Privacy Policy

Privacy Statement

Last Updated: 7 May 2020

This Privacy Policy describes how members of the Althea group of companies worldwide collect and process your personal information in connection with our websites, platforms, applications, products, software, or services (collectively, Services).

The Althea group of companies includes Althea Group Holdings Limited (ACN 626 966 943), Althea Company Pty Ltd (ACN 618 177 192), Althea MMJ UK Limited (Company No. 11125946) (Althea UK), MMJ Clinic Group Limited (Company No. 11906622) (MAC UK), and any affiliates of the above (collectively, we, us or our).

This Privacy Policy does not apply to our employee and contractor records.

If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided at the bottom of this Privacy Policy.

How we collect information

Broadly speaking, the way in which we collect personal information about you will depend on your relationship or interactions with us.

Information that you provide voluntarily

Certain parts of our Services may ask you to provide personal information voluntarily. For example, we may ask you to provide your contact details in order to register an account with us, to subscribe to marketing communications from us, or to submit enquiries to us. The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.

Information that we collect automatically

When you access our Services online, we may collect certain information automatically from your device. Specifically, the information we collect automatically may include your internet protocol (IP) address, your login data, browser type and version, time zone setting and location and other technical information. We may also collect information about how your device has interacted with our Services, including what was accessed and the links clicked.

Collecting this information enables us to better understand the users of our Services, where they come from, and what content is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our Website and Platform.

Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Online tracking and your choices” below.

Information that we obtain from third party sources

Where possible, we collect information directly from you. However, there may be occasions where we receive information about you from third parties, such as your healthcare professional or pharmacy if you are a patient, your patient if you are a healthcare professional, or third parties with whom we have a relationship. For example, in some countries, regulations require us to obtain relevant documents from third parties which contain patient information before we can release products.

Information we collect and why

The table below sets out the types of personal information we collect, why we use it, and where required under applicable law, the lawful basis for processing that personal information.

 

Data subject category

Data type

Why do we use this information?

Lawful basis

Healthcare professionals

 

Contact information: such as your name, email and work address (i.e. clinic details)

To assist you in completing any required application forms, required by law/regulation

  • Performance of a contract

  • Our legitimate interests

To facilitate contact from one of our representatives where you request such a visit

  • Consent

  • Our legitimate interests

To provide you with information about our products, educational platform and other services on your request

  • Consent

  • Our legitimate interests

Where your patient has provided your information to MAC UK in order to book a consultation with MAC UK, to contact you in relation to the patient’s request

  • Performance of a contract

  • Our legitimate interests

  • Health or social care purposes (for the provision of healthcare or treatment)

To participate in surveys provided by us for research purposes

  • Consent

Professional information: such as your professional registration number, health practitioner type, your qualification, speciality and clinic details

To verify your details with the relevant regulatory body

  • Legal obligation

  • Our legitimate interests

To add your clinic details and your professional details to the “find a doctor” directory on our Website and/or our Platform

  • Consent

Patients with a profile on our Services

Contact information: such as your name, email and location

To create your user profile on our Services

  • Consent

To provide you with information and/or access to information relating to medicinal cannabis on your request

  • Consent

To contact you to participate in a survey

  • Consent

To assist you in locating relevant healthcare professionals near your location when you use our Services

  • Consent

To sign up or register to use our Services

  • Consent

Survey information: any information you provide to us as part of your voluntary participation in a survey, which could include sensitive personal information

To carry out analysis on users of our Services

  • Consent

Patients of healthcare professionals engaging with us

Contact information: such as name, email, address

Information uploaded by your healthcare professional to one of our Services, but not accessible to us

N/A

Where your healthcare professional has provided your information to MAC UK in order to book a consultation with MAC UK, to contact you for referral purposes

  • Performance of a contract

  • Our legitimate interests

Prescription data: such as name, initials, address, date of birth, gender, weight and printed age for those under the age of 12 or over the age of 60, indication and clinical justification for the use of the product (e.g. the seriousness of the condition, details of previous treatments including detail on use of therapeutic treatment), product type, dosage and dose form, treating doctor or clinic

For identity verification purposes and to fulfil a product order relating to your prescription from a healthcare professional, including where you have requested products from a dispensing pharmacist.

  • Legal obligation

  • Health or social care (for the provision of healthcare or treatment)

Medical information: such as your diagnosis or medical condition, indication and clinical justification for the use of the product (e.g. the seriousness of the condition, details of previous treatments including detail on use of therapeutic treatment), except where such information is collected as part of your “prescription data” (see above)

To carry out analytics and create aggregate statistics for research purposes.

  • Our legitimate interests

  • Scientific research purposes

Information uploaded by your healthcare professional to one of our Services including as part of regulatory requirements but not accessible to us.

N/A

Where your healthcare professional has provided your information to MAC UK in order to book a consultation with MAC UK, for referral purposes

  • Performance of a contract

  • Our legitimate interests

  • Health or social care (for the provision of healthcare or treatment)

Treatment information: such as product type, dosage, dose form, frequency of administration and expected duration of treatment, treating clinic, except where such information is collected as part of your “prescription data” (see above)

To carry out analytics and create aggregate statistics for research purposes.

  • Our legitimate interests

  • Scientific research purposes

 

Information uploaded by your healthcare professional, including as part of regulatory requirements but not accessible to us

N/A

Pharmacists

Contact information: such as your name, email address and pharmacy contact details

To add your pharmacy details to the “find a pharmacy” directory on our Website and/or our Platform

  • Consent

To facilitate contact from one of our representatives where you request such a visit

  • Consent

  • Our legitimate interests

To provide you with information about our products, educational platform and other services on your request

  • Consent

  • Our legitimate interests

To deliver orders to you and provide you with information relevant to ordering our Services

  • Performance of a contract

  • Our legitimate interests

Professional Information: such as your professional registration number

To verify your details with the relevant regulatory body

  • Legal obligation

  • Our legitimate interests

Financial Information: such as information regarding your financial viability

To conduct credit enquiries relating to your dispensing pharmacy application

  • Legal obligation

  • Our legitimate interests

Visitors or users of our Services

Contact information: such as name, email, telephone number, address, content of free text

To respond to your queries and requests, to register you, and/or book a consultation

  • Our legitimate interests

Technical information: such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform

To understand how you interact with our Website and Platform, as well as our content to enable us to improve service and functionality

  • Our legitimate interests

Information you disclose to us: any information you disclose to us through your communications with us which may include sensitive personal information

To respond to you including your questions in relation to our products and services

  • Consent

Shareholders

 

Shareholding information: such as your name, address and number of shares held

To register and verify your interest in our securities, and manage any shareholding you may have in Althea Group Holdings Limited

  • Legal obligation

  • Our legitimate interests

Job applicants

Identification data: such as your name, gender, photograph, date of birth, national identifiers

To identify you as the individual applying for a role with us

  • Performance of a contract

  • Our legitimate interests

Contact information: such as home address, telephone number, email address

To contact you about your application to us and invite you to participate in any assessments and interviews with respect to the role you have applied for

  • Performance of a contract

  • Our legitimate interests

Employment details: such as employment history, application for role, third party references

To assess your job application to us and your suitability for the role

  • Performance of a contract

  • Our legitimate interests

Background information: such as academic or professional qualifications, education, CV, criminal records data (for vetting purposes, where permissible and in accordance with applicable law)

To assess your job application to us and your suitability for the role

  • Performance of a contract

  • Our legitimate interests

  • Employment (for the assessment of your working capacity)

Lawful basis for processing

The lawful basis for processing your personal information are as follows:

  • Consent: where you have given consent to the processing of your personal data for one or more specific purposes

  • Performance of a contract: where processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract

  • Legal obligation: where processing is necessary for compliance with our legal obligations

  • Legitimate interests: where processing is necessary for a legitimate interest, and that legitimate interest is not overridden by your interests or fundamental rights and freedoms

 

The lawful basis for processing your sensitive personal information are as follows:

  • Health or social care: where processing is necessary for the provision of healthcare or treatment

  • Employment: where processing is necessary for the assessment of your working capacity

 

Sensitive personal information

Some of the information we collect and process may include sensitive personal information (also known as special category data).

Sensitive personal information is a subset of personal information that is generally afforded a higher level of privacy protection. It includes health and genetic information and information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record and some types of biometric information.

We will only collect sensitive information where it is reasonably necessary for our functions or activities, and with respect to our entities in the UK, including Althea UK and MAC UK (UK Entities), where those entities have a lawful basis to do so under applicable laws as provided for in the table above.

Scientific research and statistical reporting of pseudonymised data

As set out in the table above we may also use your information for scientific research and statistical reporting. However, we have taken a number of measures to ensure that this information is pseudonymised and cannot directly identify an individual. We only have access to your medical and treatment information for this purpose only and cannot directly identify you from this information.

Althea Concierge™

We provide a platform to facilitate and assist healthcare professionals to complete their regulatory obligations when prescribing medicinal cannabis. In order to do this, healthcare professionals upload to our platform patient details, which include contact, medical and treatment information. In this situation, we act solely as a processor and we have “locked down” our platform to ensure that a patient’s directly identifiable information is not linked to their medical and treatment information, and is therefore not accessible to us.

For this reason, if you are a patient of a healthcare professional who has uploaded your information to our platform, and you wish to amend, update, delete or access any of that information, you must contact your healthcare professional directly as the controller of your personal data, and they will be able to assist with this.

Online tracking and your choices

Like many websites, we may analyse log file information and other data collected through cookies, web beacons, and other tracking technology, to collect information about your browsing behaviour when you visit our websites. This includes, for example, your browser type, domains, page views, IP address, referring/exit pages, information about how you interact with our website and with third-party links, traffic and usage trends on the service.

We use session cookies to keep you logged in while you use features of our website; these disappear after you close your browser. We also use persistent cookies, which stay in your browser and allow us to recognise you when you return to the website. We use this to remember your information, so you will not have to re-enter it, to better understand how you use our Services, to diagnose and fix technology problems, and otherwise enhance our Services. In some of our email messages, we use a “click-through URL” linked to content on our website. We track this click-through data to help us measure the effectiveness of our customer communications.

We may collect analytics data directly or through third party analytics tools (including Google Analytics) to assist us with analysing and improving our service, and measure traffic and usage trends for our products and services. These tools collect information sent by your browser or mobile device, including the pages you visit and other information that assists us in improving our Services.

Most internet browsers automatically accept cookies, but you may be able to change the settings of your browser to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you set your browser to reject cookies, parts of our website may not work for you. Please note, depending on your type of device or browser, it may not be possible to delete or disable all tracking mechanisms on your device.

Your selection of the “Do Not Track” option provided by your browser may not have any effect on our collection of cookie information for analytic and internal purposes. The only way to completely “opt out” of the collection of any information through cookies or other tracking technology is to actively manage the settings on your browser or mobile device to delete and disable cookies and other tracking/recording tools. To learn more about cookies, clear gifs/web beacons and related technologies, you may wish to visit allaboutcookies.org.

For more information on our cookies and tracking technologies please see our Cookie Notice.

How we share your information

We may share your personal information to the following categories of recipients:

  • To persons for whom we have your consent to share your personal information.

  • To our group companies for the purposes for which we are entitled to process your personal information under this Privacy

  • To third party service providers who work for us in the provision of our services and with whom we have contractual relationship. Your data may also be processed by a third party if required to deliver a service you have requested. For example, to a dispensing pharmacy in order to fulfil an order, regulatory bodies and healthcare professionals.

  • To any competent law enforcement body, regulatory, government agency, court or other third party where we believe it is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person. For example, we are required under the Australian Corporations Act 2001 (Cth) to maintain a register of shareholders and make it available for inspection by the public. We may also be required to disclose information about your shareholding to regulatory bodies such as the Australian Securities and Investments Commission and the Australian Taxation Office.

  • To an actual or potential buyer (and its agents and advisors) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes set out in this Privacy Policy.

 

We will check any third party that we use to ensure that they can provide sufficient guarantees regarding the confidentiality and security of your personal information.

 

We will have written contracts with them which provide assurances regarding the protections that they will give to your personal information and their compliance with our data security standards and international transfer restrictions.

Third-party sites and features

Our websites may contain links to other websites operated by third parties and may include social media features such as Facebook and Twitter buttons (such as “Like,” “Tweet” or “Pin”). These third-party sites may collect information about you if you click on a link and the social media sites may automatically record information about your browsing behaviour every time you visit a website that has a social media button. Your interactions with these features are governed by the privacy policy of the company providing the feature, not by this Privacy Policy. We do not control what information these third parties collect. Please review your privacy settings on your social media sites and think carefully before clicking on links which may take you to a third-party website.

How we secure and store your information

Security

We take security seriously and care about the integrity of your personal information. We use commercially reasonable physical, administrative, and technological methods to secure your personal information and protect it from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information.

In the event that any information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.

Data retention

In order to deliver our core functions and to ensure we meet our legal data protection and privacy obligations, we will retain your information for at least as long as your account is active, as needed to provide you services, as long as is needed to fulfil the purpose for which it was collected (and any other linked purpose) or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

When we have no ongoing legitimate business need to process your personal information (as described above), we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible.

International transfers

Personal information collected from interactions with our UK Entities is stored securely within the UK.

We will not transfer data collected and stored within the EEA (including the UK) to any country outside of the EEA that is not recognised as ensuring an adequate level of protection, without compliance with the relevant legal or regulatory requirements. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies, which require all group companies to protect personal information they process from the EEA or the UK in accordance with European Union data protection law. In addition, where required, we have implemented similar appropriate safeguards with our third-party service providers. Further details on our international transfer safeguards are available on request.

Personal information collected from interactions with one of our entities in Australia is stored securely in Australia. We may disclose information outside of Australia where it has a legal right to do so and to its group companies located overseas in the normal course of its business. Our policy is to comply with the requirements of the applicable laws which apply to cross border disclosure of personal information. 

Your rights

You have the following data protection rights:

  • If you wish to access of your personal information, you can do so at any time by contacting us using the contact details provided under the “Contact Us” section below.

  • If you wish to correct or update your personal information you can do this by accessing the profile sections of our Website and/or Platform, or by using the contact details provided under the “Contact Us” section below.

Where one of our UK Entities is the controller of your personal information, you also have the following additional rights:

  • You can request deletion of your personal information by contacting us using the contact details provided under the “Contact Us” section below.

  • You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “Contact Us” section below.

  • You can opt out of marketing communications we send you at any time by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “Contact Us” section below.

  • If we have collected and process your personal information with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

  • You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please see the UK Information Commissioner’s Office website at https://ico.org.uk/make-a-complaint.

Where you exercise your data protection rights, our response will depend on our role as a controller or processor, our legal basis for processing and whether or not any exemptions are available under applicable privacy or data protection laws. If you wish to exercise any of these rights in relation to personal information provided to us by your healthcare professional and for which we are a processor, please contact your healthcare professional directly.

We respond to all requests we receive from individuals wishing to exercise their rights in accordance with applicable privacy and data protection laws. In order to comply with a request, we may ask you to identify yourself. In such a situation, we will only request information to the extent required to confirm your identity. You also have the right not to identify yourself when dealing with us where it is lawful and practicable for us to allow it. However, if you don’t provide us with your personal information when requested, we may not be able to respond to your request or provide you with the Service that you are seeking.

Contact us

If you have a question, comment or complaint about how we have collected or handled your personal information, please contact our privacy officer using the contact information below and provide details of the incident so that we can investigate it.

If you are making a complaint, we will treat your complaint confidentially, investigate your complaint and aim to ensure that we contact you and your complaint is resolved within a reasonable time (and in any event within the time required by applicable law).

Non-EEA countries (including Australia)

Privacy Officer

[email protected]

Althea Company Pty Ltd
Suite 2, Level 37
360 Elizabeth Street
Melbourne VIC 3000
Australia

If our response to your complaint does not address your concerns to your satisfaction, you may have a right to make a complaint to the Office of the Australian Information Commissioner at https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint.

EEA (including the UK)

Privacy Officer

[email protected]

Portland House
Bressenden Place
London, SW1E 5RS

The Information Commissioner’s Office (ICO) is our lead supervisory authority. Where you are concerned about the collection and use of your personal information by one of our UK Entities, you have the right to make a complaint to the ICO  For more information, please see the UK Information Commissioner’s Office website at https://ico.org.uk/make-a-complaint.

ICO Registration No:

  • Althea MMJ UK Limited – ZA51934

  • MMJ Clinic Group Limited – ZA519342

Changes to this Privacy Policy

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy.

You should check our website frequently to see any recent changes. Unless otherwise stated, our current Privacy Policy applies to all information that we have about you. We will not materially change our policies to make them less protective of personal information collected in the past without the consent of those affected.