take reasonable measures to maintain the security and integrity of our Platform and to prevent unauthorised access to it or use of it, through generally accepted industry-standard technologies and internal procedures. Personal Information is hosted on Amazon Web Services (AUS) and on servers provided by Salesforce and Cliniko, which apply strict security standards (both physical and logical). In addition, we design and implement our services using state-of-the-art encryption and architecture mechanisms. Furthermore, we implement a secure permission management and auditing system using specific and proprietary firewall and network access filtering as well as security group mechanisms. Please note, however, that there are inherent risks in the transmission of information over the Internet or in other methods of electronic storage, and we cannot guarantee that unauthorised access or use will never occur.
In the case of information that forms part of a health or medical record, your information will be held for at least seven years from the last time a health service was provided, in accordance with the Health Records Act. If someone under the age of 18 used the health service, the information will be held at least until that person has turned 25.
HOW WE DISPOSE OF YOUR PERSONAL INFORMATION
We seek to keep your Personal Information for only as long as it is required in order to provide you with products and Services or to legitimately comply with our business and legal obligations and requirements. When it is no longer needed for these purposes, we may destroy or permanently de-identify this Personal Information. Consequently, if you request access to your old Personal Information, we may not be able to provide you with your records where they have been destroyed or de-identified.
ACCESS TO YOUR PERSONAL INFORMATION
You can ask us for access to your medical record and other health information we hold about you at any time. We will endeavour to respond to your request within a reasonable time, being within 30 days of your request, and sooner where reasonably possible.
We may charge a fee to access information where your request is particularly onerous. We will let you know in advance of levying any fee to confirm that you still wish to proceed with your request.
When you contact us to seek access to your Personal Information, we will need to be reasonably satisfied it is you and may require you to substantiate your identity to protect you from fraud and privacy breaches.
We may not always give you access to certain information you have requested, such as where:
we no longer hold or use the information and have destroyed or de-identified it;
providing access would be unlawful;
we are required or authorised by law to deny access;
providing access would unreasonably impact on the privacy of others; or
we cannot adequately identify you.
It would assist us to ensure we properly understand your request, and allow us to respond more promptly, if requests are made in writing and include as much detail as possible.
WHY WE COLLECT AND USE YOUR PERSONAL INFORMATION
We collect your Non-Personal Information in order to:
use it for statistical, analytical and research purposes and for customising, developing and improving our Services; and
enhance your experience while using the Services.
We collect your Personal Information in order to:
provide you with medical treatment or Services;
enable XRHealth and our third party suppliers and partners to provide you with the Services;
manage our relationship with you;
operate the Services (including sending receipts to you, etc.);
verify your identity when you sign in to the Platform;
personalise and enhance your experience while using the Platform;
respond to any enquiries made by you;
assess your suitability for and contact you about treatment or consultation that we believe may be of benefit to you;
provide you with commercial materials, updates about XRHealth’s developments, new offerings, news regarding the Services and other services/products that may be of an interest to you;
manage and develop our business and operational processes and systems;
contact you and remind you of an upcoming appointment for treatment or health care services;
enable payment through third party Online Payment Processors;
communicate with you;
conduct marketing (such as emails, advertisements on websites and social media platforms that you access) and provide you with technical assistance;
obtain feedback, and engage in analytic and research activities;
enable you to use social features;
manage and resolve any legal, clinical or commercial complaints or issues;
respond to claims that contact information (e.g. name, e-mail address, etc.) of a third-party has been posted or transmitted without their consent or as a form of harassment;
protect the rights, property, or personal safety of XRHealth, its users or the general public;
carry out internal operations such as record keeping, database management, data analytics or training;
perform other functions and activities relating to our business such as for quality assessment activities, training of medical students, necessary credentialing, and for other essential activities;
comply with our legal obligations or enforce our legal rights;
as otherwise required or authorised by law, including the Privacy Laws; and
keep the Platform safe and secure and prevent fraud and crime.
We only collect, hold, use and disclose sensitive information for the following purposes:
any purpose you consent to;
the primary purpose for which it is collected;
secondary purposes that are directly related to the primary purpose for which it was collected, including disclosure to the below listed third parties as reasonably necessary to provide our Services to you;
to contact emergency services, or to speak with your family, partner or support person where we reasonably believe there is a serious risk to the life, health or safety of you or another person and it is impracticable for us to obtain your consent; and
if otherwise required or authorised by law.
We may also be required by law to collect Personal Information for other purposes which we will advise at the time of collection.
Where you provide Personal Information to XRHealth as a service provider, contractor or prospective employee, we collect your Personal Information to enable us to fulfil the purpose and related purposes for which you provided the information.
Note that we collect, use and/or manage your Personal Information through XRHealth’s authorised third-party vendors of certain products or services (such as cloud hosting services) (including, as applicable, their affiliates) solely and only to the extent needed to provide us with such requested services, and not for any other purpose. Such vendors will treat any such Personal Information in compliance with the Australian Privacy Principles under the Privacy Act.
DE-IDENTIFYING YOUR INFORMATION
Where both possible and in our view appropriate, when using your Personal Information we will seek to de-identify it, so that your identity is not readily ascertainable from the de-identified information.
DISCLOSING YOUR PERSONAL INFORMATION
If we disclose your Personal Information it will only be for the primary purpose for which it was collected or for a related secondary purpose where you would reasonably expect us to disclose the information. We may disclose Personal Information, and you consent to us disclosing your Personal Information, to the following parties:
our agents and service providers;
our professional advisors;
health professionals. For example, your health information will be disclosed to the nurses, physiotherapists, doctors and other allied health professionals who participate in your care. We may disclose your health information to another health professional for the purpose of a consultation. We may also disclose your health information to your physician or another health professional to be sure those parties have all the information necessary to diagnose and treat you;
potential or actual buyers of our assets or business, such as by means of merger, acquisition or purchase of all or substantially all of the assets of XRHealth, so long as such potential or actual buyer maintains the same privacy terms hereunder;
payment system operators and financial institutions. For example, a bill may be sent to you, your insurance company, or a third-party payer which contains Personal Information;
pharmaceutical company patient assistance programs and patient support organisations in order to assist you in obtaining payment for your care or payment for certain parts of your care;
your agents and advisors or other persons authorised by, or responsible for, you;
the health insurer of which you are a member and/or other third party insurers from time to time;
third parties and other patients of XRHealth with whom XRHealth partners or works – to improve your opportunities or improve your wellbeing and/or the value you get from our Platform;
your employer (or their authorised representatives) if you are a prospective employee;
government, regulatory and law enforcement agencies as required, or as otherwise authorised or permitted by law;
other health funds, service providers or other third parties who assist us to detect, prevent, or otherwise address fraud, security or technical issues;
other parties that you explicitly provide your approval to prior to the disclosure; and/or
our employees, related bodies corporate and employees of those entities, third parties, contractors and other suppliers who provide services to us from time to time, including customer enquiries and support services, manufacturing services, shipping and freight services, debt-recovery functions, information technology service providers, marketing and advertising services.
In addition to clause 14.1, we will disclose your Personal and Sensitive Information to third parties where:
the disclosure is necessary because you are at risk of harm without treatment and you are unable to give consent (e.g. you might be unconscious after an accident); or
your health service provider is legally obliged to disclose the information (e.g. notification of certain infectious diseases or suspected child abuse, or a subpoena or court order); or
the information is necessary to obtain Medicare payments or other health insurance rebates; or
as otherwise required or authorised by law, including the Privacy Laws.
For the avoidance of doubt, XRHealth may transfer and disclose Non-Personal Information to third parties at its discretion, including without limitation for statistical, analytical and research purposes and for customising, developing and improving our Platform.
we will collect, use and disclose your self-inputted personal, biometric, health, exercise and diet information and automatically inputted information from connected apps and devices for the purposes of that app in helping you to achieve your goals;
to facilitate the operation of the app, the app provider will also handle your information on our behalf; and
CLOSING YOUR ACCOUNT
In the event that you wish to cancel your Account, you can email your request to our Privacy Officer (details below), and we will close your Account and delete any Personal Information therein pursuant to any applicable privacy laws.
We will retain and use your Personal Information for a reasonable time after termination as necessary to comply with our legal or business requirements or obligations (including as required by applicable law), to resolve disputes, to enforce our Terms and/or to enable you to reinstate your Account. Aggregate and/or anonymous data derived from your Account information or from your use of the Platform may remain on XRHealth servers indefinitely.
Note that unless you instruct us otherwise we may retain your Personal Information for as long as required to provide you the related services, all as permitted under any applicable privacy laws.
If you reside in Australia, in the event that there is a data breach and we are required to comply with the Notifiable Data Breaches scheme (under Part IIIC of the Privacy Act 1988), we will take all reasonable steps to contain the suspected or known breach where possible and follow the process set out in this clause.
If we have reasonable grounds to suspect that the data breach is likely to result in serious harm to any individuals involved, then we will take all reasonable steps to ensure an assessment is completed within 30 days of the breach or sooner if possible. We will follow the guide published by the Office of the Australian Information Commissioner (if any) in making this assessment. If we reasonably determine that the data breach is not likely to result in serious harm to any individuals involved or any remedial action we take is successful in making serious harm no longer likely, then no notification or statement will be made.
In the case of a Personal Information breach that affects an EU citizen, we shall, without undue delay and where feasible not later than 72 hours after having become aware of the breach, notify you and the Information Commissioner’s Office, unless the breach is unlikely to result in a risk to your rights and privacy.
From time to time, we may collect and use your Personal Information so that we can promote and market our Services to you and keep you informed of special offers or updates.
You can opt out of us sending you marketing emails or push notifications. These communications may be sent in various forms, including mail, over the phone, via SMS or via email, in accordance with applicable marketing laws, such as the Spam Act 2004 (Cth) and the Do Not Call Register Act 2006 (Cth). If you opt out of receiving marketing messages from us, we may still send you newsletters and updates about your account. We only send you marketing material if you’ve agreed to it, but if you’d rather we don’t, you can easily unsubscribe at any time.
You can unsubscribe from our marketing communications or change your communications preferences by contacting us as set out below. If you wish to opt out of marketing in our app you will need to do so in the privacy settings of the app.
HOW WE COMMUNICATE WITH YOU
To keep you informed more quickly, where you provide us with an email address we send most service-related communications to you by email. Service-related communications are the essential things you need to know about our Platform, like progress updates on your performance, changes to Services and appointment reminders.
HOW WE MANAGE YOUR PERSONAL INFORMATION WHEN YOU RECEIVE HEALTH-RELATED SERVICES
The health professional may provide health-related services to you, including telephone services, health management programs and online health-related services.
The health professional may collect and use your Personal Information to provide these services to you including to:
manage their relationship with you and contact you for follow up purposes;
manage, review, develop and improve their health-related services and their business and operational processes and systems;
provide information about the services to the funders of those services (for example, your insurer); and
perform any of their other disclosed functions or activities.
The health professional may collect your Personal Information from XRHealth, from you or from a person authorised by or responsible for you.
If you use health-related services, the health professional may disclose your Personal Information to XRHealth in order for us to ensure that you are eligible for services and that our records for you are accurate.
In order to perform the above functions, health professionals may disclose your Personal Information to each other and to third parties such as their agents, service providers and professional advisors, health service providers, persons authorised by or responsible for you, and to other parties to whom they are authorised or required by law to disclose information including government agencies, and these parties may collect that information.
WE MAY DISCLOSE YOUR PERSONAL INFORMATION OVERSEAS
If your Personal Information is sent to a recipient in a country with data protection laws which are at least substantially similar to the APPs, and where there are mechanisms available to you to enforce protection of your Personal Information under that overseas law, we will not be liable for a breach of the APPs if your Personal Information is mishandled in that jurisdiction.
If your Personal Information is transferred to a jurisdiction which does not have data protection laws as comprehensive as Australia’s, we will take reasonable steps to secure a contractual commitment from the recipient to handle your information in accordance with the APPs.
On occasion, we may also disclose your Personal Information to overseas organisations where you instruct us or expressly consent to us doing so. In such cases, we may not be able to ensure adequate protection in relation to those organisations’ management of your information.
Please see below the countries to which we may disclose Personal and Sensitive Information about you in the course of our functions and activities. We may also disclose Personal and Sensitive Information about you to recipients in other countries from time to time that are not on this list, where our service providers or relevant third parties, or their (or our) computer systems and/or IT services may be located:
United States of America;
UPDATING YOUR PERSONAL INFORMATION
To enable us to provide the best services to you, it is important the information we hold about you is up to date. If you believe any information we hold about you is inaccurate, incomplete or out of date, please let us know. You may contact us or update your settings to correct, delete or update your Personal Information.
You may have your information, where technically feasible, sent to another organisation, where we hold this information with your consent or for the performance of a contract with you.
We will not normally charge a fee for processing a request unless the request is complex or is resource intensive. We do, however, reserve the right to charge an administration fee if an individual requests access to their Personal Information more than once in a 3 month period.
IF YOU HAVE CONCERNS ABOUT YOUR PERSONAL INFORMATION
XRHealth has a designated Privacy Officer. If at any time you have a privacy related issue or wish to make a complaint, please contact our Privacy Officer on the details below.
You should put any complaint you have in writing and give as much detail as you can about the nature of your complaint and the information affected.
The Privacy Officer will manage the investigation of your complaint or concern and communicate with relevant parties. XRHealth will respond to you within a reasonable period, which will generally be within 30 days of receiving your complaint.
If you are not satisfied with our resolution of your complaint, you can contact the Office of the Australian Information Commissioner and can find more information on the Commissioner’s website at www.oaic.gov.au to enquire about your privacy rights or to lodge a complaint about how we have handled your Personal Information. The Privacy Commissioner has the power to investigate the matter and make a determination.