ND Dermal Pty Ltd (A.C.N. 655 321 565) including but not limited to My Escape Skin Spa or My Escape Spa & Salon (“My Escape, us, we, our”), have adopted this Privacy Policy to ensure that we handle personal information in accordance with the Australian Privacy Principles (the APPs) set out in Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Amended Act), which amends the National Privacy Principles (the NPPs) as set out in Schedule 3 of the Privacy Act 1988 (the Act) and the General Data Protection Regulation (GDPR) where relevant.

We respect our customers’ (“you, your”) concerns about privacy. Our Privacy Policy describes the type of personal data that we collect about you, how we use that information, with whom we share it and your rights regarding our use of this information. We also set out the measures that we take to protect the security of your information, how long we retain it and how you can contact us with questions about our privacy practices and your rights regarding those practices.

1. Collection of Your Personal Information and Anonymity

1.1 Type of Information

Your personal information is only collected when it is reasonably necessary to do so, or directly related to, one or more of our functions or activities and is usually collected through information provided by you on your client information cards, on our website and/or through promotions, competitions and consumer queries.
This information may include:

• your name, postal address, contact number(s) and email address;
• age, date of birth and gender;
• username and password;
• information about your preference for products or services we offer from time to time;
• information on any health conditions you may have;
• payment information such as your credit card details for products, services and cancellation fees (if applicable);
• information on the products and services we have provided to you;
• details of any prizes you may have won;
• a record of any queries you have made;
• information provided to us by social networks or mobile applications when you visit our social media platforms or use one of our social networking or mobile applications (such as your name, profile picture, likes, location, friend list and other information described in the social networking application sign-up page), or your geo-location details when using one of our mobile applications. Most mobile applications allow you to turn off location services; and
• other information you have provided to us.

We will only collect other personal information, including sensitive information, in accordance with the Privacy Act 1988. We do not collect health information about you without your consent.

Where it is lawful and practicable to do so, customers may transact business with us without providing personal information or by providing such information under a pseudonym.

1.2 Cookies

We may use ‘cookies’ on our website. Cookies are an industry standard and most major websites use them. A cookie is a small text file that our website may place on your computer. Usually, cookies are used as a means for our website to remember your preferences. As such, cookies are designed to improve your experience of our website. In some circumstances, cookies may collect and store personal information about you. We extend the same privacy protection to your personal information, whether gathered via cookies or from other sources.
Most internet browsers are pre-set to accept cookies; however, you can adjust your internet browser to disable cookies or to let you know when cookies are being used. Please note that if you disable cookies, you may not be able to access certain areas of our website or take advantage of the improved website experience that cookies often offer.

2. Use and Disclosure

2.1 Use

We collect personal information directly from you wherever possible. However, sometimes we may collect personal information about you from a third party, e.g. a friend who has provided your details to us so we can send you a voucher, or a friend who has entered your name and email address as part of a competition.

This information is used for the following purposes:

• to contact you directly about our brand, its products, special offers, samples, social networking or mobile applications and other promotions;
• to reward you for being our loyal customer;
• to approve transactions you wish to make;
• to confirm your identity;
• to process your payment card transactions;
• to create and manage your online account;
• to analyse and improve the services offered;
• to provide you with products and services you have requested;
• to follow up or pursue any queries you make;
• to conduct consumer research;
• to notify you of the outcome of competitions or other promotions; and
• for such other purposes relating to your relationship with us (collectively the Primary Purpose).

We will not use or disclose any personal information for a purpose other than the Primary Purpose for which it was collected.

2.2 Disclosure and Use of Information by Third Parties

Except where you are otherwise notified and you have not objected to such, we do not sell, rent or otherwise make available any personal information to third parties.
We do, however, outsource certain business functions to third party organisations from time to time and solely for the purpose of such organisations providing services to us. Personal information may be transferred to or handled by the following parties as required:

• our related companies;
• organisations which provide services to us, such as mailing houses, promotion and advertising agencies and consumer research agencies;
• credit reference agencies or other credit providers; and
• government or statutory authorities.

We will notify you in writing before we transfer your personal information. These parties may directly contact you on our behalf and may also store your personal information on their computer servers or databases on our behalf as part of the services rendered to us.

2.3 Third Party Sites

You may link to third party sites from our site in which case we recommend that you refer to the privacy statement/policy of the sites you visit. Unlike a situation where a third party is providing services to us under Clause 2.2, our Privacy Policy applies to our website only and we assume no responsibility for information and content of third-party sites.

3. Data Quality

We take all reasonable precautions to ensure that the personal information we collect, use and disclose is accurate, complete, up-to-date and relevant to the Primary Purpose for which the information is collected. However, the accuracy of that information depends to a large extent on the information you provide.

You can access, review, update and delete your information, including your name, address, profile information and other personal information that we retain by calling us on 03 9500 9276. If you would like to transfer your personal information or have any other related questions, then please contact our Privacy Officer and let us know the nature of your query.
To make a written request to the Privacy Officer regarding your personal information please contact our Privacy Officer at:

My Escape Skin Spa
Att: Privacy Officer
1C Llaneast St, Armadale VIC 3143
Email: hello@myescapeskinspa.com.au

4. Data Security

We are committed to keeping personal information secure and protected from misuse, loss, unauthorised access, modification, disclosure and interference. This includes physical security, computer and network security, communications security and personnel security.

We only retain your credit card or account information to secure your appointment booking for spa treatments authorised by you. Once we no longer require your personal information for the Primary Purpose for which it was collected, we will take all reasonable steps to destroy or de-identify the personal information.

5. Marketing

We comply with permission-based direct marketing requirements under the Act and the Spam Act 2003. When collecting your personal information, we must request your permission to use that information to send you information on products and promotions or have our associates send you marketing material. We must also give you the opportunity to “opt out” of receiving such marketing material on all such marketing communications.

Where you indicate your consent, we may enter your details into a database for the purpose of contacting you directly about our brand, products, special offers, samples, consumer research and other promotions.

6. Competitions and Trade Promotions

The most frequent methods by which we collect your personal information are via bookings for spa treatments, details that you provide to us on our website, your client card which is completed at your first spa visit, and through competitions or other trade promotions.
For the purposes of competitions and trade promotions, the following special conditions apply to the collection, use and disclosure of your personal information:

• all entries become our property (and any third parties conducting joint promotions with us);
• winners’ details and a description of the prizes will be entered on a database to comply with record-keeping requirements of relevant Australian State and Territory trade promotion legislation; and
• your personal information may also be published in a newspaper or other media in accordance with the terms and conditions of each promotion.

7. Openness, Access and Correction

You can request more specific information from us about the sort of personal information we hold on you, for what purposes we hold it and how we collect, hold, use and disclose your personal information, by sending us a written request addressed to My Escape Skin Spa Att: Privacy Officer 1C Llaneast St, Armadale VIC 3143.

If the information held is inaccurate, incomplete or not up to date you may access, review, update and delete your information, including your name, address, profile information and other personal information that we retain by logging onto endotaspa.com.au or you may request us to correct the information. We may refuse to grant you access to the information if the Act permits or requires such refusal.

You can also advise us directly if you would prefer not to be contacted by us by sending us a written request addressed to My Escape Skin Spa Att: Privacy Officer 1C Llaneast St, Armadale VIC 3143.

8. How Long Do We Retain Your Personal Information

We retain your personal information to enable your continued use of our services, for as long as it is required in order to fulfil the relevant purposes described in this Privacy Policy, as may be required by law, or as otherwise communicated to you.

9. Transborder Data Flows

We will only transfer personal data overseas in circumstances where it is permitted by the Act, the Amended Act and the GDPR. We have systems and procedures that are designed to ensure that personal information stored or accessed from offshore can only be accessed in accordance with the terms of this Privacy Policy.

10. Complaints

If you have any concerns or complaints regarding the handling of your personal information by us or a breach of the APPs by us, please contact My Escape Skin Spa Att: Privacy Officer 1C Llaneast St, Armadale VIC 3143.

11. Our Plan in Case of a Data Breach

We maintain a data breach response plan in case personal information is lost or subject to unauthorised access, modification, use or disclosure or other misuse.

12. Additional Information

Further information on privacy is available at the website of the Office of the Australian Information Commissioner https://www.oaic.gov.au

We reserve the right to change this Privacy Policy at any time and to notify our customers by posting an updated version of the policy on our website: www.myescapeskinspa.com.au