1. Our commitment to privacy SkinKandy and each of its associates, related entities and subsidiaries (together, “we”, “us”, “our” and “SkinKandy”) are committed to protecting the privacy of Personal Information in accordance with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) (“Privacy Act”). Please read this Privacy Policy carefully as it describes how we collect, use, disclose and otherwise handle your Personal Information. A copy of this policy is available on the SkinKandy website at skinkandy.com.au or you can request a copy by contacting SkinKandy. In this Privacy Policy, “you” refers to any individual about whom we collect Personal Information. 2. What information does SkinKandy collect about you? The types of Personal Information SkinKandy may collect depends on the purposes for which it is collected but may include (without limitation) your name, gender, date of birth, occupation, residential address, email address, telephone number and other contact details, previous order information, purchasing preferences, IP address, credit card details, purchasing behaviour, employment history and other information relating to your work experience. SkinKandy will not collect Sensitive Information which includes information about racial or ethnic groups or religious beliefs without your express consent or as otherwise required by law. The exception to this is when you apply for a position, in which case refer to the section below titled “Prospective Employees or Applicants”. We will not use sensitive information for marketing purposes. When you communicate with us through our social media pages, such as Facebook or Twitter, the social network provider and its partners may collect and hold your Personal Information overseas. You should consult their privacy policy for further information.
You can always decline to give SkinKandy any Personal Information we request, but that may mean we cannot provide you with some or all of the services you have requested. If you have any concerns about Personal Information we have requested, please let us know. Without limitation, SkinKandy will collect Personal Information from the following groups or individuals below. (a) Loyalty Club Members When you enquire about our services or when you become a SkinKandy Loyalty Club Member (a Kandy Club Member), a record is made which includes your Personal Information. The type of Personal Information that we collect will vary depending on the circumstances of collection, but will typically include: the name, e-mail, postal address, telephone number and other contact details of each Kandy Club Member; and any additional Personal Information you provide to us, or authorise us to collect, as part of your interaction with SkinKandy. (b) Prospective employees or applicants We collect Personal Information when recruiting personnel, such as your name, contact details, qualifications and work history. Generally, we will collect this information directly from you. We may also collect Personal Information from third parties in ways which you would expect (for example, from recruitment agencies or referees you have nominated). Before offering you a position, we may collect additional details such as your tax file number and superannuation information and other information necessary to conduct background checks to determine your suitability for certain positions. Subject to your consent, we may also collect sensitive information about you such as information about your health (including any disability), any criminal record, if it is relevant to the role that you are applying for, and whether you identify as Aboriginal or Torres Strait Islander. 
In limited circumstances as provided by the Privacy Act, SkinKandy may collect information which is considered sensitive information without your consent (for example, if you are injured at a SkinKandy owned or operated premises, we may collect health information about you in an emergency). (c) Other individuals SkinKandy may collect Personal Information about other individuals who are not clients of SkinKandy. This includes: individual service providers and contractors to SkinKandy; and other individuals who interact with SkinKandy on a commercial basis. The kinds of Personal Information we collect will depend on the capacity in which you are dealing with SkinKandy. Generally, it would include your name, contact details, and information regarding our interactions and transactions with you. (d) Visitors to our websites The way in which we handle the Personal Information of visitors to our websites is discussed below. 3. How does SkinKandy collect your Personal Information? Where it is reasonable and practicable to do so, SkinKandy will collect your Personal Information from you. If you are under the age of 18, SkinKandy may collect Personal Information about you from your parent or legal guardian. We collect Personal Information in a number of ways including over the phone, by email, over the internet or in person.
We may collect your Personal Information directly from you or in the course of our dealings with you, for example: Information that you provide to us, such as your name; Information when you buy our products or use our services, such as your purchase history; Information you provide when making an online payment; When you subscribe to a mailing list or follow our social media pages including Facebook, Twitter and Instagram; If you use social media, any information that you allow the social media site to share with us; If you provide feedback and opinions about our products and services through any channel; If you are applying for a position with SkinKandy, we will collect information as outlined in the section above titled “Prospective employees or applicants”; and By accessing our website via links in an email we have sent and/or by accessing our website where you have identified yourself, you consent to the collection of such information where it is Personal Information. We may combine your anonymous or personal visitor session information or other information collected through tracking technologies with other Personal Information collected from you from time to time in order to understand and measure your online experiences and to determine what products, promotions and services are likely to be of interest to you. In some circumstances, we may collect Personal Information from third parties such as credit reporting agencies or marketing agencies. Where we do, we will ensure that we act in accordance with relevant Australian laws. In addition to Personal Information, we use cookies, web beacons and other technologies on our website and applications to collect information about your usage of our services. Using cookies enables us to collect data regarding your personal preferences, including what products you have ordered, at what times and in what amounts, the pages you have visited and so forth.
This enables us to recognise you as a specific customer and to help us and our third party service providers present targeted and customised advertising to you. Our website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control, endorse or make representations about these third-party sites and you are not responsible for their privacy statements. When you leave our websites, we encourage you to read the privacy notice of every website you visit. If you choose to give Personal Information to unrelated third parties it will not be covered by this Privacy Policy. 4. Why does SkinKandy collect, use, hold and disclose your Personal Information? We will only collect Personal Information from you that we reasonably require for one or more of our business functions or activities and will do so in accordance with the Australian Privacy Principles. SkinKandy uses the information we collect to provide, personalise, maintain and improve our products and services.
This includes using the information to: respond to requests for information and other general inquiries or complaints; create and update your account, including any SkinKandy Loyalty Club Membership (Kandy Club Membership); verify your identity; to assist us in providing goods and services to you; processing orders you place with us in our stores or via our electronic or other ordering system, providing you with our products and processing refunds where applicable; perform internal operations necessary to provide our goods and services, including to troubleshoot software bugs and operational problems, to conduct data analysis, testing, and research, and to monitor and analyse usage and activity trends; features to personalise your experience on our SkinKandy platforms; to identify services and products that may be of interest to you; facilitating our internal business operations, including fulfilment of any legal and regulatory requirements; informing you of our activities, events, facilities and services; and recruitment processes (including for volunteers, internships and work experience). When we collect your Personal Information, your Personal Information will only be used or disclosed for the primary purpose for which it was collected, a related secondary purpose, in accordance with any express consent you give SkinKandy or as otherwise lawfully required (for example where your Personal Information is requested by a law enforcement agency). If you use Facebook, we may use your email address in an encrypted format to match with your Facebook profile so that we can provide you with personalised advertising on Facebook. This is subject to the privacy settings you have chosen on Facebook. 5. 
Disclosure of Personal Information SkinKandy may disclose Personal Information we collect from you to our related entities, suppliers, consultants, contractors or agents for the purposes set out above or for other purposes directly related to the purpose for which the Personal Information is collected. We may also disclose the Personal Information to third parties where this is relevant to our primary purpose, including but not limited to mailing houses and data entry providers. These third parties include contractors and service providers used for payment services, data processing, data analysis, information technology services and support, website maintenance/development, printing, archiving, and mail-outs. Third parties to whom we have disclosed your Personal Information may contact you directly to let you know they have collected your Personal Information and to give you information about their privacy policies. We will also disclose your Personal Information if required by law or other reason in accordance with the Australian Privacy Principles. 6. Can you deal with SkinKandy anonymously? SkinKandy will, wherever it is lawful and practicable, provide individuals with the opportunity of remaining anonymous or using a pseudonym in their dealings with us (for example, when making a general enquiry) by contacting the SkinKandy Privacy Officer. In some instances this may prevent us from being able to provide you with products and services, for example where you place an order for products online. 7. How does SkinKandy hold information? SkinKandy stores information in paper-based files, on the cloud or through other electronic record keeping methods in secure databases (including trusted third party storage providers based in Australia and overseas). Personal Information may be collected in paper-based documents and converted to electronic form for use or storage (with the original paper-based documents either archived or securely destroyed).
We take reasonable steps to protect your Personal Information from misuse, interference and loss and from unauthorised access, modification or disclosure. SkinKandy maintains physical security over paper and electronic data stores, such as through locks and security systems at our premises. We also maintain computer and network security, for example, we use firewalls (security measures for the internet) and other security systems such as user identifiers and passwords to control access to our computer systems. We only keep your information for as long as it is required for the purpose for which it was collected or as otherwise required by law. We will take appropriate measures to destroy or permanently de-identify your information that we no longer require. These measures vary depending on the type of information concerned, the way it was collected and how it was stored. SkinKandy retains user profile and other information for as long as you maintain your Kandy Club Membership or other SkinKandy account. If you withdraw consent to the collection or use of Personal Information, SkinKandy deletes such Personal Information. This may mean the deletion of your Kandy Club Membership. You may request deletion of your Kandy Club Membership at any time via email or over the phone. There may be circumstances relating to employment or inappropriate or legal conduct which prevent SkinKandy from permanently deleting Personal Information. For example, in the case of fraud or where litigation has been threatened. 8. Direct Marketing SkinKandy may use or disclose your Personal Information for the secondary purpose of direct marketing communication, if: SkinKandy collected the information from you; you would reasonably expect your Personal Information would be used or disclosed for direct marketing; SkinKandy has provided a simple means by which you can request not to receive direct marketing; and you have not made a request not to receive direct marketing. 
Where you would not reasonably expect your Personal Information to be used for direct marketing, or the information has been collected from a third party SkinKandy may use the information for the secondary purpose of direct marketing communication only where: you have expressly consented to the use or disclosure for direct marketing, or it is impracticable for SkinKandy to seek your consent before that use; you have not made a request to SkinKandy not to receive direct marketing communication; in each direct marketing communication, SkinKandy always prominently displays a simple notice or actionable option that you may express a wish not to receive any further direct marketing communication; and each written direct marketing communication by SkinKandy with you sets out SkinKandy’s contact details including business address, telephone and fax numbers and email address. 9. Overseas Disclosure We are based in Australia, so your Personal Information will be processed in Australia. However, some of our related entities and third-party goods and services providers are located overseas. We may need to share your Personal Information with organisations or persons located outside of Australia. The countries in which these organisations or persons are located will depend on the circumstances, but in the course of our ordinary operations, we may disclose Personal Information to our global third party service providers. If we disclose Personal Information to a third party in a country which does not have equivalent privacy laws to Australia, we will take steps reasonable in the circumstances to ensure that the Personal Information that it transfers will not be held, used or disclosed by the recipient of the information inconsistently with, or otherwise in breach of, applicable privacy laws (including the Privacy Act). 
For example, SkinKandy may adopt appropriate contractual clauses with overseas recipients that ensure their compliance with applicable privacy laws (including the Privacy Act). 10. Security and Data Breaches We take protecting your Personal Information seriously and are continuously developing our security systems and processes. We have a number of security controls in place and use a range of resources, process and technology controls to protect your Personal Information. While we endeavour to protect the Personal Information of users of our website, we cannot guarantee the security of information you disclose online. You disclose that information at your own risk. You should be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. Users of our websites are encouraged to exercise care in sending Personal Information via the internet. You can also help protect your Personal Information by keeping your account details confidential so that access is limited. We also encourage you to use a unique and strong password, limit access to your computer and log out after use. If you become aware of unauthorised access, please let us know as soon as practicable. In the event of any loss, or unauthorised access or disclosure of your Personal Information that is likely to result in serious harm to you, SkinKandy will investigate and notify you and where applicable the relevant supervisory authority (e.g. the Australian Information Commissioner) as soon as practicable after becoming aware of the loss, or unauthorised access or disclosure, in accordance with applicable privacy laws (including the Privacy Act). 11. Access and Correction Access You are entitled to access your Personal Information held by SkinKandy on request. To request access to your Personal Information please contact our privacy officer using the contact details set out below.
We will generally provide you with access to your Personal Information subject to some exceptions permitted by law. When making an access request, please provide as much detail as you can about the particular information you seek, in order to help us retrieve the information. We may ask you to verify your identity before proceeding with any request you make, this includes providing us satisfactory proof of identity as determined by us. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act or will contact you directly to seek your permission. You will not be charged for making a request to access your Personal Information but you may be charged for the reasonable time and expense incurred in compiling information in response to your request. Correction We will take reasonable steps to ensure that the Personal Information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in Personal Information we hold about you and letting us know if your personal details change. If you ask us to correct Personal Information that we hold about you, or if we are satisfied that the Personal Information we hold is inaccurate, out of date, incomplete, irrelevant or misleading, we will take reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading. If we correct Personal Information about you, and we have previously disclosed that information to another agency or organisation that is subject to the Privacy Act, you may ask us to notify that other entity. If so, we will take reasonable steps to do so, unless this would be impracticable or unlawful. A record of the changes made to your Personal Information may be noted in your account or filing. 
You acknowledge that there may be circumstances where SkinKandy is entitled to assume such accuracy and completeness and reserves the right to not correct Personal Information, where permitted under relevant laws. We may decline your request to access or correct your Personal Information in certain circumstances in accordance with the Australian Privacy Principles. If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your Personal Information about the requested correction. 12. Inquiries Procedure You may contact SkinKandy at any time if you have any questions or concerns about this Privacy Policy or about the way in which your Personal Information has been handled. You may make a complaint about privacy to the privacy officer at the contact details set out below. We may ask you to submit your complaint in writing. We may discuss and share your complaint with our staff and our service providers and others as required and appropriate. The privacy officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally respond to your complaint within a week. If your complaint requires more detailed consideration or investigation, we will acknowledge receipt of your complaint within a week and endeavour to complete our investigation into your complaint promptly. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather relevant facts, locate and review relevant documents and speak with individuals involved. In most cases, we will investigate and respond to a complaint within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.
If you are not satisfied with our response to your complaint, or you consider that SkinKandy may have breached the Australian Privacy Principles or the Privacy Act, a complaint may be made to the Office of the Australian Information Commissioner. The Office of the Australian Information Commissioner can be contacted by telephone on 1300 363 992 or by using the contact details on the website www.oaic.gov.au. 13. How changes are made to this Privacy Policy? SkinKandy may amend this Privacy Policy from time to time, with or without notice to you. We recommend that you visit our website regularly to keep up to date with any changes. The current version will be posted on our website and a copy may be obtained by contacting SkinKandy. 14. How can you contact SkinKandy? If you would like further information about how we manage your Personal Information, or if you have any queries relating to our Privacy Policy, or wish to lodge a complaint in relation to an alleged breach of the Privacy Act, please contact our Privacy Officer: SkinKandy privacy officer: Mark Oliphant 11 Beach Road, Maroochydore QLD 4558 Info@skinkandy.com 1300 129 991 15. General For information about privacy generally, you may visit the Office of the Australian Information Commissioner’s website at www.oaic.gov.au. This Privacy Policy was last updated in April 2021.