Privacy Policy

1. Respecting your privacy

Your privacy is important to Pryzm Health Pty Ltd (ACN 614 808 767) of Unit 30609, 9 Lawson St, Southport, Queensland, Australia, (‘we’, ‘us’ or ‘our’). This privacy policy sets out how we collect, hold, use and disclose your personal information.

We provide the following Platforms:

(a) a platform to conduct and manage a process, project, workflow or task which includes a clinical trial (each a Project, together the Project Platform);

(b) a platform for users to track their COVID19 symptoms available at http://covidaware.me (COVID19 Platform),

(together, the Platforms).

To become a registered user of any of our Platforms, you will be required to agree that your personal information will be collected, held, used and disclosed by us in accordance with this policy. We may amend this policy from time to time, and the amended policy will be made available in the Platforms. You may be asked to accept the new policy before you can continue to use the Platforms. If you are not asked, we will treat your continued use of the Platforms, or your provision of further personal information to us, as your acceptance of the amended policy.

2. Collection

We collect personal information from:

(a) individuals and businesses who want to use the Project Platform to conduct a Project (Project Customers);

(b) individuals who want to use the Project Platform through the access provided by a Project Customer in relation to a Project in which they are involved (Project End Users). Project End Users can include patients, employees and contractors of the Project Customer, and other third parties to whom the Project Customer grants access to the Project Platform in relation to a Project; and

(c) individuals who use the COVID19 Platform (COVID 19 Users).

The types of personal information that we collect and hold about you will depend on our relationship with you and the circumstances of collection. The information will generally include:

(a) full name (for Project Customers and Project End Users only);

(b) email address;

(c) mobile phone number;

(d) your date of birth (for Project End Users only);

(e) other information about you and your health including age, gender, symptoms, pre-existing conditions, medications taken, dietary habits, specialist reports, test results, notes of your diagnosis (for Project End Users and COVID19 Users only);

Generally, we collect personal information directly from you. This may occur in a number of ways, including:

(a) when you sign up to become a registered user of any of the Platforms;

(b) when you update your information on any of the Platforms; and

(c) when you make an enquiry or provide feedback to us.

Sometimes we collect personal information from a third party or from a publicly available source, but only if you have consented to your information being used in this way, or would reasonably expect us to collect it in this way. We only collect this information from companies or sources that are allowed to disclose it to us.

3. Providing personal information of others to us

You must not provide us with personal information about any other individual unless you have the express consent of that individual to do so. If you do provide us with such information, before doing so, you:

(a) must tell that individual that you will be providing their information to us and that we will handle their information in accordance with this privacy policy; and

(b) warrant that you have that individual’s consent to provide their information to us.

4. Use of your personal information

We use the personal information (which is not sensitive information) we collect for the purposes for which it is collected and for other related purposes, and as permitted or required by law. Our general purposes may include:

(a) to provide the services you request, and to administer and manage those services;

(b) to respond to your enquiries or requests for assistance from us;

(c) to improve and develop the Platforms, including expanding the functionality and offerings available through the Platforms;

(d) otherwise to facilitate our business operations and processes.

5. How do we use sensitive information?

Sensitive information is a type of personal information that includes information about an individual’s health, racial or ethnic origin or sexual orientation or practices. We will only use your sensitive information for the purpose for which you have provided it to us and to the extent that it is reasonably necessary for us to provide the Platforms.

6. Disclosure of your personal information

Generally, we will obtain consent before we disclose any personal information other than as specified in this policy. Such consent may be given expressly or it may be implied by conduct.

In the specific case of Project End Users, your personal information will be disclosed to our Project Customers for their business purposes and to allow them to conduct the Project. More generally, your personal information may also be disclosed to:

our related entities, representatives and business partners for our business purposes; our third party service providers to permit them to provide services to us such as provision of infrastructure, information systems and IT services, data analysis, customer services and operation of call centres, and other similar services; our external advisers who have been engaged to provide us with legal, administrative, financial, insurance, research, marketing or other services; other parties as permitted or required by law or as we believe to be appropriate: (1) to enforce any applicable terms of use or end user licence agreements with us; (2) to protect our operations or those of any of our related entities; (3) to protect our rights, privacy, safety, confidentiality, reputation or property and/or that of our related entities, you or others; (4) to prevent fraud or cyber-crime; (5) to permit us to pursue available remedies or limit the damages that we may sustain; and (6) in connection with a merger or sale involving all or part of Pryzm Health Pty Ltd or as part of a corporate reorganisation or share sale or other change in corporate control; and any other person authorised, implicitly or expressly, when the personal information is provided to or collected by us. Some of our related entities or other third parties to whom we may disclose your personal information, may be located in countries outside Australia or may hold your data on servers located outside of Australia, including the United States of America.

We reserve the right to disclose any personal information (including sensitive information) to law enforcement or other government officials where such disclosure is required by law, or where we reasonably believe that disclosure is necessary or appropriate.

We will not share your personal information with third parties for their marketing purposes. We will never sell, trade, lease or rent your personal information to third parties. We may share de-identified, aggregated information with third parties for their marketing and business purposes, but such information will not individually identify you.

7. Payment providers

As set out in our Terms of Use, payments made by Project Customers must be made through one of our third-party payment providers (e.g. Stripe, Braintree) which are separate companies not owned or controlled by us.

In order to make such a payment, you will need to provide personal information to a third party payment provider who will handle your personal information in accordance with their privacy policy then in force. If you have questions about how your personal information is collected, used and disclosed by any third party payment provider, please review their privacy policy (which is generally available on their website) and/or contact the provider directly.

8. What happens if I do not provide personal information?

If you do not provide your personal information to us, you will not be able to use our Platforms.

9. Cookies

We may also collect data from you by using ‘cookies’, which are small data files deposited by the Platforms on your phone, computer, or other device. Cookies are sent back only to the servers that deposited them when a visitor returns to the relevant page. With the information we receive through cookie technology, we hope to improve the Platforms.

In addition, we may gather information about you that is automatically collected by our server, such as your IP address and domain name. We may use this information to customise our offerings, to make information more readily accessible to you, and to make the Platforms easier for you to use.

You can always disable the use of cookies by changing the security settings of your browser, but please bear in mind that this may affect how some items are displayed in the Platforms.

10. Data security

We take the security of your personal information seriously. We take reasonable steps to protect the personal information we hold, whether in electronic or other form, against loss, unauthorised access, use, modification or disclosure, and against other misuse.

When no longer required by us or when requested by you, we will take reasonable steps to destroy, delete or permanently de-identify personal information in a secure manner.

11. Access and correction

You may request access to the personal information we hold about you by contacting us using the contact details below. We will process such requests within a reasonable time. If we deny an access request as permitted or required by law, we will provide reasons to the extent we are required by law to do so.

We will take reasonable steps to ensure the personal information we hold about you is up to date and accurate. Please let us know promptly if any changes are required to be made to the personal information we hold about you by contacting us using the contact details below.

You may ask us at any time to correct personal information we hold about you. On request, we will take reasonable steps to correct the information so that it is accurate, complete and up to date, or will provide reasons for not doing so to the extent required.

Of course, you may also update your personal information at any time through the Platforms.

12. Complaints handling

If you wish to make a complaint about a breach of this policy or the Australian Privacy Principles, you can contact us using the contact details below. You will need to provide sufficient details regarding your complaint, together with supporting evidence and information. Our Privacy Officer will investigate your complaint and determine what steps we need to take to resolve your complaint. We will contact you if we require further information from you, and will notify you in writing of the outcome of our investigation. If you are not satisfied with the outcome, you may contact us to discuss the matter further, or you may make a complaint to the Information Commissioner using the details below:

Office of the Australian Information Commissioner: GPO Box 5218 Sydney NSW 2001 Email: enquiries@oaic.gov.au Telephone: 1300 363 992 Fax: 02 9284 9666

13. How to contact us

If you have any questions or concerns about this policy or our practices you may contact us by email sent to contact (at) covidaware.me.

Version No: 1 Date: 25 March 2020