1 PURPOSE OF OUR POLICY
1.1 Healthlab Online Limited (Company Number 10616389) of East Witheridge Penn Road, Knotty Green, Beaconsfield, Buckinghamshire, United Kingdom, HP9 2TW and/or each of its subsidiaries (as applicable), including Prescribed Investments Pty Ltd trading as HealthLab Australia (ABN 92 169 233 916) (we, us or our) provides health, nutrition and fitness programs, which may consist of online information, forums and services (Online Services), diet plans, recipes, exercises, forums and professional in-person training and consultation (Programs). Our websites include www.cleverguts.com, http://www.ifast12.com, www.ifast12online.com; https://www.thebloodsugardiet.com.au, www.thebloodsugardiet.com, www.fast-exercises.com and any other URL operated by the Company.
1.2 A participant in any Program (Participant) may also engage services from a qualified health professional independent of the Company (Professional).
(a) Providing the system and services that we offer (including Programs); and
(b) The normal day-to-day operations of our business.
2 WHO AND WHAT THIS POLICY APPLIES TO
2.2 We handle Personal Information of adults and in our own right and also for and on behalf of our customers and users.
2.3 We do not knowingly solicit data from or market to children under the age of 18. If a parent or guardian becomes aware that his or her child has provided us with information or may be receiving communications, we ask that this be brought to our immediate attention. We will make it our priority to address this situation and delete information relating to a child as soon as practicable. In such an event, please contact us.
3 CONSENT TO COLLECTION OF DATA
3.1 An individual may withdraw consent or opt to not have us collect their data and communicate with them at certain times by not providing express content This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us.
(a) Opt In – Consent. Where relevant, the individual will have the right to consent to having information collected and/or receive information from us; or
(b) Opt Out. Where relevant, the individual will have the right to exclude himself or herself from some or all collection of information and/or receiving information from us. An individual may revoke their consent at any time, and the decision to opt out will be made through the same media which allowed the individual to opt in (and potentially other media).
3.2 We may send an individual important notices, such as changes to our terms, conditions and policies. Because this information is important to the individual’s interaction with us, they may not opt out of receiving these communications.
3.3 If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us on the details below.
4 THE INFORMATION WE COLLECT
4.2 This information allows us to identify who an individual is for the purposes of our business, share Personal Information when asked of us, contact the individual in the ordinary course of business and transact with the individual.
4.3 In connection with our Online Services and the Programs, we will collect and process the following information:
(a) Website: When you use our websites, whether for browsing, looking at free content, signing up to one of our Programs, accessing the free forums or to sign up to any one of our newsletters or promotional emails, you may be asked to fill in forms to create your own account – we may ask you to provide us with the following information: name (first name and surname), email address, account user name, phone number, address.
(b) Purchases: To complete your online purchase for any Program you will also be asked to provide our third party payment service provider with: phone number, billing address, shipping address (if different), payment details (e.g. credit card details). We do not store any credit card or other payment details ourselves.
(c) Online services and Programs: We may also obtain additional personal data, which could include more sensitive data, health information and EHR when you supply information through our websites, forums, sign-up forms, emails, Facebook community groups, programs or when completing a quiz. We also collect information regarding program completion and progression.
(d) Social Media: We may also interact with social media accounts. By interacting with us on social media platforms by way of “liking”, “following”, commenting, “retweeting” or “sharing”, you consent to our interaction with you.
(e) Website Analytics: We use website analytics to evaluate and improve our websites, offer and improve our service to all of our customers. To do this, we track anonymised usage of our websites. We may also collect your IP address and device-specific information, such as the hardware model, operating system version, advertising identifier, unique application identifiers, unique device identifiers, browser type, language, wireless network, and mobile network information (including the mobile phone number).
(f) Marketing: Our third party service providers collect information when you visit our Website, in order to track browsing behaviour and shopping intent, so we can show you relevant and targeted advertising across advertising networks such as Google, Facebook and several others, and for analytics purposes and other statistical information. This information is pseudonymised to protect your privacy.
4.4 Most information will be collected in association with an individual’s use of our website or a Program, an enquiry about a Program or generally dealing with us. However we may also receive Personal Information from staff, recruitment agencies and our business partners when consent has been obtained from an individual for that purpose. In particular, information is likely to be collected as follows:
(a) Contact Information. We may collect information such as an individual’s email address, address and other information that allows us to contact the individual;
(b) Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities.
(c) Access. When an individual accesses us physically we may require them to provide us with details for us to permit them such access. When an individual accesses us through the internet we may collect information using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services; and/or
4.5 third party provides data or other information about any individual, we ensure that third party warrants has obtained necessary consent to provide such information to us for the purpose specified.
4.6 We will publish changes to the way that information is collected at the point of collection and within this policy.
4.7 As there are many circumstances in which we may collect information both electronically and physically, we will ensure that an individual provides express consent when their Personal Information is being collected in any other way.
4.8 Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a client) we will either delete/destroy the information, or inform the individual that we hold such information.
5 WHEN PERSONAL INFORMATION IS USED & DISCLOSED
5.1 We will not use any Personal Information other than for the purpose for which it was collected other than with the individual’s permission, pursuant to contract or where we have a legitimate interest. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
5.2 The primary reason Personal Information is used or disclosed is to deliver the website and any Programs.
5.3 Information is also used to enable us to operate our business, especially as it relates to an individual. This may include, subject to express consent (as required):
(a) The provision of goods and services between an individual and us;
(b) Verifying an individual’s identity;
(c) Communicating with an individual about:
i Their relationship with us;
ii Our goods and services;
iii Our own marketing and promotions to customers and prospects;
iv Competitions, surveys and questionnaires, for which we will get express consent at the point of submission;
(d) Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or
(e) As required or permitted by any law (including applicable Privacy Law).
5.4 It is necessary for us to disclose an individual’s Personal Information to third parties in a manner compliant with applicable Privacy Law in the course of our business. This may include releasing the Personal Information in EHRs to Professionals if authorised by the Participant, by giving them access to the EHR.
5.5 We will not disclose or sell an individual’s data to unrelated third parties under any circumstances unless applicable consent has been obtained for us to engage other companies to perform tasks on our behalf and we need to share your information with them to provide products and services to you. We will ensure that any such providers comply with the principles of applicable Privacy Law.
5.6 There are some circumstances in which we must disclose an individual’s information:
(a) As part of a sale (or proposed sale) of all or part of our business;
(b) Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of; and/or
(c) As required or permitted by any law (including applicable Privacy Law).
6 HOW & WHERE DATA IS STORED
6.1 The data that we collect from you may be transferred to, and stored outside of Australia and/or the European Economic Area (EEA) (as applicable) including with third parties. Personal information may also be transferred, processed and stored outside Australia and/or the EEA for data processing. By submitting your personal data, you agree to this transfer, processing and/or storage.
6.2 We utilise third-party service providers to process information, communicate with individuals to store Personal Information and to host or transmit basic health information. These servicesinclude:
(a) Amazon Web Services: operated by Amazon Web Services Inc. (a company incorporated in the United States of America) that host on servers that may be located in Australia, The United States of America and/or the United Kingdom; and
(b) Media Cloud: who provide us with email and website hosting services.
(c) Mailchimp: who store and manage website user and program user email addresses and other information, as well as providing with email automation services.
(d) PayPal: who provide payment processing services.
(e) Google Analytics: who monitor anonymisedwebsite browser behaviour and navigation across the Website.
(f) Signifi Media: for direct marketing and statistical purposes.
(g) Stopforumspam.com and Akismet for spam filtering purposes.
(h) WordPress: for website and program building along with content and user management.
(i) LearnDash- learning management system used in some of our programs;
(j) HotJar: used to monitor user interaction on websites and programs. This data is anonymised.
(k) Facebook: to track Facebook advertising conversion analytics (utilising the Facebook pixel plugin)
6.4 We are not responsible for the privacy practices of third parties providing services to you directly (for example, Facebook) and the information we may obtain from those services often depends on your settings or their privacy policies. You should read the privacy policies of third party service providers so you can understand the manner in which your personal information will be handled by these providers.
6.5 We will retain data for the period necessary to fulfil the purposes outlined in this Policy unless a longer retention period is required or permitted by law. Whilst the retention vary according to the type of record, in respect of certain EHR in Australia and the United Kingdom we allow for 8 years from (i) the date of last treatment for adult records and (ii) for children eight years after their 18 birthday or until 25 years of age. In certain circumstances we may be legally required to maintain records indefinitely.
7 THE SAFETY & SECURITY OF PERSONAL INFORMATION
7.1 We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.
7.2 The Online Services of our Programs use SSL encryption to store and transfer Personal Information. We also help keep your data secure by following our internal policies of best practice and data protection. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk.
7.3 We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.
7.4 If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.
7.5 To the extent permitted by law: we cannot accept responsibility for misuse or loss of, or unauthorised access, where the security of information is not within our control; and we are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were authorised to provide that person with the Personal Information.
7.6 In the unlikely event of a criminal breach of our security we will inform the relevant regulatory body within 72 hours and, if your personal data were involved in the breach, we shall also inform you.
8 HOW TO ACCESS AND/OR UPDATE INFORMATION
8.1 Users of a Program can update their Personal Information from within their Online Service account or profile.
8.2 Subject to applicable Privacy Law, an individual has the right to request from us the Personal Information that we have about them, and we have an obligation to provide them with such information within 28 days of receiving their written request.
8.3 If an individual cannot update its own information, we will correct any errors in the Personal Information we hold about an individual within 7 days of receiving written notice from them about those errors.
8.4 It is an individual’s responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.
8.5 We may charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal Information we hold about them if such a request is manifestly unfounded or excessive. We reserve the right to clarify the specific information your request relates to.
8.6 Information will be provided within one month of receipt of the request.
9 YOUR RIGHTS, COMPLAINTS AND DISPUTES
9.1 You have the right to object to processing not based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); and direct marketing, unless we hold legitimate grounds for processing or the processing is for the establishment, exercise or defence of legal claims.
9.2 You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes the General Data Protection Regulation.
9.3 You have the right to object to:
(a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
(b) direct marketing; and
processing for purposes of scientific/historical research and statistics
unless we hold legitimate grounds for processing or the processing is for the establishment, exercise or defence of legal claims.
9.4 If an individual has an objection or complaint about our handling of their Personal Information, they should address their complaint in writing to the details below.
9.5 If we have a dispute regarding an individual’s Personal Information, we both must first attempt to resolve the issue directly between us.
9.6 If we become aware of any unauthorised access to an individual’s Personal Information which is likely to result in a high risk for the rights and freedoms of the data subjects we will inform the individual without undue delay after becoming aware of it once we have established what was accessed and how it was accessed.
10 CONTACTING US
10.1 Any correspondence regarding privacy should be sent by email to:
10.2 If email is not possible, correspondence should be addressed to:
HealthLab Online Limited
East Witheridge Penn Road, Knotty Green,
United Kingdom, HP9 2TW
11 ADDITIONS TO THIS POLICY