Your Privacy Matters

How we protect and handle your personal information

🤝 Our Commitment to You

At Bad Backs, we are committed to protecting your privacy and handling your personal information with the utmost care and respect. This comprehensive privacy policy explains in detail how we collect, use, store, share, and protect your personal information when you visit our website, use our services, or interact with us in any capacity.

We believe in complete transparency about our data practices and want you to feel confident and informed about how your information is handled. This policy complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and other applicable privacy laws.

Effective Date: 2 October 2025

📋 What Information We Collect

We collect information in several ways and only when necessary for our legitimate business purposes. The types of information we may collect include:

Personal Information You Provide

  • Contact Details: Name, email address, phone number, postal address
  • Inquiry Information: Details about your back pain concerns, symptoms, and health-related questions
  • Communication Preferences: How you prefer to be contacted and frequency of communications
  • Appointment Information: Preferred times, locations, and specific service requests
  • Feedback and Reviews: Your experiences, testimonials, and suggestions for improvement

Information Collected Automatically

  • Website Analytics: Pages visited, time spent on each page, bounce rate, and user journey paths
  • Technical Data: IP address, browser type and version, operating system, device type, screen resolution
  • Location Data: General geographic location (city/state level) based on IP address
  • Referral Information: Which website or search engine brought you to our site
  • Cookie Data: Preferences, session information, and website functionality data

Information from Third Parties

  • Social Media: Public profile information if you interact with our social media pages
  • Business Partners: Referral information from healthcare providers or partner organizations
  • Public Sources: Publicly available information relevant to our services
🔍 Data Minimization: We only collect information that is necessary for the specific purposes outlined in this policy. We do not collect sensitive health information unless explicitly provided by you for service-related purposes.

🎯 How We Use Your Information

We use your personal information for specific, legitimate purposes that align with your expectations and our business needs. Those purposes are:

Service Provision and Customer Support

  • Respond to your inquiries about back pain solutions and treatments
  • Provide personalized recommendations based on your specific needs
  • Schedule and manage appointments or consultations
  • Follow up on services provided and gather feedback
  • Maintain records of our interactions for quality assurance

Website and Service Improvement

  • Analyze website usage patterns to improve navigation and content
  • Identify popular services and content areas
  • Optimize website performance and loading speeds
  • Develop new features and services based on user behavior
  • Conduct A/B testing to enhance user experience

Marketing and Communications (With Consent)

  • Send newsletters with back health tips and exercise recommendations
  • Notify you about new services or special offers
  • Share educational content about back pain prevention and treatment
  • Invite you to participate in surveys or feedback sessions
  • Provide updates about changes to our services

Legal and Security Purposes

  • Comply with Australian privacy laws and healthcare regulations
  • Protect against fraud, spam, and security threats
  • Maintain business records as required by law
  • Resolve disputes and enforce our terms of service
  • Respond to legal requests from authorities when required
📧 Marketing Communications: We will only send you marketing emails if you have explicitly opted in during registration or contact. Every marketing email includes an easy unsubscribe link, and we honor all unsubscribe requests immediately. You can also contact us directly to manage your communication preferences.
⚖️ Legal Basis: We process your information based on consent (for marketing), legitimate interests (for service improvement), contractual necessity (for service provision), and legal obligations (for compliance requirements).

🔒 How We Protect Your Information

We take data security seriously and implement comprehensive technical, administrative, and physical safeguards to protect your personal information from unauthorized access, use, disclosure, or destruction.

Technical Security Measures

  • Encryption: All data transmitted between your browser and our website is protected in transit by TLS (HTTPS, the successor to SSL) using cipher suites with 256-bit keys
  • Secure Storage: Personal information is stored on secure servers with encryption at rest
  • Firewalls: Network-level protection against unauthorized access attempts
  • Regular Updates: Security patches and software updates applied promptly
  • Monitoring: 24/7 security monitoring and intrusion detection systems
  • Backup Systems: Regular encrypted backups stored in secure, geographically separate locations

Administrative Security Controls

  • Access Controls: Strict role-based access with minimum necessary permissions
  • Staff Training: Regular privacy and security training for all team members
  • Background Checks: Security screening for personnel with access to personal information
  • Confidentiality Agreements: All staff and contractors sign comprehensive confidentiality agreements
  • Incident Response: Documented procedures for responding to security incidents
  • Regular Audits: Internal and external security assessments conducted regularly

Physical Security Measures

We utilize the services of professionally managed data centers to host our servers and store your information. While we carefully select reputable providers with strong security credentials, we have no direct control over their day-to-day physical security operations and cannot guarantee their specific practices.

Our data center providers typically implement controls such as:

  • Secure Facilities: Purpose-built data centers with multiple layers of physical security
  • Access Controls: Biometric scanners, key card systems, and multi-factor authentication for facility access
  • Environmental Protections: Climate control systems, fire suppression, and uninterruptible power supplies
  • Surveillance Systems: 24/7 video monitoring and security personnel on-site
  • Compliance Certifications: Independent assurance such as ISO 27001 certification, SOC 2 attestation reports, and other recognised security frameworks
⚠️ Third-Party Limitation: While we conduct due diligence when selecting data center providers and require them to maintain appropriate security standards, we cannot directly control or guarantee their specific physical security practices. We rely on their certifications, audit reports, and contractual commitments to security standards.
🚨 Data Breach Response: In the unlikely event of a data breach, we have procedures in place to contain the incident, assess whether it is likely to result in serious harm to affected individuals, and, where the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) applies, notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable.
🔐 Your Role in Security: While we implement robust security measures, you can help protect your information by using strong passwords, keeping your contact information updated, and being cautious about sharing personal information online.

🤝 Information Sharing

We respect your privacy and do not sell your personal information. We may share information only in these limited circumstances:

  • Service Providers: Trusted third parties who help us operate our website and business (under strict confidentiality agreements)
  • Legal Requirements: When required by law or to protect our rights and safety
  • Business Transfers: In the event of a merger or acquisition (with continued privacy protection)

⚙️ Cookies and Tracking

Our website uses cookies to enhance your browsing experience:

Essential Cookies

These are necessary for the website to function properly and cannot be disabled.

Analytics Cookies

We use Google Analytics to understand how visitors use our site. This helps us improve our content and user experience.

Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect website functionality.

⚖️ Your Rights

Under Australian Privacy Law, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Ask us to correct any inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal requirements)
  • Opt-out: Unsubscribe from marketing communications at any time
  • Complaint: Lodge a complaint with us or the Australian Privacy Commissioner
💡 Exercise Your Rights: To exercise any of these rights, simply contact us using the information below. We'll respond within 30 days and provide you with a clear explanation of any actions taken.

How to Make a Privacy Complaint

If you believe we have mishandled your personal information, you can lodge a complaint with us:

  1. Contact Us Directly: Email privacy@badbacks.com.au with details of your concern
  2. Investigation: We'll acknowledge your complaint within 5 business days and investigate thoroughly
  3. Resolution: We'll provide a written response within 30 days outlining our findings and any corrective actions
  4. External Review: If unsatisfied, you can contact the Office of the Australian Information Commissioner (OAIC)
📞 OAIC Contact: Phone: 1300 363 992 | Email: enquiries@oaic.gov.au | Website: www.oaic.gov.au

🔄 Data Retention and Disposal

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and protect our legitimate business interests.

Retention Periods

  • Contact Information: Retained for 7 years after last contact or until you request deletion
  • Inquiry Records: Maintained for 5 years for quality assurance and follow-up purposes
  • Website Analytics: Aggregated data retained for 26 months, individual session data for 14 months
  • Marketing Communications: Retained until you unsubscribe or request deletion
  • Legal and Compliance Records: Retained as required by Australian law (typically 7 years)
  • Security Logs: Maintained for 12 months for security monitoring purposes

Factors Affecting Retention

  • Legal and regulatory requirements under Australian law
  • Ongoing business relationship and service provision needs
  • Dispute resolution and legal proceedings
  • Fraud prevention and security investigations
  • Your specific requests for data retention or deletion

Secure Disposal Process

  • Automated Deletion: Systems automatically delete data when retention periods expire
  • Secure Erasure: Multi-pass overwriting of digital storage media
  • Physical Destruction: Professional destruction of physical documents and storage devices
  • Verification: Confirmation that data has been completely removed from all systems
  • Documentation: Records maintained of disposal activities for audit purposes
📅 Retention Review: We regularly review our data retention practices and may delete information earlier than scheduled if it's no longer needed for legitimate business purposes.

🌍 International Data Transfers

While we primarily store and process your information within Australia, some of our service providers may be located overseas. When we transfer personal information internationally, we ensure appropriate safeguards are in place.

Countries Where Data May Be Transferred

  • United States: Cloud hosting services (AWS, Google Cloud), under contractual safeguards such as standard contractual clauses (the EU-US Privacy Shield framework was invalidated in 2020 and is not relied on)
  • European Union: Analytics and marketing platforms with GDPR compliance
  • Singapore: Regional data processing centers with adequate privacy protections

Safeguards for International Transfers

  • Standard Contractual Clauses (SCCs) with overseas service providers
  • Adequacy decisions recognizing equivalent privacy protections
  • Binding Corporate Rules for multinational service providers
  • Regular audits of overseas service providers' privacy practices
  • Encryption of data during transfer and storage
🛡️ Your Rights: Even when your data is processed overseas, you retain all rights under Australian privacy law, including the right to access, correct, and delete your information.

📱 Third-Party Services and Links

Our website and services may integrate with or link to third-party platforms. We want you to understand how these relationships affect your privacy.

Third-Party Services We Use

  • Google Analytics: Website traffic analysis (anonymized data)
  • Social Media Platforms: Facebook, Instagram, LinkedIn for marketing and engagement
  • Email Marketing: Mailchimp or similar platforms for newsletter distribution
  • Customer Support: Help desk software for managing inquiries
  • Payment Processing: Secure payment gateways (if applicable)

External Website Links

Our website may contain links to external websites, including:

  • Healthcare provider websites and directories
  • Research articles and medical journals
  • Partner organizations and referral services
  • Social media platforms and community forums
⚠️ Important: We are not responsible for the privacy practices of external websites. Each site has its own privacy policy, and we encourage you to read them before providing any personal information. Links to external sites do not constitute an endorsement of their privacy practices.

📝 Policy Updates

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the updated policy on our website with a new effective date.

Last Updated: 2 October 2025