Privacy Policy
INTRODUCTION
This is the Privacy Policy of Synapses Global Assist Pty Ltd (ACN 640 006 757) trading as MiAid (MiAid, we, our or us).
In this Privacy Policy, a reference to “you” means a User or an individual about whom we have collected Personal Information, such as a Client, an employee of MiAid, an individual Australian Health Practitioner or Service Provider.
MiAid is an Australian services provider that connects Clients with Australian Health Practitioners, Clinics, Hospitals and Australian Health Services.
This Privacy Policy explains the key measures we have taken to implement the requirements of the Privacy Act 1988 (Cth), including the Australian Privacy Principles (Privacy Act) and, where applicable, other international data protection laws such as the European Union General Data Protection Regulation (GDPR).
MiAid is committed to ensuring that your privacy is protected. In this Privacy Policy we aim to answer the questions you may have about how we collect, store, use and disclose the information we collect from you, including your Personal Information.
You must be aged over 18 years to use our services. By using our services, you agree to our Privacy Policy and warrant that you are aged over 18.
If you have questions about our privacy practices, you can contact our Privacy Officer:
Phone: +61 3 8375 9636
Email: david.pan@micurae.com
DEFINITIONS
In this Privacy Policy, the following terms have the following meanings:
App means the smartphone application “MiAid”, which provides Users with location-specific medical information and related medical services that Users can access from their smartphone or other electronic devices.
Australian Health Practitioner, Clinic, Hospital or Australian Health Service means an Australian-based doctor, clinic, hospital or health service listed on the App.
Client means a non-Australian adult individual who accesses our services via the App.
Service Providers means Australian Health Practitioners, Clinics, Hospitals, Australian Health Services, translators, hotels, driving services, MiAid employees or any other service providers that we engage to provide services to Clients.
MiAid Service Providers means service providers that we engage to provide services to MiAid, such as IT professionals and data storage providers.
User means any person about whom we collect Personal Information, including Clients, employees, Australian Health Practitioners, or individuals from any Service Provider.
OUR SERVICES
We provide a service whereby Clients can log on to the App and obtain health-related services from an Australian Health Practitioner, Clinic, Hospital or Australian Health Service (including by video teleconference or face-to-face appointment), as well as other services from Service Providers.
MiAid does not provide any medical services and does not engage in medical practice. Any medical services that are requested or required by a Client will be provided by the relevant Australian Health Practitioner, Clinic, Hospital or Australian Health Service pursuant to that Service Provider’s terms of service. Any communication, sharing of data or sharing of information between the Client and a Service Provider will be governed by and subject to that Service Provider’s privacy policies and the Service Providers’ obligations under the Privacy Act, GDPR and any other relevant law. Our agreements with Service Providers require such Service Providers to comply with these laws.
WHAT IS PERSONAL INFORMATION
Personal Information is information or an opinion relating to an identified or reasonably identifiable individual, whether true or not, and includes Sensitive Information.
Sensitive Information is a subset of Personal Information and is defined in the Privacy Act to include health information, genetic or biometric information, information or an opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, philosophical beliefs, membership of a trade union, sexual orientation or criminal record.
WHAT INFORMATION WE COLLECT
We may collect the following Personal Information about a Client:
· name;
· gender;
· age;
· contact details such as phone numbers and email addresses; and
· location information from the User’s mobile device.
We do not actively solicit a Client’s Sensitive Information, however, the Client may provide the Client’s Sensitive Information when requesting our services, for example requesting services that relate to the Client’s medical needs.
We may also collect the name, contact details, and insurance and registration (and similar) details (if applicable) of Users.
HOW WE COLLECT YOUR INFORMATION
We will only collect your Personal Information by lawful and fair means. We collect a User’s Personal Information in a number of ways, including:
· through the App;
· directly from the User in person; or
· directly from the User by phone, through email correspondence or other means of communication, whether initiated by the User or us.
Information that we collect about Service Providers will be collected directly from the Service Provider and/or the Service Provider’s employer or designated contact person.
WHY WE COLLECT AND USE YOUR PERSONAL INFORMATION
We will only collect, store, use or disclose your Personal Information if we believe it is reasonably necessary for one or more of our functions or activities, including to provide the User with the services the User requested or to maintain contact with the User, or as otherwise required by law.
DISCLOSURE OF INFORMATION, INCLUDING OVERSEAS DISCLOSURE
The User has a right to be informed about any protections that we have in place when we transfer the User’s Personal Information, including transferring the User’s Personal Information overseas. This Privacy Policy outlines where we disclose the User’s Personal Information and the steps we have taken to protect the User’s Personal Information during that transfer.
Other than the disclosure to Service Providers (explained below) or as required by law, our policy is that we do not give Personal Information to other organisations unless we have disclosed the use in this Policy or you have expressly consented for us to do so.
Occasionally, we might also use Personal Information for other purposes or share Personal Information with another organisation because:
· we believe it is necessary to protect your rights, property or personal safety;
· we believe it is necessary to do so to prevent or help detect fraud or serious credit infringements - for example, we may share information with credit reporting agencies, law enforcement agencies and fraud prevention units; or
· we believe it is necessary to protect the interests of MiAid – for example, disclosure to a Court in the event of legal action to which MiAid is a party.
The User has a right not to provide the User’s Personal Information or to identify themselves. However, if we do not collect the User’s Personal Information then we may not be able to contact the User or provide the User with the services that the User has requested.
We will not use the User’s Personal Information to enable direct marketing to the User by us or any third party.
When we share information with other organisations and Service Providers as set out below, we do so in accordance with this Policy. To the extent that these organisations and service providers gain access to Personal Information, their use is governed by their own privacy policies, the Privacy Act, GDPR and any other relevant law.
CLIENT PERSONAL INFORMATION
We will not disclose the Client’s Personal Information to Service Providers, and vice versa, unless required to do so in order to obtain the services the Client has requested from those Service Providers. We will never provide more information than is necessary to obtain the service for the Client.
For example, we may provide the Client’s name and phone number to a Service Provider in the process of making an appointment for the Client.
MIAID SERVICE PROVIDERS
OVERSEAS DISCLOSURE AND TRANSFER
We may also disclose any User’s Personal Information to third parties overseas for the purpose of using cloud storage as disclosed under the heading “Information Storage and Security” below.
SALE OF MIAID ASSETS
If the assets of MiAid are sold or if the business interests of MiAid are acquired by another party, you consent to the control of your Personal Information being transferred to the new owner by MiAid for the purpose of the new owner providing the services.
We may, but are under no obligation to, inform you if the assets or the business of MiAid will be acquired by another party.
The new owner would be bound to comply with this Privacy Policy and Australian law in respect of the use, storage, disclosure and transfer of the User’s Personal Information. However, the new owner may update this Privacy Policy at any time.
Nothing in this Privacy Policy permits us to sell a User’s Personal Information to another party for use as a general contact database or for the purposes of marketing to you.
INFORMATION STORAGE AND SECURITY
Your information, including any de-identified information and Personal Information, is stored on secure servers hosted in Australia and/or overseas.
We may disclose the User’s Personal Information to MiAid Service Providers on a need to know basis to allow the provision of services to us (such as IT service providers) to ensure our systems are working efficiently.
The security and protection of your Personal Information is important to us.
We take steps to ensure that your information is protected from misuse and loss and from unauthorised access, modification or disclosure. We also take reasonable steps to ensure that your Personal Information is stored in a secure environment accessed only by authorised persons.
Transport Protocol
The MiAid system uses HTTP/2 (which evolved from SPDY) as the default application-layer protocol, carried over TLS 1.2 (Transport Layer Security). SHA-256 is a hash function and does not itself encrypt data: in TLS 1.2 it is used for message authentication and key derivation, while confidentiality of the data in transit comes from the symmetric cipher of the negotiated cipher suite.
Data Encryption
All data collected by the MiAid system is stored and managed in a MySQL database and encrypted at rest using InnoDB tablespace encryption, MySQL’s Transparent Data Encryption (TDE) mechanism, which is applied per table. Tables holding user data are encrypted as their contents are written to disk (table metadata such as the table definition is not covered by table-level encryption) and are decrypted on read only when an authorised user requests that data. TDE protects the database files on disk; it does not protect data once an authorised application session has retrieved it.
File Encryption
All documents in the MiAid system are stored in Amazon Web Services (AWS) object storage (Amazon S3). The MiAid system servers are hosted in AWS behind security groups that block all inbound access from the Internet except ports 80 and 443. Sandbox, development, staging and production servers are kept in separate networks with their own access controls. Files are secured by encryption both before and during storage, as follows:
· Encryption in storage
Amazon S3 provides server-side encryption with AWS KMS-managed keys (SSE-KMS). Each object is encrypted with its own unique data key, and that data key is in turn encrypted (wrapped) under a KMS key that is regularly rotated. Permission to use the wrapping key (the envelope key that protects the data encryption key) is granted separately from permission to read the object, which provides added protection against unauthorised access to objects in AWS. S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES-256) to encrypt the data.
· Encryption before storage
The MiAid system also encrypts file data before sending it to AWS, using envelope encryption with AWS KMS.
When uploading an object, the client identifies the AWS KMS customer master key by its ID (CMK ID) and requests a data key from the AWS Key Management Service (AWS KMS). KMS returns a freshly generated data encryption key in two forms: the plaintext key, which the client uses once to encrypt the object data and then discards, and an encrypted copy (the cipher blob) wrapped under the KMS key. The client obtains a unique data encryption key for each object that it uploads.
When downloading an object, the client retrieves the encrypted object together with the cipher blob of its data encryption key, which is stored as object metadata. The client sends the cipher blob to AWS KMS, which returns the plaintext key only if the caller is authorised to use that KMS key; the client then decrypts the object data locally. The plaintext data key is never stored alongside the object.
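The upload and download flow described above, written out as an added example (this is not MiAid’s or Elegant Media’s code): a local stand-in for AWS KMS that holds a master key, envelope encryption of one object under a fresh AES-256-GCM data key, the wrapped key kept as object metadata, and decryption that fails under a foreign master key or after the stored bytes are tampered with. The `fakeKMS` type, the `storedObject` layout and the sample document are assumptions made for this example; a real deployment would call the AWS KMS GenerateDataKey and Decrypt APIs instead of the local stand-in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; a failure there is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM returns nonce || ciphertext || tag under AES-256-GCM.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; any modification of the bytes makes it fail.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// fakeKMS stands in for AWS KMS (assumption for this example): a 256-bit
// master key that never leaves it, plus GenerateDataKey and Decrypt.
type fakeKMS struct{ master []byte }

func newFakeKMS() *fakeKMS { return &fakeKMS{master: randomBytes(32)} }

// GenerateDataKey: plaintext key for one-time client use + blob wrapped under the master key.
func (k *fakeKMS) GenerateDataKey() (plain, blob []byte, err error) {
	plain = randomBytes(32)
	blob, err = sealAESGCM(k.master, plain)
	return plain, blob, err
}

// Decrypt unwraps a cipher blob; only the holder of the master key can.
func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return openAESGCM(k.master, blob) }

// storedObject: encrypted body plus wrapped data key kept as object metadata (names assumed here).
type storedObject struct{ Body, KeyBlob []byte }

// upload uses one unique data key per object and wipes the plaintext key after use.
func upload(kms *fakeKMS, document []byte) (storedObject, error) {
	plainKey, blob, err := kms.GenerateDataKey()
	if err != nil {
		return storedObject{}, err
	}
	body, err := sealAESGCM(plainKey, document)
	for i := range plainKey {
		plainKey[i] = 0
	}
	if err != nil {
		return storedObject{}, err
	}
	return storedObject{Body: body, KeyBlob: blob}, nil
}

// download has KMS unwrap the blob (only for a caller allowed to use that key), then decrypts locally.
func download(kms *fakeKMS, obj storedObject) ([]byte, error) {
	plainKey, err := kms.Decrypt(obj.KeyBlob)
	if err != nil {
		return nil, fmt.Errorf("kms decrypt refused: %w", err)
	}
	return openAESGCM(plainKey, obj.Body)
}

func main() {
	kms := newFakeKMS()
	doc := []byte("constructed sample: referral letter for a client") // constructed input
	obj, _ := upload(kms, doc)
	back, err := download(kms, obj)
	fmt.Println("round trip ok:", err == nil && string(back) == string(doc))
	_, err = download(newFakeKMS(), obj) // a different master key cannot unwrap the blob
	fmt.Println("foreign master key rejected:", err != nil)
}
```

The property worth noticing is the one the policy relies on: the bucket holds only ciphertext and a wrapped key, so a copy of the stored object is useless without a successful call to the key service, and that call is where access control and audit logging sit.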
Server Security
The servers are hosted on AWS behind a security group that, during maintenance periods, permits access on ports other than 80 and 443 only from specific IP addresses (for example, the dedicated IP address of the Elegant Media office, for development purposes); at all other times inbound access on those ports is denied entirely.
Access to production servers and the AWS Management Console is managed through AWS IAM accounts, policies and roles. Accounts are personal and are granted on a need-to-have basis with the minimum necessary permissions. Access to the servers is made through AWS Systems Manager (SSM) sessions (SSH over Session Manager), is logged and can be audited. Access to the AWS Management Console and to servers through SSM requires two-factor (multi-factor) authentication.
The App is fronted by Cloudflare to mitigate DDoS attacks and to improve access performance for users in different jurisdictions.
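An added check, not part of this policy or of MiAid’s systems, for the security-group stance described under File Encryption and Server Security: only ports 80 and 443 may face the Internet, and any other port may be reachable only from a maintenance network and only while a maintenance window is open. The rule type, the maintenance network 203.0.113.0/24 and the sample rule set are constructed for the example; in practice the rules would be read from the account with the AWS CLI or SDK and the audit run on a schedule.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ingressRule mirrors one inbound entry of an AWS security group. The type
// is defined for this example and is not the AWS SDK's.
type ingressRule struct {
	Proto    string
	FromPort int
	ToPort   int
	Source   string // source CIDR
}

// exposurePolicy encodes the stance in the policy text: PublicPorts may face
// the Internet; everything else only from MaintenanceNets while InMaintenance.
type exposurePolicy struct {
	PublicPorts     map[int]bool
	MaintenanceNets []netip.Prefix
	InMaintenance   bool
}

// withinAny reports whether every address in src lies inside one of nets.
func withinAny(src netip.Prefix, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Bits() <= src.Bits() && n.Contains(src.Addr()) {
			return true
		}
	}
	return false
}

// firstNonPublicPort returns the lowest port in [from, to] that is not public,
// and ok=false when every port in the range is public.
func firstNonPublicPort(from, to int, public map[int]bool) (port int, ok bool) {
	for p := from; p <= to; p++ {
		if !public[p] {
			return p, true
		}
	}
	return 0, false
}

// auditIngress returns one finding per rule that violates the policy.
func auditIngress(rules []ingressRule, pol exposurePolicy) []string {
	var findings []string
	for _, r := range rules {
		src, err := netip.ParsePrefix(r.Source)
		if err != nil {
			findings = append(findings, fmt.Sprintf("%s %d-%d from %q: unparsable source: %v", r.Proto, r.FromPort, r.ToPort, r.Source, err))
			continue
		}
		port, exposed := firstNonPublicPort(r.FromPort, r.ToPort, pol.PublicPorts)
		if !exposed {
			continue // only public ports: allowed from anywhere
		}
		switch {
		case !withinAny(src, pol.MaintenanceNets):
			findings = append(findings, fmt.Sprintf("%s port %d reachable from %s, which is not a maintenance network", r.Proto, port, r.Source))
		case !pol.InMaintenance:
			findings = append(findings, fmt.Sprintf("%s port %d open to maintenance network %s outside a maintenance window", r.Proto, port, r.Source))
		}
	}
	return findings
}

// sampleRules is a constructed rule set, not a real account's configuration.
func sampleRules() []ingressRule {
	return []ingressRule{
		{"tcp", 80, 80, "0.0.0.0/0"},
		{"tcp", 443, 443, "0.0.0.0/0"},
		{"tcp", 22, 22, "203.0.113.10/32"}, // assumed maintenance host
		{"tcp", 22, 22, "0.0.0.0/0"},       // the mistake the policy is meant to exclude
		{"tcp", 3306, 3306, "10.0.0.0/8"},  // database port open to a whole private range
	}
}

// samplePolicy assumes 203.0.113.0/24 is the maintenance network.
func samplePolicy(inMaintenance bool) exposurePolicy {
	return exposurePolicy{
		PublicPorts:     map[int]bool{80: true, 443: true},
		MaintenanceNets: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")},
		InMaintenance:   inMaintenance,
	}
}

func main() {
	for _, f := range auditIngress(sampleRules(), samplePolicy(false)) {
		fmt.Println(f)
	}
}
```

Run outside a maintenance window, the sample set yields three findings (the world-open SSH rule, the database port open to 10.0.0.0/8, and the maintenance-host SSH rule that should have been removed when the window closed); inside a window the third one disappears. A rule whose port range spans both public and non-public ports is reported on its first non-public port rather than silently accepted.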
Backups
All data and documents are automatically backed up every day. All backups are encrypted and stored in AWS.
Monitor
The MiAid system is monitored and maintained by Elegant Media.
Unauthorised access
If we have reasonable grounds to believe that the Personal Information that we hold about you may be subject to unauthorised access or disclosure (data breach), we will investigate and assess the suspected data breach to determine whether the data breach is likely to result in serious harm to you (Notifiable Data Breach). If a Notifiable Data Breach occurs then we will notify you and the Australian Information Commissioner as soon as practicable after we become aware of the Notifiable Data Breach in accordance with our obligations under the Privacy Act. We will comply in every way with our obligations under Part IIIC – “notification of eligible data breaches” of the Privacy Act.
DATA RETENTION
We will keep your Personal Information for as long as we require the Personal Information for a valid and lawful purpose.
Purposes include (but are not limited to):
1. to provide the User with our services that the User requested;
2. to protect our rights, investigate or defend any claims (actual or potential) made against us;
3. to perform our obligations under a contract; and
4. to comply with our legal obligations.
Unless we are required to keep it at law, we will take reasonable steps to destroy or permanently de-identify your Personal Information if it is no longer needed for any purpose for which it was obtained.
Without limiting the above, you may also request that we delete your Personal Information, or that we stop or limit the processing of your Personal Information. If you would like to make such a request, you should contact our Privacy Officer and we will take reasonable steps to comply with your request.
DATA PORTABILITY
If you are in the EU or UK and subject to the GDPR, you may have the right to request that we help you move your Personal Information to other companies or organisations where this is technically feasible provided that the Personal Information was collected by automatic means. If you would like to make such a request, you should contact our Privacy Officer. If we are required to do so at law, we will take reasonable steps to process your request.
ACCESSING INFORMATION WE KEEP ABOUT YOU
You can access the Personal Information that we hold about you at any time. Simply contact our Privacy Officer to make your request. We will always endeavour to meet your request for access. However, in some circumstances we may decline a request for access. If we decline your request for access, we will give you reasons for our decision when we respond to your request.
CORRECTING YOUR INFORMATION
It is important that the Personal Information we hold about you is accurate. We will take reasonable steps to ensure that your information is accurate, complete and up-to-date at the time of collecting, storing, using or disclosing the information.
If you believe that any Personal Information we hold about you is inaccurate, incomplete or out-of-date, you should contact our Privacy Officer and we will take reasonable steps to update it.
QUESTIONS OR COMPLAINTS
If you have any further queries relating to this Privacy Policy, please contact our Privacy Officer. If we become aware of any ongoing concerns or problems with your information, we will take these issues seriously and work to address these concerns.
If you have a complaint in relation to the way information has been handled by us, the complaint should be made in writing to our Privacy Officer in the first instance. We will investigate the complaint and prepare a response to the User in writing within a reasonable period of time.
CHANGES TO OUR PRIVACY POLICY
From time to time, our policies will be reviewed and may be revised. We reserve the right to change this Privacy Policy at any time and publish such changes on our web site. Before providing us with any information, please check this Privacy Policy on our web site for any changes.
This Privacy Policy was last updated in May 2021.