Group Privacy Policy
Introduction
Welcome to the Montu Group of companies and businesses.
Montu includes Montu Group Pty Ltd (ABN 35 634 198 360) and its wholly owned subsidiaries Alternaleaf Pty Ltd, uMeds Australia Pty Ltd and Leafio Pty Ltd, as well as all its businesses including Saged (Montu, we, us, our). This Policy applies to all business conducted by Montu in Australia.
Montu is committed to respecting and protecting the privacy of the information provided by you when you engage with us. We conduct our business in accordance with the Australian Privacy Principles (APPs) in the Privacy Act. The APPs govern the way in which we collect, use, process, store, share, transfer and dispose of your Personal Information. The APPs can be found on the website of the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au/.
Application of this Policy
This Policy applies to everyone that uses our Services or browses, accesses, or provides information to us including on or through our Platforms (collectively and individually referred to as you or your within this Policy).
In this Policy:
Health Information means Personal Information about a person’s health, health services provided to them, information collected in providing health services to them and other information within the meaning of that term in the Privacy Act.
Medicine means medicine prescribed by a prescribing practitioner.
Personal Information means information or an opinion about an identified individual, and other information within the meaning of that term in the Privacy Act including Health Information.
Platform means any one or more of the websites, digital media, and service platforms we use to provide the Services.
Policy means this privacy policy as updated from time to time.
Privacy Act means the Privacy Act 1988 (Cth).
Services means the services each of us provide as described in the Terms.
Staff means people employed by us or contracted to us to provide the Services.
Terms means the terms of service with each of us and any one of us, our Policy, and any other agreement with us that you accept.
Further information about the Services provided by our Australian businesses is set out in the Terms for those businesses on our Platforms, which currently include:
- Alternaleaf - telehealth clinic
- uMeds - service platform to facilitate the purchase and delivery of Medicine from pharmacies
- Leafio - medicine distributor for healthcare professionals
- Saged - medicine education platform for healthcare professionals
- Montu Brands and Montu Medical - product information for healthcare professionals
1. Information We Collect
We collect your Personal Information when you use our Services including the Platforms.
1.1 Information we collect directly from you:
We may collect Personal Information you give us directly:
- when you use a Platform
- when you make an inquiry or order in relation to our Services including through a Platform
- when you contact us by telephone or in correspondence, including when you complete a form or communicate with us through a Platform, interact with our chatbot, or write to us by email
- while participating in customer satisfaction and market research surveys,
- when we provide you with any of our Services, and
- if you are a healthcare professional or staff member of a health organisation, when you provide us with information such as your name, AHPRA registration number, and details of the health organisation you work at (including name, address, and ABN), to enable us to provide support, fulfil orders, or otherwise deliver our Services to you.
Recording of Consultations and Customer or Support Calls
To help us maintain and improve the quality of our Services, we may record interactions you have with our Staff. This includes:
- telehealth consultations with healthcare practitioners
- participation in patient experience activities such as service evaluations or user feedback sessions, and
- sales calls made by our account managers and inbound and outbound customer support calls from pharmacies regarding orders and service inquiries.
These recordings may be used for quality assurance, training, and service improvement purposes. Where recordings are made, and notice or consent is required by law, you will be informed prior to the interaction. By continuing, you provide your consent to the recording.
Recordings of telehealth consultations are stored for 14 days in accordance with this Policy, but transcriptions of these recordings may be kept for a longer period as described in section 5.1 of this Policy. Customer or support call recordings are stored securely and retained only for as long as necessary to fulfil their intended purpose, in line with applicable legal and operational requirements. Recordings made as part of patient experience or user research activities are handled securely, and in line with the User Experience Research section of this Policy.
1.2 Information we collect directly from third parties:
We may collect Personal Information from third parties including:
- prescriptions issued to you by third parties
- health records relating to you created or held by third parties
- other information created, held, or known by third parties relevant to the provision of our Services to you, and
- other information created, held, or known by third parties relevant to Medicine prescribed to you.
1.3 Information we collect indirectly
We and our third-party business partners, including analytics and advertising partners, may automatically collect Personal Information including through cookies or similar technologies when you use our Platform. This includes your browser type, operating system, pages viewed, interactions, links clicked, IP address, visit duration, referring URL, and search terms. Our partners may also track your online activities over time and across different websites and services. See section 4 (Cookies and Tracking Tools).
1.4 Information we collect from other sources
We and our third-party business partners may collect Personal Information about you from other sources, such as third parties, public databases, and social media platforms that are relevant to our Services. Examples include databases containing Personal Information about:
- your contact or financial details
- if you are a healthcare professional, your licensing and registration status, such as verifying your AHPRA registration number against the AHPRA public register
- your prescriptions for Medicine issued by third parties such as state health Safe Script databases, and
- your past and current healthcare, symptoms, diagnoses, and treatment plans.
If you are a patient of Alternaleaf, we may also collect your Personal Information from your My Health Record in line with legal requirements, to support your care. You can control Alternaleaf’s access to your My Health Record directly when logging into My Health Record.
2. How we use your information
We may use your Personal Information in the following ways:
2.1 To provide Services to you
We use your Personal Information to:
- conduct our business
- provide our Services to you
- provide customer service to you and respond to enquiries
- communicate with you
- customise our marketing programs and campaigns, and
- send you alerts, announcements, invitations, and other information about products, brands, services, and health topics
2.2 To connect you with third parties
We may connect you with third parties to provide our Services. If you use this function, your use will be governed by the third party's privacy policy and terms. We recommend carefully reviewing the privacy policies and terms of these third parties.
Third parties may include:
- Pharmacies,
- Partner delivery services, and
- Suppliers or sponsors of Medicine.
2.3 To validate your ability to access services and information
Certain products, services, and information we provide may be tailored for and accessible to individuals who meet specific eligibility criteria. In such instances, we may verify your eligibility to access these offerings.
Examples include:
- certain information intended solely for registered healthcare professionals. We may use information gathered directly from you and external sources to confirm your eligibility to access this information.
- eligibility to utilise our patient services. We may use details such as Medicare card details and Individual Healthcare Identifier (IHI) to identify an individual for health care purposes.
2.4 To improve our Services
We aim to continuously improve our Services while ensuring compliance with legal and regulatory requirements. This means that we may use your Personal Information to practice effective risk management and quality control through auditing and compliance monitoring.
We use Personal Information for data analysis, understanding the impact of products or Services, tracking and addressing concerns, fraud prevention, quality assurance, training, the improvement and efficient delivery of our Services to you, product development and patient advocacy.
We use Personal Information to meet regulatory monitoring and reporting obligations, including protecting against adverse events, responding to product or service complaints, and promoting patient safety.
2.5 To conduct clinical research to inform future clinical practice
As part of the Alternaleaf clinic, your Personal Information will be collected, used, and stored for the purposes of clinical research related to your Medicine. Your medical data will be included in a Medical Cannabis clinical research patient registry (Registry), which is designed to gather information on individuals with specific conditions or diagnoses. This Registry helps healthcare professionals improve patient outcomes, enhance treatment strategies, and provide valuable data for future research, including the development and testing of new treatments.
The data collected within the Registry will initially be de-identified but re-identifiable to allow for future medical treatment. For research purposes, however, the data will be de-identified so that it is not re-identifiable, ensuring that such data cannot be personally identified when it is shared with third-party research institutes. Research conducted with Registry data will adhere to the Privacy Act and the Australian National Health and Medical Research Code for the Responsible Conduct of Research (available at NHMRC Research Code) to ensure that research is conducted ethically and with integrity.
Third-party research institutes may access the data to conduct approved research in accordance with the Code, and all research data will be handled confidentially and used in a de-identified format.
Please note that once your data has been entered into the Registry, it cannot be removed retrospectively if it has already been deidentified and used in research. However, you have the right to withdraw your consent for any further collection or addition of your identifiable data from the Registry at any time. Should you wish to do so, please contact us using the details provided below, and your identifiable data will be removed upon request.
2.6 For marketing purposes
We may use your Personal Information to communicate updates about new features, events, Services, or products that may interest you, based on your interactions on the Platforms and with your consent for using cookies. You may unsubscribe from our marketing lists at any time by contacting us in writing.
2.7 User experience research
We may occasionally invite users, including patients and pharmacies, to participate in user experience research, user testing, or service evaluations to help us improve our offerings. This may involve collecting Personal Information that you provide directly or that is generated through your interactions with our Services. With your consent, these sessions may be recorded to ensure accurate feedback.
Any information collected during these activities will be handled securely and used solely for improving our products and Services. Personal Information will be kept confidential and separated from the feedback provided, and results will be anonymised wherever possible.
Participation is completely voluntary, and you can choose to opt out at any time without affecting your access to our Services. Where possible, personal data collected for these purposes will be anonymised or de-identified to further protect your privacy.
If you have questions or concerns about how your information is used in user testing or service improvement activities, please contact us using the details provided below.
2.8 In aggregated and de-identified form
We may aggregate and de-identify Personal Information collected through the use of our Services. By aggregating data, we consolidate information we obtain to gain insights into trends and patterns that can inform our business decisions and improve user experiences.
When we de-identify data that was originally based on Personal Information, we ensure that any identifiable details are removed so that individuals cannot be identified or reidentified. This data allows us to analyse broader trends and behaviours without compromising individual privacy. It is our commitment to maintain the de-identified status of this data.
3. How we disclose your information
Examples of how we disclose your Personal Information are below. This list is not intended to be exhaustive. There may be other third parties to which we give your Personal Information (for example, professional advisors or insurers) where required or permitted by law. In some circumstances, the entities with which we share information may also share your Personal Information with other entities with which they do business.
3.1 Within our family of companies
Montu may share your Personal Information within the Montu group of companies for the purposes outlined in this Policy.
3.2 With Providers
We may engage other companies and individuals to perform Services on our behalf, and we may collaborate with others for specific products or services (collectively and individually, Providers). Providers may have access to Personal Information, which may include through the use of cookies, and similar technologies, to carry out their responsibilities. When we share your Personal Information with Providers, we require that they adhere to appropriate privacy and security standards.
Examples of Providers include:
- credit card processors - to securely process your payments
- sale platform providers (such as Shopify) - to manage and fulfil your online orders
- customer support providers - to help respond to your questions or concerns
- email and SMS service providers - to send you order updates or other communications
- web hosting and development companies - to keep our Platforms running smoothly
- data warehouse providers - to help us store and analyse information securely
- Medicine suppliers, sponsors, and distributors - to supply products to healthcare professionals
- pharmacies - to help dispense your Medicine
- technology integration partners (such as PharmX) - to support and enable service integrations and delivery of products
- delivery partners - to get your order to you safely and on time.
3.3 To comply with laws and protect individuals
We may disclose your Personal Information to a third party if authorised under the Privacy Act, including if we are required or authorised by or under law, for example, if we are required to respond to a subpoena, court order, or to comply with a regulatory requirement.
We may disclose your Personal Information if we consider it necessary to ensure the safety of an individual or other members of the public. For example, where Staff identify serious concerns for the immediate safety or welfare of any person, we may report this to emergency services.
3.4 Aggregate/De-identified Data
We may share aggregated or de-identified data, which does not personally identify individuals, with third parties for purposes permitted by applicable law.
3.5 Overseas disclosure of Personal Information
We may use and disclose your Personal Information to our Providers for services such as software and system development, communication networks and data storage located outside Australia. The data protection laws in those countries may be of a lower standard than those in Australia. We will take all reasonable steps to ensure this information is handled in compliance with the APPs.
3.6 Use of AI Function
We may use artificial intelligence (AI) technologies to improve our services by:
- enhancing functionality and performance
- personalising user experiences
- automating routine tasks
- analysing user behaviour to better understand needs
AI tools may process Personal Information you provide directly or that is generated through your interactions with our Services. We handle all such information in accordance with this Policy. We also regularly review AI tools to ensure they meet our privacy and ethical standards.
Personal Information collected through AI tools is only disclosed where permitted under this Policy - for example, to trusted service providers or where required by law.
Where AI is used in clinical settings, it supports but does not replace the judgement of qualified healthcare professionals, who retain full responsibility for all medical decisions.
If you have any questions about our use of AI, please contact us using the details provided below.
4. Cookies and tracking tools
We use cookies, web beacons, and similar tracking technologies (collectively and separately, cookies) to enhance our understanding, customise and improve user experiences on our Platforms and use of our Services, and to manage our advertising and analytics initiatives.
Cookies may fall within the following categories:
- Essential Cookies: These cookies are necessary for the Platforms to function properly. They enable basic functions like page navigation and access to secure areas of the website.
- Performance and Analytics Cookies: These cookies help us understand how visitors interact with our Platforms by collecting information anonymously. This data helps us improve the performance of our website.
- Functionality Cookies: These cookies allow the Platforms to remember choices you make and provide enhanced, more personalised features.
- Advertising Cookies: These cookies are used to deliver advertisements that are more relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns.
4.1 Managing your cookie preferences
You can manage your cookie preferences through your web browser settings. Most browsers allow you to control cookies through their settings, which may include the ability to delete cookies or block certain types of cookies. However, please note that blocking cookies may affect your experience on the Platform and limit its functionality.
4.2 Third-party cookies
We may also use cookies provided by third parties for analytics, advertising, and other purposes. These cookies are subject to the respective privacy policies of these third parties. We do not guarantee the links or policies of third parties.
5. How we hold and secure your information
5.1 Holding your information
We hold your Personal Information in information management systems which may be on-premises or cloud-based servers, data warehouses, data lakes, and in hard copy files. These systems are managed in a number of ways. They may be managed or administered internally, either directly by us or by a Provider, or they could be managed by a third party with whom we may have a contractual relationship. Where practicably possible, we ensure data is stored in Australia, particularly for medical Personal Information. Some third-party tools may store or process other types of Personal Information (such as non-medical identifiers) in offshore data centres, including locations like the US, though we make every reasonable effort to ensure our service providers store data locally. Regardless of where your data is stored or accessed, we take reasonable steps to safeguard it in line with this Policy and applicable Australian privacy laws.
When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify it. However, most of the Personal Information contained in a patient’s medical record is or will be stored in patient files, which will be retained for a minimum of 7 years to comply with health record legislative requirements around record retention.
5.2 Securing your information
Your Personal Information is stored in a manner that reasonably protects it from misuse, loss, and unauthorised access, modification, or disclosure. We use a combination of administrative, physical, and technical safeguards to do this. These include secure system access controls, encryption of sensitive data, secure transfer methods, and regular reviews of our information handling practices. We also assess the security measures of third-party service providers where they are involved in storing or processing your Personal Information, to ensure they meet appropriate standards.
These measures are designed to align with industry standards and evolve as threats and technologies change.
6. Changes to this Policy
We reserve the right to change the terms of this Policy from time to time, and we will inform you of any material changes. An up-to-date copy of our Policy is available on our Platforms, and we encourage you to check the Platforms you use periodically to make sure you are aware of the current terms of the Policy.
7. Your privacy rights
7.1 Consent to collect, use, and share your information
We are required to obtain your consent to collect, use and share your Personal Information. You provide this consent by using, and continuing to use, our Services and Platforms.
We want to ensure that you fully understand the consequences of giving or not giving your consent. Consent is voluntary, meaning you are not being forced to provide consent, and it should be current and specific at the time it is given.
Providing consent in relation to your Personal Information, including your Health Information, comes with both benefits and risks. The primary benefit of providing consent is that it is often a necessary step for us to provide our Services and/or products to you.
However, there may be risks associated with giving consent. In the event of a data breach, there could be unintended misuse, interference, loss, or unauthorised access, modification, or disclosure of your Personal Information. We take these risks seriously and have implemented a range of measures to minimise the chances of such incidents occurring.
7.2 How to access or correct your information
You have the right to request access to the Personal Information that we hold about you and to request that we correct any Personal Information that is incorrect or incomplete. To make a request, please send us an email or a written request using the contact details provided below. Once received, we will aim to respond to your request within 30 days.
You will be required to show that you are authorised to make a request if acting on behalf of someone else, or otherwise have legal authority to request this information (such as a warrant, subpoena, order, or notice).
In most cases, there is no charge for requesting access to or correcting your Personal Information. In certain circumstances we may require you to meet our reasonable costs of providing you with access to your information.
Please be aware that there are some circumstances in which we may not be able to provide access to or correct your Personal Information. For example, if we are conducting a sensitive investigation, or if any of the exceptions in the Privacy Act apply, we may deny your request. If we refuse your request, we will provide you with a written statement which sets out the reasons for the refusal and the avenues available to you to make an appeal or complaint.
7.3 Right to withdraw consent
You have the right to withdraw your consent for us to collect, use or disclose your Personal Information at any time. If you choose to withdraw consent, we will stop collecting, using, and disclosing your data for the specific purposes for which consent was given, from the time of withdrawal.
Please be aware that withdrawing consent may mean we are unable to continue to provide our Services to you.
To withdraw consent, please contact us using the details below.
7.4 How to make a privacy complaint
If you think we have not handled your Personal Information correctly or in accordance with the law, you can lodge a complaint with our Privacy Officer or the Office of the Australian Information Commissioner (OAIC). We recommend you contact us first so that we can try to resolve your complaint to the best of our ability. The OAIC will usually refer you back to us if you have not already complained directly to us.
When our Privacy Officer receives a complaint, they will contact you to acknowledge your complaint. You will have the opportunity to explain why you are unhappy with how we have handled your Personal Information and provide further detail. Our Privacy Officer will review your concerns, taking into account all relevant information, including relevant privacy requirements, and work with you to try to resolve your complaint. If you are not satisfied with the outcome of your complaint, you can take your complaint to the OAIC.
8. Contact information
8.1 Contact us
Please contact the Privacy Officer in writing if you wish to make an access or correction request, make a complaint, have questions about this Policy or would like a free copy of this Policy:
Level 18/1 Nicholson St, East Melbourne VIC 3002
By email: privacy@montu.com.au
8.2 Office of the Australian Information Commissioner (OAIC)
Complaints to the OAIC must be made in writing and cannot be made over the phone. Please refer to the 'Lodge a privacy complaint with us' page on the OAIC website to access the relevant forms. For general inquiries about the processes for making a complaint to the OAIC or for other privacy advice, you can call the OAIC on 1300 363 992.