Privacy Policy
- Email: support@biolume.health
1. IMPORTANT INFORMATION AND WHO WE ARE
2. TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU
3. HOW IS YOUR PERSONAL DATA COLLECTED?
4. HOW WE USE YOUR PERSONAL DATA
5. DISCLOSURES OF YOUR PERSONAL DATA
6. INTERNATIONAL TRANSFERS
12. CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES
13. THIRD PARTY LINKS AND USER-GENERATED CONTENT DISCLAIMER
IMPORTANT INFORMATION AND WHO WE ARE
- This privacy policy gives you information about how we collect and use your personal data through your use of this Website, including personal information submitted when you provide property reviews, interact with our platform, or access related services.
- This Website is intended for individuals aged 18 years and older. We do not knowingly collect personal information from children under 18. If we become aware that personal information from a minor has been provided, we will take reasonable steps to delete it.
- If you have any questions about this privacy policy, including any requests to exercise your legal rights (section 9), please contact us using the information set out in the contact details section (section 10).
TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU
- Personal information refers to any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not, as defined under the Privacy Act 1988 (Cth).
- Categories of personal information collected
We may collect, use, store, and disclose various types of personal information, including but not limited to:
- Identity Information: Full name, date of birth, gender, and contact details.
- Health and Pathology Data: Pathology test results from accredited laboratories, historical health data, and any other medical information relevant to AI-based analysis.
- AI-Generated Insights: AI-derived health scores, risk assessments, and probability-based diagnostics, which do not constitute a medical diagnosis.
- Medical Escalation Data: Information reviewed by a licensed medical professional, including any recommendations provided following AI analysis.
- De-identified Data: Anonymised pathology data used for AI model training and research, ensuring no personally identifiable information is included.
- Technical Data: Internet protocol (IP) addresses, device identifiers, and interaction logs with the Company's AI system, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website.
- Usage information: Details about how you interact with our Website, including page views, navigation paths, and patterns of usage.
- Marketing and communication preferences: Your preferences in receiving marketing materials from us and your communication preferences.
- Aggregated data
We also collect, use, and share aggregated data, such as statistical or demographic data, for various purposes. Aggregated data may be derived from your personal information but is not considered personal information under the law, as it does not directly or indirectly reveal your identity. For example, we may aggregate your usage information to assess the effectiveness of our Website features.
- Sensitive Information
We do not actively collect sensitive information (such as information about your racial or ethnic origin, political opinions, religious beliefs, or sexual orientation) unless it is necessary for the provision of our Services and/or in carrying out our business functions and activities, and we have obtained your consent or are otherwise permitted by law to do so.
HOW IS YOUR PERSONAL DATA COLLECTED?
- Direct collection
We may collect personal information directly from you through the following methods:
- Communications: When you contact us directly through email, phone, postal mail, or by using forms provided on our Website.
- Subscription services: When you subscribe to newsletters, notifications, or other marketing materials we offer, subject to your preferences and consent.
- Pathology laboratory integration: Test results are transmitted securely from accredited pathology labs to the Company's AI system for processing.
- Direct User interactions: Users may submit personal information when booking pathology tests or accessing AI-generated reports.
- Medical practitioner communications: Personal information may be transmitted to licensed healthcare professionals when AI-generated insights require escalation.
- Automated AI processing: The AI system automatically generates risk assessments and probability-based insights, which are stored in encrypted environments.
- Explicit consent: Where legally required, Users will be asked to provide explicit consent before health data is collected, stored, or transferred.
- Third parties or publicly available sources
We may obtain personal information about you from authorised third-party sources, including:
- Analytics providers: Such as Google Analytics and other data analytics platforms that provide statistical and technical data about how our Website is accessed and used.
- Publicly available sources: Including publicly accessible records, social media platforms where data is shared publicly, and real estate databases, to the extent permitted by law.
- Consent-based collection
Where required by law, we will obtain your consent before collecting certain categories of personal information, including sensitive information such as identity verification documents (e.g., utility bills or government-issued identification).
- Lawful collection
We will only collect personal information where it is reasonably necessary for our business operations or where required by law. If personal information is collected from third-party sources, we will take reasonable steps to ensure its accuracy, completeness, and relevance, in accordance with the Privacy Act and APPs.
HOW WE USE YOUR PERSONAL DATA
- Legal bases for processing Personal Information
- We rely on one or more of the following legal bases for processing personal information:
- Performance of a Contract: The processing of personal information is necessary for the performance of a contract with you, including:
- Creating and managing User accounts and medical service subscriptions;
- Processing pathology test orders and AI-based analysis requests;
- Facilitating AI-generated health insights and referrals to medical professionals;
- Providing access to relevant services available on our platform.
- Legitimate interests: We process personal information where necessary for our legitimate business interests, provided that such processing does not override your fundamental rights and freedoms. Our legitimate interests include:
- Enhancing and personalising AI-driven health insights based on pathology test results;
- Improving the accuracy and reliability of AI-generated medical analysis through data-driven refinements;
- Ensuring system security, fraud detection, and cybersecurity protection for all processed health data;
- Conducting internal AI performance assessments, research, and service development;
- Communicating service updates, AI model improvements, and changes to health data processing methodologies.
- Legal Obligations: We process personal information to comply with statutory, regulatory, and legal requirements, including but not limited to:
- Compliance with Australian healthcare and privacy regulations, including obligations related to health data retention and security;
- Responding to requests from governmental, regulatory, and law enforcement bodies, including the Office of the Australian Information Commissioner (OAIC) and healthcare authorities.
- Consent: We process personal information based on your explicit consent for specific purposes, including:
- Providing AI-driven health insights and risk assessments based on pathology data;
- Sending marketing communications, newsletters, and promotional offers, where applicable;
- Conducting customer feedback requests, surveys, and research initiatives to improve AI accuracy.
- You may withdraw your consent at any time by contacting us using the information provided in this Privacy Policy. Withdrawal of consent may impact the availability of certain AI-driven services.
- Purposes for processing personal information
- The Company processes personal information for the following specific purposes:
- To create, maintain, and manage your User account, including verifying your identity, managing AI-based pathology test analyses, and facilitating access to health insights;
- To process and analyse pathology test results using our AI-driven Longevity Panel, which provides probabilistic health risk assessments and insights;
- To escalate AI-generated results to a licensed medical professional in cases where further review is required for clinical validation;
- To respond to inquiries, provide technical support, and communicate administrative updates, including changes to our AI processing methodologies, regulatory compliance updates, and system enhancements;
- To enhance AI model accuracy and effectiveness, through anonymised health data aggregation, ensuring all personally identifiable information (PII) is removed before use in AI training and research;
- To send personalised health-related notifications and educational content, including AI-based health insights, subject to User preferences and explicit consent;
- To comply with legal and regulatory obligations, such as health data retention requirements, fulfilling government or medical regulatory inquiries, and ensuring compliance with Australian privacy and healthcare data protection laws;
- To ensure the security and integrity of AI-driven health data processing, detect and prevent fraud, unauthorised access, cyber threats, and other potential risks to the confidentiality of User data.
- Data retention
- We will retain your personal information only for as long as reasonably necessary to fulfil the purposes for which it was collected, including for legal, regulatory, accounting, or reporting obligations. The retention period will depend on:
- The nature of the personal information collected.
- The purposes of data processing.
- Legal and regulatory requirements applicable under Australian law.
- Once the retention period expires, personal information will be securely deleted, anonymised, or archived, as appropriate.
- Direct marketing and communications
- We may send you marketing communications about our services or promotions if:
- You have given explicit consent.
- You have previously used our services, and the communications are relevant to similar services, provided you have not opted out.
- Opting out
You may opt out of marketing communications at any time by:
- Following the unsubscribe instructions provided in each marketing email.
- Contacting us directly at support@biolume.health
- Third-party marketing
We will obtain your explicit consent before sharing your personal information with third parties for their direct marketing purposes.
- Sharing personal information
We may share your personal information with third parties only under the following circumstances:
- Service providers: We may disclose personal information to trusted service providers who assist us with website hosting, data analysis, and technical support.
- Legal compliance: We may share personal information when required by law, regulation, legal process, or government request.
- Business transactions: In the event of a business transfer, merger, or sale, personal information may be shared with the acquiring entity, subject to confidentiality obligations.
- Security Measures
We implement technical, administrative, and physical security measures to safeguard personal information against unauthorised access, alteration, disclosure, or destruction. In the event of a data breach likely to cause serious harm, we will notify affected individuals and report the breach to the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches (NDB) Scheme.
DISCLOSURES OF YOUR PERSONAL DATA
- How we share Your personal information
We may disclose your personal information to third parties when such disclosure is reasonably necessary to achieve the purposes outlined in this Privacy Policy. We will only disclose personal information in compliance with relevant Australian privacy laws.
- Categories of third parties
We may disclose personal information to the following categories of third parties:
- Service providers: Companies that assist us in providing services, including website hosting, data storage, IT support, customer service, and analytics providers. For example, cloud storage providers, technical support teams, and marketing platforms.
- Professional advisors: Legal advisors, accountants, auditors, and insurers, where disclosure is necessary for compliance, legal proceedings, or risk management.
- Developers and real estate agencies: Verified developers may access anonymised and aggregated property review data for benchmarking purposes.
- Regulatory authorities and law enforcement agencies: Government agencies, regulators, and law enforcement officials when disclosure is required by law or for legal proceedings.
- Business transfers: In the event of a merger, acquisition, sale, or transfer of business assets, personal information may be shared with the acquiring entity, subject to strict confidentiality obligations.
- Third-party marketing (with consent): External marketing providers, but only with your explicit consent and in compliance with data-sharing regulations.
- Requirements for third-party processing
We require all third parties receiving personal information from us to comply with the following obligations:
- Third parties must implement robust security measures to protect personal information from unauthorised access, misuse, and loss.
- Third parties may only process personal information in accordance with the specific purposes outlined in our instructions and must not use it for any unauthorised purposes.
- All third parties are bound by confidentiality agreements or similar legal obligations requiring them to handle personal information with utmost care and integrity.
- Any transfer of personal information to third parties outside Australia will comply with Australian Privacy Principle (APP) 8. Before disclosing Personal Information to an overseas recipient, Biolume Health shall take reasonable steps to ensure the recipient does not breach the APPs (other than APP 1). Reasonable steps may include:
- Assessing the recipient’s data protection framework;
- Implementing contractual safeguards ensuring APP compliance; or
- Ensuring the recipient is subject to a comparable privacy regime.
If reasonable steps are not taken, Biolume Health may be held accountable for any breach of the APPs by the overseas recipient.
- Business transfers
In the event of a merger, acquisition, restructuring, or sale of our business or its assets, personal information may be transferred to the new entity. In such cases, we will:
- Ensure that the acquiring entity continues to process personal information in compliance with this Privacy Policy.
- Provide notification of such changes through our Website or other appropriate communication channels.
- Legal obligations and compliance
We may disclose personal information where required by law or when responding to legal requests, court orders, or regulatory inquiries. This includes situations where disclosure is necessary to protect our legal rights, defend against legal claims, or prevent potential fraud or abuse of our platform.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We are committed to protecting the privacy of individual Users. Developers and other third parties will only have access to anonymised and aggregated data for benchmarking purposes. No personally identifiable information (PII) will be shared with developers or third parties unless explicitly consented to by the User.
INTERNATIONAL TRANSFERS
- General statement
We operate primarily within Australia. However, in certain circumstances, your personal information may be transferred, processed, or stored outside of Australia. Any such transfers will comply with the Privacy Act, particularly APP 8, which governs cross-border disclosure of personal information.
The Company transfers personal information to Switzerland for processing through the Longevity Panel AI system, which analyses pathology test data.
- When international transfers may occur
We may transfer personal information outside Australia in the following circumstances:
- Cloud storage and data hosting services: When our third-party service providers, such as cloud storage or IT infrastructure providers, host personal information on servers located outside of Australia.
- Service providers and contractors: When service providers or contractors assisting in providing services are based outside Australia.
- Business transactions: In the event of a merger, acquisition, or sale of our business, personal information may be transferred to an acquiring entity operating outside Australia.
- Global business operations: If we expand our operations to other countries, your personal information may be processed at our international offices, subject to applicable legal safeguards.
- Safeguards for international transfers
Where personal information is transferred outside of Australia, we will ensure that reasonable steps are taken to protect the personal information in line with Australian privacy laws. These steps include, but are not limited to:
- Contractual safeguards: We will ensure that appropriate contractual arrangements are in place with international service providers or third parties to ensure compliance with Australian privacy standards.
- Privacy policies and security standards: We will require all third parties processing personal information outside Australia to adhere to strict privacy and security standards equivalent to the requirements of the Privacy Act.
- Data minimisation: We will only transfer personal information that is necessary for the specified purpose and ensure that data is retained only for as long as required by applicable legal and operational requirements.
- Secure transfer methods: We will implement secure data transfer protocols, including encryption and secure file-sharing methods, to safeguard personal information in transit.
- User Consent for International Transfers
By using our services and submitting your personal information, you consent to the transfer, storage, and processing of your personal information outside Australia as described in this Privacy Policy.
- Requests and inquiries
For more details about international data transfers, including specific safeguards or contracts in place, please contact us using the details provided in this Privacy Policy.
DATA SECURITY
- We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties strictly on a need-to-know basis. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
- We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
DATA RETENTION
How long will you use my personal data for?
- We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
- To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
- By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for up to three years after they cease being customers for tax purposes.
- In some circumstances you can ask us to delete your data: see section 9 below for further information.
- In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
YOUR LEGAL RIGHTS
- You have a number of rights under data protection laws in relation to your personal data.
You have the right to:
- Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
- You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes (see OPTING OUT OF MARKETING in 44.4(b) for details of how to object to receiving direct marketing communications).
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data (see paragraph 3.3 for details of when we rely on your consent as the legal basis for using your data). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
- If you want us to establish the data's accuracy;
- Where our use of the data is unlawful but you do not want us to erase it;
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- If you wish to exercise any of the rights set out above, please contact us (see Contact details, section 10) or email support@biolume.health.
- No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
- What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
- Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
CONTACT DETAILS
- If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact us in the following ways:
- Email address: support@biolume.health
- Postal address: 8 Montague Rd Cremorne NSW
COMPLAINTS
- If you have concerns about how we collect, use, or disclose your personal information, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC), the regulator responsible for enforcing Australian privacy laws.
Office of the Australian Information Commissioner (OAIC)
a. Website: https://www.oaic.gov.au
b. Phone: 1300 363 992
c. Mailing Address: GPO Box 5218, Sydney NSW 2001, Australia
We encourage you to contact us first to allow us the opportunity to address your concerns before reaching out to the OAIC. You may contact our Privacy Officer at the contact details provided above.
CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES
We keep our privacy policy under regular review. This version was last updated on 31 July 2025.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
THIRD PARTY LINKS AND USER-GENERATED CONTENT DISCLAIMER
- This Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy policy of every website you visit.
- We act as a platform for user-generated reviews and do not endorse, verify, or take responsibility for the content of these reviews. All reviews reflect the opinions of individual Users and not of Biolume Health. We are not liable for any claims, damages, or legal actions arising from user-generated content, including defamation claims.