Biosignals Diagnostics
Privacy Policy
Effective Date: 25th August 2025
This privacy policy (hereinafter "Privacy Policy") deals with the protection of Your privacy while You use Our:
• Website;
• Apps, including subscription or membership to our services;
• Our ECG monitor devices connected to our App on a mobile phone or tablet;
• MapDx intelligent clinical diagnostics platform
hereinafter collectively referred to as "the Product".
The Product is owned and operated by: Biosignals Diagnostics Pty Ltd. (ACN 642 479 874), a healthcare diagnostics company.
We are committed to the protection of Your privacy while You use the Product.
This Privacy Policy only applies to the Product. The Product may contain links to other websites or applications operated by a third party; however, the Privacy Policy does not apply to any linked third party websites or applications.
We gather certain information from users of the Product, so this Privacy Policy explains what information we collect, how we use it, and your rights in relation to it.
By continuing to use the Product You acknowledge that You have had the chance to review and consider this Privacy Policy, and You acknowledge that You agree to it. This means that You also consent to the use of Your information and the method of disclosure as described in this Privacy Policy. If You do not understand the Privacy Policy or do not agree to it, then please do not use the Product.
1 DEFINITIONS
a) "Content" means any content, writing, images, audio-visual content or other information published on the Product.
b) "Goods" means any or all goods provided by or on the Product.
c) "Items" means any and all of the Product, Goods, Services, Content and Materials collectively.
d) "Materials" means any materials, Information or documentation that We may provide to You in connection with Your use of the Goods or Services or Product including documentation, data, information developed by Us or owned by Us, and other materials which may assist in Your use of the Goods or Services or Product.
e) "Parties" means both You (the user of the Product) and Us (the owner of the Product) collectively.
f) "Personal Information" means information that we obtain from You in connection with Your use of the Product. It might include but is not limited to name, username, email address, postal address, phone number, date of birth, gender, health or medical information, medications, ECG data, imaging, pathology results, genetic data, workout history, diet history, credit card number, IP address, device mode, device ID, device language, operating system.
g) "Privacy Policy" means this privacy policy.
h) "Services" means any or all services provided by or on the Product including Clinical services.
i) "Third Party Links" means links or references to websites other than Website, to content other than the Content or to materials other than the Materials, none of which are controlled by Us.
j) "Third Party Service Provider" means a third party, separate from Us or Our company but which provides services that assist Us in serving You. This may include but is not restricted to professional data analysis, web hosting, IT services, security services, payment processing, deliveries, customer service, order fulfilment or other services.
k) "Us", "We", "Our", "the Company" or "the Owner" refers to Biosignals Diagnostics Pty. Ltd.
l) "Us", "We", "Our", "the Company" or "the Owner" also includes any employees, affiliates, agents or other representatives of Biosignals Diagnostics Pty. Ltd.
m) "Website" means the websites operated by Biosignals Diagnostics Pty. Ltd.
n) "You" or "Your" refers to the user of the Product. "Your Content" means any Content posted to or added to the Product, Content or Materials by You or by somebody authorised by You or doing so on Your behalf.
2 INTERPRETATION
a) In this Privacy Policy, unless the context otherwise requires, the following rules of interpretation shall apply:
i) Words referring to one gender include every other gender.
ii) Words referring to a singular number include the plural, and words referring to a plural include the singular.
iii) Words referring to a person or persons include companies, firms, corporations, organisations and vice versa.
iv) Headings and titles are included in this Privacy Policy for convenience only and shall not affect the interpretation of this Privacy Policy.
v) Each Party must, at its own expense, take all reasonable steps and do all that is reasonably necessary to give full effect to this Privacy Policy and the events contemplated by it.
vi) Any obligation on a Party not to do something includes an obligation not to allow that thing to be done.
3 TYPE OF INFORMATION AND HOW IT IS COLLECTED
a) When You use the Product, We may collect information from You through:
i) Automated collection of IP address, device mode, device ID, OS version, device language, operating system, browser type, browsing history, search history, local time, local time zone and information regarding Your interaction with an Internet Web site, application, or advertisement;
ii) Your smartphone, tablet device or Our website during:
(1) User registration
(2) Access to our services
(3) Adding supplemental information such as symptoms, diet, exercise
(4) Making a payment
(5) Access to clinician assessment
(6) Contact us
b) In addition, We may collect information that You volunteer to Us such as:
i) Name, Date of Birth, Phone number, Email, Gender, Delivery address, Photo, ECG data, Symptoms and notes to ECG recordings, Medication, Diet, Exercise, credit card details, debit card details, or any other financial information.
c) Information that You provide during a sign up process (or at other times while using the Product). In order to access all of the features of the Product, You are required to register as a user. During the registration process, We collect some of Your Personal Information, in the following manner:
i) We will not collect information that identifies You personally, except when You specifically volunteer that information to Us.
ii) The information that We will collect from You at registration includes: Name, Email address, Phone number, Date of Birth, Gender.
iii) By undergoing the registration process You consent to Us collecting Your Personal Information, including the Personal Information described in this clause. You also consent to Us collecting any other Personal Information as well as storing, using or disclosing Your Personal Information in accordance with this Privacy Policy.
d) In order to access some specific features of the Product, You are required to provide some Personal Information. During this process, We collect some of Your Personal Information, in the following manner:
i) We will not collect information that identifies You personally, except when You specifically volunteer that information to Us when using specific Product features. These specific Product features might include, but are not limited to:
(1) generating a report;
(2) making purchases;
(3) receiving notifications by text message or email about events and promotions;
(4) receiving general emails from Us;
(5) commenting on Our content such as blogs, articles, photographs or videos or participating in Our forums, bulletin boards, chat rooms or other similar features.
ii) In addition to any Personal Information that You are required to provide in order to access these additional Product features, in some cases You may be required to provide more specific information. For example, in order to make purchases, You may need to provide credit card information, billing information and postal addresses.
e) From time to time We may request information from You to assist Us in improving Our Product, Goods, Services, Content or Materials. For example, We may ask You to answer some questions about Your demographics, Your shopping preferences, or Your other preferences in relation to the Product.
f) In addition to collecting the Personal Information as already described in this clause, we may also collect the following Personal Information:
i) Exercise record, Diet record
ii) Symptoms, medical conditions, medications
iii) Electrocardiogram (ECG or EKG) data
4 COOKIES
a) Cookies are small files stored on Your computer or mobile device which collect information about Your browsing behaviour.
b) Cookies do not access information which is stored on Your computer.
c) Cookies enable us to tailor our configurations to Your needs and preferences, in order to improve Your user experience.
Most internet browsers accept cookies automatically, although You are able to change Your browser settings to control cookies, including whether or not You accept them, and how to remove them. You may also be able to set Your browser to advise You if You receive a cookie, or to block or delete cookies. However, if You do this, You may be prevented from taking full advantage of the Product.
5 HOW YOUR INFORMATION IS STORED
a) Please note that no systems involving the transmission of information via the internet, or the electronic storage of data, are completely secure. However, we take the protection and storage of Your Personal Information very seriously. We take all reasonable steps to protect Your Personal Information.
b) We use appropriate physical, digital, managerial and security systems to store Your Personal Information and to protect it against unauthorised access, destruction or disclosure.
6 THIRD PARTIES
a) We may provide some of Your Personal Information from time to time to Third Party Service Providers so that they can help us to serve You via the Product. In particular, We may use Third Party Service Providers to assist with information storage (such as cloud storage).
b) We may provide some of Your Personal Information to Third Party Service Providers for the purpose of analysing data or tracking usage. For example, We may use these services to find out which service is requested most, dates and times of service requests and other details about Your usage of the Product. This information enables Us to understand patterns of usage of the Product, and to improve the Product.
c) We may use Third Party Service Providers to host the Product. If this occurs, that Third Party Service Provider is likely to have access to some of Your Personal Information.
d) We may use Third Party Service Providers to fulfil orders in relation to the Product. If this occurs, that Third Party Service Provider is likely to have access to some of Your Personal Information.
e) We may use Third Party Service Providers for the following services in relation to the Product:
i) Healthcare Provision;
ii) Clinical Diagnostics Services;
iii) Payment Gateways and Payment Processors;
iv) Organisations providing marketing services on our behalf;
v) Organisations developing, testing or reviewing our information technology services or capabilities.
f) For Your information, some of Our Third Party Service Providers may be located outside Australia and may not be subject to Australian privacy laws. The countries or regions in which our Third Party Service Providers may be located include:
i) USA, China
g) No data processing is conducted outside of Australia.
h) We only share Your Personal Information with a Third Party Service Provider if that provider agrees to Our privacy standards as set out in this Privacy Policy.
i) Your Personal Information will not be sold or otherwise transferred to other third parties without Your approval.
j) Notwithstanding the other provisions of this Privacy Policy, We may provide Your Personal Information to a third party or to third parties in order to protect the rights, property or safety, of Us, Our customers or third parties, or as otherwise required by law.
k) We may also share Your Personal Information with the following third parties:
i) Hospitals or healthcare providers from whom You have received or from whom You intend to seek diagnosis or treatments;
ii) Carers;
iii) Parents;
iv) Law enforcement.
l) We will not knowingly share Your Personal Information with any third parties other than in accordance with this Privacy Policy.
m) If Your Personal Information might be provided to a third party in a manner which is other than as explained in this Privacy Policy, You will be notified. You will also have the opportunity to request Us not to share that information.
7 CROSS-BORDER DISCLOSURE
a) Where we disclose Personal Information to service providers located outside Australia (currently including, where applicable, the United States and the People’s Republic of China), we take reasonable steps to ensure they handle it consistently with the Australian Privacy Principles (for example, contractual safeguards and supplier due diligence). If we cannot ensure this, we will not disclose your Personal Information overseas except with your express consent or where permitted by law.
b) The cross‑border disclosure described in this section applies only to the ECGme Platform. The MapDx Platform has no overseas recipients.
c) Sub‑processor Register:
i) We maintain a current Sub‑processor Register identifying each overseas recipient and country.
ii) This register is available on our website (Legal → Sub‑processors) or on request via privacy@biosignalsdx.com.
d) Overseas support access (ECGme only):
i) Our platform for ECGme is supported by the medical device manufacturer BORSAM Biomedical Instruments Co., Ltd (Shenzhen, China). From time to time, authorised BORSAM personnel may be granted least‑privilege access to systems containing Personal Information on a time-limited basis solely for episodic maintenance of the Services. We take reasonable steps to ensure handling is consistent with the Australian Privacy Principles, including contractual safeguards, multi‑factor authentication and just‑in‑time access approvals, and audit logging of all support access. We remain accountable for overseas disclosures under APP 8 and section 16C of the Privacy Act.
ii) Current overseas recipient(s) and countries:
(1) As at the ‘Last updated’ date, our overseas recipient is BORSAM Biomedical Instruments Co., Ltd (Shenzhen, China). If we add or replace an overseas recipient, we will update this section and our Sub‑processor Register before that change takes effect.
8 PLATFORMS & DATA BOUNDARIES
a) We operate two distinct platforms with separate data boundaries:
i) ECGme Platform (device/app/backend) – supports acquisition and preliminary processing of single‑lead ECG. This platform uses an overseas support provider solely for maintenance - see (7)(d) “Overseas support access (ECGme)”.
ii) MapDx Platform – our clinical diagnostics platform, wholly designed, built, owned and operated in Australia. All MapDx data and services (including ECG, genomic, imaging/ultrasound, pathology/point‑of‑care, reports and analytics) are hosted and supported in Australia. MapDx has no offshore sub‑processors and no overseas disclosure of Personal Information.
9 NOTIFIABLE DATA BREACHES
If we experience a data breach that is likely to result in serious harm, we will promptly assess the incident and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in line with the Notifiable Data Breaches scheme.
10 SECURITY
We use TLS for data in transit, AES-256 encryption at rest, strict access controls (including MFA and role-based access), continuous monitoring and audit logging, and periodic independent security testing. We review our controls regularly and conduct supplier due diligence for third parties handling Personal Information.
11 DATA RETENTION & DELETION
We retain health records for at least 7 years from the last entry (or until the individual turns 25 if collected while they were under 18), unless a longer period is required by law. When no longer required, we destroy or de-identify information using industry-standard methods.
12 CHILDREN & AUTHORISED REPRESENTATIVES
Where a parent/guardian or an authorised representative (e.g., carer) manages an account on behalf of an individual, we will verify their authority before granting access or disclosing information. We support supported-decision-making frameworks in disability and aged care contexts.
13 RELATED ENTITIES
a) We may share Your Personal Information, including Personal Information that identifies You personally, with any of Our parent companies, subsidiary companies, affiliates or other trusted related entities.
b) However, We only share Your Personal Information with a trusted related entity if that entity agrees to Our privacy standards as set out in this Privacy Policy.
14 COMBINING INFORMATION
a) We may combine, link or aggregate some of Your information in order to obtain a better understanding of Your requirements. This may enable Us to better design the Product and may also assist with Our business or administration requirements.
b) We may also share aggregated information with third parties but only if that aggregated information does not contain any information that identifies You personally.
15 HOW YOUR INFORMATION IS USED
a) We use Your Personal Information to help us improve your experience with Our Product. We may use Your Personal Information for purposes including but not limited to:
i) Order fulfilment
ii) Providing customer service to You
iii) Enabling Your use of the Product
16 MERGER, RESTRUCTURE OR SALE OF OUR BUSINESS
a) Part or all of Our business may be merged, restructured or sold including but not limited to through an ordinary sale of business or of stock, a corporate reorganisation, a change in control, bankruptcy or insolvency proceedings.
b) In the event that such a merger, restructure or sale occurs as described in the preceding sub-clause hereof, We may transfer Your Personal Information, including personally identifiable information, as part of that merger, restructure or sale.
17 INFORMATION YOU RELEASE
You acknowledge and agree that if You publish or submit Personal Information in publicly accessible sections of the Product (such as forums, bulletin boards, chat rooms, or other similar sections), then You are solely responsible for the release of that Personal Information and We are not liable or responsible in relation to the release of that Personal Information.
18 EMAIL OPT IN/OUT
If You receive an email from Us in relation to the Product and would prefer not to receive such correspondence in the future, You may follow the instructions in the email to opt out of future correspondence. You may also contact Us, using the details at the bottom of this Privacy Policy, in order to opt out of future correspondence. We will make all reasonable efforts to promptly comply with Your requests. However, You may receive subsequent correspondence from Us while Your request is being handled.
19 ACCESSING, UPDATING AND CORRECTING PERSONAL INFORMATION
a) You have the right to request access to any of Your Personal Information which We are holding.
b) You have the right to request that any of Your Personal Information which We are holding be updated or corrected.
c) In order to request access, an update or a correction to Your Personal Information, you may contact us using the details at the end of this Privacy Policy.
20 CHANGES TO THIS POLICY
a) We may make changes to this Privacy Policy at any time in Our sole discretion.
b) If We make changes to this Privacy Policy, unless We obtain Your express consent to those changes, then such changes will only apply to any information that We obtain from You after the date that the changes take effect.
c) If We make changes to this Privacy Policy, Your continued use of the Product after the date that the changes take effect confirms that You acknowledge, accept and agree to those changes.
21 COMPLAINTS
We take customer satisfaction very seriously. If You have a complaint in relation to Our handling of Your Personal Information, We will endeavour to handle it promptly and fairly. If You have a complaint in relation to Our handling of Your Personal Information, or if You are not satisfied with Our response to Your complaint, You may refer your complaint to the applicable authority governing data protection laws in your respective country. However, prior to lodging a complaint we ask that you contact us directly and allow us the opportunity to work with you to resolve your concerns.
22 ABOUT THIS POLICY & AUSTRALIAN PRIVACY LAW
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Because we handle health information in Victoria, we also comply with the Health Records Act 2001 (Vic) and Health Privacy Principles (HPPs).
23 HOSTING & DATA RESIDENCY (PROVIDERS AND STANDARDS)
Sole hosting location: Australia (Victoria).
MapDx and ECGme production services are hosted in the Oracle Cloud Infrastructure (OCI) Melbourne Region (ap-melbourne-1) and in our own servers located in the Equinix Melbourne IBX® data centers. No overseas disclosure arises from these providers.
a) Shared responsibility:
i) We implement application, data and access controls; our providers supply physical, environmental and platform security controls.
b) Oracle Cloud Infrastructure (OCI) — Melbourne Region:
i) Third‑party attestations include ISO/IEC 27001, AICPA SOC 1 Type II, SOC 2 Type II and SOC 3, and PCI DSS Attestation of Compliance; Oracle provides a Cloud Compliance program and makes attestation reports available via the OCI Console to customers. OCI has been independently assessed under Australia’s IRAP against ISM PROTECTED controls. [Vendor documentation available on request.]
c) Equinix IBX® Melbourne (ME2) — Colocation facilities:
i) Facility‑level certifications include ISO 27001 (information security), ISO 22301 (business continuity), ISO 9001 (quality), ISO 14001 (environmental), ISO 50001 (energy), LEED, and AICPA SOC 1 Type II and SOC 2 Type II. Equinix operates under approved Binding Corporate Rules (Global Privacy Policy). [Vendor documentation available on request.]
d) References (providers & standards):
i) Oracle Cloud Compliance hub: https://www.oracle.com/corporate/cloud-compliance/
ii) OCI regions (Melbourne ap‑melbourne‑1): https://docs.oracle.com/en-us/iaas/releasenotes/changes/533b7bbc-0af6-4ad8-aa39-4733f310dd79/
iii) OCI compliance documents overview (SOC/ISO/PCI): https://docs.oracle.com/en-us/iaas/Content/ComplianceDocuments/Concepts/compliancedocsoverview.htm
iv) OCI IRAP PROTECTED assessment (blog): https://blogs.oracle.com/cloud-infrastructure/post/irap-assessment-opens-new-opportunities-in-australias-public-sector
v) Oracle Trust Center – Cloud status & availability: https://www.oracle.com/au/trust/availability/
vi) Equinix Melbourne ME2 certifications (ISO/SOC/LEED): https://www.equinix.com/data-centers/asia-pacific-colocation/australia-colocation/melbourne-data-centers/me2
vii) Equinix IBX Standards & Compliance: https://www.equinix.com/data-centers/design/standards-compliance
viii) Equinix Global Privacy Policy (BCR): https://www.equinix.com/about/legal/privacy/global-privacy-policy
24 CONTACT US
You can contact Us about this Privacy Policy using the following details:
Phone: +61 1300 46 32 46
Email: privacy@biosigdx.com
Address: Level 1, 127 Market Street, South Melbourne Victoria 3205
