Privacy policy
1. INTRODUCTION
Medik8 Pty Ltd ACN 693 381 163 (Medik8, we, our, us) is committed to complying with the Australian Privacy Principles, the Privacy Act 1988 (Cth) (Privacy Act), and as applicable, the New Zealand Information Privacy Principles and the New Zealand Privacy Act 2020 (NZ) (NZ Privacy Act).
This Privacy Policy outlines how Medik8 collects, handles, and protects your personal information in Australia and New Zealand.
We want you to understand your privacy rights and how we ensure your personal information remains safe. We may update this policy periodically. If practical, we will notify you of significant changes. If you have any questions, please contact us.
2. WHAT SORT OF PERSONAL INFORMATION DO WE COLLECT?
The Privacy Act defines personal information as information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. The NZ Privacy Act defines personal information as information about an identifiable individual.
Personal information includes sensitive information, which the Privacy Act defines to include information or an opinion about an individual's health, among other things.
We collect the following categories of personal information:
- Identity and Contact Data: name, date of birth, gender, addresses, email address and phone numbers;
- Transaction Data: details of products purchased and payment card/bank details (card details are only processed by our payment processors);
- Candidate Data: CVs, qualifications and employment history;
- Technical and Profile Data: IP addresses, login data, browser types, passwords, purchase history, cookies and analytics data;
- Marketing Data: your marketing preferences; and
- Sensitive Information: health information such as skin conditions, pregnancy status, allergies, or adverse reaction reports/photos, and candidate information such as disability or ethnicity for equal opportunity purposes. Under Australian law, we only collect Sensitive Information with your express consent.
The particular types of personal information that we collect will depend on the nature of our relationship with you.
3. HOW DO WE COLLECT YOUR PERSONAL INFORMATION?
We collect personal information from you in three ways:
- Direct Interactions: when you purchase products, create an account, enter a competition, contact us, or apply for a job.
- Third Parties: from our authorised distributors, clinics, or social media platforms.
- Automated Technologies: cookies and traffic logs used during site interaction. How we collect your personal information using cookies is further detailed in our Cookies Policy.
Unless it is impracticable, we will provide you with the source of your personal information if requested.
In the event we inadvertently collect, or are provided with, personal information about you in circumstances where we have not requested or solicited that information, and we determine that the personal information is not required, we will take reasonable steps to destroy or de-identify that information.
4. HOW DO WE USE YOUR PERSONAL INFORMATION?
We only collect and use personal information that is reasonably necessary for our business functions. We use your personal information for:
- the purpose for which it was collected (as detailed in this policy or as explained to you when we collect your personal information); and
- related purposes, where permitted by law.
At or around the time we collect personal information from you, we will endeavour to provide you with a collection notice detailing how we will use and disclose that personal information.
Generally, we may use your personal information for the following purposes:
- to register you as a customer, process and deliver orders, manage payments, and recover debts;
- to comply with any legal obligations, law, regulation, court order or other legal process;
- to manage our relationship with you, including customer service, notifying you of changes to our terms, managing your loyalty program points, requesting reviews, providing recommendations and marketing, and administering competitions or surveys;
- to investigate complaints, manage adverse reaction reports (which may involve health data), and improve our product formulas;
- to establish, exercise, or defend legal claims, and to manage insurance requirements;
- to analyse your skin characteristics and provide personalised skincare product and routine recommendations, and to allow you to revisit your analysis results;
- to personalise your experience on our website and in our marketing communications, with your consent where required;
- to ensure product recommendations are suitable for you;
- to fulfil contracts with your employer, provide training and administer business partnerships;
- to provide and record training, publish your professional profile on our sites, and investigate any service-related complaints;
- to assess suitability for roles, perform background checks, communicate regarding recruitment, and comply with legal hiring obligations;
- to manage distribution contracts, accounts, and business records, and to manage payments to our service providers;
- to protect our business and websites (troubleshooting, security, and fraud prevention) and to perform data analysis to improve the website's performance; and
- to deliver relevant content and advertisements, and to understand the effectiveness of our marketing strategies.
We may process your personal information using semi- or fully automated decision-making systems to make decisions relating to product recommendations, special offers, or your engagement with our goods and services. Automated decisions that may significantly affect your individual rights are subject to human review to ensure fairness and accuracy.
5. HOW WE PROTECT YOUR PERSONAL INFORMATION
We know how much data security matters to everyone. With this in mind, we will treat your personal information with the utmost care and take all reasonable steps to protect it.
We put in place appropriate security measures to prevent your personal information from being accidentally lost, misused, interfered with, accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We secure access to all transactional areas of our sites using HTTPS (TLS-encrypted connections).
Access to your personal information is password-protected, and sensitive information (such as payment card information or health data) is secured by other industry standard protections.
We comply with the Notifiable Data Breaches (NDB) scheme under applicable laws. We have established procedures to deal with any suspected personal information breach and will notify you and the Office of the Australian Information Commissioner (OAIC) of a breach where we are legally required to do so.
6. HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION?
Whenever we collect or process your personal information, we'll only keep it for as long as is necessary for the purpose for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
At the end of that retention period, we will take reasonable steps to ensure your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
7. WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH?
We sometimes share your personal information with trusted third parties for the purposes described in this Privacy Policy. These third parties may include:
- Group companies: our Related Bodies Corporate and Related Entities pursuant to the Corporations Act 2001 (Cth), including our UK-based parent company Medik8 Limited, company number 03783618;
- IT and software providers: companies that support our Sites and business systems (including customer service systems, hosting and security);
- Payment processors: entities that collect and process customer payments on our behalf in a secure environment;
- Logistics and fulfilment: operational companies such as warehousing and delivery couriers (e.g., Australia Post or DHL);
- Marketing partners: direct marketing companies that help us manage our electronic communications (e.g., Bloomreach);
- Advertising platforms: third-party marketing and advertising platforms that may be used from time to time (including, without limitation, Google, Meta (Facebook and Instagram), and ByteDance (TikTok)) to show you products that may interest you, based on your marketing consent or cookie preferences;
- Internal teams, contractors and professional advisers: our employees and professional advisers, agents and collaborators; and
- Other persons: government agencies, regulatory bodies and law enforcement agencies, where we think it is necessary to comply with applicable laws or regulations; to exercise, establish or defend our legal rights; or to protect your interests or those of any other person.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.
To ensure your information remains safe:
- we provide only the information necessary to perform the specific service;
- they may only use your personal information for the exact purposes specified in our contract with them; and
- if we stop using their services, any of your personal information held by them will be securely destroyed or permanently de-identified.
8. WHERE YOUR PERSONAL INFORMATION MAY BE PROCESSED
As Medik8 is a global brand, we disclose your personal information to recipients located outside of Australia and New Zealand to support our business operations.
We transfer your personal information to our group companies or third-party service providers located overseas, primarily in the United Kingdom, the European Union and the United States of America. This disclosure may be required to fulfil your order, process your payment details, provide customer support, conduct marketing activities or for other legitimate business purposes.
Ensuring Personal Information is Protected Overseas
Before we disclose your personal information to an overseas recipient, we take all reasonable steps to ensure that the recipient handles your information in accordance with the Australian Privacy Principles (APPs). This typically includes entering into enforceable contracts that require the recipient to maintain the same standards of data security and privacy as required under applicable laws.
In some cases, we may disclose information to an overseas recipient if we reasonably believe they are subject to a law or binding scheme that offers substantially similar protection to the Australian Privacy Principles (or, for our New Zealand customers, comparable safeguards to those in the Privacy Act 2020 (NZ)), or if you provide us with your express consent to the disclosure after being informed that we may not be able to ensure the recipient’s compliance with the APPs or IPP 12.
Any transfer of your personal information will follow applicable laws, and we will treat the information under the guiding principles of this Privacy Policy. Medik8 Pty Ltd remains accountable for the acts and practices of overseas recipients in relation to the information disclosed, in accordance with applicable laws.
9. WHAT ARE YOUR RIGHTS OVER YOUR PERSONAL INFORMATION?
You have specific rights under applicable laws regarding how we handle your personal information. These include:
- Access: you have the right to request access to the personal information we hold about you. We will provide this free of charge in most cases, though we may charge a reasonable administrative fee for excessive or complex requests (we will notify you of any charges beforehand). We may refuse your request to access your personal information for legitimate reasons.
- Correction: you have the right to ask us to correct your personal information if it is inaccurate, out of date, incomplete, irrelevant, or misleading. We may refuse your request to correct your personal information for legitimate reasons.
- Anonymity: where practicable, you have the right to interact with us anonymously or using a pseudonym (for example, when making general inquiries). However, there may be circumstances where we will require your personal information in order to provide you with our products and services, or to properly respond to any inquiries or concerns.
- Opt-out of marketing: you can ask us to stop sending you marketing messages at any time by following the "unsubscribe" links in our communications or by contacting us directly.
- Withdraw consent: where you have provided express consent for us to handle sensitive information (such as health data or photos of skin reactions), you may withdraw that consent at any time.
- Government-related identifiers: we do not use any government-related identifiers, such as passport numbers or driver's licence numbers, as our own identifier of any individual.
10. HOW CAN YOU STOP THE USE OF YOUR PERSONAL INFORMATION FOR DIRECT MARKETING?
If you provide your consent to receive direct marketing communications, we may use your personal information to provide you with information about our products or services that we believe may be of interest to you. If you no longer wish for your personal information to be used for direct marketing purposes, you may opt out by:
- using the 'unsubscribe' link or instruction included in every marketing email or SMS we send you; or
- contacting our Privacy Officer at any time to request a manual opt-out.
Under applicable laws, we will process your unsubscribe request as soon as possible and, in any event, within 5 business days. While we update our systems, you may receive communications during this period, but no further marketing will be sent to you after that time.
Please note that opting out of marketing does not stop service-related communications, such as order confirmations, shipping updates, or safety and recall notices regarding your products.
11. CONTACTING THE REGULATOR?
If you feel that your personal information has not been handled correctly, or you are unhappy with our response to a request you have made regarding your privacy, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at:
Address: GPO Box 5218, Sydney NSW 2001
Email: enquiries@oaic.gov.au
Under Australian privacy law, the OAIC will generally only investigate a complaint if you have first given us the opportunity to resolve the matter directly. We recommend that you allow at least 30 days for us to respond to your initial complaint before escalating it to the OAIC.
You can find further details of your rights and obligations in respect of privacy at www.oaic.gov.au
12. ANY QUESTIONS?
We hope this Privacy Policy has been helpful in setting out the way we handle your personal information and your rights to control it. If you have any questions that haven't been covered, please contact our Privacy Officer via email - privacy@medik8.com.