Application privacy policy

UAre Privacy Policy

Effective Date: 1 September 2025

Last Updated: 1 September 2025



1. Introduction and Our Commitment to Your Privacy

1.1 Who We Are

This Privacy Policy applies to the UAre mobile application ("Application"), our websites (including uare.app), and all related products and services (collectively, the "Services"). The Services are provided by Ultimate Athlete Pty Ltd (ACN 644 348 363), trading as UAre Group, with our registered office at 44 North Fort Road, Manly NSW 2095 Australia ("UAre," "we," "us," "our").

1.2 Our Commitment and the Scope of This Policy

UAre is fundamentally committed to safeguarding your privacy and handling your personal information in an open, transparent, and lawful manner. This policy has been developed to provide a comprehensive overview of our data practices and to ensure compliance with key global privacy regulations, including:

  • The Australian Privacy Act 1988 (Cth) and its Australian Privacy Principles (APPs).

  • The European Union's General Data Protection Regulation (GDPR).

  • The United States' Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the specific circumstances outlined in Section 10 of this policy.

This document supersedes all previous privacy policies.

1.3 Our Role: Controller and Business Associate

Understanding our role is essential to understanding our obligations to you. The nature of our services means our legal role can vary depending on your location and how you access our Services.

  • For users in the European Economic Area (EEA), United Kingdom (UK), and Switzerland: For the purposes of the GDPR, UAre is the "data controller" of your personal data. This means we determine the purposes for which and the means by which your personal data is processed.

  • For users in the United States: The legal framework for health data in the U.S. is specific. For most individuals who download and use our Services for personal well-being tracking, UAre is not a "Covered Entity" under HIPAA, and the data processed is not considered "Protected Health Information" (PHI). However, in circumstances where you use our Services as part of a well-being program offered by your employer's group health plan or another healthcare provider (a "Covered Entity" under HIPAA), UAre acts as a "Business Associate" to that entity. In this capacity, we are subject to specific HIPAA requirements for the data we process on their behalf. Section 10 of this policy provides detailed information on our HIPAA-related obligations.

1.4 Data Protection Officer and How to Contact Us

To oversee our compliance with this policy and applicable privacy laws, we have appointed a Data Protection Officer (DPO). If you have any questions, concerns, or complaints about our privacy practices, or if you wish to exercise your data protection rights, please contact our DPO:

  • Email: privacy@uare.app

  • Postal Address:
    Attn: Data Protection Officer
    44 North Fort Road, New South Wales, 2095
    Australia



2. The Personal Information We Collect and Why

We collect personal information to provide and improve our Services. The collection of this information must be transparent to comply with legal standards such as Australian Privacy Principle 5 (Notification of the Collection of Personal Information) and the GDPR's principle of transparency. The following sections detail the categories of information we collect.

2.1 Information You Provide Directly to Us

  • Account and Profile Information: When you create a UAre account, we collect information such as your name, email address, phone number, date of birth, location, and a password to secure your account.

  • Communications and Feedback: We collect information you provide when you communicate with our customer support team, participate in surveys or promotions, or provide feedback on our Services.

  • Financial Information: If you subscribe to our paid Services, we collect payment information, such as credit card or other financial details, to process your transactions.

2.2 Sensitive and Health-Related Information (Special Category Data / PHI)

The core function of the UAre Application involves processing information that is considered sensitive. This type of data receives the highest level of protection under privacy laws, such as "sensitive information" under the Australian Privacy Act, "special category data" under GDPR Article 9, and "Protected Health Information" (PHI) under HIPAA. We only process this information with your explicit consent.

  • Biometric and Health Data from "Instant Health Check": Our "Instant Health Check" feature uses your device's camera to perform a face scan. This process is conducted entirely on your device to generate biometric measurements and health indicators, which may include Resting Heart Rate, Breathing Rate, Heart Rate Variability, Stress Score, Blood Pressure, and an estimation of your Body Mass Index. To protect your privacy, the raw facial video is processed in real-time on your phone and is not stored, transmitted, or saved by UAre. Only the resulting health indicator data is collected by our Services.

  • Well-being Information: You may choose to provide additional information about your lifestyle, such as personal or business affairs, habits, mindset, and relationships, to personalise your experience and receive tailored insights.

  • Information from Connected Devices and Apps: With your permission, you can connect third-party applications or wearable devices to your UAre account. This allows us to collect health and activity data from those services to provide a more comprehensive view of your well-being.

2.3 Information Collected Automatically During Your Use of the Services

  • Technical and Device Information: When you use our Application, we automatically collect technical information, including your mobile device's unique ID, IP address, mobile operating system, and the type of mobile internet browser you use.

  • Usage Information: We collect information about your interaction with our Services, such as the features you use, the pages you view, and the time and duration of your activities. This information is collected through log files and analytics tools and helps us understand how our Services are used.

  • Cookies: We use cookies, which are small files stored on your device, to identify you when you return to our Application and to store details about your usage. You can configure your device settings to reject cookies, but this may limit the functionality of our Services.

2.4 Location Information

With your explicit permission, we may use GPS technology or other similar technologies to determine your current location. This information is used to provide location-based features, such as displaying a local map with relevant information. We will not share your precise location with other users or partners without your consent.

2.5 Information from Third Parties

From time to time, we may receive personal information about you from third parties. For instance, if you join UAre through a Customer Well-Being Program offered by one of our partners, we may receive basic information from that partner to facilitate your access. If we receive your personal information from third parties, we will protect it in accordance with this Privacy Policy.

Table: Our Data Processing Activities

To ensure maximum transparency, this table summarises the categories of personal information we process, the purposes for which we process it, and the legal basis for that processing under the GDPR. This structure is designed to fulfil the information requirements of GDPR Articles 13 and 14 and the Australian Privacy Act's principles of open and transparent management of personal information. It provides a clear, at-a-glance summary that connects the data we collect to its purpose and legal justification, which is a cornerstone of modern privacy law.

Categories of Personal Information

  • Identity & Contact Data

    • Examples: Name, email address, phone number, date of birth, and address.

    • Purpose of Processing: To create and manage your account, to process your product or service orders, to provide customer support and communicate with you about your account.

    • Legal Basis (under GDPR): Performance of a contract with you (Article 6(1)(b)).

  • Special Category: Health & Biometric Data

    • Examples: Instant Health Check results (e.g., blood pressure, heart rate), self-reported well-being data, and data from connected wearables.

    • Purpose of Processing: To provide the core functionality of the Application, including health and well-being insights, tracking progress, and generating your longevity score.

    • Legal Basis (under GDPR): Explicit Consent (Article 9(2)(a)).

  • Technical & Usage Data

    • Examples: Mobile device unique ID, IP address, operating system, app interaction data, cookies, and log files.

    • Purpose of Processing: To ensure the security, stability, and proper functioning of our Services; to analyse usage patterns to improve our products and services; to diagnose technical problems.

    • Legal Basis (under GDPR): Legitimate Interest (to improve, maintain, and secure our Services) (Article 6(1)(f)).

  • Location Data

    • Examples: GPS coordinates collected via your mobile device.

    • Purpose of Processing: To provide location-based features, such as determining the city you are in and displaying a location map with relevant advertisements.

    • Legal Basis (under GDPR): Consent (Article 6(1)(a)).

  • Financial Data

    • Examples: Credit card details, payment information.

    • Purpose of Processing: To process payments for subscription services or other purchases you make.

    • Legal Basis (under GDPR): Performance of a contract with you (Article 6(1)(b)).

  • Marketing & Communications Data

    • Examples: Your email preferences, responses to surveys and promotions.

    • Purpose of Processing: To send you information about new products, services, and opportunities that may be of interest to you.

    • Legal Basis (under GDPR): Consent (for direct electronic marketing) or Legitimate Interest (for marketing to existing customers, with an opt-out) (Article 6(1)(a), 6(1)(f)).



3. How We Use Your Personal Information

This section provides a more detailed explanation of the purposes for processing outlined in the table above.

  • To Provide, Personalise, and Maintain the Services: We use your information to operate and deliver the core features of the UAre Application. This includes creating and managing your account, processing your Instant Health Check data to generate insights, tracking your progress, and providing you with customer support.

  • To Improve Our Services: We analyse user data to better understand your needs and improve our products and services. This is primarily done using aggregated and de-identified data, which allows us to conduct research and analysis on user trends without identifying individuals. This helps us enhance the functionality, usability, and effectiveness of the Application.

  • To Communicate With You: We may use your contact information to send you important service-related communications, such as updates to our terms, security alerts, and administrative messages. We may also, with your consent or where otherwise permitted by law, contact you by telephone, email, SMS, or mail with marketing communications about new products, services, and opportunities available to you. In compliance with the Australian Privacy Act (APP 7) and the GDPR, all marketing communications will include a simple and clear method for you to opt-out of receiving future messages.

  • To Ensure Safety and Security: We use technical and usage data to protect the copyright, trademarks, legal rights, property, and safety of UAre, our Services, our customers, and third parties. This includes monitoring for and preventing fraudulent or malicious activity and ensuring compliance with our Terms of Use.

  • To Comply with Legal Obligations: We may need to use and disclose your personal information to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, or a request from a law enforcement agency.



4. Legal Basis for Processing (GDPR)

For our users in the EEA, UK, and Switzerland, we only collect and process your personal data when we have a lawful basis under the GDPR to do so. Our legal bases are as follows:

  • Performance of a Contract (Article 6(1)(b)): Much of our processing of your personal data is necessary to provide the Services you have requested and to fulfil our obligations under our Terms of Use. This includes creating your account, processing your subscription payments, and providing customer support.

  • Legitimate Interests (Article 6(1)(f)): We process some of your data for our legitimate business interests, such as for improving, personalising, and securing our Services, and for analytics. We only rely on this basis when we have determined that our interests are not overridden by your rights and freedoms.

  • Consent (Article 6(1)(a)): For certain processing activities, we rely on your consent. This includes sending you direct marketing communications, using non-essential cookies, and collecting your precise geo-location data.

  • Explicit Consent for Special Category Data (Article 9(2)(a)): This is the most critical legal basis for UAre's core services. The health and biometric data generated by the "Instant Health Check" and other well-being information you provide is classified as "special category data" under GDPR Article 9. The processing of such data is prohibited unless a specific exception applies. The exception we rely upon is your explicit consent.

  • The mechanism for obtaining this consent is a direct implementation of the high legal standard required for health data. Before you use the "Instant Health Check" for the first time, we present you with a dedicated privacy and consent screen. This screen explains what data will be processed and why, and requires you to take a clear, affirmative action—actively ticking a checkbox—to provide your consent. This process ensures your consent is specific, informed, unambiguous, and separate from other terms or consents, thereby meeting the definition of "explicit consent".

  • You have the right to withdraw this consent at any time through the "Settings" menu in the Application. Withdrawing your consent is straightforward and will not affect the lawfulness of any processing that occurred before your withdrawal. However, please note that if you withdraw your consent, you will no longer be able to use features that require the processing of your health and biometric data, such as the "Instant Health Check".



5. Data Sharing and Disclosure

We may disclose your personal information to the following categories of third parties only for the purposes described in this policy.

5.1 Service Providers (Sub-processors)

We may share your personal information with our employees, officers, insurers, professional advisers, agents, suppliers, or subcontractors insofar as reasonably necessary for the purposes set out in this policy. This includes third-party vendors and service providers who perform functions on our behalf, such as cloud hosting providers (e.g., for data storage), payment processors, communication suppliers, and information technology suppliers. We maintain data processing agreements with these third parties, as required by GDPR, to ensure they protect your information and only use it to provide services to us. A list of our key sub-processors is available upon request.

5.2 UAre Employer and Partner Programs

The data sharing model for our employer and partner programs is designed with your privacy as the central consideration. The distinction between these programs is critical.

  • Employer Programs: If you access UAre through a well-being program offered by your employer, your privacy is paramount. Your employer will only receive access to anonymised and aggregated group data. This data is used to help them understand the overall well-being needs of their team and make better investments in employee well-being. Your personal well-being data, results, and individual usage information are not shared with your employer, and they cannot identify you individually from the group data we provide, unless a disclosure is required by law. This strict separation is a critical risk mitigation feature, preventing the use of sensitive health data in an employment context.

  • Partner Programs: If you join UAre through a program with one of our partners (such as an insurance, financial services, or health provider), that partner will, by default, only have access to the same anonymised and aggregated group data to improve their services for all customers. However, these programs may offer you an additional, optional benefit. You will be presented with a clear and separate choice to consent to the sharing of your personal well-being data with that specific partner. This may enable you to receive benefits like better pricing or more personalised services. Before providing your consent, you will be informed what data may be shared to access potential benefits. We will only share your personal data in this manner if you provide this specific, opt-in consent. Refusing to provide this consent will not prevent you from using the UAre Services provided through the partner program. This ensures that your consent is truly voluntary and freely given, as required by the GDPR.

5.3 Legal Requirements and Protection of Rights

We may disclose your personal information if we believe in good faith that it is necessary to:

  • Comply with a legal obligation, such as a law, regulation, court order, subpoena, or warrant.

  • Respond to a valid request from a law enforcement agency.

  • Protect the copyright, trademarks, legal rights, property, or safety of UAre, our customers, or third parties.

5.4 Business Transfers

If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer our user databases, including personal and non-personal information, to the extent permissible by law. This information may be disclosed to a potential purchaser under a confidentiality agreement. We would seek to only disclose information in good faith and where required by any of the above circumstances.



6. Data Storage, Sovereignty, and International Transfers

6.1 Our Commitment to Data Sovereignty and Local Storage

UAre is committed to processing and storing your personal information, particularly your sensitive health information, in a manner that respects your privacy and complies with your jurisdiction's data sovereignty, data residence, and data localisation laws. To meet these legal obligations and to provide the best and most secure service possible, we have adopted a policy of storing your personal health information in a data centre located within your country or region of residence.

This approach ensures that local data protection laws protect your data and minimises cross-border transfers. The following sections provide specific details on where your data is stored based on your location.

6.2 Primary Data Storage Locations

To ensure compliance with specific legal mandates and best practices, we store personal health information as follows:

  • For users in the European Economic Area (EEA) and the United Kingdom (UK): Your personal health information is stored on servers located exclusively within the European Economic Area. This practice ensures compliance with the General Data Protection Regulation (GDPR) and specific national laws, such as those in France and Germany that mandate in-region storage for health data.

  • For users in the United States: Your personal health information is stored on servers located exclusively within the United States. This ensures compliance with federal privacy and security standards under HIPAA and specific state laws, including those in Texas and Florida that mandate health records be physically maintained within the U.S.

  • For users in Canada: Your personal health information is stored on servers located exclusively within Canada. This aligns with the accountability principles of federal law (PIPEDA) and the data sovereignty expectations of provincial health privacy legislation.

  • For users in Australia: Your personal health information is stored on servers located exclusively within Australia. This practice ensures we meet our accountability obligations under the Australian Privacy Principles (APPs) for the secure handling of your sensitive information.

  • For users in New Zealand: Your personal health information is stored on servers located exclusively within Australia. This ensures we meet our obligations under New Zealand's Privacy Act 2020 and the Health Information Privacy Code 2020 for secure handling of sensitive information.

  • For users in other regions: If you reside outside the jurisdictions listed above, your personal information will be stored in one of our primary regional data centres (located in Australia, the United States or the European Economic Area). All such storage and necessary data transfers are protected by the highest data protection standards, including implementing legal safeguards equivalent to those required by the GDPR.

6.3 Limited International Data Transfers

Our primary strategy is to store your personal health information locally. We will only transfer your personal health information outside of its primary storage region in limited and necessary circumstances, such as:

  • When required to provide you with customer support or technical assistance, which our global support teams may render.

  • When you use our Services while travelling outside of your home region.

  • When we use secure third-party service providers located in other countries for functions that do not involve the hosting of your primary health data, such as for payment processing or communications.

Where your personal information is transferred internationally, we will ensure it receives adequate protection through legally recognised mechanisms, such as implementing Standard Contractual Clauses (or their equivalent in jurisdictions like the UK) and robust supplementary security measures. We conduct thorough due diligence on all third-party service providers to ensure they meet our stringent privacy and security standards.

6.4 Acknowledgment of Indigenous Data Sovereignty

UAre acknowledges the principles of Indigenous Data Sovereignty, which recognise the rights of Indigenous Peoples to govern the collection, ownership, and use of their data. We are committed to the respectful, ethical, and responsible stewardship of data from all our users.



7. Your Data Protection Rights

You have certain rights regarding the personal information we hold about you. We are committed to facilitating the exercise of these rights. The table below provides a summary of your rights under the different legal frameworks that may apply to you.

Table: Your Rights Over Your Personal Information

This table is designed to demystify your rights across complex legal frameworks, allowing you to quickly understand your specific entitlements. This transparency is a key goal of all three regulations and builds trust by making it easier for you to exercise your rights.

  • Right to Access

    • Privacy Act (Australia): You have the right to request access to the personal information we hold about you (APP 12).

    • GDPR (EEA/UK): You have the right to obtain a copy of your personal data and detailed information about how it is processed (Article 15).

    • HIPAA (USA - for PHI only): You have the right to inspect and obtain a copy of your PHI that is maintained in a "designated record set" (45 CFR § 164.524).

  • Right to Correct / Rectify

    • Privacy Act (Australia): You have the right to request the correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading (APP 13).

    • GDPR (EEA/UK): You have the right to have inaccurate personal data rectified without undue delay (Article 16).

    • HIPAA (USA - for PHI only): You have the right to request an amendment to your PHI if you believe it is incorrect or incomplete (45 CFR § 164.526).

  • Right to Delete / Erase

    • Privacy Act (Australia): You can request that we destroy or de-identify information that we are no longer required by law to hold.

    • GDPR (EEA/UK): You have the "right to be forgotten" and can request the erasure of your personal data in certain circumstances, such as when it is no longer necessary for the purpose it was collected (Article 17).

    • HIPAA (USA - for PHI only): This is not a direct right under HIPAA. Deletion is subject to the Covered Entity's legal record-keeping obligations.

  • Right to Withdraw Consent

    • Privacy Act (Australia): Where we rely on your consent for processing, you can withdraw it at any time.

    • GDPR (EEA/UK): You have the right to withdraw your consent at any time. This is particularly relevant for our processing of your health data based on your explicit consent.

    • HIPAA (USA - for PHI only): You can revoke a prior authorisation in writing, but this does not apply to actions already taken in reliance on it.

  • Right to Object / Restrict Processing

    • Privacy Act (Australia): You have the right to opt out of receiving direct marketing communications (APP 7).

    • GDPR (EEA/UK): You have the right to object to processing based on our legitimate interests and for direct marketing purposes (Article 21). You also have the right to request the restriction of processing in certain situations (Article 18).

    • HIPAA (USA - for PHI only): You have the right to request restrictions on certain uses and disclosures of your PHI (45 CFR § 164.522), though the Covered Entity is not always required to agree.

  • Right to Data Portability

    • Privacy Act (Australia): This right is not explicitly provided under the Privacy Act.

    • GDPR (EEA/UK): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller (Article 20).

    • HIPAA (USA - for PHI only): This is not a direct right, but you can request that a copy of your PHI be transmitted directly to another person or entity designated by you.



How to Exercise Your Rights

To exercise any of these rights, please submit a request to our Data Protection Officer at privacy@uare.app. We will respond to your request within the timeframes required by applicable law. Before we can process your request, we may need to verify your identity to protect your information. Access to your personal information is generally free of charge, in line with GDPR requirements; the previous policy's mention of a potential administrative fee is no longer applicable.



8. Data Security and Retention

8.1 Our Security Measures

We are committed to ensuring that the information you provide to us is secure. We have implemented a comprehensive security program with suitable administrative, physical, and technical safeguards to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security framework is aligned with the best practices and requirements of regulations like the HIPAA Security Rule.

  • Technical Safeguards: We employ a range of technologies to protect your data. This includes encryption of personal information both in transit (using protocols like TLS) and at rest. We enforce access controls, requiring unique user identification for access to systems containing personal data, and utilize multi-factor authentication for sensitive systems.

  • Privacy by Design - On-Device Processing: A core component of our security and privacy strategy is the on-device processing for the "Instant Health Check." The facial video scan is analysed locally on your device in real-time. The raw video image is never transmitted to our servers or stored by us. This "privacy by design" approach significantly minimises the risk associated with this sensitive biometric data, as the most sensitive part of the data never leaves your personal device.

  • Administrative Safeguards: We maintain internal data protection policies and procedures, conduct regular staff training on privacy and security obligations, and have a documented incident response plan to manage any potential security breaches.

  • Physical Safeguards: We implement physical security measures to protect our facilities and the cloud-based servers where your data is stored, restricting physical access to authorised personnel only.

While we take these robust measures, it is important to acknowledge that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

8.2 Data Breach Notification

In the unfortunate event of a data breach, we will act promptly to mitigate the harm and notify the relevant parties in accordance with our legal obligations.

  • Australia: If we experience an "eligible data breach" that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches (NDB) scheme.

  • EEA/UK: For breaches affecting residents of the EEA or UK, we will notify the relevant data protection authority within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also communicate the breach to the affected individuals without undue delay.

  • United States (HIPAA): For any breach of unsecured PHI that we handle as a Business Associate, we will comply with the HIPAA Breach Notification Rule, which includes notifying the Covered Entity and providing necessary cooperation.

8.3 Data Retention

We retain your personal information only for as long as is necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. The retention period for different categories of data may vary. When you delete your account or when we no longer need your information for the stated purposes, we will take reasonable steps to securely delete or de-identify it.



9. Children's Privacy

Our Services are intended for a general audience. As stated in our Terms of Use, individuals under the age of 18 may only use the Application with the consent and supervision of a legal guardian.

  • GDPR Age of Consent: The GDPR sets a specific digital age of consent for "information society services" like UAre. The default age is 16, although individual EU member states may lower this to a minimum of 13. If we rely on consent as our legal basis for processing the personal data of a child in the EEA or UK who is below the applicable age of consent, such processing is only lawful if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

  • Parental Consent Verification: In such cases, we will make reasonable efforts, taking available technology into consideration, to verify that the person providing consent holds parental responsibility for the child.



10. Specific Information for U.S. Users (HIPAA)

This section clarifies the specific applicability of the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to your information. It is critical to understand when HIPAA applies, as this is a common area of misconception for wellness applications.

10.1 When HIPAA Applies to Your Information

HIPAA is a U.S. federal law that protects a category of information known as "Protected Health Information" (PHI).

  • For the majority of our users who download and use the UAre Application for their own personal health and well-being purposes, the information you provide is not considered PHI and is not subject to HIPAA. This is because, in this direct-to-consumer context, UAre is not acting as a "Covered Entity" (such as a healthcare provider, health plan, or healthcare clearinghouse).

  • HIPAA does apply to your information in the specific circumstance where you use UAre as part of a workplace wellness program that is offered to you by your employer's group health plan or by another healthcare provider that is a "Covered Entity." In this formal, contractual context, UAre acts as a "Business Associate" to the Covered Entity. The health information we create, receive, maintain, or transmit on behalf of that Covered Entity is considered PHI and is protected by HIPAA. This distinction is the most important aspect of our HIPAA compliance framework, as it correctly scopes our legal liability and manages user expectations.

10.2 Our Obligations as a Business Associate

When we act as a Business Associate, we are legally required to enter into a formal "Business Associate Agreement" (BAA) with the Covered Entity. Under the terms of the BAA and HIPAA, we are obligated to:

  • Use and disclose your PHI only for the purposes permitted or required by the BAA and by law.

  • Implement the administrative, physical, and technical safeguards specified in the HIPAA Security Rule to protect the confidentiality, integrity, and availability of your electronic PHI (ePHI).

  • Report any use or disclosure of PHI not provided for by the BAA, including breaches of unsecured PHI, to the Covered Entity as required by the HIPAA Breach Notification Rule.

  • Ensure that any of our subcontractors that create, receive, maintain, or transmit PHI on our behalf agree to the same restrictions and conditions that apply to us.

10.3 Your HIPAA Rights

When your information is classified as PHI, you have specific rights under HIPAA, which are summarised in the table in Section 7. These rights are typically exercised by contacting the Covered Entity (e.g., your health plan or healthcare provider) directly, as they are the primary custodian of your designated record set.



11. Changes to This Privacy Policy

We may modify this Privacy Policy at any time, and all modifications will be effective upon our posting of the modifications on our website or providing notice through the Application. For any material changes, we will provide you with reasonable notice prior to the change becoming effective, for instance, via email or an in-app notification. We encourage you to check back from time to time to review our Privacy Policy.



12. Definitions

  • Personal Information: As defined in the Australian Privacy Act, this means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not.

  • Personal Data: As defined in the GDPR, this means any information relating to an identified or identifiable natural person ('data subject').

  • Special Category Data: As defined in GDPR Article 9, this is a specific category of sensitive personal data that requires a higher level of protection. It includes data concerning health, biometric data used for the purpose of uniquely identifying a natural person, and genetic data.

  • Protected Health Information (PHI): As defined under HIPAA, this is individually identifiable health information that is created, received, maintained, or transmitted by a Covered Entity or its Business Associate in the course of providing healthcare, payment, or operations.

  • Controller: The entity that determines the purposes and means of the processing of personal data (as defined under GDPR).

  • Processor: The entity that processes personal data on behalf of the controller (as defined under GDPR).

  • Covered Entity: A health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard (as defined under HIPAA).

  • Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (as defined under HIPAA).