Purpose and Scope

This Privacy Policy applies to users (“you”) of the software program (and functionality provided through the software program) provided by Advanced Health Intelligence Ltd (AHI) (the “Application”) and downloaded and accessed by you on an iPhone or Android smart device, named AHI Technology Demo (“AHI Tech Demo”), (the

“Service”).

The Service is for demonstration purposes only and can only be accessed if you have supplied your name and email address to AHI for the purposes of creating an account and password for the Service.  

The Service calculates facial blood flow information, creates silhouettes of your body shape using pictures you take with your smartphone and collects information you input about your height, weight, sex, age ethnicity group, whether you are a smoker, type 1 diabetic, type 2 diabetic or neither, have hypertension, and if you are currently taking any blood pressure medication.  

We use the information above to:

• calculate accurate statistics including body measurements and body composition, heart rate, irregular heartbeats, breathing, blood pressure, heart rate variability, and cardiac workload.
• infer your risk of chronic diseases / mortality, cardiovascular disease, heart attack, stroke, and mental stress.  

We do collect information about your use of the Application and the Service, as described in this Privacy Policy, to help us secure and improve the Application and develop the Service.

Our collection and use of your Personal Data are subject to the data protection laws applicable where you reside, as set out in this Privacy Policy. AHI currently operates in the following locations:

1. Australia
2. Central Hong Kong
3. European Economic Area (“EEA”)
4. Peoples Republic of China
5. Peru
6. Singapore
7. South Africa
8. UK
9. USA.

Where we collect and process your Personal Data based on your explicit consent, as set out in this Privacy Policy, we will ask for your consent in the Service before we collect any of your Personal Data. You can withdraw your consent at any time by using the contact details provided in this Privacy Policy. If you do withdraw your consent, you will no longer be able to participate in the demonstration trial.

‍

1. Interpretation and Definitions

Capitalised words in this Privacy Policy have the meanings given below. All definitions have the same meaning regardless of whether they are used in singular or plural.

• APA means the Australian Privacy Act 1988.
• AHI means Advanced Health Intelligence Ltd of U5, 71-73 South Perth Esplanade, South Perth, Western Australia, 6151.
• Business means the legal entity that determines the purposes and means of processing of Personal Data about residents of California in accordance with the California Consumer Privacy Act (CCPA).
• Controller means the legal entity or natural person that determines the means and purposes of processing of Personal Data about individuals in the European Economic Area or the United Kingdom in accordance with the General Data Protection Regulation (GDPR).  
• CCPA means the California Consumer Privacy Act, California Civil Code sections 1798.100 et seq, and its implementing regulations.
• Entrusted Parties means the legal entity or natural person that processes Personal Data on behalf of and in accordance with instructions from a Controller in accordance with the PIPL.
• GDPR means the General Data Protection Regulation (EU) 2016/679 and, from the point at which the GDPR ceases to apply in the United Kingdom, the UK GDPR.  
• LGPD means the Brazilian General Data Protection Law (the Lei Geral de Proteção de Dados Pessoais).
• NuraLogix means NuraLogix Corporation of 250 Yonge St, Suite 1801, Toronto ON Canada M5B2L7.
• PDPL means Peru’s Personal Data Protection Law (N° 29733 (PDPL)) and its Regulation (N° 003-2013-JUS-Regulation of the PDPL).
• Personal Data means information which can be used directly or indirectly to identify you and which relates to you (and shall be deemed to include “Personal Data” as defined in the GDPR and LGPD and “personal information” as defined in the CCPA, PIPL and the Australian Privacy Act 1988 (Cth) respectively).
• Personal Information Processing Entity means the legal entity or natural person that determines the means and purposes of processing of Personal Data about individuals in PRC in accordance with the Personal Information Protection Law (PIPL).
• PIPL means China’s Personal Information Protection Law.
• Processor means the legal entity or natural person that processes Personal Data on behalf of and in accordance with instructions from a Controller in accordance with the GDPR.  
• Service Provider means the legal entity that processes Personal Data about residents of California on behalf of a Business in accordance with the CCPA.
• UK GDPR means the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018.

‍

2. Face Scan Data

When you use the Service, we collect your height, weight, sex, whether you are a smoker, type 1 diabetic, type 2 diabetic or neither, have hypertension, and if you are currently taking any blood pressure medication when you provide this information to us.  We also collect photos you take using the Application, as well as facial blood flow information extracted using photos you take using the Application (“Face Scan Data”).

We use the Face Scan Data to calculate heart rate, irregular heartbeats, breathing, blood pressure, heart rate variability, and cardiac workload information, as well as provide user support.  

This information is your Personal Data because it is about you and can be used to identify and / or differentiate you from other individuals using the Service. We only collect face scan data with your explicit consent.  

‍

3. Body Scan Data

When you use the Service, we collect your height, weight and sex.  When you provide this information to us, we also collect photos you take using the Application, as well as silhouettes of your body image created using photos you take using the Application (“Body Scan Data”).  

We use the Body Scan Data to calculate digital anthropometric circumference measurements, body composition information (such as your body fat %, for example), body joint information (the areas where your bones are attached to permit body parts to move), as well as provide user support.  

This information is your Personal Data because it is about you and can be used to identify and / or differentiate you from other individuals using the Service. We only collect body scan data with your explicit consent.  

‍

4. Potential Risk Inference Data

We collect information you input about your height, weight, sex, ethnicity group, whether you are a smoker, type 1 diabetic, type 2 diabetic or neither, have hypertension and if you are currently taking any blood pressure medication. In combination with your body measurements and body composition, heart rate, irregular heartbeats, breathing, blood pressure, heart rate variability, and cardiac workload statistics, we use this data to highlight potential risk of chronic diseases / mortality, cardiovascular disease, heart attack, stroke and mental stress.  

We provide additional information on how we identify potential [health] risks, including; information from risk tables generated from studies by organisations such as The World Health Organisation, the International Diabetes Federation, and where possible we will reference the study name, organization that conducted the study, and the risk classification tables generated from the study.  This is so that you can understand how we arrived at the inferred risk result based on the body measurements and body composition, heart rate, irregular heartbeats, breathing, blood pressure, heart rate variability, and cardiac workload statistics.  

Please note, AHI risk inference is not a medical examination and is not intended to replace any diagnosis or treatment, it is only intended to provide extra information to you that might be helpful, however does not replace a doctor’s visit or professional medical advice. As such, please visit your doctor or seek professional medical advice if you have any concerns following use of our Service.

‍

5. Usage Data

We collect information about how you use the Service (“Usage Data”) automatically. Usage Data includes information about the device you are using to access the Service (including your IP address, your browser type and version, your operating system and the type of smartphone used), the time and date of your visit, and other diagnostic information.

We use Usage Data to secure and identify problems with the Service, monitor crash reports, and to help us support and improve the Application and to develop the Service.  

We collect and process Usage Data based on our legitimate interest to support and secure the Service, the Application and to identify potential improvements.  We may use your Body Scan Data for statistical, research and business related purposes, such as improving our products. Where we do so, we will always anonymise your data.

‍

6. Sharing your Personal Data

We may share your Personal Data with trusted third parties who provide us with services necessary to enable us to provide the Service to you. Any such third parties are required to enter a contract with AHI to take appropriate security measures to protect your Personal Data and may only use your Personal Data in line with our instructions, and not for their own purposes.  

The Service is hosted in the Amazon Web Services (“AWS”) cloud platform.  AWS is one of our trusted third-party service providers that will have access to your Personal Data.  

Our primary AWS hosting location is in the USA and our business operations, including our development and support teams, are based in Australia. This means that your Personal Data will be stored in and accessible by us from both the US and Australia where the data protection laws may not provide the same level of protection to the country or region in which you live.

Face Scan Data processing is provided by NuraLogix.  NuraLogix’s primary AWS hosting locations are Canada and the European Economic Area (EEA), with their business operations, including NuraLogix development and support teams, based in Canada.  This means that your Personal Data relating to your Face Scan Data will also be stored in and accessible by us and NuraLogix from the US, Canada, EEA and Australia where the data protection laws may not provide the same level of protection to the country or region in which you live.

If you are located in a country or territory where restrictions apply to international transfers we will only transfer your Personal Data outside that country or territory with your explicit consent.  

We may also share your Personal Data where;

• we are required to do so by law;
• where we believe in good faith that disclosure is necessary to protect the safety of users of the Service or the public;
• it is necessary to investigate and prevent possible wrongdoing in connection with the Service, to protect and defend our rights and assets; and;
• to protect against legal liability.  

If we are subject to any merger, acquisition of asset sale, your Personal Data may be transferred to the acquiring or merged entity. We will notify you if this occurs and provide you with details of any arising change to this Privacy Policy.  

‍

7. Retaining your Data

We will retain your Face Scan Data, Body Scan Data, and Risk Inference Data Personal Information for 3 months.

We will retain your Usage Data for 180 days.

‍

8. Protecting your Data

The security of your Personal Data is important to us, and we have implemented organisational and technical security measures in line with good industry practice to ensure that your Personal Data is protected.  

Unfortunately, no method of transmission over the internet or method of electronic storage is 100% secure. Whilst we will always take steps to protect your information in line with good industry practice, we cannot guarantee its absolute security.  

‍

9. Children’s Privacy

Our Terms of Service prohibit use of the Service by a child (age will vary between countries) and AHI does not knowingly collect Personal Data from children/minors.

If you are a parent or guardian and you believe your child is using the Service, please contact us immediately so that we can delete their Body Scan Data and the Usage Data.

If we become aware that we have collected Personal Data from a child/minor, we will take immediate steps to delete their Personal Data.  

‍

10. Your Rights

You have rights in respect of your Personal Data. The specific rights available to you depend on your country of residence. If you are in the European Economic Area or UK, please refer to Section 11 of this Privacy Policy. If you are a resident of California, please refer to Section 12 of this Policy. If you are a resident of Brazil, please refer to Section 13 of this Policy. If you are a resident of the People’s Republic of China (“PRC”), please refer to Section 14 of this Policy. If you are a resident of Peru, please refer to Section 15 of this Policy.

If you live in Australia, you have the right to request access to or correction of the Personal Data we hold about you and the right to stop receiving unwanted direct marketing. You can also make a complaint about us to the Office of the Australian Information Commissioner if you think we have mishandled your Personal Data.

You can exercise your rights or complain to us about how we use your data by emailing us at support@ahi.tech or writing to us at the address provided at Section 16 below.  

‍

11. GDPR Specific Processing

If you reside in the European Economic Area (“EEA”) or the United Kingdom (“UK”), this Privacy Policy applies as follows:

• AHI is the Controller for your Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data.
• The trusted third parties with whom we share your Personal Data as described in the Privacy Policy are our processors for Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data. We enter into data processing agreements that meet the requirements of Article 28 of GDPR with our subprocessors and processors.
• We only transfer your Face Scan Data, Body Scan Data, and Risk Inference Data outside the EEA or UK to our other third-party suppliers/partners with your explicit consent or where otherwise permitted by law to do so.  
• We transfer your Face Scan Data, Body Scan Data, Risk Inference Data, and Usage Data outside the EEA and the UK including to the United States, Canada and Australia where the data protection laws may offer a lower level of protection than in your country.
• For support purposes, we may share statistics (and other relevant information) relating to your Body Scan Data with third parties when we are liaising with them about the services and products we provide. Where we do so, we will always do so in a secure manner.
• Our representative in the EU and UK is Evalian Limited, who can be contacted by emailing: ahi@evalian.co.uk.
• We have designated a Data Protection Officer, who can be contacted by emailing: support@ahi.tech.  
• You have the following rights in respect of your Personal Data:
  - You have the right of access to your Personal Data and can request copies of it and information about our processing of it.  
  - You have the right to request that your Personal Data is deleted, subject to certain exceptions.
  - If the Personal Data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  - Where we are using your Personal Data because it is in our legitimate interests to do so, you can object to us using it this way.  
  - Where we are using your Personal Data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
  - You can ask us to restrict the use of your Personal Data if:
    > It is not accurate.
    > It has been used unlawfully but you do not want us to delete it.
    > We do not need it anymore, but you want us to keep it for use in legal claims; or  
    > if you have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
  - In some circumstances you have the right to receive the personal data, which you have provided to us, in a structured, commonly used and machine-readable format and the right to have this personal data transmitted to another company.
  - You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
  - Where we are processing your Personal Data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.
  - You can also raise a complaint with the data protection supervisory authority in the country in which you reside.  
• To exercise your rights in respect of Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data you can contact us using the details set out at Section 10 or Section 16 of this Privacy Policy.

‍

12. CCPA Processing

If you are a resident of California, this Privacy Policy applies as follows:

• To the extent applicable under the CCPA, AHI is the Business for Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data.
• We may share statistics (and other relevant information) relating to your Body Scan Data with third parties when we are liaising with them about the services and products we provide. Where we do so, we will always anonymise your data so that any third parties cannot link it to you.
• AHI does not sell your Personal Data within the meaning of the CCPA.
• You have the following rights in respect of your Personal Data to the extent required by the CCPA:
  - You have the right to disclosure of specific information to you about the collection and use of your Personal Data over the last 12 months.
  - You have the right to request that your Personal Data is deleted, subject to certain exceptions.
  - You have the right not to be discriminated against for exercising your rights under the CCPA.
  - To exercise your rights in respect of Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data you can contact us using the details set out at Section 10 or Section 16 of this Privacy Policy.
  - The Service does not respond to ‘Do Not Track’ signals.
  - California Business and Professions Code Section 22581 allows California residents under the age of 18 who are registered users of online sites, services or applications to request and obtain removal of content or information they have publicly posted. If this applies to you, please contact us using the details set out at Section 10 or Section 16 of this Privacy Policy. We will action your request to the extent required by law.  
  - California Civil Code Section 1798.83 (California's ‘Shine the Light’ law) enables California residents with an established business relationship with us to request information once a year about the sharing of their Personal Data with third parties for direct marketing purposes. If this applies to you, please contact us using the details provided at Section 10 or 16 of this Privacy Policy.

‍

13. LGPD Specific Processing

If you reside in Brazil, this Privacy Policy applies as follows:

• AHI is the Controller for your Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data.
• The trusted third parties with whom we share your Personal Data as described in the Privacy Policy are our sub-processors for Usage Data. We enter into data processing agreements with our sub-processors and processors to ensure they only process your Personal Data in accordance with our instructions.  
• We only transfer your Usage Data outside of Brazil to our other third-party suppliers/partners with your explicit consent or where otherwise permitted by law to do so.  
• We may share statistics (and other relevant information) relating to your Body Scan Data with third parties when we are liaising with them about the services and products we provide. Where we do so, we will always anonymise your data so that any third parties cannot link it to you.
• We have designated a Data Protection Officer, who can be contacted by emailing: support@ahi.tech.  
• You have the following rights in respect of your Personal Data:
• You have the right of access to your Personal Data and can request copies of it and information about our processing of it.  
  - If the Personal Data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  - Where we are not relying on consent, you have the right to oppose the processing we are carrying out on your Personal Data where we have not complied with the LGPD.  
  - You can ask us to block, anonymise or delete the use of your Personal Data if:
    > It has been used unlawfully
   > It is unnecessary
    > It is excessive.
  - In some circumstances you can request a machine-readable copy of your Personal Data and request us to transfer it to another service provider.
  - You have the right to review a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
  - Where we are processing your Personal Data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.
  - You can also raise a complaint with the data protection supervisory authority in the country in which you reside.
• To exercise your rights in respect of Usage Data you can contact us using the details set out at Section 10 or Section 16 of this Privacy Policy.

‍

14. PIPL Specific Processing

If you reside in the PRC, this Privacy Policy applies as follows:

• AHI is the Personal Information Processing Entity for your Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data.
• The trusted third parties with whom we share your Personal Data as described in the Privacy Policy are our Entrusted Parties for Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data. We enter into data processing agreements with any Entrusted Parties that we use in the provision of our Service to ensure that your Personal Data is handled in accordance with PIPL.  
• We only transfer your Face Scan Data, Body Scan Data, and Risk Inference Data outside of PRC to our Entrusted Parties with your explicit consent and where otherwise permitted by law to do so.  
• We may share statistics (and other relevant information) relating to your Body Scan Data with third parties when we are liaising with them about the services and products we provide. Where we do so, we will always anonymise your data so that any third parties cannot link it to you.
• We have designated a Data Protection Officer, who can be contacted by emailing: support@ahi.tech.
• You have the following rights in respect of your Personal Data:
  - You have the right to know and decide upon Personal Data Processing.
  - You have the right of access to your Personal Data and can request copies of it and information about our processing of it.  
  - If the Personal Data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  - You have the right to request that your Personal Data is deleted, in certain circumstances.
  - You have the right to object and have the right to restrict the use of your Personal Data in certain circumstances. - You have the right not to be subject to a decision based solely on automated processing.
  - You have the right to portability, subject to conditions stipulated by the Cyber space Administration of China.
  - Where we are processing your Personal Data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.
  - You have the right to ask Entrusted Parties to explain their processing rules on data subjects’ requests.
  - The close relatives of a deceased data subject also have certain rights.
  - You can also raise a complaint with the data protection supervisory authority in the country in which you reside.  
  - To exercise your rights in respect of Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data you can contact us using the details set out at Section 10 or Section 16 of this Privacy Policy.

15. PDPL Specific Processing

If you reside in Peru, this Privacy Policy applies as follows:

• AHI is the Controller for your Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data.
• The trusted third parties with whom we share your Personal Data as described in the Privacy Policy are our processors for Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data. We enter into data processing agreements with our sub-processors and processors.  
• We only transfer your Face Scan Data, Body Scan Data, and Risk Inference Data outside of Peru to our other third-party suppliers/partners with your explicit consent or where otherwise permitted by law to do so.  
• We transfer your Face Scan Data, Body Scan Data, Risk Inference Data, and Usage Data outside Peru to the United States, Canada and Australia where the data protection laws may offer a lower level of protection than in your country.
• For support purposes, we may share statistics (and other relevant information) relating to your Body Scan Data with third parties when we are liaising with them about the services and products we provide. Where we do so, we will always do so in a secure manner.
• We have designated a Data Protection Officer, who can be contacted by emailing: support@ahi.tech.
• You have the following rights in respect of your Personal Data:
  - You have the right to be informed about the collection and use of your Personal Data.
  - You have the right of access to your Personal Data and can request copies of it and information about our processing of it.  
  - You have the right to request that your Personal Data is deleted, subject to certain exceptions.
  - You have the right to object to our processing of your Personal Data in certain circumstances, for example, where you have legitimate and grounded reasons, due to a specific personal situation.
  - If the Personal Data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it.
  - In some circumstances, you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
  - Where we are processing your Personal Data with your consent you can withdraw your consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.
  - You can also raise a complaint with the data protection supervisory authority in the country in which you reside. - To exercise your rights in respect of Face Scan Data, Body Scan Data, Risk Inference Data and Usage Data you can contact us using the details set out at Section 10 or Section 16 of this Privacy Policy.

‍

16. Our Contact Details

You can contact us about this Privacy Policy, to exercise your rights or to complain by writing to:

Advanced Human Imaging Limited (“AHI”), U5, 71-73 South Perth Esplanade, South Perth, Western Australia, 6151.

You can email us about this Privacy Policy at:  

support@ahi.tech.  

‍

17. Updates to this Privacy Notice

We will review and update this Privacy Policy from time to time. Please visit this page periodically to check for updates.  

This Privacy Policy was last updated on the date shown in the table below.

‍