Privacy Policy

📜 Purpose of Our Policy

Bodhi Holistic Hub Pty Ltd ACN 654 747 501 (we, us or our) has adopted this Privacy Policy to ensure that we have standards in place to protect the Personal Information that we collect about individuals that is necessary and incidental to:

• Providing the system and services that we offer; and
• The normal day-to-day operations of our business.

This Privacy Policy follows the standards of both:

• The Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy Act 1988 (Cth) (Privacy Act); and
• The regulations and principles set by the European Union’s General Data Protection Regulation (GDPR) for the handling of Personal Data.

By publishing this Privacy Policy, we aim to make it easy for our users and the public to understand what Personal Information we collect, why we do so, how we receive, obtain and/or use that information, and the rights of control an individual has with respect to their Personal Information in our possession.

📌 Who & What the Policy Applies To

Our Privacy Policy deals with how we handle “personal information” and “personal data” as it is defined in the Privacy Act and the GDPR respectively (Personal Information).

We handle Personal Information in our own right and also for and on behalf of our users..

Our Privacy Policy does not apply to information we collect about businesses or companies, however it does apply to information about the people in those businesses or companies.

The Privacy Policy applies to all forms of information, physical and digital, whether collected electronically or in hardcopy.

If, at any time, an individual provides Personal Information or other information about someone other than himself or herself, the individual warrants that they have that person’s consent to provide such information for the purpose specified.

If we learn that Personal Information has been collected on the service from minors without verifiable parental or guardian consent, then we will take the appropriate steps to delete such information.

📋 The Information We Collect

Without limitation, the type of information we may collect is:

• Personal Information. We may collect personal details such as an individual’s name, location, date of birth, nationality, family details and other information defined as “Personal Information” in the Privacy Act that allows us to identify who the individual is;
• Contact Information. We may collect information such as an individual’s email address, telephone & fax number, third-party usernames, residential, business and postal address and other information that allows us to contact the individual;
• Financial Information. We may collect financial information related to an individual such as any bank or credit card details used to transact with us and other information that allows us to transact with the individual and/or provide them with our services;
• Statistical Information. We may collect information about an individual’s online and offline preferences, habits, movements, trends, decisions, associations, memberships, finances, purchases and other information for statistical purposes; and
• Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities.

We may collect other Personal Information about an individual, which we will maintain in accordance with this Privacy Policy.

We may also collect non-Personal Information about an individual such as information regarding their computer, network and browser. Where non-Personal Information is collected the Australian Privacy Principles and the GDPR do not apply.

📊 How Information is Collected

Most information will be collected in association with an individual’s use of our online platform for holistic and complementary therapies (Bodhi Holistic Hub), an enquiry about Bodhi Holistic Hub or generally dealing with us. In particular, information is likely to be collected as follows:

• Registrations/Bookings. When an individual registers or books for a service, account, connection or other process whereby they enter Personal Information details in order to receive or access something, including transactions;
• Supply. When an individual supplies us with goods or services;
• Contact. When an individual contacts us in any way;
• Access. When an individual accesses us physically we may require them to provide us with details for us to permit them such access. When an individual accesses us through the internet we may collect information using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services; and/or
• Tracking. Tracking may be used to improve customer experience by analysing user behaviour to provide personalised recommendations and streamlined interactions.

As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of when their Personal Information is being collected.

Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a user), we will either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Australian Privacy Principles and the GDPR.

📅 Google Calendar Integration Privacy Policy

This section specifically addresses how Bodhi Holistic Hub handles Google user data through our Google Calendar integration. This policy is an integral part of our main Privacy Policy and applies to all users who choose to connect their Google Calendar with our service.

Data Collection and Access

Our application accesses the following Google Calendar data:

• Calendar availability and free/busy information
• Event timing and scheduling details
• Basic event metadata necessary for scheduling
• User email address associated with the Google Calendar

Purpose and Use of Data

We use Google Calendar data exclusively for the following purposes:

• Facilitating appointment scheduling between practitioners and clients
• Synchronising availability between our platform and users' Google Calendars
• Managing and preventing scheduling conflicts
• Sending scheduling confirmations and updates
• Improving our application's scheduling functionality

We do not use Google user data for:

• Marketing or advertising purposes
• Sale to third parties
• Any purpose unrelated to our application's core scheduling functionality

Data Storage and Protection

We implement comprehensive security measures to protect Google user data:

• All data is encrypted during transmission using industry-standard protocols
• Access to Google Calendar data is restricted to essential personnel
• We maintain secure API connections with Google services
• Regular security audits are conducted to ensure data protection
• We implement access controls and authentication measures
• All data is stored in secure, encrypted databases

Data Sharing and Disclosure

We do not share, transfer, or disclose Google user data to third parties except:

• When required by law
• With the explicit consent of the user
• To trusted service providers who assist in operating our service, subject to confidentiality obligations

Data Retention and Deletion

Our data retention policies for Google Calendar data are as follows:

• Active scheduling data is retained while your account is active
• Historical calendar events are automatically deleted after 30 days
• Users can request deletion of their Google Calendar data at any time by using the “Disconnect” button in their dashboard. Upon disconnection, all associated Google Calendar data will be removed from our systems.

🔍 When Personal Information is Used & Disclosed

In general, the primary principle is that we will not use any Personal Information other than for the purpose for which it was collected other than with the individual’s permission. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.

We will only process Personal Information when we can identify a lawful basis to do so. It is always our responsibility to ensure that we can demonstrate which lawful basis applies to the particular processing purpose.

The most common lawful bases relied upon are:

• Consent: we will only rely upon express, clear and informed consent. Any consent provided may specify and/or restrict the purpose and can be withdrawn at any time without penalty. We will keep a record of when and how we got consent from an individual.
• Legitimate interests: we will only rely upon an identifiable legitimate interest where we can demonstrate that the processing of Personal Information is necessary to achieve it by balancing it against the individual’s interests, rights and freedoms. We will keep a record of our legitimate interests’ assessments.

We will retain Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.

If it is necessary for us to disclose an individual’s Personal Information to third parties in a manner compliant with the Australian Privacy Principles and the GDPR in the course of our business, we will inform you that we intend to do so, or have done so, as soon as practical.

We will not disclose or sell an individual’s Personal Information to unrelated third parties under any circumstances, unless the prior written consent of the individual is obtained.

Information is used to enable us to operate our business, especially as it relates to an individual. This may include:

• The provision of goods and services between an individual and us;
• Verifying an individual’s identity;
• Communicating with an individual about:
  • Their relationship with us;
  • Our goods and services;
  • Our own marketing and promotions to customers and prospects;
  • Competitions, surveys and questionnaires;
  • Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or
  • As required or permitted by any law (including the Privacy Act).

The individual shall have the right to object at any time to the processing of their Personal Information for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. If we receive such a request, we will stop the processing of Personal Information for direct marketing purposes immediately without charge or penalty.

There are some circumstances in which we must disclose an individual’s information:

• Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;
• As required by any law (including the Privacy Act); and/or
• In order to sell our business (in that we may need to transfer Personal Information to a new owner).

We will not disclose an individual’s Personal Information to any entity outside of Australia that is in a jurisdiction that does not have a similar regime to the Australian Privacy Principles or an implemented and enforceable privacy policy similar to this Privacy Policy. We will take reasonable steps to ensure that any disclosure to an entity outside of Australia will not be made until that entity has agreed in writing with us to safeguard Personal Information as we do.

We may utilise third-party service providers to communicate with an individual and to store contact details about an individual. These service providers may be located outside of Australia.

An individual who uses Bodhi Holistic Hub may be sending information (including Personal Information) to overseas jurisdictions where our servers may be located from time-to-time. In such circumstances, that information may then be transferred within their resident jurisdiction or back out to other countries outside of the individual’s country of residence, depending on the type of information and how it is stored by us. These countries may not necessarily have data protection laws as comprehensive or protective as those in your country of residence, however our collection, storage and use of Personal Information will at all times continue to be governed by this Privacy Policy.

🔄 Opting In or Out

An individual may opt to not have us collect and/or process their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:

• Opt Out. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us (for clarity, consent must involve an unambiguous positive action to opt in); or
• Opt In. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us.

If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us using the details as set out below.

🔒 The Safety & Security of Personal Information

We may appoint a Data Protection Officer (DPO) to oversee the management of this Privacy Policy and ensure compliance with the Australian Privacy Principles, the Privacy Act, and the GDPR. This officer may have other duties within our organisation and may also be assisted by internal and external professionals and advisers.

We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes securing our physical facilities and electronic networks appropriately.

Individuals who provide information to us via the internet or by post do so at their own risk. We cannot accept responsibility for the misuse, loss, or unauthorised access to Personal Information when its security is outside of our control.

We are not responsible for the privacy or security practices of any third parties (including those we are permitted to share Personal Information with under this policy or applicable laws), unless required by the Privacy Act or GDPR. The collection and use of an individual’s information by these third parties may be governed by separate privacy and security policies.

If an individual suspects any misuse, loss, or unauthorised access to their Personal Information, they should notify us immediately.

We are not liable for any loss, damage, or claim arising from another person’s use of the Personal Information, provided we were authorised to share it with them.

In the event of a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to Personal Information, we will:

• Assess the likelihood and severity of the risk to the rights and freedoms of natural persons;
• If a risk is identified, notify the relevant supervisory authority within 72 hours, providing all relevant information;
• If the breach presents a high risk to individuals, notify the affected persons without undue delay, providing all relevant breach details.

We will document the facts of any security breach, its impact, and the remedial actions taken, and investigate the cause to prevent future occurrences.

Subject to the Australian Privacy Principles and the GDPR, an individual has the right to request the Personal Information we hold about them. We will respond as soon as practicable, and no later than 28 days after receiving the written request. The individual may retain and reuse their Personal Information for their own purposes, and we may be required to transmit it directly to another organisation if technically feasible.

If an individual is unable to update their information, we will correct any inaccuracies in the Personal Information we hold within 28 days of receiving written notice of the errors, or within two months for complex rectification requests.

Individuals are responsible for providing accurate and truthful Personal Information. We cannot be held liable for incorrect information provided to us.

If a request for access to Personal Information is manifestly unfounded, excessive, or repetitive, we may refuse to respond or charge a reasonable fee to cover the costs of fulfilling the request. If we refuse, we will explain why and inform the individual of their right to lodge a complaint with the supervisory authority and seek judicial remedy within 28 days.

We may be required to delete or remove all Personal Information about an individual under the following circumstances:

• When the Personal Information is no longer necessary for the purposes it was originally collected and/or processed;
• If the individual withdraws consent;
• If the individual objects to processing and there is no overriding legitimate interest to continue processing;
• If the processing of the Personal Information violates the GDPR;
• If the Personal Information needs to be erased to comply with a legal obligation;
• If the Personal Information concerns a child.

We may refuse to delete or remove Personal Information if it was processed for any of the following reasons:

• To exercise the right to freedom of expression and information;
• To comply with a legal obligation for public interest or official authority;
• For public health purposes in the public interest;
• For archiving purposes in the public interest, scientific research, historical research, or statistical purposes;
• For the exercise or defence of legal claims.

📝 Complaints & Disputes

If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the details below.

If we have a dispute regarding an individual’s Personal Information, we both should first attempt to resolve the issue directly between us.

An individual shall have the right to seek a judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her Personal Information in non-compliance with the GDPR. Any proceedings should be commenced in New South Wales, Australia, where we are established.

If we become aware of any unauthorised access to an individual’s Personal Information we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.

📞 Contacting Individuals

From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies. Where such information is materially important to the individual’s interaction with us, they may not opt out of receiving these communications.

📧 Contacting Us

If you have questions, need access to your personal information, or want to file a privacy complaint, contact us at: [email protected]

✍️ Additions to This Policy

Please revisit this Privacy Policy to check for any updates or changes. We may undertake actions beyond what is outlined in this Privacy Policy to ensure compliance with the Australian Privacy Principles and the GDPR; nothing in this policy shall be interpreted as non-compliance with these regulations.