Privacy Policy

This Privacy Policy explains how Regeniq Pty Ltd (ABN 41 694 432 865) ("Regeniq", "we", "us", "our") collects, holds, uses, discloses and protects personal information and sensitive information (including health information).

This Policy has been prepared in accordance with the Privacy Act 1988 (Cth) (the "Privacy Act"), the Australian Privacy Principles ("APPs"), the Privacy and Other Legislation Amendment Act 2024 (Cth), the Health Records Act 2001 (Vic), the Health Records and Information Privacy Act 2002 (NSW), applicable state and territory health records legislation, the Spam Act 2003 (Cth), the My Health Records Act 2012 (Cth) (where applicable), the Security of Critical Infrastructure Act 2018 (Cth) (where applicable), and relevant AHPRA codes of conduct and telehealth guidelines.

Regeniq is a private sector health service provider. Regardless of our annual turnover, we are covered by the Privacy Act because we provide a health service within the meaning of section 6FB of the Privacy Act.

Eligibility: Regeniq's telehealth consultation services are available only to individuals aged 18 years and over. We do not knowingly collect personal information or health information from individuals under 18. See Section 20 (Adults-Only Service) for details.

By using our website (regeniq.au), engaging with our telehealth consultation services, or providing your personal information to us, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy should be read alongside our Terms of Service, Refund Policy, and Shipping & Delivery Policy, which together govern your use of Regeniq's website and services.

1. About This Policy (APP 1)

This Privacy Policy sets out the types of personal information and sensitive information we collect, how we collect and hold that information, the purposes for which we use it, the circumstances in which we may disclose it, and how you can access, correct or make a complaint about the handling of your information.

Regeniq takes reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs, any registered APP code that binds us, and to enable us to deal with enquiries or complaints about our handling of personal information.

This Policy applies to patients, prospective patients, and website visitors. Our handling of employee, contractor and practitioner personal information is governed by separate internal privacy arrangements, except to the extent that those individuals are also users of our services.

2. Definitions

In this Policy:

• Personal information has the meaning given in section 6 of the Privacy Act: information or an opinion about an identified individual, or an individual who is reasonably identifiable.
• Sensitive information includes health information, genetic information, biometric information, racial or ethnic origin, and other categories listed in section 6 of the Privacy Act.
• Health information has the meaning given in section 6FA of the Privacy Act: information about an individual's health, disability or health service use, and includes genetic information that could be predictive of an individual's health.
• APP / APPs means the Australian Privacy Principles set out in Schedule 1 to the Privacy Act.
• OAIC means the Office of the Australian Information Commissioner.
• AHPRA means the Australian Health Practitioner Regulation Agency.
• RTPM means Real-Time Prescription Monitoring.

3. Types of Information We Collect (APP 3)

3.1 Personal Information

We may collect the following categories of personal information:

• Full name, date of birth, gender and residential address
• Email address, mobile phone number and other contact details
• Emergency contact details
• Government-related identifiers (Medicare number, DVA number, Individual Healthcare Identifier) where required for your care, see Section 14
• Payment and billing information (processed securely via Stripe; we do not store full credit card numbers)
• Registration data including date and time of registration, source URL, consent records and referral source
• Technical information including IP address, browser type, device information, cookies and website analytics data
• Communication records including emails, chat messages and telephone call records

3.2 Sensitive Information (Including Health Information)

Under the Privacy Act, health information is a subset of "sensitive information" and receives enhanced protections. We collect sensitive information only with your express, informed consent and only where it is reasonably necessary for our functions or activities. The types of sensitive information we may collect include:

• Medical history, current medications, allergies and existing conditions
• Consultation notes, clinical assessments and treatment plans
• Diagnostic results including pathology reports, blood test results, hormonal panels, inflammatory markers and metabolic indicators
• Prescription records and dispensing history
• Eligibility and screening questionnaire responses
• Referral correspondence and reports from other treating practitioners
• Records of informed consent for examinations, treatments and services
• Where relevant to the clinical service, limited genetic and biometric information as defined in the Privacy Act

3.3 Telehealth Consultations Are Not Recorded

Regeniq does not record video or audio of telehealth consultations. Practitioners document the consultation only through contemporaneous clinical notes stored in our practice management system. If this practice ever changes, we will update this Policy and obtain your separate express consent before any recording occurs.

3.4 Required vs Optional Collection

Some information we collect is required to provide our services safely and effectively. Other information is optional. We will tell you at the point of collection whether providing particular information is required or optional.

Required information includes your name, date of birth, contact details, medical history and health information necessary for your clinical assessment. If you do not provide required information, we may be unable to provide our telehealth consultation services to you, process your membership, or fulfil our duty of care obligations.

Optional information includes marketing preferences, referral source data and feedback. Choosing not to provide optional information will not affect your access to clinical services.

4. How We Collect Information (APP 3, APP 5)

We collect personal information and sensitive information by lawful and fair means, and directly from you wherever reasonably practicable. Collection methods include:

• Our website registration and eligibility screening forms
• Telehealth consultations (video and telephone) conducted by AHPRA-registered practitioners
• Secure online patient intake forms administered through our practice management system (Halaxy)
• Email, telephone and SMS communications with our team
• Third-party pathology and diagnostic laboratories (with your consent or as required for your ongoing care)
• Referrals from other treating health practitioners (with your consent)
• Cookies and website analytics tools (see Section 16)

At or before the time of collection (or as soon as practicable afterwards), we will take reasonable steps to notify you of the matters required under APP 5, including the purpose of collection, the entities to which we usually disclose information, and how to access our Privacy Policy.

5. How We Handle Sensitive Information

We recognise the enhanced protections that apply to sensitive information under the Privacy Act. The following safeguards apply specifically to health information and other sensitive information we hold.

5.1 Collection

• We collect sensitive information only with your express consent, or where required or authorised by law (for example, mandatory reporting obligations)
• We collect only the minimum sensitive information reasonably necessary to provide safe, effective clinical care
• Consent is obtained through clear, plain-language consent forms presented before or during the consultation process, and recorded in our consent register

5.2 Storage Safeguards

• Health information is stored in our practice management system (Halaxy), which maintains encryption at rest and in transit, role-based access controls, and audit logging
• Electronic records are protected by multi-factor authentication, firewalls, intrusion detection and regular security patching
• Access to health information is restricted to the treating practitioner and authorised clinical and administrative staff on a need-to-know basis
• We conduct periodic access reviews and security audits
• Where hard-copy records are created (which is not our standard practice), they are stored in locked, access-controlled facilities

5.3 Retention Schedule

We retain personal information only as long as necessary for the purpose for which it was collected or as required by law. The following retention periods apply:

These retention periods align with the Health Records Act 2001 (Vic), the HRIP Act 2002 (NSW), and best-practice guidance from the Australian Medical Association, AHPRA, and the RACGP.

5.4 De-identification

Where we use health information for purposes other than your direct clinical care (such as internal quality improvement, service evaluation or aggregate reporting), we de-identify or pseudonymise the information so that you are not reasonably identifiable. De-identification is performed in accordance with the OAIC's guide to de-identification and re-identification.

We do not sell, trade or rent your identifiable health information to any third party for any purpose.

5.5 My Health Record

If you have a My Health Record, we will not upload clinical information to your My Health Record without first obtaining your informed consent. You may opt out of having information uploaded at any time. We comply with the My Health Records Act 2012 (Cth) and the associated My Health Records Rule 2016 where applicable.

5.6 Sharing with Your GP or Other Practitioners

We will not share your health information with your general practitioner, specialist or other health practitioners unless you provide informed consent, or unless disclosure is required by law or necessary to prevent a serious threat to life, health or safety. You may authorise standing (ongoing) sharing with your nominated GP via our patient intake forms, and may withdraw that authorisation at any time.

6. Use of Artificial Intelligence and Automated Decision-Making

Regeniq may use software tools, including tools that incorporate artificial intelligence ("AI"), to support administrative functions, content generation and service improvement. The following commitments apply:

• No clinical decisions by AI: All clinical decisions, including diagnosis, prescribing and treatment planning, are made by AHPRA-registered practitioners exercising independent clinical judgment. AI tools are not used to make or substantially contribute to clinical decisions about your care.
• No identifiable data for model training: Your identifiable personal information and health information will not be used to train, fine-tune or improve any AI or machine learning model without your separate, express written consent.
• De-identified data: We may use de-identified, aggregate data for internal analytics, service improvement or research purposes. This data cannot reasonably identify you.
• Consent and withdrawal: If we ever seek to use your identifiable information for AI-related purposes, we will obtain your separate, informed consent. You may withdraw that consent at any time by contacting privacy@regeniq.au, and we will cease using your identifiable information for that purpose going forward.
• Documented consent: Any consent obtained for AI-related use of your data will be recorded and maintained in our consent register.
• Automated decision-making disclosure (effective 10 December 2026): In anticipation of the transparency obligations introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth), Regeniq confirms that we do not currently use computer programs to make, or to substantially and directly contribute to making, decisions that could reasonably be expected to significantly affect an individual's rights or interests. Should this change, we will update this Policy before commencing any such use and notify registered users.

7. Purpose of Collection and Use (APP 6)

We collect and use your personal information and sensitive information for the following purposes:

• Providing telehealth consultation services, including clinical assessments, diagnosis, treatment planning and prescribing by AHPRA-registered practitioners
• Verifying your identity (see Section 9)
• Processing membership subscriptions and payments
• Managing appointment scheduling, reminders and follow-up communications
• Coordinating with compounding pharmacies, pathology laboratories and other health service providers involved in your care
• Complying with legal and regulatory obligations including AHPRA registration requirements, TGA regulations, Real-Time Prescription Monitoring (RTPM), electronic prescribing obligations, and state-based health records legislation
• Maintaining clinical records as required by law and professional standards
• Internal quality improvement, service evaluation and clinical governance
• Communicating with you about service updates, appointment availability and membership information
• Responding to your enquiries and complaints
• Protecting against fraud, unauthorised access and misuse of our services

We will only use or disclose your personal information for the primary purpose for which it was collected, or for a directly related secondary purpose that you would reasonably expect, unless we have your consent or are required or authorised by law.

8. Disclosure of Information (APP 6, APP 8)

8.1 Domestic Disclosure

We may disclose your personal information and health information to the following categories of recipients, as necessary and in accordance with the APPs:

• AHPRA-registered practitioners engaged by Regeniq to provide your clinical care
• Accredited pathology and diagnostic laboratories for the purpose of processing your diagnostic tests
• TGA-licensed compounding pharmacies for the purpose of dispensing prescribed medications
• Your nominated general practitioner or other treating health practitioners (with your consent, or as required by law)
• Our practice management system provider (Halaxy) and technology service providers who assist with secure data storage and clinical infrastructure
• Payment processors (Stripe) for subscription and transaction processing
• Communication service providers (for appointment reminders and service notifications)
• Professional indemnity insurers and legal advisors (in connection with claims or legal proceedings)
• Government agencies, regulators or law enforcement bodies where required or authorised by Australian law, court order or regulatory obligation

All third-party service providers who receive personal information are bound by contractual confidentiality obligations and are required to handle information in accordance with the APPs.

8.2 Cross-Border Disclosure (APP 8)

Our primary data storage is within Australia. Some of our technology service providers may process or store data in overseas jurisdictions. As at the date of this Policy, the countries in which overseas recipients are likely to be located include:

• United States of America: cloud infrastructure providers (Vercel, Supabase) and payment processing (Stripe)
• United States of America (Meta Platforms Inc.): hashed contact information for advertising attribution via the Meta Pixel (browser-side) and the Meta Conversions API (server-side), where Marketing consent has been granted. See Section 16.1 for the full list of identifiers transmitted and Section 16.2 for the consent mechanism. Health information, screening responses, program selection and clinical context are excluded from this disclosure.

Before disclosing personal information to an overseas recipient, we take the following reasonable steps to ensure the recipient does not breach the APPs in relation to that information:

• We enter into written data processing agreements with overseas recipients that require compliance with the APPs
• We select providers who maintain recognised security certifications (SOC 2 Type II, ISO 27001 or equivalent)
• We limit the categories of personal information disclosed to what is strictly necessary for the service
• We conduct transfer impact assessments for material overseas disclosures of health information

Where we cannot reasonably ensure compliance with the APPs, we will obtain your express consent to the disclosure under APP 8.2(b) after expressly informing you that APP 8.1 will not apply. We will update this section if the countries to which we are likely to disclose personal information change.

9. Identity Verification and Access Controls

Identity verification is a critical safeguard in telehealth, both for patient safety (including prescribing integrity and RTPM compliance) and for the protection of personal information.

9.1 Patient Identity Verification

We verify your identity using the following methods:

• Government-issued photo identification (such as a driver licence or passport) presented during the video consultation or uploaded securely via our intake process
• Matching identifying details (name, date of birth, address) against information provided during registration
• In accordance with AHPRA telehealth guidelines, the consulting practitioner will confirm your identity at the commencement of each consultation

9.2 Access Request Authentication

If you request access to, or correction of, your personal information or health records, we will verify your identity before processing the request. This may include:

• Confirming your identity against the information we hold on file
• Requesting government-issued photo identification
• Contacting you via the email address or phone number registered to your account

These measures protect you against unauthorised access to your health information.

10. Access to and Correction of Your Information (APP 12, APP 13)

10.1 Access

You have the right to request access to the personal information and health information we hold about you. To make an access request, contact us at privacy@regeniq.au or in writing to the address set out in Section 23.

We will respond to your request within 30 days. We will provide access in the manner you request where it is reasonable and practicable to do so. There is no charge for making an access request, but we may charge a reasonable fee for providing copies of records (for example, printing or postage costs). We will inform you of any fee before incurring it.

In limited circumstances, we may refuse access in whole or in part. These circumstances include where:

• Providing access would pose an imminent threat to the life, health or safety of any individual
• Providing access would have an unreasonable impact on the privacy of other individuals
• The request is frivolous or vexatious
• Access is required to be refused by law or court order
• Providing access would prejudice enforcement-related activities

If we refuse access, we will provide you with written reasons for the refusal and information about how you may complain.

10.2 Correction

You have the right to request that we correct personal information or health information we hold about you if it is inaccurate, out of date, incomplete, irrelevant or misleading. Contact us at privacy@regeniq.au to request a correction.

We will respond within 30 days. If we correct information that we have previously disclosed to another entity, we will take reasonable steps to notify that entity of the correction (unless it is impracticable or unlawful to do so). If we refuse to correct information, we will provide you with written reasons and information about how to complain. You may also request that a statement of the correction sought be associated with the information.

10.3 Transfer to Another Practitioner

If you wish to transfer your clinical records to another treating practitioner, we will provide a copy of the records (or a clinical summary where appropriate) on receipt of your signed authorisation, consistent with AHPRA continuity-of-care obligations.

11. Data Security (APP 11)

We take reasonable steps to protect your personal information and health information from misuse, interference, loss, unauthorised access, modification or disclosure. Our security measures include:

• Encryption of data at rest and in transit (TLS/SSL across all services)
• Multi-factor authentication for staff access to clinical and administrative systems
• Role-based access controls ensuring staff can only access information necessary for their role
• Regular security monitoring, vulnerability assessments and software patching
• Secure, access-controlled data centres with industry-standard physical security
• Staff training on privacy obligations, data handling and information security
• Contractual obligations on third-party service providers to maintain appropriate security measures
• Supabase Row Level Security (RLS) policies on all database tables
• Stripe hosted checkout for payment processing, ensuring Regeniq has zero PCI scope for credit card data

When personal information or health information is no longer needed for the purpose for which it was collected and we are not required by law to retain it, we will take reasonable steps to destroy or permanently de-identify the information.

To the extent the Security of Critical Infrastructure Act 2018 (Cth) applies to our operations as a responsible entity for a critical healthcare asset, we maintain a risk management program and comply with reporting obligations to the relevant Commonwealth regulator.

12. Data Breaches and the Notifiable Data Breaches Scheme

Regeniq is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. We maintain a data breach response plan that includes the following:

• Detection and containment: We take immediate steps to contain any suspected data breach and limit potential harm.
• Assessment: We promptly assess whether the breach is likely to result in serious harm to any affected individual. This assessment will be completed as soon as practicable, and in any event within 30 days of becoming aware of the breach.
• Notification: If we determine that an eligible data breach has occurred (i.e. it is likely to result in serious harm and we have been unable to prevent the likely risk of harm through remedial action), we will:
  • Notify the Office of the Australian Information Commissioner (OAIC) using the official NDB notification form
  • Notify all individuals whose personal information is involved in the breach and who are at risk of serious harm
  • Include in the notification: the identity and contact details of Regeniq, a description of the breach, the types of information involved, and recommended steps individuals should take in response
• Record keeping: We maintain records of all data breach incidents and our response actions for at least 7 years.
• Post-breach review: Following any breach, we investigate the cause and implement measures to prevent recurrence.

Given that the health sector consistently reports the highest number of data breaches in Australia, we treat data breach prevention and response as a critical priority.

13. Anonymity and Pseudonymity (APP 2)

You have the option of interacting with us anonymously or using a pseudonym where it is lawful and practicable to do so. For example, you may browse our website anonymously, or make a general enquiry without identifying yourself.

However, it is impracticable for us to provide telehealth consultation services, process memberships, or manage clinical records on an anonymous or pseudonymous basis. We are required by law to verify patient identity for prescribing, RTPM compliance, and clinical record-keeping purposes.

14. Government Related Identifiers (APP 9)

We may collect and use government related identifiers, including your Medicare number, Department of Veterans' Affairs (DVA) number, and Individual Healthcare Identifier (IHI), solely where collection is reasonably necessary for us to provide our health service to you, or where required or authorised by law.

In accordance with APP 9:

• We do not adopt a government related identifier as our primary internal identifier for you; we use our own internal patient identifier
• We use or disclose government related identifiers only for purposes permitted under APP 9 (for example, verifying your identity with Services Australia, claiming Medicare benefits, or as required by health or prescribing legislation)
• We apply additional access controls to systems that store government related identifiers

15. Healthcare-Specific Regulatory Compliance

As a telehealth provider, Regeniq operates within multiple overlapping regulatory frameworks. Our privacy practices are designed to comply with:

• Privacy Act 1988 (Cth) and the APPs: our primary privacy obligations as a health service provider
• Privacy and Other Legislation Amendment Act 2024 (Cth): including the new statutory tort for serious invasions of privacy
• Health Records Act 2001 (Vic) and Health Records and Information Privacy Act 2002 (NSW): we apply the strictest state-based health records requirements to all patients regardless of their state of residence
• My Health Records Act 2012 (Cth) where applicable (see Section 5.5)
• AHPRA codes of conduct: our practitioners comply with the relevant National Board codes of conduct, which include obligations regarding health record management, confidentiality and informed consent
• Medical Board of Australia telehealth guidelines: including requirements for identity verification, informed consent, clinical record keeping, RTPM compliance and prescribing in both the practitioner's and patient's jurisdiction
• Therapeutic Goods Administration (TGA) requirements: compliance with advertising and prescribing obligations for therapeutic goods, including compounded medicines
• State and territory real-time prescription monitoring (RTPM) legislation: our practitioners check RTPM databases as required by the laws of the patient's state or territory before prescribing monitored medicines
• Security of Critical Infrastructure Act 2018 (Cth) where applicable

15.1 Clinical Record Obligations

Our practitioners maintain contemporaneous clinical records for every consultation. Records include the date, time and mode of consultation (video or telephone), the identity of the practitioner and patient, clinical findings, diagnosis, treatment decisions, medications prescribed, informed consent obtained, and any referrals made. Records are maintained in accordance with AHPRA record-keeping guidelines and the RACGP Standards for General Practices (5th Edition).

16. Cookies, Tracking and Advertising Technologies

Our website uses cookies, browser pixels and equivalent server-side technologies to operate the site, measure performance and attribute advertising. We group these into three categories:

• Essential: required for the site to function. Includes session cookies, security cookies (such as cross-site request forgery tokens) and the cookie that records your consent decision itself (named regeniq_consent, 12 month expiry, first-party, same-site lax). Essential cookies are set without consent because the site cannot function without them.
• Analytics: first-party telemetry that helps us measure site performance and improve the experience. We currently use Google Tag Manager (which loads Google Analytics 4) and PostHog. Analytics data is aggregated and is never linked to your clinical record.
• Marketing: third-party advertising attribution. We use the Meta Pixel (browser-side) and the Meta Conversions API (server-side), both provided by Meta Platforms Inc. These technologies are described in sections 16.1 and 16.2 below.

The categories of information that may be collected by these tools include:

• Browser type and version
• Pages visited and time spent on pages
• Referring website addresses
• General location information (country and city level)
• Device type and screen resolution
• For Marketing only, hashed contact identifiers as listed in section 16.1

16.1 Meta Pixel and Meta Conversions API

We use two complementary Meta tracking channels. Both are subject to your Marketing consent decision in section 16.2 and are never loaded or fired before you grant consent.

Meta Pixel (browser-side). When Marketing consent is granted, our website injects Meta's Pixel script (fbevents.js). The Pixel records standard funnel events such as PageView, ViewContent and InitiateCheckout. ViewContent is restricted to a fixed allow-list of generic public pages (/pricing, /how-it-works, /clinics, /learn, /blog); pages that could imply a clinical interest (the eligibility wizard, the booking flow, condition pages and protocol pages) are excluded.

Meta Conversions API (server-side). When Marketing consent is granted, our backend also sends the same conversion events (Lead, CompleteRegistration, Schedule) directly to Meta from our server. Server-side transmission is more reliable than browser-only tracking and lets us match conversions even when ad blockers prevent the Pixel from loading. The information transmitted is identical to the Advanced Matching parameters described below; no additional health information is included.

Identifiers transmitted (hashed before leaving the page or server):

• email address
• phone number
• first name
• last name
• country (always au)
• an internal account or submission identifier (external_id) used for deduplication only

Email, phone, name and country are hashed using SHA-256 of the normalised value before transmission. The internal identifier is also SHA-256 hashed. Meta uses these hashes solely to match your activity to a Facebook or Instagram account for advertising attribution. We additionally transmit your IP address and user-agent string (which Meta auto-collects from any pixel request anyway), the_fbp first-party Pixel cookie and, where present, the _fbc click-attribution cookie.

Identifiers we never transmit to Meta: date of birth, gender, sex at birth, residential address, city, state, postcode, Medicare number, Individual Healthcare Identifier, health goals, program or protocol selection, condition names, screening questionnaire responses, medications, supplements, allergy details, pathology results, blood-test status, clinical notes, prescription records, treatment suitability outcomes, and pharmacy data.

Meta processes this data in the United States. Our cross-border disclosure obligations under APP 8.2 are addressed in section 8.2. You can review Meta's privacy practices at facebook.com/privacy/policy. You can opt out of interest-based advertising from Meta at facebook.com/adpreferences.

16.2 Your Choices

On your first visit to regeniq.au we present a cookie banner at the bottom of the page with three actions:

• Accept all: grants Analytics and Marketing consent immediately. The Meta Pixel script is loaded and Conversions API events become eligible to fire. Essential cookies are set regardless of this choice.
• Reject non-essential: Analytics and Marketing remain off. The Meta Pixel script is never loaded, no Pixel events are sent, and no Conversions API requests are issued for your session. Only essential cookies are set.
• Customise: opens a dialog with independent toggles for Analytics and Marketing. Essentials are non-toggleable and explained in the dialog.

Your decision is stored in two places: a small first-party cookie named regeniq_consent (12 month expiry, same-site lax, not flagged HttpOnly so the browser banner can read it) and your browser's localStorage under the key regeniq.consent.v1. The cookie is what our server checks when deciding whether to fire a Conversions API event.

You can change your decision at any time by clicking the Cookie preferences link in the website footer, which re-opens the same dialog. If you switch Marketing off, no further Pixel events are sent and no further Conversions API requests are issued from your subsequent activity. We do not automatically remove hashed identifiers already received by Meta; if you want them suppressed at Meta you can email privacy@regeniq.au and we will request deletion through Meta's data-deletion channel within 30 days.

Disabling Analytics or Marketing cookies will not prevent you from accessing our clinical services. We do not use cookies, the Meta Pixel or the Conversions API to collect health information.

Browser-level controls (such as private browsing mode, third-party cookie blocking, and the “Do Not Track” signal) operate independently of our consent banner. Where they conflict, the browser-level control takes effect for technologies it can block.

17. Marketing Communications (APP 7, Spam Act 2003)

We will only send you commercial electronic messages where you have consented to receive them, either expressly or via a relationship implied under the Spam Act 2003 (Cth). Marketing consent checkboxes are never pre-checked.

All marketing messages from Regeniq will:

• Clearly identify Regeniq as the sender and include accurate sender contact details
• Contain a functional unsubscribe facility that operates for at least 30 days from the date of sending
• Process unsubscribe requests within 5 business days

Marketing communications may include service launch announcements, consultation availability, health and wellness information, and membership updates. You may opt out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Replying "STOP" to any SMS message
• Contacting us at info@regeniq.au

Opting out of marketing communications will not affect service-related communications necessary for your care (such as appointment reminders and clinical follow-up).

18. Third-Party Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. We encourage you to review the privacy policies of any third-party website before providing personal information.

19. Accessibility and Language Support

Regeniq is committed to making our services and this Policy accessible. If you require this Policy in an alternative format (large print, plain text, translated) or require an interpreter for a consultation, contact info@regeniq.au and we will make reasonable arrangements.

20. Adults-Only Service

Regeniq provides telehealth services exclusively to individuals aged 18 years and over. Our intake and identity-verification processes are designed to confirm that every patient meets this age requirement. We do not knowingly collect personal information or health information from individuals under 18. Any enquiry or registration identified as coming from a person under 18 will not be processed, and any information inadvertently received will be deleted.

21. Complaints

If you believe we have breached your privacy or handled your personal information in a manner that does not comply with the APPs, you have the right to make a complaint.

21.1 How to Complain

To make a complaint, contact us at:

• Email: privacy@regeniq.au
• Subject line: "Privacy Complaint"

Please include as much detail as possible about your complaint, including the conduct you are concerned about and how you would like it resolved.

21.2 Our Complaint Process

• We will acknowledge your complaint within 7 business days
• We will investigate the matter thoroughly
• We will respond to your complaint within 30 days
• If the complaint is complex and requires additional time, we will notify you and provide an estimated timeframe

21.3 External Complaints

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au

Depending on your state or territory, you may also lodge a complaint with the relevant health complaints commissioner, such as the Health Care Complaints Commission (NSW), Health Complaints Commissioner (Vic), Office of the Health Ombudsman (Qld), or Health and Community Services Complaints Commissioner (SA).

We take all complaints seriously and will cooperate fully with any investigation by the OAIC or a relevant regulatory body.

22. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or regulatory guidance. The updated policy will be published on our website with a revised "Last updated" date and version number.

Where changes are material, we will take reasonable steps to notify registered users by email before the changes take effect. Your continued use of our services after the updated policy is published constitutes acceptance of the changes.

23. Contact Us

If you have any questions, concerns or requests regarding this Privacy Policy or how we handle your personal information, please contact us: