1.     EMPOVA PRIVACY POLICY (Visual Ascent Pty Ltd)

This Privacy Policy sets out how Empova (a trading name of Visual Ascent Pty Ltd ACN 664 350 707) (referred to in this Privacy Policy as ‘Empova’, ‘we’, ‘us’ or ‘our’) manages your personal information in Australia. In this Privacy Policy, ‘you’ refers to any individual about whom we collect personal information.

Empova is committed to managing personal information in accordance with the Australian Privacy Principles (‘APPs’) in the Privacy Act 1988 (Cth) (‘Privacy Act’). We will only collect, use or disclose personal information in accordance with the Privacy Act and this Privacy Policy.

In addition to the Privacy Act 1988 (Cth), Empova complies with any applicable state or territory health records legislation governing the handling of health information, to the extent that such laws apply to our services.

Because Empova provides allied health services, we may collect and hold ‘sensitive information’ under the Privacy Act, including health information, where necessary to provide safe, appropriate, and tailored care.

2.     What is covered by this Privacy Policy?

This Privacy Policy sets out our policies for managing your personal information, specifically:

• the kinds of personal information we collect and hold,

• how we collect and hold it;

• the purpose for which we collect, hold, use and disclose it;

• how you can seek access to and correct it;

• how you can contact us to make a complaint and how such complaints will be dealt with; and

• how, and to whom your personal information will be disclosed to overseas, and why.

• If you need to contact us to discuss this policy, our contact details can be found below.

This Privacy Policy applies when you contact us, use our website, book an appointment, complete intake forms, attend a consultation (in person or via telehealth), participate in strength/physical activity support, communicate with us by phone/email/SMS, or interact with Empova via social media or other online platforms.

3.     What is personal information?

In Australia, ‘personal information’ is any information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Some personal information is ‘sensitive information’ under the Privacy Act. Sensitive information includes health information.

4.     What kinds of personal information does Empova collect and how does it collect this personal information?

Empova will, from time to time, collect personal information in the course of operating our clinic and providing allied health and related services.

When you use our services or interact with us, either electronically (e.g. via websites, online platforms, social media, chats, telephone, emails and/or SMS), telephone or as otherwise permitted by law, we may collect and hold personal information about you. We may also collect personal information about you from third parties where you have agreed with them that your information may be disclosed to us, and with whom we have business relationships.

Some examples of the types of information that Empova collects about you and how we collect this personal information are outlined below.

If you book an appointment, complete an intake form or become a client: we may collect your name, date of birth, preferred name, sex assigned at birth (if provided), contact details, address, emergency contact details, appointment information, and communications with us. We may also collect health information you provide (or that is provided to us with your consent) that is relevant to delivering safe and appropriate care.

If you participate in allied health services: we may collect health information including information disclosed in intake forms or consultations, such as medical history relevant to dietetic and lifestyle support, symptoms relevant to nutrition and physical activity, allergies/intolerances, dietary patterns, goals, relevant measurements (e.g. weight/height where provided), medications and supplements (as disclosed by you for context and safety), and clinical notes and care plans created by our practitioners.

If you participate in strength and physical activity support: we may collect information relevant to delivering general strength and physical activity support, such as exercise history, physical limitations, injury status and program-related notes. Personal trainers do not diagnose injuries or provide rehabilitation. Where clinical complexity or safety concerns are identified, Empova may recommend referral to a GP, Accredited Exercise Physiologist (AEP) or other appropriate provider.

If we communicate with other healthcare providers (optional): where you consent (or where permitted by law), we may collect and exchange relevant information with your GP or other treating providers to support coordinated and safe care.

If you sign up as a customer on our website: if we offer online accounts in future, we may collect your name, date of birth, gender, contact details, and account/login information (such as usernames and passwords) and other user IDs for integrated services.

If you do not sign up as a customer: we may collect general site traffic data (see the paragraphs on “When you use our websites” below).

When you place an order or browse our sites or platforms: if we offer retail products or merchandise in future, we may collect information needed to process transactions and deliver goods, such as billing/delivery details, order history, payment transaction details, and communications about your order.

If you elect to pay online using your credit card: your credit card details are not stored by us. They are handled by our third-party payment providers in accordance with their security processes.

When you use our websites: General site traffic data is collected for the purpose of site maintenance and improvement and provides information about which and how often certain pages are viewed. This helps us to understand how visitors use our site and alerts us to any areas of the site that may be difficult to navigate. The data we collect may include your IP address, your approximate geographic location, and data sent to us by your web browser, such as your operating system, browser type and version, computer type, MAC address and screen resolution. We may also collect metadata including social media content (including tags, handles and other social media profile information). This information may be collected directly and/or via cookies. Cookies and other tracking technologies are used by us and our third-party partners, such as our advertising and analytics partners and our fraud prevention service provides, to provide functionality and to recognise you across different services and devices. You may opt out of sending us cookie data but this may adversely affect your experience using our services.

We may use practice management software (e.g., Cliniko) to manage bookings, appointment reminders, client communications, invoices/receipts, and clinical notes. Cliniko (and other service providers we use) may collect and process personal information on our behalf in accordance with their own privacy and security practices and our contractual arrangements with them.

Voluntary third-party apps/devices: Some clients choose to use third-party apps or devices (such as nutrition/activity trackers or wearables). Sharing information from these tools with Empova is voluntary. If you choose to share screenshots/exports or reports, we may store them as part of your clinical record. Empova does not require, manage, or continuously monitor external tracking platforms.

Empova does not control, verify, or guarantee the accuracy of information generated by third-party apps, devices, or platforms. Any information shared from such tools is used only to support discussion and context during care and does not replace professional assessment or clinical judgement.

When you apply for a job with us: Personal information collected from employment applications by post or by email to Empova (Visual Ascent Pty Ltd) will only be used for the purpose of assessing a person’s suitability for available employment positions. Your employment application will be stored by us on file for the duration that it is relevant to the role you have applied for and then destroyed. This information will be disclosed to third parties as required for the purpose of assessing your application. The range of personal information that may be collected about applicants for employment include name, contact information (including email address, telephone number and postal address,) employment and training history and other information included as part of an application, resume or curriculum vitae. Information may also be obtained from psychological or aptitude tests and from referees.

When you engage in business with us: Empova may collect personal information from you when you provide it to us in the ordinary course of business, for example when you contract with us or otherwise engage with our business.

Enquiries: when you make an enquiry of us online or by phone, we may collect your name and contact details in order to respond to your enquiry.

In each case, by giving us access to this information, you are consenting to our ability to collect, store, use and disclose such information strictly in line with our Privacy Policy.

5.     What happens if you do not provide personal information?

The main consequence for you, if some or all of the above personal information is not collected by us is that we may not be able to provide services or information to you, or be able to provide them to the same standard as if we had the information requested.

In an allied health context, if you do not provide relevant health information, we may not be able to assess suitability of services or provide care safely and appropriately.

6.     Why does Empova collect personal information?

The personal information that we collect about you may be used by us for a number of purposes connected with our business including to:

1.      provide you with information that you have requested;

2.      verify your identity;

3.      contact you;

4.      manage bookings and appointments, including sending appointment reminders and service communications (including via email/SMS);

5.      provide allied health services, including dietetic services and behaviour change support delivered within dietetic scope;

6.      deliver general strength and physical activity support by qualified personal trainers, and manage participation safely;

7.      create and maintain clinical and practice records (including consultation notes and care plans);

8.      coordinate care with your nominated healthcare providers (e.g., GP/specialist/AEP or other allied health providers) where you have consented or where permitted by law;

9.      process payments and issue invoices/receipts;

10.   improve the website experience of our visitors;

11.   provide a personalised experience and tailored recommendations;

12.   provide goods or services to you or to receive goods or services from you;

13.   address any issues, problems or complaints that we or you have regarding our relationship;

14.   contract with you; and

15.   comply with our legal obligations.

For clarity, “personalised experience” may include tailoring communications, resources or service information based on the information you provide and your interactions with our services and website (including through cookies/analytics where enabled).

We also use personal information for our own internal business purposes including:

1.      for data analysis to improve our products, services and business;

2.      auditing our internal processes to ensure they function as intended and that we comply with regulatory requirements;

3.      for fraud and security monitoring;

4.      developing new products and services;

5.      identifying usage trends so we can understand which part of our services are of most interest to our customers;

6.      determining the effectiveness of marketing campaigns so that we can adapt to the needs and interests of our customers; and

7.      operating and expanding our business activities such as understanding which of our products and services are of most interest to our customers, so we can focus on our customers’ needs.

We may also use de-identified information for quality improvement and service development.

Empova does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals. Any clinical decisions are made by qualified practitioners exercising professional judgement.

7.     Do you collect my sensitive information?

The Privacy Act defines some types of personal information as “sensitive information”. Sensitive information is personal information which is information or opinion about a person’s racial or ethnic origin, political opinions or memberships, religious or philosophical beliefs or religious affiliations, professional or trade association or union memberships, sexual orientation or practices, criminal record or health (including genetic and biometric information or templates).

Because Empova is an allied health clinic, we may collect sensitive information, including health information, where necessary to provide our services safely and appropriately.

If you provide sensitive information to us for any reason you consent to us collecting, using and disclosing that information for the purpose for which you disclosed it and as permitted by the Privacy Act.

We handle health information with additional care, including restricting access to authorised staff/practitioners and service providers who require access to perform their roles.

8.     Do we engage in direct marketing?

As part of our promotional, educational and remarketing campaigns, we may contact you using the email address you have provided. If you prefer not to hear from us, you can opt-out at any time. To do so please click on the “unsubscribe” link at the bottom of any email we send you and you will be removed from any future communications.

If you opt-out of receiving marketing material from us, Empova may still contact you in relation to any ongoing relationship with you.

We may use cookies and advertising tools to measure marketing effectiveness and show ads to people who have visited our website (remarketing/retargeting), where enabled.

9.     Who do we disclose your personal information to?

We do not provide any personal information provided by you to any third parties other than as set out in this Privacy Policy, where required by law or as otherwise permitted by the Privacy Act.

In the course of conducting our business we may provide your personal information to third parties, such as fraud prevention providers, web hosting providers, IT systems administrators, practice management and clinical record system providers (e.g., Cliniko), mailing houses, couriers, payment processors, data entry service providers and electronic network administrators, professional advisers, such as lawyers, auditors, accountants, insurers, and other suppliers or service providers who support our clinic operations.

We may disclose your personal information to third parties:

1.      to enable our websites to function in the manner it is intended;

2.      for fraud detection and security detection or to prevent payment fraud;

3.      as part of our business processes and for the purposes described above in ‘Why does Empova collect personal information’;

4.      to meet the purpose for which your personal information was submitted;

5.      if we have your consent to do so or otherwise when we are authorised by law;

6.      to comply with any applicable law, regulation, court order or other legal requirements, including supplying such information to third parties such as lawyers, regulators or law enforcement where applicable law compels us to do so;

7.      conduct promotional activities, provide special offers, and send you marketing communications from us (subject to your right to opt out at any time);

8.      to coordinate care with your nominated healthcare providers (e.g., your GP, specialist, AEP or other allied health providers) where you have consented or where permitted by law; and

9.      as generally required when we need their assistance in our day-to-day business operations or so can work with them to provide goods or services to you.

Website hosting / website platform:

We may disclose personal information to Squarespace to power and host our website. Squarespace may collect and process data (including via cookies) in accordance with its privacy practices. You can read more about how Squarespace uses personal data here: https://www.squarespace.com/privacy

We may also use and share your personal information:

1.      to transfer your information to a third party as a result of a sale, merger or consolidation of us, insofar as the third party has agreed to comply with all privacy laws applicable to it and adhere to terms similar to this Privacy Policy;

2.      with our related bodies corporate only where necessary for permitted operational purposes (e.g., finance, governance, insurance, legal), and only to the extent required; and

3.      with any other persons and entities permitted under the Privacy Act.

We will not supply, sell or in any other knowing way, make available your personal information to other parties other than in the circumstances outlined above, unless you authorise us to do so.

10.  Does Empova store personal information outside of Australia?

Some personal information may be transferred to, stored in, or processed in countries outside of Australia in the course of operating our clinic and related services.

We may disclose personal information overseas where:

we engage third-party service providers to assist with technology, data storage, practice management, communications, analytics, website hosting, or payment processing; and those service providers store or process information using servers or infrastructure located outside Australia.

Empova’s primary place of business is in Australia. We do not disclose personal information to related entities for general group marketing purposes. Any disclosure to a related body corporate (if ever required) would be limited to what is reasonably necessary for permitted operational purposes (such as governance, finance, insurance, or legal compliance), and only to the extent required.

Your personal information may be subject to the laws of the country in which it is stored or processed. By providing us with personal information, you acknowledge that your information may be transferred, processed, or stored outside Australia and that overseas jurisdictions may have different data protection regimes. In certain circumstances, courts, law enforcement agencies, regulatory authorities, or security bodies in those countries may be entitled to access personal information.

Where we disclose personal information outside Australia, we take reasonable steps, where required under the Privacy Act 1988 (Cth), to ensure that overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles.

If you do not agree to the transfer of your personal information outside Australia, please contact us using the details set out under “Contacting Us”. In some circumstances, this may mean we are unable to provide certain services to you.

11.  Can you deal with Empova anonymously or using a pseudonym?

Where it is lawful and practicable, Empova will provide individuals with the option of dealing with us anonymously or using a pseudonym (for example, when making a general enquiry that does not involve clinical services).

However, because Empova provides allied health and physical activity services, it is generally not practicable for us to deal with individuals anonymously or pseudonymously on an ongoing basis. In particular, we may need to collect personal information (including health information) to:

·        assess whether our services are safe and appropriate for you;

·        provide allied health care and physical activity support;

·        maintain accurate clinical and administrative records;

·        communicate with you about appointments and care;

·        process payments and meet insurance, professional, and legal obligations; and

·        coordinate care with other healthcare providers where relevant.

If you choose not to provide personal information, we may be unable to provide some or all of our services to you.

12.  How does Empova hold and protect your personal information?

Empova holds personal information in paper-based records and in electronic systems, including secure cloud-based systems operated by us or by third-party service providers on our behalf (which may be located in Australia or overseas).

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, in accordance with our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

These steps include, where appropriate:

·        implementing and maintaining policies, procedures, and systems designed to ensure compliance with privacy and health-record obligations;

·        using secure practice management and clinical record systems (such as Cliniko) to manage bookings, clinical notes, and communications;

·        restricting access to personal information to authorised personnel only, based on role and necessity;

·        using technical safeguards such as passwords, access controls, firewalls, encryption, and secure hosting environments;

·        maintaining physical security over any paper records or devices that store personal information; and

·        regularly reviewing security measures to reflect changes in technology, risk, and regulatory requirements.

While we take reasonable steps to protect personal information, no data transmission over the internet or electronic storage system can be guaranteed to be completely secure. To the extent permitted by law, Empova excludes liability for unauthorised access to personal information caused by factors beyond our reasonable control.

If you become aware of a suspected or actual data breach involving your personal information, please notify us as soon as practicable. We will assess and respond to any data breach in accordance with our obligations under the Privacy Act 1988 (Cth), including mandatory notification requirements where applicable.

13.  For how long does Empova keep your personal information?

Empova retains personal information only for as long as it is necessary or permitted, having regard to the purpose for which the information was collected.

In determining how long personal information is retained, we consider factors including:

·        the length of time we have an ongoing relationship with you and provide services to you;

·        our professional, clinical, insurance, and legal obligations to retain certain records (including health records);

·        requirements under applicable laws and professional standards; and

·        legal advice we receive, including in relation to complaints, disputes, investigations, or litigation.

Health records and clinical information are retained in accordance with applicable Australian laws, professional standards, and insurer requirements, including minimum retention periods where required. Health records may be retained for longer periods where required by law, professional standards, or insurance obligations applicable to allied health practitioners.

When personal information is no longer required for any permitted purpose, we take reasonable steps to securely destroy or permanently de-identify the information in a manner that prevents re-identification.

14.  How can you access your personal information?

You are entitled to request access to the personal information that Empova holds about you.

If you would like to request access to your personal information, or to request a copy of your personal information in electronic form (including where applicable for the purpose of transmitting it to another organisation), please contact us using the details set out under “Contacting Us”.

We will not charge you for making a request to access your personal information. However, to the extent permitted by law, we may charge a reasonable fee to cover the time and costs involved in locating, compiling, and providing access to the information.

For your protection, we may need to verify your identity before processing your request. We will respond to access requests within a reasonable period and in accordance with the Privacy Act 1988 (Cth).

In some circumstances, we may refuse access to personal information where permitted or required by law (for example, where providing access would pose a serious threat to the life, health, or safety of any individual, or would unreasonably impact the privacy of others). If we refuse access, we will provide you with written reasons for our decision, to the extent required by law.

15.   How can you correct your personal information?

Empova takes reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, complete, and up to date.

You can help us maintain accurate records by notifying us if your personal details or circumstances change, or if you believe any information we hold about you is incorrect.

If you believe that any personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request that we correct the information. To do so, please contact us using the details set out under “Contacting Us”, and clearly identify the information you believe requires correction.

For your protection, we may need to verify your identity before processing your request. We will respond to correction requests within a reasonable period and in accordance with the Privacy Act 1988 (Cth).

In some circumstances, we may decline to correct personal information where permitted or required by law. If we do so, we will provide you with written reasons for our decision and, where appropriate, take reasonable steps to associate a statement with the relevant information noting your request for correction.

16.  What about links to other websites or third-party platforms?

This Privacy Policy applies only to personal information collected, held, used, or disclosed by Empova in the course of providing our services.

Our website, communications, or social media pages may contain links to third-party websites, platforms, applications, or services (including social media platforms, booking or payment services, or external resources). Empova does not control, and is not responsible for, the privacy practices, content, or security of those third-party websites or platforms.

Any personal information you provide to third-party websites or platforms is governed by their own privacy policies and terms. We encourage you to review the privacy policies of any third-party websites or services you access through links from our website or communications.

Empova is not liable for the privacy practices or content of third-party websites or platforms.

Empova does not provide clinical advice, care, or monitoring through social media platforms or public messaging services. Social media accounts should not be used for urgent matters, clinical concerns, or personal health information. Messages sent via social media may not be monitored in real time and are not a substitute for direct communication with Empova or appropriate medical care.

17.  Minors

Empova’s services are primarily designed for adults. We do not knowingly collect personal information from individuals under the age of 16 years without the consent of a parent or legal guardian, except where permitted or required by law.

Where services are provided to a person under 18 years of age, we may require consent from a parent or legal guardian and may collect personal information from that parent or guardian for the purpose of providing safe and appropriate care.

If we become aware that we have collected personal information from a child under 16 without appropriate consent, we will take reasonable steps to delete or de-identify that information, unless we are required by law to retain it.

If you believe that a child has provided personal information to Empova without appropriate consent, please contact us using the details set out under “Contacting Us”.

Empova may rely on information provided by a client or their guardian regarding age and consent unless we have reason to believe that such information is inaccurate.

18.  Information that is not personal information (De-Identified Data)

Empova may use, analyse, or create information derived from personal information in a way that removes identifying details, so that the information can no longer reasonably identify an individual (“De-Identified Data”).

De-Identified Data may be created through aggregation, anonymisation, or other de-identification techniques and may be used for purposes such as:

·        quality assurance and clinical governance;

·        service evaluation and improvement;

·        training and professional development;

·        research, reporting, or analytics; and

·        business planning and operational improvement.

De-Identified Data is not personal information for the purposes of the Privacy Act 1988 (Cth) because it does not identify an individual and cannot reasonably be re-identified.

If De-Identified Data is combined with other information in a way that could reasonably identify an individual, Empova will treat that information as personal information and handle it in accordance with this Privacy Policy and applicable privacy laws.

19.  How can I complain about the management of my personal information?

If you have any questions, concerns, or complaints about this Privacy Policy or about how Empova manages your personal information, you may contact us at any time using the details set out under “Contacting Us”.

If you wish to make a complaint about a potential breach of the Privacy Act 1988 (Cth) or the Australian Privacy Principles, you may be asked to submit your complaint in writing and provide relevant details to assist us in investigating the matter.

Empova will investigate all complaints and aim to respond within 30 days of receiving your complaint. If the matter is complex or requires additional time to investigate, we will let you know and keep you informed of the progress.

If you are located in Australia and are not satisfied with our response or how your complaint has been handled, you may refer the matter to the Office of the Australian Information Commissioner (OAIC):

Email: enquiries@oaic.gov.au

Website: www.oaic.gov.au

20.  Are there any other privacy terms that may apply?

There may be additional privacy notices, consent forms, or terms that apply to you depending on how you interact with Empova and the nature of the services you receive (for example, intake forms, consent forms, or service-specific notices).

This Privacy Policy does not apply to the personal information of Empova’s employees, contractors, or practitioners in their capacity as team members, which is managed separately in accordance with applicable employment and workplace laws.

Where additional privacy notices apply, those notices should be read together with this Privacy Policy.

21.  Changes to this Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes in our practices, services, legal requirements, or regulatory obligations.

When we make changes, we will update this Privacy Policy by publishing the revised version on our website or otherwise making it available to you. The updated version will take effect from the date it is published, unless stated otherwise.

We encourage you to review this Privacy Policy periodically to ensure you are aware of any changes and how your personal information is managed.

22.  Contacting Us

If you have any questions, concerns, requests, or complaints about this Privacy Policy or about how Empova manages your personal information, you can contact us using the details below:

Privacy Officer - Empova

Visual Ascent Pty Ltd

Email: privacy@empova.com.au

We will respond to privacy-related enquiries within a reasonable timeframe and in accordance with our obligations under the Privacy Act 1988 (Cth).

23.  Copies of this Privacy Policy

You may request a copy of this Privacy Policy at any time, including a hard copy, by contacting us using the details set out under “Contacting Us”.

This Privacy Policy is available on our website and may also be provided to you upon request.