1. Definitions
1.1 In this Policy:
- (a) Clinic means medical practice, centre, clinic or other medical facility, whether private or public.
- (b) Policy means this Privacy Policy.
- (c) You means in the case of an individual using a Nookal Website or purchasing a subscription through a Nookal Website, that individual, or in the case of an individual, using a Nookal Website or purchasing a subscription through a Nookal Website on behalf of a company or other legal entity, the company or other legal entity for which such, using the Nookal Website or purchasing a subscription through the Nookal Website.
- (d) Nookal, us, we means Nookal Pty Ltd ACN 636 857 979.
- (e) Nookal Website means the online services accessible via the Nookal websites described in the Schedule to this Policy.
- (f) Personal Information means information or an opinion about an identified natural person, or a natural person who is reasonably identifiable.
- (g) Products means those products on a Nookal Website from time to time.
2. Introduction
2.1 This Policy sets out how we collect, handle and use information about you.
2.2 We reserve the right to update this Policy at any time without notice but will place the updated version of this Policy on our website shortly after it has been finalized.
3. Purpose
3.1 The purpose of this Policy is to:
- (a) set out the types of information that we may collect; and
- (b) how that information will be used, handled, stored, and disclosed.
4. Application
4.1 This policy applies to Personal Information that we may collect about you in the manner outlined in this policy, including from all legal entities owned or controlled by us (across any jurisdiction).
4.2 This policy does not apply to Personal Information that may be collected by a third party or how that third party may use, handle, store or disclose your Personal Information.
5. Information We Collect About You
5.1 We may collect, use, store and transfer personal information about you which we have grouped together as follows:
- (a) Website User Identity Data being your first name, last name, title, address, email address and username collected through the Website;
- (b) Patient Identity Data being your first name, last name, title, address, email address and username that is collected and input directly by a Clinic;
- (c) Clinic Identity Data being the first name, last name, title, address, email address and username of employees and contractors of the Clinic;
- (d) Contact Data being your billing address, shipping address, email address and telephone numbers;
- (e) Financial Data, to the extent required by law or by any payment processor, being your bank account details, credit card details or other payment information;
- (f) Clinic Data being medical information, including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors, Medicare number for identification, health care identifiers and health fund information (if applicable);
- (g) Transaction Data being details about payments to and from you and other details of products or services you have purchased from us;
- (h) Technical Data being information regarding the IP addresses used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, cookies, operating system and platform, type of device;
- (i) Profile Data being your username or password from each Nookal Website, details regarding purchases or orders made by you, your interests, preferences, feedback and reviews;
- (j) Usage Data being information about how you use the Nookal Website, and Products;
- (k) Marketing and Communications Data being information regarding your preferencing in receiving marketing from us and your communication preferences;
- (l) Third-Party Data being information we may receive from third-parties such as business partners, sub-contractors in technical and delivery services, advertising networks, analytics providers and search information providers, third party applications that plug into the Products and payment providers or merchants;
- (m) Religious and Political Beliefs Data being information or opinions about your racial or ethnic origin, political opinions, or memberships, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation, or criminal record;
- (n) Nookal Products and Services Data being information, communication, or opinions about any of our products, services, transactions, payment history and business activities;
- (o) Proof of Identity Data being identifiers (such as tax file number and business number), citizenship and residency details, details regarding and information provided by your referees, details regarding and information provided by your guarantor(s) and business partner(s), financials/credit/criminal history checks, results of any pre-employment or profile tests, employment history, education history, identity documents, health information and next of kin details; and
- (p) Digital Media Data being digital media and content such as video, footage and audio.
5.2 In some situations you will have the option to deal with us anonymously or through a pseudonym, as permitted by applicable laws and regulations. However, where you are requesting products or services from us or a Clinic where such contact is via us or one of our services, it may become impracticable to provide those products or services to you without verifying your identity. Where you fail to provide us information or where the information provided is incomplete and/or inaccurate, or you choose not to provide us with the information that we have requested, it may affect our or a Clinic’s ability to provide you with our Products and services.
6. How do we Collect Information from You?
6.1 We use different methods to collect data from you and about you, including:
- (a) (direct interactions) – you may give us your Identity, Contact, Financial, Profile and Proof of Identity Data by creating an account with us, completing online forms or corresponding with us;
- (b) (interactions you have with other sources) – we receive Clinic, Identity, Contact, Financial, Transaction, Usage and Marketing and Communications Data from Clinics, business partners, sub-contractors in technical and delivery services, advertising networks, analytics providers and search information providers, third party applications that plug into the Products and payment providers or merchants;
- (c) (automated technologies or interactions) – we use the following technologies to collect Technical and Third-Party Data:
- (i) "Cookies" are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about how we implement cookies, please see our Cookie Policy;
- (ii) "Log files" track actions occurring on the Nookal Website, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps; and
- (iii) "Web beacons", "tags", and "pixels" are electronic files used to record information about how you browse the Nookal Website and Products.
7. How do we use your Personal Information?
7.1 Website Users
Purpose / Activity | Type of Data | Lawful basis for processing (including basis of legitimate interest) |
To register you as a new customer or create an account with us, to identify you. | Website User Identity Data, Contact Data, Marketing and Communications Data, Proof of Identity Data | Performance of a contract with you. |
To process and deliver your order including, manage payments, fees, and charges, perform fraud checks and collect and recover money owed to us. | Website User Identity Data, Contact Data, Financial Data, Technical Data, Transaction Data, Usage Data, Marketing and Communications Data, Proof of Identity Data, Third-Party Data | Performance of a contract with you. Necessary for our legitimate interests (to recover debts due to us and reduce this risk of fraud). |
To manage our relationship with you which will include, notifying you about changes to our terms or privacy policy, asking you to leave a review or take a survey, engaging with you in relation to any support request or communication that you may submit. | Website User Identity Data Contact Data, Profile Data, Marketing and Communications Data | Performance of a contract with you. Necessary to comply with a legal obligation. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products and services). |
To administer and protect our business and the Nookal Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). | Website User Identity Data Contact Data, Technical Data | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). Necessary to comply with a legal obligation. |
To deliver relevant the Nookal Website content and measure or understand the effectiveness of our website and to ensure the proper function of the website and online software. | Website User Identity Data Contact Data, Profile Data, Usage Data, Marketing and Communications Data, Technical Data | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy). |
To improve the Products, services or businesses that we or a Clinic undertakes. | Website User Identity Data Contact Data, Profile Data, Usage Data, Marketing and Communication Data | Necessary for our legitimate interests (to improve our Products and services). |
To use data analytics to improve the Nookal Website, products/services, marketing, customer relationships and experiences and to gather anonymous statistics. | Technical Data, Usage Data, Third-Party Data | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy). |
To provide you with our newsletter and make suggestions and recommendations to you about goods, services or promotions that may be of interest to you, whether initiated by us or a Clinic. | Website User Identity Data, Contact Data, Technical Data, Usage Data, Profile Data, Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
To maintain as a record in the event of any product service or warranty request. | Proof of Identity Data, Website User Identity Data, Contact Data, Financial Data | Necessary for our legitimate interests (to maintain customer satisfaction and ensure appropriate processes for warranty requests). |
To facilitate internal training, ensure the effective delivery of products and services and to resolve disputes or problems, whether initiated by us or a Clinic. | Digital Media Data, Identity Data, Contact Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
To improve our products, services and business activities we undertake. | Nookal Products and Services Data, Contact Data, Website User Identity Data, Usage Data, Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
7.2 Clinic Patients
Purpose / Activity | Type of Data | Lawful basis for processing (including basis of legitimate interest) |
To register you as a new customer or create an account with us, to identify you. | Patient Identity Data, Contact Data, Marketing and Communications Data, Proof of Identity Data | Performance of a contract with you. |
To process and deliver your order including, manage payments, fees, and charges, perform fraud checks and collect and recover money owed to us. | Patient Identity Data Contact Data, Financial Data, Technical Data, Transaction Data, Usage Data, Proof of Identity Data, Patient Identity Data, Third-Party Data | Performance of a contract with you. Necessary for our legitimate interests (to recover debts due to us and reduce this risk of fraud). |
For a Clinic to register you as a patient and for the Clinic to provide their services to you, including retrieval of historical data about you. | Patient Identity Data, Contact Data, Marketing and Communications, Clinic Data, Proof of Identity Data | The Clinic’s performance of a contract with you. Our performance of a contract with a Clinic. |
To manage our relationship with you which will include, notifying you about changes to our terms or privacy policy, asking you to leave a review or take a survey, engaging with you in relation to any support request or communication that you may submit. | Patient Identity Data, Contact Data, Marketing and Communications Data | Performance of a contract with you. Necessary to comply with a legal obligation. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products and services). |
To administer and protect our business and the Nookal Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). | Patient Identity Data, Contact Data, Technical Data | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). Necessary to comply with a legal obligation. |
To deliver relevant the Nookal Website content and measure or understand the effectiveness of our website and to ensure the proper function of the website and online software. | Patient Identity Data, Contact Data, Profile Data, Usage Data, Marketing and Communications Data, Technical Data | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy). |
To improve the Products, services or businesses that we or a Clinic undertakes. | Patient Identity Data, Contact Data, Profile Data, Usage Data, Marketing and Communication Data | Necessary for our legitimate interests (to improve our Products and services). |
To use data analytics to improve the Nookal Website, products/services, marketing, customer relationships and experiences and to gather anonymous statistics. | Technical Data, Usage Data, Third-Party Data | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy). |
To provide you with our newsletter and make suggestions and recommendations to you about goods, services or promotions that may be of interest to you, whether initiated by us or a Clinic. | Patient Identity Data, Contact Data, Technical Data, Usage Data, Profile Data, Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
To maintain as a record in the event of any product service or warranty request. | Proof of Identity Data, Patient Identity Data, Contact Data, Financial Data | Necessary for our legitimate interests (to maintain customer satisfaction and ensure appropriate processes for warranty requests). |
To facilitate internal training, ensure the effective delivery of products and services and to resolve disputes or problems, whether initiated by us or a Clinic. | Digital Media Data, Patient Identity Data, Contact Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
To improve our products, services and business activities we undertake. | Nookal Products and Services Data, Contact Data, Patient Identity Data, Usage Data, Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
7.3 Clinic Personnel
Purpose / Activity | Type of Data | Lawful basis for processing (including basis of legitimate interest) |
To register you as a new customer or create an account with us, to identify you. | Clinic Identity Data, Contact Data, Marketing and Communications Data, Proof of Identity Data | Performance of a contract with you. |
To process and deliver your order including, manage payments, fees, and charges, perform fraud checks and collect and recover money owed to us. | Clinic Identity Data, Contact Data, Financial Data, Technical Data, Transaction Data, Usage Data, Proof of Identity Data, Patient Identity Data, Third-Party Data | Performance of a contract with you. Necessary for our legitimate interests (to recover debts due to us and reduce this risk of fraud). |
For a Clinic to register you as a patient and for the Clinic to provide their services to you, including retrieval of historical data about you. | Clinic Identity Data, Contact Data, Marketing and Communications Data, Clinic Data, Proof of Identity Data | The Clinic’s performance of a contract with you. Our performance of a contract with a Clinic. |
To manage our relationship with you which will include, notifying you about changes to our terms or privacy policy, asking you to leave a review or take a survey, engaging with you in relation to any support request or communication that you may submit. | Clinic Identity Data, Contact Data, Marketing and Communications Data | Performance of a contract with you. Necessary to comply with a legal obligation. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products and services). |
To administer and protect our business and the Nookal Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). | Clinic Identity Data, Contact Data, Technical Data | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). Necessary to comply with a legal obligation. |
To deliver relevant the Nookal Website content and measure or understand the effectiveness of our website and to ensure the proper function of the website and online software. | Clinic Identity Data, Contact Data, Profile Data, Usage Data, Marketing and Communications Data, Technical Data | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy). |
To improve the Products, services or businesses that we or a Clinic undertakes. | Clinic Identity Data, Contact Data, Profile Data, Usage Data, Marketing and Communication Data | Necessary for our legitimate interests (to improve our Products and services). |
To use data analytics to improve the Nookal Website, products/services, marketing, customer relationships and experiences and to gather anonymous statistics. | Technical Data, Usage Data, Third-Party Data | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy). |
To provide you with our newsletter and make suggestions and recommendations to you about goods, services or promotions that may be of interest to you, whether initiated by us or a Clinic. | Clinic Identity Data, Contact Data, Technical Data, Usage Data, Profile Data, Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
To maintain as a record in the event of any product service or warranty request. | Proof of Identity Data, Clinic Identity Data, Contact Data, Financial Data | Necessary for our legitimate interests (to maintain customer satisfaction and ensure appropriate processes for warranty requests). |
To facilitate internal training, ensure the effective delivery of products and services and to resolve disputes or problems, whether initiated by us or a Clinic. | Digital Media Data, Clinic Identity Data, Contact Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
To improve our products, services and business activities we undertake. | Nookal Products and Services Data, Contact Data, Clinic Identity Data, Usage Data, Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business). |
8. Do Not Track Settings
8.1 Please note that we do not alter our Nookal Website data collection and use practices when we see a Do Not Track signal from your browser. If you are a resident of California, please see additional information on Do Not Track settings as applicable to California residents.
9. Storing your Information: Duration and Retention
9.1 We are a growing business. To offer a consistent service to you we may store and manage data electronically or in paper form. Where data is stored electronically, it is done so by a third-party cloud service provider that may store your information or a backup of your information in:
- (a) those locations noted on our Security page; and
- (b) such other locations that the third-party cloud service provider determines from time to time (see our list of third parties here for jurisdictions where your information may be stored).
9.2 The data that we collect from you may be transferred to and be stored to these servers or processed by staff operating in other jurisdictions or who work for Nookal.
9.3 Nookal will retain your personal information only for as long as is necessary for the purposes set out in this Policy, or as required or permitted by law, and then will delete it as required by law. For example, Nookal will retain your information as long as required to comply with applicable tax/revenue laws, cybersecurity and privacy laws, laws and regulations that affect the conduct of our business; to resolve disputes, enforce our agreements, cooperate with law enforcement requests or to meet other legal obligations. We may also retain log files for internal analysis purposes, though we would retain them for only a brief period except in cases where we are legally required to retain them for longer periods, and in cases where they are used for site safety and security or to improve website functionality.
9.3 We will take all commercially reasonable steps to ensure that your information is secured from misuse, interference, loss, unauthorised access, unauthorised modification, or unauthorised disclosure. Any information will be handled in accordance with this Policy and applicable privacy laws. Despite using all steps reasonably necessary, the transmission of information through the internet is not completely secure.
9.4 Submission of any information to us is an acknowledgement that you agree to such use, storage, and disclosure.
10. Disclosing your Information
10.1 We may share your information with:
- (a) any and all of our affiliates;
- (b) third parties including business partners, suppliers and subcontractors;
- (c) any prospective buyer or acquirer of any part of our business or assets; or
- (d) where we are required to disclose your information in order to comply with any legal obligation, or in order to enforce any agreements; or to protect the rights, property, or safety of us and our customers, or others. This includes, where relevant, exchanging information with Organisations for the purposes of fraud protection and credit risk reduction.
11. International Data Transfers
11.1 We collect and store Personal Information globally from each jurisdiction we operate in and from each legal entity that is owned or operated by us in different international jurisdictions and may transfer, process and store your Personal Information outside of your country of residence, to wherever we or our third-party service providers operate for the purpose of providing you the Products. We have appointed Cloud Operations Pty Ltd ACN 636 585 127 (Cloud Operations), a company based in Australia, to control and manage all Personal Information that is collected globally by Nookal.
12. Accessing and Correcting your Information
12.1 You may request access to Personal Information that we hold about you at any time by contacting our Privacy Officer using the details set out in this Policy. We will respond to any such request for access to Personal Information within a reasonable time frame and will provide you access to the Personal Information that we hold pertaining to you if permitted to do so by our agreement with your Clinic or other healthcare provider. If the Clinic at which you were seen requires us to forward your request to the Clinic so that the Clinic can address it, the Clinic will be responsible for responding to your request. In addition, we may not provide access to your information if we are authorised not to do so by law.
12.2 Where permitted by law, we may charge you a reasonable fee for processing your request to access your Personal Information and should we decline you access to your Personal Information, a written explanation will be provided setting out the legal reasoning for doing so.
12.3 If upon receiving your Personal Information, or at any other time, you believe the Personal Information that we hold about you is incorrect, out of date, incomplete, irrelevant, or misleading, please notify our Privacy Officer using the details set out in this Policy. We will forward your request to the Clinic and any corrections will be made by the Clinic within its sole discretion.
13. Complaints
13.1 If you believe we have not fulfilled our obligations under any relevant law or have not complied with the terms of this Policy or would like to appeal a decision made by us in relation to your Personal Information, you can make a complaint in writing to our Privacy Officer using the contact details set out in this Policy.
13.2 We will respond to you within a reasonable period of time (or where a period is specified by any law, that period) to acknowledge your complaint and inform you of the next steps we will take in dealing with your complaint.
14. Our External Provider’s Privacy Policies
14.1 We provide Products to various Clinics. We hold your Personal Information on behalf of the Clinic in which you are dealing with.
14.2 Accordingly, where you are dealing with a Clinic and you are concerned that there may have been a breach of this Policy by an independent third party associated with us and/or a Clinic, please contact the relevant Clinic directly. Alternatively, you may contact the Privacy Officer at the details set out in this Policy.
14.3 (Primary Purpose): The primary purpose for which your Personal Information is collected by us:
- (a) is to facilitate various services on behalf of a Clinic to you;
- (b) for the Clinic to maintain its data and records about you in a centralised customer relationship management system;
- (c) for the Clinic to communicate with you in a secure manner;
- (d) for you to make payments to a Clinic;
- (e) for a Clinic to market to you;
- (f) for a Clinic to organise and store your Personal Information in a consistent manner for the Clinic to better provide its services to you; and
- (g) in any manner described or disclosed in the relevant privacy policy of a Clinic.
14.4 (Secondary Purpose): The secondary purpose in which we will use your Personal Information, includes (but is not limited to):
- (a) providing analytics services, of any kind, to Clinics;
- (b) to provide any entity in our group of companies;
- (c) disclosure is required or authorised by or under an Australian law, a law in any jurisdiction in which we operate or a court/tribunal order;
- (d) a permitted general situation exists in relation to the use or disclosure of the Personal Information by us; and
- (e) we reasonably believe that the use or disclosure of your Personal Information is necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
15. Data Breaches
15.1 In the event that we experience a Notifiable Data Breach, we will notify you within 14 days of us becoming aware of that Notifiable Data Breach.
15.2 In this clause 15, "Notifiable Data Breach" means an occurrence of unauthorised access to or unauthorised disclosure of your personal information, or a loss of your personal information that is required to be notified to you under legislation or regulations in the applicable jurisdiction.
16. Additional Information for Certain Jurisdictions
We provide additional information about the privacy, collection, and use of personal information of residents located in certain jurisdictions.
16.1 Federal and Local Law Requirements
16.1.1 Application
This section applies to residents in the United States of America (USA) and residents of the California (CA).
16.1.2 Definitions
Protected Health Information or PHI means information regarding past, present or future health (including metal health) or medical condition or treatment that can be traced to an identifiable individual by identifiers as set forth in the Privacy Rule of the Health Information Portability and Accountability Act of 1996 (HIPAA).
16.1.3 HIPAA
Nookal, in providing record management software and systems to Clinics, may be considered a Business Associate under the federal law and regulations known, collectively, as HIPAA. A Business Associate is an organization that accesses Protected health Information in order to perform a service for a healthcare provider. Our agreements with Clinics to provide our services comprises certain privacy and security provisions that govern our relationship with the Clinics and require us to adhere to certain privacy and cybersecurity standards, some of which may also be found in the HIPAA regulations. Nookal is obligated by law to adhere to those standards with regard to the health information we process.
16.2 Residents of California
16.2.1 While many browsers permit you to send a signal about your Do Not Track ("DNT") preferences, we do not respond to DNT signals sent from browsers.
16.2.2 If CCPA (the California Consumer Privacy Act) or the CPRA (California Privacy Rights Act) applies to you and to us (and we do not concede that it applies to us), then CCPA California Civil Code Section 1798.83, The California Consumer Privacy Act ("CCPA") permits you to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@nookal.com. CCPA also provides California residents with additional rights related to data privacy that is not Protected Health Information as that term is defined by the Health Insurance Portability and Accountability Act (HIPAA). If you have any questions about this section or HIPAA or whether it applies to you, please contact us at privacy@nookal.com
16.2.3 Pursuant to the CCPA, if it applies to you and to us, California residents may, subject to certain exceptions within CCPA:
- Request access to the specific and Personal Information that we have collected about you over the past twelve months, the categories of sources of that information, our business or commercial purposes for collecting the information, and the categories of third parties with whom the information was shared;
- Obtain a copy of your Personal Information in a format that would permit you to transfer that Information to another repository;
- Submit a request for deletion of Personal Information, subject to certain exceptions, including (without limitation) in the event that we may need to retain Personal Information to complete the transaction for which the Personal Information was collected, detect security incidents protect against illegal activity, exercise certain rights of free speech, comply with a legal obligation or for internal uses permitted by law. If your request is subject to any exception, we may deny your request to delete your data.
- Please note that you must verify your identity and request before further action is taken by us. To do so, we will notify you of what we require for identity verification via email.
16.2.4 Do Not Sell My Personal Information
Nookal does not sell Personal Information, but the CCPA defines sale more broadly than the traditional sense of an exchange of data for money and may encompass transactions in which we may share your Personal Information. Accordingly if CCPA applies to you and us (which we do not concede) you may, subject to exceptions in CCPA, request that Nookal not "sell" your personal information by submitting this request to us at privacy@nookal.com. Please be aware that certain sharing of your Personal Information, such as disclosures of that Information to "Service Providers" as that term is defined and in accordance with CCPA, or for certain business operations of Nookal are not considered "sale" of Personal Information.
CCPA comprises provisions that explicitly prohibit us from making any adverse decisions about you or your account based upon your exercise of this right ("non-discrimination").
To exercise these rights, you may contact us at privacy@nookal.com or at 18336035128. Consistent with California law, you may designate an authorized agent to make a request on your behalf. In order to designate an authorized agent please contact us at privacy@nookal.com or at 18336035128.
16.2 General Data Protection Regulation (GDPR and UK GDPR)
16.2.1 Application
This section applies to residents in the European Economic Area (EEA) and residents of the United Kingdom (UK).
16.2.2 Definitions
Controller, Data Processor, Data Subject, Processor, Processing, Sub-processor, and Supervisory Authority shall be interpreted in accordance with applicable Data Protection Legislation.
UK Data Protection Legislation means the UK General Data Protection Regulation under the Data Protection Act 2018 (UK) and any legislation and/or regulation implementing or made pursuant to it or which amends or replaces any of them, as it applies to the UK.
EEA Data Protection Legislation means General Data Protection Regulation, Regulation (EU) 2016/679 and any legislation and/or regulation implementing or made pursuant to it or which amends or replaces any of them, as it applies to the EEA.
16.3 Residents of the EEA
16.3.1 When you submit data, including Personal Information, via the Products or the Nookal Website, that data is being submitted directly to Ireland.
16.4 Residents of the UK (where we act as Processor)
16.4.1 We work with Clinics around the world, including the United Kingdom. If you are domiciled in the United Kingdom, your Personal Information is processed by us in Ireland . When you submit data, including Personal Information, via our Products, that data is being submitted directly into Ireland and at no time is held in the United Kingdom. As part of providing our Products, we may transfer your personal information to other regions, including to Ireland and Australia.
16.4.2 Nookal relies on the following provisions of the UK Data Protection Legislation when transferring your data to our servers in Ireland:
- (a) (Article 28): Nookal has entered into a data processing agreement with the relevant Controller, being the Clinic;
- (b) (Article 49(1)(a)): at the time of submitting the data, you explicitly consented to the transfer of your data outside of the UK and into Ireland;
- (c) (Article 49(1)(b)): the transfer of your data into Ireland is necessary in order for us to perform the a contract with you the Clinic or to perform the contract you are entering into with the Clinic (which is the Controller) when you submit your data;
- (d) (Article 49(1)(c)): the transfer of your data into Ireland is necessary in order to conclude or perform a contract concluded either between us and the Clinic or you and the Clinic (which is the Controller), created when you submitted the data; and
- (e) (Article 1): to otherwise pursue our legitimate business interests outlined in this policy, which include us acting as Processor for the Clinic as Controller.
16.5 Residents of the UK (where we act as Controller)
16.5.1 We work with Clinics around the world, including in the United Kingdom and you may make an enquiry with us, either on your own behalf or on behalf of a Clinic. If you are domiciled in the United Kingdom, your Personal Information is processed by us in Ireland. When you submit data, including Personal Information, via our Products, that data is being submitted directly into Ireland and at no time is it held in the United Kingdom. In such circumstances, we will be considered the controller of such data submitted.
16.5.2 Nookal relies on the following provisions of the UK Data Protection Legislation when transferring your data to our servers in Ireland:
- (a) (Article 28): Nookal has entered into a data processing agreement with Cloud Operations;
- (b) (Article 49(1)(a)): at the time of submitting the data, you explicitly consented to the transfer of your data outside of the UK and into Ireland;
- (c) (Article 49(1)(b)): the transfer of your data into Ireland is necessary in order to perform the contract you are entering into with us when you submit your data;
- (d) (Article 49(1)(c)): the transfer of your data into Ireland is necessary in order to conclude or perform a contract concluded between you and us, created when you submitted the data; and
- (e) (Article 1): to otherwise pursue our legitimate business interests outlined in this policy.
16.6 Residents of the EEA and UK
16.6.1 If you are domiciled in the UK or EEA, you have certain rights under the EEA Data Protection Legislation and UK Data Protection Legislation with respect to your Personal Information, including:
- (a) the right to request access to, correct, amend, delete, port to another service provider; or
- (b) object to certain uses of your personal data.
16.6.2 Due to the manner in which the Products are delivered, you are contracting directly with a Clinic. That Clinic has subsequently contracted with us in order to deliver the Products and therefore facilitate various communications between you and the Clinic. In this manner, we are the Processor of your Personal Information for the Clinic.
16.6.3 If you wish to exercise rights in accordance with the EU Data Protection Legislation or UK Data Protection Legislation, please contact the Clinic you interacted with directly – we serve as a processor on their behalf and can only forward your request to them to allow them to respond.
16.6.4 Additionally, if you are located in the UK, we note that we are generally processing your Personal Information in order to fulfil contracts we might have with you (for example if you interact with a Clinic who has purchased Products from us), or otherwise to pursue our legitimate business interests outlined in this Policy, unless we are required by law to obtain your consent for a particular processing operation. We process your Personal Information to pursue the following legitimate interests, either for ourselves, our partners, or other third parties:
- (a) to provide the Clinic, yourself and others with our Products;
- (b) to prevent risk and fraud on our platform and within the Nookal Website;
- (c) to provide communications, marketing, and advertising;
- (d) to provide reporting and analytics;
- (e) to facilitate communications and payments between you and the relevant Clinic;
- (f) to provide troubleshooting, support services, or to answer questions;
- (g) to test out features or additional services; and
- (h) to improve our services, Products or the Nookal Website.
16.6.5 When we process Personal Information to pursue these legitimate interests, we do so where we believe the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that Personal Information can help mitigate the risks to you.
16.6.6 We note that we use third parties as Sub-processors to process your Personal Information. Depending on the processing undertaken by the third party, will depend on information disclosed to them.
16.6.7 Where you are located in the UK submit any data to or otherwise use the Nookal Website:
- (a) you expressly consent to us transferring the submitted data outside of the United Kingdom; and
- (b) consent to our use of the Sub-processors as disclosed and as added to or replaced from time to time.
17. Data Retention
17.1 When we provide services to you, we will maintain your subscription information for our records unless and until you ask us to delete this information.
18. Minors
18.1 Our services are not intended for use by individuals under the age of 16 (Minor).
18.2 Where you are a Minor, a Clinic must obtain the consent of the parent or guardian having legal capacity over you.
18.3 Nookal complies with the Children's Online Privacy Protection Act (COPPA), which requires the consent of a parent or guardian for the collection of personally identifiable information from children under 13 years of age.
18.4 Nookal does not knowingly collect, use or disclose personal information from children under 13, or equivalent minimum age in the relevant jurisdiction, without verifiable parental consent that would be obtained at and by the Clinic at which the minor receives treatment. However, it is possible that we may inadvertently receive information pertaining to children under 13 without such parental consent.
18.5 If you believe that we have received information about your child that is under the age of 13 without the consent of the minor’s parent or guardian, please do not hesitate to notify us at privacy@nookal.com. When we receive your notification, we will obtain your consent to retain the information or will delete it permanently.
19. Contact
19.1 If you have any comments, concerns or questions regarding this Policy or Personal Information that we hold about you, please contact our Privacy Officer by email to privacy@nookal.com or by post at:
In the European Economic Area:
Privacy Officer
Nookal.com
C/- VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
In the United Kingdom:
Privacy Officer
Nookal.com
C/- VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom
In all other jurisdictions:
Privacy Officer
Nookal Pty Ltd ACN 636 857 979
PO Box 1576
Oxenford QLD 4210
Australia
Schedule
Jurisdiction | Nookal Websites |
Australia | https://www.nookal.com/au |
The United Kingdom | https://www.nookal.com/uk |
The United States of America | https://www.nookal.com/us |
New Zealand | https://www.nookal.com/nz |
Canada | https://www.nookal.com/ca |
Ireland | https://www.nookal.com/ie |
South Africa | https://www.nookal.com/za |