Privacy Policy

1 . Purpose of our policy

1.1 CoTreat Pty Ltd (ABN 92 638 604 190) (CoTreat) provides the CoTreat AI software, reporting and management services and associated technologies (Platform).

1.2 All references to ‘us,’ ‘we’ and ‘our’ in this Privacy Policy are references to CoTreat. All references to ‘you’ and ‘your’ in this Privacy Policy are references to:

(a) the dental practitioners and employees and contractors of dental clinics who are customers, or potential customers, of our products and services (Dentist Users);

(b) the patients of the dental clinics who use our Platform, and any other individuals who use our Platform or website to connect with a dental practitioner (Patients); and

(c) our contractors and suppliers, potential employees, and any other individuals we might deal with in the course of running our business or providing our services.

1.3 This Privacy Policy explains how we will collect, use, disclose, store and protect your personal information. This Policy also describes the way in which you may access or correct the personal information we hold about you, and how to contact us if you have any complaints in relation to your privacy.

1.4 We are committed to protecting your privacy, and ensuring that the ways in which we deal with your personal information comply with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) (Privacy Act), the Health Privacy Principles contained in the Health Records Act 2001 (Vic), and any other applicable laws relating to privacy and health records.

1.5 We may update this Privacy Policy periodically. We will notify you about any changes to this Policy through our website, and we will make the most current version of the Policy available to on your request. If you have any questions about this Privacy Policy, please contact us using our contact details contained in section 12 below.

2. The types of Personal Information we collect and why we collect it

2.1 To provide our services and run our business, we need to collect personal information, being information about an individual which is reasonably capable of identifying that individual (and which might also include their health or other sensitive information) (Personal Information).

2.2 Personal Information includes ‘sensitive information’, which is a particular type of Personal Information. Sensitive information includes identifying health information about you (such as details of your health and medical history or the health services you have received). Sensitive information also includes information about racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, and sexual orientation or practices.

2.3 We may collect Personal Information from you so that we can provide our services to you, or where this is otherwise necessary for our functions or activities, including provision of the Platform.

2.4 In particular, we will collect the Personal Information of Dentist Users and Patients, to enable you to use the Platform. We may also collect your Personal Information to provide you with information regarding our services, to arrange payments (if applicable), and to enable us to respond to any queries or complaints you may have.

2.5 We collect Personal Information from Dentist Users and Patients such as:

(a) your name, date of birth, postal address, gender, occupation, email address and telephone numbers;

(b) if you are a Patient:

(i) your health and medical history, including your dental imaging, photos, symptoms, and any previous diagnosis and treatment given to you;

(ii) your private health insurance details;

(i) your login details and passwords for the Platform;

(ii) your communications with Patients, for example via the Platform’s chat function;

(iii) information about your professional registration, professional indemnity insurance and dental association details;

(d) religious and cultural beliefs that may be relevant to the services we provide you; and

(e) your payment and billing details (if applicable) to transact with us.

2.6 If you are a person other than a Dentist User or a Patient, such as a contractor or supplier, potential employee, or another individual we deal with in the course of running our business, we may collect Personal Information from you to enable us to work or transact with you, or which is relevant to the services we provide or procure from you.

3. How do we collect your Personal Information

3.1 We will collect your Personal Information in a lawful and fair way and in a manner that is not unreasonably intrusive. We will only collect information in accordance with the law.

3.2 If you are a Patient:

(a) most Personal Information we collect about you will be received from you directly (or your dentist);

(b) we will store details of any communications or interactions you have with a dental clinic using the Platform – for example chat messages between you and your dentist; and

(c) if you use or access our website or Platform, aggregated statistical information such as information about your online preferences and movements, location information, time spent on our platform, and links clicked will be recorded for statistical analysis.

3.3 If you are a Dentist User:

(a) most Personal Information we collect about you will be received from you directly, your patients or potential patients, or the clinic which employs or otherwise engages you. However, and depending on the nature of your relationship (or potential relationship) with us, we may also collect your Personal Information from other sources such as advertising, public records, mailing lists, contractors, our staff and our business partners; and

(b) if you use or access our website or Platform, aggregated statistical information such as information about your online preferences and movements, location information, time spent on our platform, links clicked, and dental treatment planning will be recorded for statistical analysis and reporting.

3.4 If you are a person other than a Dentist User or a Patient, such as a contractor or supplier, potential employee, or another individual we deal with in the course of running our business, we will generally collect your personal information directly from you, and we may collect your personal information from third parties. For example, we may collect your Personal Information provided through proposals, contracts, or job applications you submit to us, and we may collect your Personal Information from third parties such as your referees.

4. How Personal Information is used and disclosed

4.1 The primary purposes for which we generally use and disclose your Personal Information are to enable and provide you with the functionality of the Platform, provide you with our services, and to support the operation of our business.

4.2 If you are a Patient:

(a) we will use and disclose your Personal Information (including your health and other sensitive information) for the primary purpose for which we collected it, which will usually be to provide you with our services and assist your dentist to provide you with a dental treatment plan;

(b) we may disclose your Personal Information to:

(i) the dental clinic that you have previously had, or intend to book, an appointment with;

(ii) our information technology, network, software and cloud storage providers; and

(iii) any practice management software providers which your dental practitioner uses,

where this is necessary for you to receive our services and assist your dentist to provide you with a dental treatment plan;

(i) if you have provided your consent for us to do so;

(ii) for purposes which are directly related to the primary purpose for which we collected it, in circumstances where you would reasonably expect us to use your information (for example to verify your identity if you have forgotten your user details for the Platform);

(iii) where we are otherwise required or authorised by law to do so, for example: where disclosure is necessary under law, such as where we need to comply with a subpoena or Court order; or where it is unreasonable or impracticable to obtain your consent and we reasonably believe disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety; and

(d) we will maintain all Personal Information (especially health information) in strict confidence, and certain data will be rigorously de-identified before use (relevant for X-Rays and images of teeth).

4.3 If you are a Dentist User:

(a) we will use and disclose your Personal Information (including your payment and billing information) for the primary purposes of providing you with our services or enabling your use of the Platform to communicate with your Patients;

(b) we may use your Personal Information to:

(i) enable your treatment planning and use of the chat function in the Platform;

(ii) monitor your use of the Platform or our services;

(iii) enable Patients to book appointments or communicate with you;

(iv) verify your identity;

(v) perform billing and payment activities;

(vi) communicate with you about our own marketing and promotions; or competitions, surveys and questionnaires; and

(vii) investigate any issues or complaints about, or made by, you or another individual, or if we have reason to suspect that you or another individual are in breach of any of our terms and conditions or have been otherwise engaged in any unlawful activity;

(ii) our information technology, network, software and cloud storage providers, but only to the limited extent required to enable these providers to provide their business support functions;

(iii) the practice management software provider used by the dental clinic which employs or engages you;

(iv) subscription and mailing operations with your consent;

(d) we will otherwise only use or disclose your Personal Information:

(i) if you have provided your consent for us to do so;

(e) we maintain all Personal Information (especially health information) in strict confidence.

4.4 If you are a person other than a Dentist User or a Patient, such as a contractor or supplier, potential employee, or another individual we deal with in the course of running our business we may use and disclose your personal information to manage our relationship with you.

4.5 We comply with the requirements of the Australian Privacy Principles if Personal Information is disclosed overseas. For example, it may be necessary to disclose a Patient’s Personal Information to persons or organisations interstate or overseas to provide them with ongoing care. We will only disclose your Personal Information overseas if we would be lawfully permitted to disclose it to a recipient in Australia, and:

(a) we have taken reasonable steps to ensure that the overseas recipient of your Personal Information does not breach the Australian Privacy Principles; or

(b) the overseas recipient is subject to a law, binding scheme or binding contract that provides substantially similar protection to the Australian Privacy Principles which you can access and enforce; or

5. Direct marketing

5.1 If we intend to engage in any marketing communications, we may send you such communications in accordance with any previous consent you have provided or any marketing communication preferences that you have notified to us, and in accordance with applicable laws.

5.2 If you have previously agreed to receive such marketing communications, but no longer wish to receive such marketing communications you can contact us using our contact details set out below to modify your preferences, or you can simply opt-out of such communications using the instructions or opt-out link provided in the marketing communication sent to you.

6. If you do not wish for us to collect your Personal Information

6.1 An individual may opt not to have us collect their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services, including via the Platform. To opt out, please contact us by email to:

privacy@cotreat.com.au

7 Security of your Personal Information

7.1 We will take all reasonable precautions to protect your Personal Information from unauthorised access or disclosure, or misuse, interference or loss. This includes appropriately securing our physical facilities and electronic networks.

7.2 We keep your Personal Information for the time periods required by law. When your Personal Information is no longer required or authorised to be held under law (and in the case of any of your health information we hold, the information has been retained for the required periods under the Health Privacy Principles) we will take steps to securely destroy the information or to ensure that the information is permanently de-identified.

7.3 Under the Health Privacy Principles, we are generally required to retain any health information we hold for at least 7 years after the date of last service for adults, and hold health information collected from a child until they turn 25.

7.4 CoTreat uses standard industry encryption methods when storing and transferring Personal Information, and has implemented monitoring and access controls which regulate who can access particular information.

8. Data Breaches

8.1 We are required to comply with the mandatory ‘notifiable data breach’ scheme (the NDB scheme) under the Privacy Act. The NDB scheme applies when an ‘eligible data breach’ of Personal Information occurs.

8.2 An ‘eligible data breach’ occurs when:

(a) there is unauthorised access to or unauthorised disclosure of Personal Information, or a loss of Personal Information, that an organisation holds; and

(b) this is likely to result in serious harm to one or more individuals; an

8.3 An organisation may take remedial steps to prevent the likelihood of serious harm occurring for any affected individuals after a data breach has occurred, in which case, the data breach is not an ‘eligible data breach’.

8.4 Where we have reasonable grounds to believe that we have experienced an eligible data breach (and remedial action cannot be used), we will promptly notify affected individuals and the Office of the Australian Information Commissioner (Commissioner) about the breach in accordance with the Privacy Act.

9 How to access, correct or update your personal information

9.1 We take reasonable steps to ensure that the Personal Information we collect, use and disclose is accurate, up-to-date, complete and relevant. Under the Australian Privacy Principles, you have the right to request access to, or correction of, the Personal Information that we hold about you.

9.2 If you would like to make a request to access, or correct, your Personal Information which is held by us, you can:

(a) Correct your data using your 'profile' section on the platform.

(b) otherwise contact us using the details provided in section 12 of this Privacy Policy below.

9.3 In certain circumstances, we may refuse to allow you access to, or correct, your Personal Information where this is authorised by the law. If we refuse your request for access or correction, we will provide you with reasons for the refusal in writing, and details about how you may complain about the decision.

10. Automated decision making and use of artificial intelligence

10.1 We use artificial intelligence (AI) tools to assist in the processing of information (such as Patient X-Rays and images of teeth) when we provide our services, for example to assist Dentist Users in their treatment planning and quality checking. However, we rigorously de-identify Patient information prior to doing so, and no identifying Patient Personal Information is shared with our AI tools.

We do not make decisions which could reasonably be expected to significantly affect the rights or interests of individuals solely by means of automated decision making or the use of AI, and all AI use is subject to human oversight.

11 Complaints and disputes

11.1 If you have a query or complaint about our handling of your Personal Information, please contact us in writing using the details provided in section 12 below. We will aim to resolve the issue with you directly.

11.2 If you are not satisfied with our response to your complaint, you can also lodge a complaint with the Office of the Australian Information Commissioner:

(a) by phone: 1300 363 992; or

(b) online at: www.oaic.gov.au.

12. Contacting us

12.1 All questions, comments or requests regarding this Privacy Policy or the way in which we handle your Personal Information should be provided to:

email to: privacy@cotreat.com.au

Version number 20.08.25

3471-6729-4014, v. 1