1. Purpose of our Privacy Policy

  1. PainChek Ltd ABN 21 146 035 127 (weus or our) provides the PainChek® web & mobile system (PainChek), which is intended to allow users to access parts of a Patient’s account to:
    a) Assess and record the Patient’s level of pain and the pain relief administered to manage their pain over time
    b) Connect and share information with other authorised users
    c) Access such other information and features, as we may make available via PainChek® from time-to-time in accordance with the PainChek® Terms of Service.In order to achieve the above, Users have to create, store and edit Personal Information about Patients and Users.
  2. Care-Receivers being assessed for pain shall be collectively referred to as Patients throughout this Privacy Policy.
  3. Patients, Care-Givers and the organisations responsible for caring for Patients shall be collectively referred to as Users throughout this Privacy Policy.
  4. We have adopted this Privacy Policy to ensure that we have standards in place to protect the Personal Information that we collect about Patients and Users that is necessary and incidental to:
    a) Providing the system and services that PainChek Ltd offers; and
    b) The normal day-to-day operations of our business.
  5. This Privacy Policy follows the standards of the Australian Privacy Principles set by the Australian Government for the handling of Personal Information under Australia’s Privacy Act 1988 (Privacy Act).
  6. By publishing this Privacy Policy we aim to make it easy for our customers and the public to understand what Personal Information we collect and store, why we do so, how we receive and/or obtain that information, and the rights an individual has with respect to their Personal Information in our possession.

2. What Information does this Policy Apply to?

  1. Our Privacy Policy deals with how we handle both “personal information” and “health information” for Patients and for Users as those terms are defined in the Privacy Act (and together referred to in this Privacy Policy as Personal Information).Personal information is information that could reasonably be expected to:
    a) reveal the identity of an individual, and/or
    b) be linked to an identified individual
  2. The following types of information are always considered to be Personal Information: first name, last name, email, specific addresses/locations, birthdate and any other dates directly related to the individual, driver’s or other account/licence numbers, facial photographic images.
  3. We handle Personal Information of adults and children in our own right and also for and on behalf of our customers and users.
  4. Our Privacy Policy does not apply to information we collect about businesses or companies, however it does apply to information which we store that is about the people in those businesses or companies.
  5. Our Privacy Policy does not apply to Non-identifiable Information.
    Non-identifiable information (or de-identified information) is personal or health information that cannot reasonably be expected to:
    a) reveal the identity of an individual, and/or
    b) be linked to an identified individual
  6. Personal Information can become Non-Identifiable by:
    a) Excluding Identifiable Information, and/or
    b) Aggregation of Information
  7. Non-identifiable Information can include gender, year of birth, general address/location (i.e. state/province only), nationality, together with information about assessments, therapies and pain relief recorded by PainChek®.
  8. The Privacy Policy applies to all forms of Personal Information, physical and digital, whether collected or stored electronically or in hardcopy.

3. Patient Consent to Collection

  1. Personal Information that is disclosed to us may be collected by us, and used and disclosed by us as described in this Privacy Policy (including to our service providers, who may collect the Personal Information in order to provide services to us).  Also, any User may collect Personal Information about a Patient from us, and using it as contemplated by this Privacy Policy if they are an authorised User in relation to that Patient.
  2. By providing Personal Information about yourself, you consent to each collection, use and disclosure of that Personal Information described in subparagraph 3.1 above.
  3. Where the Patient is a child, if you are the “Responsible Person” for the child as defined in the Privacy Act (such as the parent or guardian of the child) and you allow the child to provide Personal Information to us, you consent to each collection, use and disclosure of that Personal Information described in subparagraph 3.1 above.
  4. If, at any time, a person (Provider) provides Personal Information or other information about an individual other than himself or herself (including where the individual is a Patient), the Provider warrants that:
    a) the individual has consented to each collection, use and disclosure of that Personal Information described in subparagraph 3.1 above; or
    b) if the individual does not have capacity to consent, the Provider is a Responsible Person in relation to the individual, and consents to each collection, use and disclosure of that Personal Information of the individual described in subparagraph 3.1 above.
  5. In relation to each Patient, the authorised Users include:
    a) the Patient’s treating medical practitioner, and
    b) the staff of the organisation (such as a nursing home, a medical centre, a hospital, or a provider of medical services in the community) providing the treatment, and
    c) medical service providers who are treating the Patient with the consent of the Patient or the Patient’s Responsible Person, and
    d) any other organisation that has been approved as an authorised User by the Patient or a Responsible Person for the Patient.

4. The Information We Collect

  1. In the course of business, it is necessary for us to collect Personal Information. This information allows us to identify who an individual is for the purposes of our business, share Personal Information when permitted and/or required of us by law, contact the individual in the ordinary course of business and transact with the individual. Without limitation, the type of information we may collect is:
    a) Health Information. We may collect information about the health, injuries, disability, health services, medical histories, prescriptions, allergies and other information about an individual defined as “health information” in the Privacy Act;
    b) Personal Information. We may collect personal details such as an individual’s name, location, date of birth, profile image, nationality, family details and other information defined as “Personal Information” in the Privacy Act that allows us to identify who the individual is;
    c) Contact Information. We may collect information such as an individual’s email address, telephone & fax number, third-party usernames, residential, business and postal address and other information that allows us to contact the individual;
    d) Financial Information. We may collect financial information related to an individual such as any bank or credit card details used to transact with us and other information that allows us to transact with the individual and/or provide them with our services;
    e) Statistical Information. We may collect information about an individual’s online and offline preferences, habits, movements, trends, decisions, associations, memberships, finances, purchases and other information for statistical purposes;
    f) Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities.
  2. We may collect other Personal Information about an individual, which we will maintain in accordance with this Privacy Policy.
  3. We may also collect non-Personal Information about an individual such as information regarding their computer, network and browser. This may include their IP address. Where non-Personal Information is collected and is not aggregated with information that is Personal Information, the Australian Privacy Principles do not apply.

5. How Information is Collected

  1. Most information will be collected in association with an individual’s use of the PainChek® mobile application, the PainChek® Web Administration Console, the public PainChek Ltd web site, an enquiry about PainChek® or generally dealing with us.  Some information may be collected from authorised Users in relation to a Patient.However we may also receive Personal Information from sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff, recruitment agencies and our business partners.In particular, information is likely to be collected as follows:
    a) Registrations/Subscriptions. When an individual registers or subscribes for a service, list, account, connection or other process whereby they enter Personal Information details in order to receive or access something, including a transaction;
    b) Accounts/Memberships. When an individual submits their details to open an account and/or become a member with us;
    c) Using PainChek®. When an Individual enters personal information into PainChek® for any reason, records a profile image, or performs an automated facial assessment. Note the facial images used by the automated facial assessment process to determine a patient’s level of pain are discarded immediately and are not stored on the device nor transmitted to other systems.
    d) Supply. When an individual supplies us with goods or services;
    e) Contact. When an individual contacts us in any way;
    f) Access. When an individual makes contact with us in-person we may require them to provide us with details for us to permit them such access. When an individual accesses us through the internet we may collect information using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services; and/or
    g) Pixel Tags. Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has been opened.
  2. As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of when their Personal Information is being collected.
  3. Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a client) we will either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Australian Privacy Principles.

6. When Personal Information is Used and Disclosed

  1. The primary reason Personal Information is used or disclosed is so that a Patient’s level of pain and pain relief usage can be recorded and reviewed by Users.
  2. In general, the primary principle is that we will not use any Personal Information other than for the purpose for which it was collected (or purposes which are directly related to that purpose, and which the individual would reasonably expect), except with the individual’s permission. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
  3. Except as noted elsewhere in this section, we will never use an individual’s Personal Information for any purpose other than:
    a) sharing that information with a User authorised by the individual receiving it
    b) sharing that information with third-parties authorised by the individual to receive it
    c) supporting and developing the PainChek® system (using our internal resources and third-party service providers under obligations of confidence)
  4. When we disclose an individual’s Personal Information to a third-party, it is done so in a manner compliant with the Australian Privacy Act.
  5. We will retain Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.
  6. Personal Information is used to enable us to operate our business, especially as it relates to an individual. This may include:
    a) The provision of goods and services between an individual and us, or for the benefit of the individual;
    b) Verifying an individual’s identity;
    c) Communicating with an individual about:
    i) Their relationship with us;
    ii) Our goods and services;
    iii) Our own marketing and promotions to customers and prospects;
    iv) Competitions, surveys and questionnaires;
    v) Research studies;
    vi) Investigating any complaints about or made by an individual, or if we have  reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or
    vii) As required or permitted by any law (including the Privacy Act)
  7. There are some circumstances in which we must disclose an individual’s Personal Information:
    a) As part of a sale (or proposed sale) of all or part of our business;
    b) Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of; and/or
    c) As required or permitted by any law (including the Privacy Act).
  8. We will not disclose an individual’s Personal Information to any entity outside of Australia that is in a jurisdiction that does not have a similar regime to the Australian Privacy Principles or an implemented and enforceable privacy policy similar to this Privacy Policy. We will take reasonable steps to ensure that any disclosure to an entity outside of Australia will not be made until that entity has agreed in writing with us to safeguard Personal Information as we do.
  9. We utilise third-party service providers to communicate with an individual and/or to store and process Personal Information about them. Such services we currently use include:
    a) Amazon Web Services (AWS) operated by Amazon.com, Inc. (a company incorporated in the Washington, United States) that host PainChek® systems and data on servers located in Australia.
    b) SiteGround operated by DreamScape Networks FZ-LLC (a company incorporated in the UAE) for email and for hosting of the painchek.com website.
    c) Office 365 operated by Microsoft for hosting @painchek.com email addresses.
    d) JIRA operated by Atlassian Pty Ltd (a company incorporated in Australia) for bug tracking, issue tracking, and project management.
    e) ZenDesk operated by ZenDesk Inc for Customer Service and Technical Support enquiries.
    f) Dropbox operated by Dropbox International Unlimited Company (a company incorporated in Dublin) for data storage.
    g) Wordpress operated by Automattic (a company incorporated in California) for hosting the PainChek® website.
    h) Sentry operated by Sentry.io (a company incorporated in California) for reporting errors in the web backend, and web portal.
  10. Service providers based in the European Union are bound by European Union data protection laws.  Under those laws the entity that is responsible for protecting Personal Information (known as a ‘data controller’) is able to have Personal Information processed by other entities based in any European Union country (known as ‘data processors’) but remains responsible at law for the lawful processing of that data.

7. Opting “In” or “Out”

  1. An individual may opt to not have us collect their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:
    a) Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us; or
    b) Opt Out. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us.  The exercise of an opt-out right does not mean that we immediately delete all records of the individual, if there are still legitimate uses for the information we hold (including record keeping obligations).
  2. Each individual has the right to opt out of receiving marketing communications from us.

8. The Safety & Security of Personal Information

  1. We may appoint a Privacy Officer to oversee the management of this Privacy Policy and compliance with the Australian Privacy Principles and the Privacy Act. This officer may have other duties within our business and also be assisted by internal and external professionals and advisors.
  2. We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.
  3. In some circumstances, PainChek® Users might be staff of institutions that provide care to a patient (e.g. a nursing home).  We require that such organisations have a compliant privacy policy in place.
  4. In the case that Personal Information is shared with a third-party, we require that such organisations have a compliant privacy policy in place. The third-party may use or copy the Personal Information, for example to provide services to us or in order to provide care to the Patient.
  5. PainChek® uses client-side, transmission, and server-side encryption for all Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.
  6. We are not responsible for the privacy or security practices of any third-party (including third-parties to which we are permitted to disclose an individual’s Personal Information in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third-parties may be subject to separate privacy and security policies.
  7. If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.
  8. Except as provided by law, we are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were authorised to provide that person with the Personal Information.

9. How to Access and/or Update Information

  1. Users of PainChek® can update their Personal Information from within their PainChek® account or profile.
  2. Subject to the Australian Privacy Principles, an individual has the right to request from us the Personal Information that we have about them, and we have an obligation to provide them with such information within 28 days of receiving their written request.
  3. If an individual cannot update or cancel its own information, we will update or cancel the Personal Information we hold about an individual within 7 days of receiving written notice from them about those errors.
  4. It is an individual’s responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.
  5. We may charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal Information we hold about them.

10. Complaints and Disputes

  1. If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the details below.
  2. If there is a dispute regarding an individual’s Personal Information, we will initially seek to resolve the issue directly with the individual.  We will usually make contact within 14 days and we endeavour to resolve disputes within 30 days, unless we need further information from the complainant to resolve the matter.
  3. If we become aware of any unauthorised access to an individual’s Personal Information we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.

11. Contacting Individuals

  1. From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies. Because this information is important to the individual’s interaction with us, they may not opt out of receiving these communications.

12. Use of Cookies

  1. When you view our web site, we may store some information on your computer. This information will be in the form of a “cookie” or similar file. Cookies are small pieces of information stored on your hard drive, not on our website site. Cookies do not spy on you or otherwise invade your privacy, and they cannot invade your hard drive and steal information. Rather, they help you navigate a Web site as easily as possible.
  2. We use cookies to deliver content specific to your interests and to prevent you from needing to re-enter all of your registration data at each connection.

13. Contacting Us

  1. All correspondence with regards to privacy should be addressed to:The Privacy Officer
    PainChek Ltd
    Suite 401
    35 Lime Street,
    Sydney NSW 2001
    [email protected] may contact the Privacy Officer by email in the first instance.

14. Changes to this Policy

  1. If we decide to change this Privacy Policy, we will post the changes on our webpage at painchek.com. Please refer back to this Privacy Policy regularly to check for and to review any amendments.
  2. If a User objects to any of the changes to the Policy, the User must cease using PainChek® and can request that we remove their Personal Information. In this case we take reasonable steps to delete or de‑identify their personal information within 28 days.
  3. We may do things in addition to what is stated in this Privacy Policy to comply with the Australian Privacy Principles, and nothing in this Privacy Policy shall deem us to have not complied with the Australian Privacy Principles if we do so.
  4. This policy was last updated on 15th September 2021.