Effective as of 1 August 2019
C2U is committed to protecting the safety and security of the Personal Information of individuals whose information C2U has access to, including members and users of the C2U Platform (defined below) and other persons with whom C2U interacts (each a ‘User’ or ‘you’).
“Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.”
1. ABOUT CHEMIST2U
C2U is a distribution provider that operates a website, mobile applications, an online platform and related services that connect members with pharmacies to ensure the convenient and dependable delivery of a range of goods to members, including without limitation therapeutic goods pursuant to medical scripts (collectively ‘C2U Platform’).
In providing the C2U Platform, we are sensitive to Users’ concerns about the safety of their Personal Information.
In essence, C2U will typically only:
collect, use or share your Personal Information with your consent (unless it is not reasonable in the circumstances to obtain your consent and it is legally permissible for us to do so) or when required by a legal obligation; and
interact with your Personal Information in order to (a) provide you with the C2U Platform and information regarding associated goods and services; and (b) help us improve and develop the C2U Platform and our service offering generally.
C2U has developed our privacy framework to assist Users, and to comply with privacy legislation and regulations applicable to us and our management of your Personal Information.
2. HOW CHEMIST2U COLLECTS YOUR PERSONAL INFORMATION
C2U collects Personal Information from individuals in one of three main ways:
(a) Directly from Users, when they interact with C2U or the C2U platform (e.g. provide feedback or register a User account);
(b) Passively from Users, when they interact with and use the C2U Platform;
(c) From third-parties in certain, specific circumstances (e.g. if you sign up to the C2U Platform through a third-party service or platform they may provide us with information you have consented to them sharing).
The types of Personal Information collected in each situation are discussed further below.
3. WHEN CHEMIST2U COLLECTS INFORMATION FROM USERS AND WHAT WE COLLECT
(a) Personal Information collected directly
When Users sign up to components of the C2U Platform we collect the following types of Personal Information directly and consensually:
Basic User information, including your name, email and date of birth, and your gender;
Basic account information, including any display picture or other information you choose to associate with your account;
If you access the C2U Platform through a third-party service or platform (e.g. Facebook), we will collect information that is made available to C2U by those services or platforms. You can generally control the information we receive from these sources by using the privacy settings on the third-party services or platforms.
We will collect the following types of information from Users as they use the C2U Platform:
Basic account preferences, such as your settings (e.g. whether you use Touch ID or our repeats feature);
Content that you post and submit to the C2U Platform and our social media pages, which includes any content from third-party platforms (e.g. a profile picture you may use).
If a User decides to make a purchase over the C2U Platform we will collect the following types of Personal Information directly and consensually from you:
Purchase delivery information, such as your preferred delivery date and time, your full address and contact number;
Information about transactions, such as records of your purchases, deliveries and any preferences relevant to the online store component of the C2U Platform; and
Payment related information that is required to support your ability to make purchases over the C2U Platform (e.g. PayPal account information).
If a User decides to purchase a product that is subject to governmental health benefit schemes (e.g. Medicare), we may collect relevant health benefit identifier information directly and consensually from you (e.g. your Medicare card number and expiry date).
If a User decides to purchase a product that requires a valid doctor’s script (‘Pharmacy Product’), we will additionally collect the following types of Personal Information related to the purchase directly and consensually from you:
Script Information, such as details contained in the relevant script, a scan of the relevant script, and the hardcopy original of the script; and
Identity Confirmation Information, such as a photograph or scan of valid photo ID (e.g. your Driver Licence), or other associated information contained on it;
(NB – In the case that you are lawfully making a purchase for a minor, these types of Personal Information will relate to the minor, and not yourself.)
When a User makes an enquiry or sends us unsolicited feedback we may collect the following types of Personal Information directly and consensually:
Basic contact information, including your name and email; and
Feedback information and the details of your interactions with us, including communications with customer support or other C2U personnel (e.g. the contents of an in-app “contact us” message, or an email sent to firstname.lastname@example.org) or other information provided by you regarding your enquiry.
When you respond to a survey we may directly and consensually collect the Personal Information disclaimed on the survey form.
When you make an application for employment at C2U, we may collect any Personal Information provided within that application, such as the contents of a personal statement made in support of your application.
(b) Personal Information collected passively
As you interact with the C2U Platform or advertisements, we may collect the following types of Personal Information about your usage:
Content that you post in-app, including search terms;
Background account information, such as your notification settings; and
The following types of browser, system and device information regarding devices you link to the C2U Platform or use to access our digital content:
Locational information, regarding which country you’re accessing the platform from (e.g. the form of the IP address from which you access the C2U Platform);
Web data tracking information, such as data from cookies stored on your device, including cookie IDs and settings, as well as logs of your access of the C2U Platform;
Device information provided by devices you use to access your C2U Platform accounts (e.g. device information from a smartphone); and
System usage information, such as logs of your searches and navigation across the C2U Platform.
(c) Personal Information collected from third-parties
In certain specific situations, C2U may collect Personal Information about you from third-parties. The types of Personal Information that may be collected include:
Third-party account information made available to us if you register with C2U through a third-party service or platform; and
Web data tracking information provided to us that fits certain parameters of who we think could become C2U Users (e.g. information about the interests of individuals in the demographic of C2U Users). Ordinarily the web data tracking information we may collect or receive from third parties will be pseudonymised (as outlined below).
4. WHY CHEMIST2U COLLECTS YOUR PERSONAL INFORMATION AND WHAT WE USE IT FOR
Although C2U collects Personal Information from Users in a number of circumstances, C2U will use or disclose this information as described in this section in order to provide and develop the C2U Platform, and consistently with this policy.
Communicating with Users.
C2U will use basic User, account and contact information to communicate with individuals about their feedback or issues with the C2U Platform.
If Users have consented, C2U will also use these types of Personal Information to share relevant news and updates about C2U and the C2U Platform.
Administration and delivery of C2U Platform and products.
C2U will use basic User and account information, as well as other basic preferences to provide you with the baseline experience over the C2U Platform (e.g. allowing you to access and browse the C2U platform).
If you have registered using a third-party service or platform, C2U will also use this information for the same reasons.
C2U will use your basic User information for simple administrative tasks, such as resetting account passwords.
C2U will use your payment related information to facilitate your access to the online store and purchase of products.
C2U will use your health benefit identifier information to organise the purchase of relevant products from pharmacies. In the case of Pharmacy Products, C2U will also use your script information and identity confirmation information for this purpose.
C2U will use your basic User and purchase delivery information to facilitate delivery of your products. In the case of Pharmacy Products, C2U will also use your script information and identity confirmation information for this purpose.
C2U will use your account preferences and information about transactions to provide you with a tailored experience when using the C2U Platform.
C2U will use your Personal Information and information about transactions undertaken by you for the purpose of calculating fees payable or receivable by C2U to third parties or to improve the platform, products, and services provided by C2U and those third parties.
Ensuring User safety
C2U will also use any type of information collected to prevent and address risks to all Users (e.g. C2U will use information to investigate suspicious or threatening activity).
Research and development
C2U will use the following types of information to develop, test and improve the C2U Platform:
Survey and feedback information, as well as any content that is submitted in relation to products or features of the C2U Platform;
Basic account and online store preferences;
Content you submit, either directly through the C2U Platform or through third-party platforms or services.
Background account, browser, system and device information; and
Third-party web tracking information.
Together these types of Personal Information are used to provide us with an overview of how the C2U Platform is being used, any shortcomings it may have, and subsequently to highlight what will be the best means of improving the experience for all Users.
C2U’s preference will be to de-identify these types of information first, and then use it for this purpose in conjunction with de-identified browser and device information (see section 6 below for an explanation of what we mean by “de-identified”).
By signing up to C2U, C2U or our third-party service providers will use basic contact, enquiry, account, third-party account and web data tracking information to provide Users with relevant marketing materials and offers about C2U and the C2U platform. Users can always opt out of this through the functionality provided in each marketing communication (e.g. by clicking “unsubscribe” at the bottom of an email, or an unsubscribe link at the bottom of an SMS).
In some instances, where Users have expressly consented, we will also use these types of information to provide Users with personalised health intervention content and messages.
We use some basic information collected from our platform to enable us to display advertisements for Chemist2U that may be of interest to you on other websites via third parties (such as Google, YouTube, Facebook).
Any data matched with these platforms is used strictly in relation to Chemist2U activity and will not be used for any other marketing or advertising of third party services. We do not share any health related data with these platforms.
For more information and the ability to control your preferences on these platforms, visit:
5. CHEMIST2U’S DISCLOSURE OF PERSONAL INFORMATION
Generally, C2U does not disclose Personal Information to any third-parties except:
Pharmacies and service providers (e.g. delivery personnel and Payment Card Industry Data Security Standard (‘PCI DSS’) compliant third-party payment operators) C2U engages to help us provide and develop the C2U Platform and process the Personal Information we collect; and
Law enforcement agencies, or another party that has a legitimate legal right to access the information.
Third-party service providers that have referred a User to the C2U Platform, in which case the Personal Information of that User (or de-identified information relating to that User) may be shared with that third-party.
Some of the third-parties C2U discloses Personal Information to are located overseas. This is particularly the case for our third-party software and cloud service providers which are currently located in the United States.
As with disclosures to third-party service providers, overseas disclosures are always made once C2U has taken all reasonable steps to determine the information will be treated at least as favourably under the Act and other applicable privacy laws.
6. CHEMIST2U’S TREATMENT AND STORAGE OF INFORMATION
C2U’s general approach
C2U will keep your Personal Information confidential and not sell or knowingly divulge User information to any external third-parties, unless:
We believe, in good faith, that we are required to share the Personal Information with a third party in order to comply with legitimate legal obligations;
The disclosure is to a third-party processor of Personal Information that acts on our behalf and/or under our instruction in order to enable us to develop and deliver the C2U Platform (e.g. a cloud service provider or local marketing and development partner);
Other entities acquire ownership or operation of C2U or the C2U Platform; and/or
We need to protect the safety of Users, and the security of our C2U Platform.
C2U seeks the informed and voluntary consent of individuals whenever it collects their Personal Information, or as soon as possible after.
Users can always refuse or revoke this consent, but sometimes this will affect C2U’s ability to provide them with the C2U Platform and other offerings. C2U will advise Users if this is the case.
De-identified information refers to information that cannot reasonably be used to identify a particular individual.
De-identified information that will never be able to personally identify particular individuals is referred to as anonymised information (e.g. statistics that show 90% of Users were happy with the C2U Platform). Additionally, de-identified information that can identify individuals only if it is combined with another, separate piece of information is referred to as pseudonymised information (e.g. account ID numbers).
Where possible C2U will aim to collect, store and use anonymised information as a first preference, and if not, then pseudonymised information.
However, sometimes it will be impractical for User information to be de-identified or treated in this way, and in this case, C2U will continue to use and hold the information in a personally identifiable state. For example, if C2U needs to reply to a User enquiry we will have to use the contact information provided.
C2U is committed to information security. We will use all reasonable endeavours to keep the Personal Information we collect, hold and use in a secure environment. To this end we have implemented technical, organisational and physical security measures that are designed to protect Personal Information, and to respond appropriately if it is ever breached (e.g. C2U has developed an extensive Data Breach Response Plan which we use to prepare and respond to data breaches).
When information collected or used by C2U is stored on third-party service providers (e.g. Azure or AWS cloud servers), C2U takes reasonable steps to ensure these third-parties use industry standard security measures that meet the level of information security C2U owes Users.
As part of our privacy framework we endeavour to routinely review these security procedures and consider the appropriateness of new technologies and methods.
In the circumstances where C2U suffers a data breach that contains Personal Information, we will endeavour to take all necessary steps to comply with the Notifiable Data Breach Scheme outlined under the Act.
7. CHEMIST2U’S RETENTION OF INFORMATION
C2U retains Personal Information until it is no longer needed to provide or develop the C2U Platform, or until the individual who the Personal Information concerns asks us to delete it, whichever comes first. It may take up to 30 days to delete Personal Information from our systems following a valid request for deletion.
However, C2U will retain:
Personal Information in circumstances where we have legal and regulatory obligations to do so (e.g. for law enforcement purposes, employment law, corporate or tax record keeping, or where the information is relevant to legitimate legal proceedings); and
anonymised information for analytic and service development purposes.
The information we retain will be handled in accordance with this Privacy Policy.
8. MANAGING YOUR PERSONAL INFORMATION
Accessing and ensuring the accuracy of Personal Information
C2U takes reasonable steps to ensure that the Personal Information we collect and hold is accurate, up to date and complete.
Users have a right to access and request the correction of any of their Personal Information we hold about them at any time. Any such requests should be made by directly contacting us at the details set out below. C2U will grant access to the extent required or authorised by the Act and applicable laws, and will take all reasonable steps to correct the relevant Personal Information where appropriate.
There may be circumstances in which C2U cannot provide Users with access to information. We will advise you of these reasons if this is the case.
C2U has appointed a Privacy Officer to be the first point of contact for all privacy related matters and to assist in ensuring our compliance with our privacy obligations.
702, 10-14 Waterloo Street Surry Hills NSW 2010
The Privacy Officer will respond to your query or complaint as quickly as possible. C2U will contact you if we require any additional information from you and will notify you in writing (which includes electronic communication via email) of the relevant determination. If you are not satisfied with the determination you can contact us to discuss your concerns or complain to the Australian Privacy Commissioner via www.oaic.gov.au.