1.1. CareCohere respects your right to privacy and is committed to safeguarding the privacy of our customers and website visitors. This policy sets out how we collect and treat your personal information.

1.2. We adhere to the Australian Privacy Principles contained in the Privacy Act 1988 (Ch) and to the extent applicable, the EU General Data Protection Regulation (GDPR).

1.3. "Personal information" is information we hold which is identifiable as being about you. This includes information such as your name, email address, identification number, or any other type of information that can reasonably identify an individual, either directly or indirectly.

1.4. Health information processed through our healthcare management tools, including patient records, medical histories, treatment plans, and clinical notes, is subject to enhanced safeguards under GDPR Article 9, the My Health Records Act 2012 (Cth), and AHPRA standards.

1.5. You may contact us in writing at L23 727 Collins Street, Docklands, Victoria, 3008 for further information about this Privacy Policy.

2.1. CareCohere will, from time to time, receive and store personal information you submit to our website, provided to us directly or given to us in other forms.

2.2. You may provide basic information such as your name, phone number, address and email address to enable us to send you information, provide updates and process your product or service order.

2.3. We may collect additional information at other times, including but not limited to, when you provide feedback, when you provide information about your personal or business affairs, change your content or email preference, respond to surveys and/or promotions, provide financial or credit card information, or communicate with our customer support.

2.4. Additionally, we may also collect any other information you provide while interacting with us.

3.1. CareCohere collects personal information from you in a variety of ways, including when you interact with us electronically or in person, when you access our website and when we engage in business activities with you. We may receive personal information from third parties. If we do, we will protect it as set out in this Privacy Policy.

3.2. By providing us with personal information, you consent to the supply of that information subject to the terms of this Privacy Policy.

3.3. We distinguish between necessary processing for service delivery (processed on a contractual basis) and optional secondary uses requiring your explicit consent. You may manage consent preferences independently for analytics, marketing, and research purposes. For health information, we obtain explicit consent under applicable data protection laws, and you may withdraw any consent at any time without affecting core service delivery.

4.1. CareCohere may use personal information collected from you to provide you with information about our products or services. We may also make you aware of new and additional products, services and opportunities available to you.

4.2. CareCohere will use personal information only for the purposes that you consent to. This may include to: (i) provide you with products and services during the usual course of our business activities; (ii) (iii) (iv) (v) administer our business activities; manage, research and develop our products and services; provide you with information about our products and services; communicate with you by a variety of measures including, but not limited to, by telephone, email, sms or mail; and (vi) investigate any complaints.

If you withhold your personal information, it may not be possible for us to provide you with our products and services or for you to fully access our website.

We retain personal information for 365 days after our business relationship ends or last service interaction, after which it will be securely deleted or anonymized unless legally required to retain it longer. You may request earlier deletion of your data by contacting our Data Protection Officer.

Personal information will be securely deleted using industry-standard methods including data overwriting, encryption key destruction, and certified data destruction services. Backup systems containing personal information will be purged within 90 of primary data deletion, except where retention is required by healthcare regulations, medical malpractice limitation periods, or contractual obligations to healthcare providers.

Data retention periods vary by category: Operational Data (user accounts, service logs, system access records) retained for 365 days after service termination; Health Records (patient data, treatment plans, clinical notes) retained per healthcare provider's legal obligations under healthcare regulations and medical malpractice limitation periods; Transaction Records retained for 5 years for tax compliance; and Communications retained for 90 days unless subject to legal hold.

5.1. CareCohere may disclose your personal information to any of our employees, officers, insurers, professional advisers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes set out in this privacy policy.

5.2. If we do disclose your personal information to a third party, we will protect it in accordance with this privacy policy.

5.3. All third-party processors handling personal information are bound by Data Processing Agreements compliant with applicable privacy legislation, requiring implementation of appropriate technical and organisational security measures, processing only on documented instructions, and deletion or return of data upon termination.

5.4. CareCohere maintains a current register of all third-party processors and sub-processors handling personal information, including their locations and processing activities, which is available upon request to data subjects and healthcare provider customers for compliance verification purposes.

6.1. CareCohere will comply with the principles of data protection set out in the GDPR for the purpose of fairness, transparency and lawful data collection and use.

6.2. We process your personal information as a Processor and/or to the extent that we are a Controller as defined in the GDPR

6.3. We must establish a lawful basis for processing your personal information. The legal basis for which we collect your personal information depends on the data that we collect and how we use it.

6.4. We will only collect your personal information with your express consent for a specific purpose and any data collected will be to the extent necessary and not excessive for its purpose. We will keep your data safe and secure.

6.5. We will also process your personal information if it is necessary for our legitimate interests, or to fulfil a contractual or legal obligation.

6.6. We will document and maintain records of our legitimate interests assessments, particularly where processing relates to healthcare operations, and make these available to you upon request to demonstrate our compliance with data protection principles.

6.7. Where we rely on legitimate interests as a lawful basis, we conduct a balancing test to ensure our processing does not infringe your rights and freedoms. Our legitimate interests include improving our services, preventing fraud, ensuring network security, and direct marketing where appropriate. We will always consider whether your rights outweigh our interests before processing on this basis.

6.8. We process your personal information if it is necessary to protect your life or in a medical situation, it is necessary to carry out a public function, a task of public interest or if the function has a clear basis in law.

6.9. We do not collect or process any personal information from you that is considered "Sensitive Personal Information" under the GDPR, such as personal information relating to your sexual orientation or ethnic origin unless we have obtained your explicit consent, or if it is being collected subject to and in accordance with the GDPR.

6.10. You must not provide us with your personal information if you are under the age of 16 without the consent of your parent or someone who has parental authority for you. We do not knowingly collect or process the personal information of children.

7.1. If you are an individual residing in the EU, you have certain rights as to how your personal information is obtained and used. CareCohere complies with your rights under the GDPR as to how your personal information is used and controlled if you are an individual residing in the EU 7

7.2. Except as otherwise provided in the GDPR, you have the following rights: (i) to be informed how your personal information is being used; (ii) access your personal information (we will provide you with a free copy of it); (ili) to correct your personal information if it is inaccurate or incomplete; (iv) to delete your personal information (also known as "the right to be forgotten"); (V) to restrict processing of your personal information; (vi) to retain and reuse your personal information for your own purposes; (vii) to object to your personal information being used; and (vili) to object against automated decision making and profiling.

7.3. Please contact us at any time to exercise your rights under the GDPR at the contact details in this Privacy Policy.

7.4. We may ask you to verify your identity before acting on any of your requests.

7.5. We will respond to your request within 14 days of receipt, which may be extended by a further 30 days for complex requests with written notice to you.

8.1. Information that we collect may from time to time be stored, processed in or transferred between parties or sites located in countries outside of Australia. These may include, but are not limited to United Kingdom and/or USA.

8.2. We and our other group companies have offices and/or facilities in United Kingdom and/or USA. Transfers to each of these countries will be protected by appropriate safeguards, these include one or more of the following: the use of standard data protection clauses adopted or approved by the European Commission which you can obtain from the European Commission Website; the use of binding corporate rules, a copy of which you can obtain from CareCohere's Data Protection Officer.

8.3. The hosting facilities for our website are situated in United Kingdom and/or USA. Transfers to each of these Countries will be protected by appropriate safeguards, these include one or more of the following: the use of standard data protection clauses adopted or approved by the European Commission which you can obtain from the European Commission Website; the use of binding corporate rules, a copy of which you can obtain from CareCohere's Data Protection Officer.

8.4. Our Suppliers and Contractors are situated in United Kingdom and/or USA. Transfers to each of these Countries will be protected by appropriate safeguards, these include one or more of the following: the use of standard data protection clauses adopted or approved by the European Commission which you can obtain from the European Commission Website; the use of binding corporate rules, a copy of which you can obtain from CareCohere's Data Protection Officer.

8.5. You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.

8.6. Where we transfer personal data to countries outside the European Economic Area (EEA), we implement additional technical and organizational measures including encryption of data in transit, regular security assessments of recipients, and contractual safeguards through Standard Contractual Clauses (SCs) as approved by the European Commission under Article 46 of the GDPR.

9.1. CareCohere is committed to ensuring that the information you provide to us is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

9.2. Where we employ data processors to process personal information on our behalf, we only do so on the basis that such data processors comply with the requirements under the GDPR and that have adequate technical measures in place to protect personal information against unauthorised use, loss and theft.

9.3. The transmission and exchange of information is carried out at your own risk. We cannot guarantee the security of any information that you transmit to us, or receive from us. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that personal information that we collect will not be disclosed in a manner that is inconsistent with this Privacy Policy.

9.4. In the event of a personal data breach, we will notify the relevant supervisory authority within 24 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, including a clear description of the breach's nature and recommendations to mitigate potential adverse effects.

9.5. We maintain a comprehensive breach register documenting all personal data breaches, including the facts surrounding each breach, its effects, and remedial actions taken. This register records our assessment of risk to individuals' rights and freedoms, the rationale for notification decisions, and communications with supervisory authorities and affected individuals. You may request information about breaches affecting your personal data by contacting our Data Protection Officer.

10.1. You may request details of personal information that we hold about you in accordance with the provisions of the Privacy Act 1988 (Cth), and to the extent applicable the EU GDPR. If you would like a copy of the information which we hold about you or believe that any information we hold on you is inaccurate, out of date, incomplete, irrelevant or misleading, please email us at info@carecohere.com.

10.2. We reserve the right to refuse to provide you with information that we hold about you, in certain circumstances set out in the Privacy Act or any other applicable law.

11.1. If you have any complaints about our privacy practices, please feel free to send in details of your complaints to info@carecohere.com. We take complaints very seriously and will respond shortly after receiving written notice of your complaint.

12.1. Please be aware that we may change this Privacy Policy in the future. We may modify this Policy at any time, in our sole discretion and all modifications will be effective immediately upon our posting of the modifications on our website or notice board. Please check back from time to time to review our Privacy Policy.

12.2. Material Changes to this Privacy Policy (affecting data handling, sharing, retention, or security) will be notified to all users and healthcare provider customers at least 30 days in advance via email and website announcement. Healthcare providers may review proposed changes and contact our Data Protection Officer with concerns. If a material change is unacceptable, healthcare providers may terminate their service agreement without penalty within 14 days of the change taking effect. After that normal cancellation policies applies.

13.1. When you visit our website. When you come to our website (https://carecohere.com.au), we may collect certain information such as browser type, operating system, website visited immediately before coming to our site, etc. This information is used in an aggregated manner to analyse how people use our site, such that we can improve our service.

13.2. Cookies. We may from time to time use cookies on our website. Cookies are very small files which a website uses to identify you when you come back to the site and to store details about your use of the site. Cookies are not malicious programs that access or damage your computer. Most web browsers automatically accept cookies but you can choose to reject cookies by changing your browser settings. However, this may prevent you from taking full advantage of our website. Our website may from time to time use cookies to analyses website traffic and help us provide a better website visitor experience. In addition, cookies may be used to serve relevant ads to website visitors through third party services such as Google AdWords. These ads may appear on this website or other websites you visit.

13.3. Third party sites. Our site may from time to time have links to other websites not owned or controlled by us. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship or endorsement or approval of these websites. Please be aware that CareCohere is not responsible for the privacy practises of other such websites. We encourage our users to be aware, when they leave our website, to read the privacy statements of each and every website that collects personal identifiable information.

13.4. Cookie Categories and Controls. We categorize cookies used on our website as follows: (1) Strictly Necessary cookies required for basic site functionality, (2) Performance cookies that help us improve our website, (3) Functional cookies enabling enhanced features, and (4) Targeting/Advertising cookies for personalized content. You can manage your cookie preferences through our Cookie Control Panel, where you may enable or disable non- essential cookies at any time. We will always ask for your explicit consent before placing non-essential cookies on your device, and you can withdraw this consent at any time through your browser settings or our Cookie Control Panel.

This policy is effective from 01 Jan 2026.