top of page

Metavate Connect App - Privacy Policy

Effective Date: 20th May 2026  |  Version 4.0

Issued by: Metavate Consulting  ABN 42 648 920 147

 

1.  Introduction

Metavate Connect (the App) is operated by Metavate Consulting Pty Ltd (ABN 42 648 920 147) (we, us, our). The App is a digital health platform used by Metavate Consulting on behalf of its clients (Clients) to collect health-related and other personal information from consumers (you) in connection with health research, wellness programmes, and evidence-based product or intervention evaluations.

We are committed to protecting your privacy and to handling your personal information — including sensitive health information — with care, transparency, and in full compliance with:

  • the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);

  • the My Health Records Act 2012 (Cth) where applicable;

  • the General Data Protection Regulation (GDPR) where applicable (EU/UK users);

  • any applicable state or territory health privacy legislation.

  • the Health Insurance Portability and Accountability Act of 1996 (HIPAA) where applicable (US users whose data is handled by a HIPAA-covered entity or business associate);

  • applicable US state consumer privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and equivalent laws in other US states where applicable.

By downloading or using the App you agree to this Privacy Policy and consent to the handling of your information as described below. If you do not agree, please do not use the App.

For clarity, not all activities conducted through the App constitute clinical research or clinical trials. Depending on the programme in which you participate, the App may be used for wellness monitoring, educational engagement, observational studies, product evaluations, analytics, or formal ethics-approved research activities. The nature of each programme and the applicable consent requirements will be disclosed to you at the time of participation.

1.1  Who Are We?

In this policy 'Metavate Consulting', 'we', 'us' and 'our' refers to Metavate Consulting Pty Ltd ABN 42 648 920 147, its officers, employees, and related bodies corporate.

 

Privacy Officer — Contact Details

Metavate Consulting Pty Ltd

Level 17, International Towers 3, 300 Barangaroo Avenue, Sydney NSW 2000, Australia

Email:  privacy@metavate.consulting

Phone:  +61 407 202 012

Website:  www.metavate.consulting

 

1.2  Scope of This Policy

This policy applies to all personal information collected through the Metavate Connect App. It does not apply to the personal information of Metavate Consulting employees (which is covered by a separate employee privacy policy) or to any third-party websites linked from the App.

Where Metavate Consulting collects personal information on behalf of a Client, the Client may have its own privacy policy and additional obligations. You will be informed of this at the time of collection.

2.  What Information We Collect

We collect only what is reasonably necessary to provide the services described in Section 4. The types of information we may collect include:

2.1  Health Information (Sensitive Information)

Health information is classified as sensitive information under Australian law and is subject to the highest level of protection. We may collect:

  • Responses to cognitive tests, health assessments, mood surveys, psychological questionnaires, and wellness surveys;

  • Information related to symptoms, medical history, lifestyle factors, or health outcomes;

  • Feedback on cognitive health products, wellness products, and health interventions;

  • Data about your participation in clinical or observational research studies (where applicable);

  • Information about your physical or mental wellbeing provided by you in free-text fields or via wearable device integrations (where enabled).

We will not collect any personally identifiable health information without your explicit, informed, and voluntary consent.

2.2  Technical and Usage Information

  • Device type, operating system version, and app version;

  • App usage metrics (e.g., time spent on tasks, button interactions, feature usage);

  • IP address (collected for platform security and integrity purposes);

  • Error reports, crash logs, and diagnostic information;

  • Session identifiers and authentication tokens.

2.3  Personal Information

We collect the following personal information from you:

  • Name;

  • Email address;

  • Phone number.

Where a Client programme requires additional identifiable information (such as postal address, demographic data, or participant identifiers), this will be clearly disclosed within the App at the time of collection and will require your separate consent.

3.  How We Collect Your Information

We collect information:

  • Directly from you when you complete tasks, cognitive tests, surveys, questionnaires, forms, or check-ins within the App;

  • Automatically through app usage logs, analytics tools, and (where enabled) device sensors or wearable integrations;

  • From any communication you initiate with us, including in-app messaging, email, or support requests;

  • From Client-provided participant lists or enrolment data, where you have consented to your participation in a Client programme;

  • For redeployment or longitudinal study participants only — from additional sources such as CV or prior survey responses, always with your express knowledge and approval.

We use cookies and similar tracking technologies within the App's web-based components. You can manage these preferences through your device settings.

4.  Why We Collect and Use Your Information

We collect and use your personal and health information to:

  • Deliver personalised app features and communicate personalised results to you (for example, whether your score on a test has changed as a result of using a product or completing an intervention);

  • Conduct health-related research and data analysis on behalf of Clients (for example, collecting evidence to assess the efficacy and safety of a health product or intervention);

  • Evaluate the effectiveness of health interventions (for example, measuring whether a wellness programme improves participant wellbeing);

  • Develop and improve our services, analytics capabilities, and recommendations (for example, assessing whether a product performs as intended);

  • Administer and improve the App, including troubleshooting, testing, and quality assurance;

  • Comply with our ethical, contractual, and legal obligations for health data management;

  • Communicate with you about your participation, including sending reminders, notifications, and updates (with your consent);

  • De-identify and aggregate data for normative research, benchmarking, and publication purposes.

 

5.  Legal Basis for Collection and Use

Under Australian law, health data is classified as sensitive information and may only be collected with your informed consent, or where permitted or required by law. Specifically, we will only collect and use your health data if:

  • You have given explicit, informed consent prior to collection;

  • It is required for research or statistical purposes that are ethics-approved, adequately safeguarded, and the data is de-identified where practicable; or

  • We are required or authorised to do so by or under an Australian law or a court/tribunal order.

For users in the UK and EU, we additionally rely on the following GDPR legal bases:

  • Article 6(1)(a) — Consent: you have given clear consent for us to process your personal data for the specific purposes described;

  • Article 6(1)(b) — Contract: processing is necessary for the performance of a contract to which you are a party;

  • Article 9(2)(a) — Explicit consent for special category (health) data.

For users in the United States, the following additional legal frameworks apply:

  • HIPAA: Where a Client is a HIPAA-covered entity (e.g., a licensed healthcare professional), and Metavate Consulting acts as a “Business Associate” in processing Protected Health Information (PHI) on that Client’s behalf, such PHI is governed by a Business Associate Agreement (BAA) and the Client’s own Notice of Privacy Practices. Personal data you provide directly to the App outside of a HIPAA-covered engagement is not PHI and is governed by this policy.

Unless expressly stated otherwise in connection with a specific healthcare provider, health plan, or HIPAA-covered programme, most App interactions are not conducted within a HIPAA-covered healthcare relationship. In those cases, personal information collected through the App is governed by this Privacy Policy and applicable Australian and international privacy laws, rather than HIPAA.

  • CCPA/CPRA (California residents): We collect, use, and disclose personal information as described in this policy. We do not sell or share your personal information for cross-context behavioural advertising. California residents have additional rights set out in Section 9A below.

  • Other US state privacy laws: Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with enacted consumer privacy legislation have equivalent rights to those described in Section 9A, to the extent applicable under their respective state law.

You may withdraw your consent at any time by contacting our Privacy Officer. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal.

Where consent is relied upon as the legal basis for processing personal or health information, we may maintain records of consent, including timestamps, consent versions, and related programme information, for compliance, audit, and evidentiary purposes.

6.  Disclosure of Your Information

We take your privacy seriously. We will not sell, rent, or trade your personal information to any third party.

We may share your information in the following limited circumstances:

6.1  With Clients

Where you are participating in a programme operated by a Client of Metavate Consulting, aggregated or de-identified results may be shared with that Client. Where individually identifiable results are to be shared, this will be clearly disclosed to you before or at the time of collection, and will require your separate consent.

6.2  With Research Partners

We may share de-identified or aggregated data with ethics-approved research investigators, academic institutions, and industry partners for the purposes of research and publication. No individually identifiable health data will be shared with research partners without your explicit consent.

6.3  With Service Providers

We engage trusted third-party service providers to support the operation of the App, including:

  • Google Firebase (data hosting, authentication, push notifications) — data hosted on Google Cloud infrastructure in Australia (Melbourne or Sydney);

  • People Science Pty Ltd (ABN 36 619 753 267) — psychometric assessment provider and App partner;

  • Other IT support, analytics, and platform maintenance providers.

All service providers are bound by confidentiality obligations and are required to handle your data in accordance with Australian Privacy Principles and this policy.

6.4  For Legal and Regulatory Purposes

We may disclose your information where required or authorised by law, including:

  • To comply with a court order, subpoena, or legal obligation;

  • To protect the rights, property, or safety of Metavate Consulting, our Clients, users, or others;

  • To regulatory or ethics authorities overseeing an approved research study.

6.5  Business Transfers

If Metavate Consulting or substantially all of its assets are acquired by or merged with a third party, personal data held about users may be one of the transferred assets. You will be notified of any such transfer in advance.

7.  Data Storage and Security

We take reasonable and appropriate technical and organisational steps to protect your personal and health information against unauthorised access, disclosure, alteration, or destruction, including:

  • Encryption of all data in transit using TLS (Transport Layer Security);

  • Encryption of data at rest using AES-256;

  • Strict access controls and secure user authentication via Firebase Authentication;

  • Firebase Security Rules to control database and Cloud Storage access;

  • Firebase App Check to block unauthorised traffic;

  • Compliance with international standards including ISO 27001 and SOC certification frameworks;

  • Regular security assessments and vulnerability monitoring.

Your data is stored on Google Cloud infrastructure located in Australia (Melbourne or Sydney). In the event of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme.

While we implement robust security measures, no internet transmission is completely secure. Any transmission of data to our App is at your own risk. You are responsible for maintaining the confidentiality of your login credentials.

8.  Cross-Border Data Transfers

We do not routinely transfer your personal information outside Australia. Where a cross-border transfer is necessary (for example, to an overseas service provider or research partner), we will:

  • Ensure the overseas recipient is subject to a law or binding scheme that provides substantially similar privacy protections to the APPs; or

  • Obtain your consent to the transfer; or

  • Take reasonable contractual or other steps (e.g., Standard Contractual Clauses for EU/UK data) to ensure your data is handled securely.

For EU/UK users, all cross-border transfers are conducted in compliance with GDPR Chapter V requirements.

Where international data transfers occur, we seek to ensure that overseas recipients maintain privacy, confidentiality, and security standards substantially comparable to those required under Australian privacy law and other applicable international frameworks.

For US users: The App’s primary data infrastructure is located in Australia. By using the App, US residents acknowledge that their personal information will be transferred to and processed in Australia. We take contractual and technical steps to ensure your data is protected to a standard at least equivalent to that required by applicable US law. Where a HIPAA-covered Client is involved, a Business Associate Agreement governs any transfer of PHI.

Where required by applicable law, you may have the right to object to certain forms of profiling or automated processing by contacting our Privacy Officer.

Any insights, recommendations, or scores generated through automated processing should not be considered medical advice, diagnosis, or treatment recommendations.

We do not use fully automated decision-making processes that produce legal or similarly significant effects without appropriate human oversight.

These systems are designed to support — not replace — human judgement, healthcare advice, or professional decision-making.

The App may use analytics tools, algorithms, artificial intelligence (AI), machine learning systems, or automated processing technologies to assist with generating personalised wellness insights or recommendations; analysing trends, behavioural patterns, or health outcomes; supporting research, benchmarking, and statistical analysis; improving platform functionality and user experience; and identifying anomalies, engagement trends, or potential data quality issues.

9.  Your Privacy Rights

You have the following rights in relation to your personal and health information:

  • Access: to request access to the personal information we hold about you;

  • Correction: you may have the right to request that we correct inaccurate personal information we maintain about you;

  • Deletion: you have the right to request that we delete personal information we maintain about you. You can also manually delete your data directly in the App by navigating to your profile and tapping the “Delete Account Data” button;

  • Withdrawal of consent: to withdraw your consent to data processing at any time;

  • Opt-out of direct marketing: to opt out of receiving direct marketing communications at any time;

  • Data portability (EU/UK): to request a portable copy of your personal data in a structured, machine-readable format;

  • Objection (EU/UK): to object to processing based on legitimate interests;

  • Lodge a complaint: to make a complaint about how your information has been handled.

To exercise any of these rights, please contact our Privacy Officer at privacy@metavate.consulting. We will respond to your request within 30 days. We may require proof of identity before acting on a request.

9A.  Additional Rights for US Residents

9A.1  California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

  • Right to Know: to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.

  • Right to Delete: you have the right to request that we delete personal information we maintain about you. You can also manually delete your data directly in the App by navigating to your profile and tapping the “Delete Account Data” button. Deletion requests are subject to certain exceptions (e.g., where retention is required by law or to complete a transaction).

  • Right to Correct: you may have the right to request that we correct inaccurate personal information we maintain about you.

  • Right to Opt-Out of Sale or Sharing: We do not sell personal information or share it for cross-context behavioural advertising. You nevertheless have the right to direct us not to do so at any time by contacting privacy@metavate.consulting.

  • Right to Limit Use of Sensitive Personal Information: to request that we limit the use and disclosure of sensitive personal information (including health data) to purposes necessary to provide the services you have requested.

  • Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise any of the above rights, submit a verifiable consumer request to privacy@metavate.consulting. You may designate an authorised agent to make a request on your behalf. We will verify your identity before processing your request and will respond within 45 days (extendable by a further 45 days where reasonably necessary). You may also lodge a complaint with the California Privacy Protection Agency (CPPA) at www.cppa.ca.gov.

9A.2  Categories of Personal Information Collected (California Disclosure)

In the preceding 12 months we have collected the following categories of personal information (as defined under CCPA):

  • Identifiers: name, email address, phone number, IP address, device identifiers, participant IDs;

  • Personal records: postal address, date of birth;

  • Sensitive personal information — health and medical data: cognitive test scores, symptom reports, mood and wellness survey responses, and related health outcome data;

  • Demographic characteristics: gender, age, year of birth, occupation, location;

  • Internet or network activity: IP address, device type, OS version, app usage metrics, error logs;

  • Inferences: profiles derived from health and behavioural data to evaluate wellness outcomes.

We collected this information for the business purposes described in Section 4. We have not sold personal information and do not intend to. De-identified or aggregated data is not personal information and is not subject to these disclosures.

9A.3  HIPAA — Protected Health Information

Where a Client is a HIPAA-covered entity (such as a licensed healthcare professional or health plan), and Metavate Consulting processes Protected Health Information (PHI) on that Client’s behalf, Metavate Consulting acts as a “Business Associate” under HIPAA. In that context:

  • PHI is governed by a Business Associate Agreement (BAA) between Metavate Consulting and the relevant Client, and by the Client’s Notice of Privacy Practices (which will be provided to you separately);

  • We use and disclose PHI only as permitted or required by HIPAA and as directed by the covered entity Client;

  • To exercise HIPAA rights (such as access to or amendment of PHI), please contact the relevant covered entity (your healthcare provider) directly. If you are unsure who your covered entity is, please contact us at privacy@metavate.consulting and we will direct your enquiry appropriately;

  • In the event of a breach of unsecured PHI, we will notify the affected covered entity Client in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). The Client will in turn notify affected individuals and the US Department of Health and Human Services (HHS) as required.

9A.4  Children’s Online Privacy Protection Act (COPPA)

COPPA requires verifiable parental consent before knowingly collecting personally identifiable information online from children under 13. We do not knowingly collect personal information from children under 13 without such consent. If you believe a child under 13 has provided personal information to the App without parental consent, please contact privacy@metavate.consulting immediately and we will delete that information promptly. We do not condition participation in our services on children disclosing more personal data than is reasonably necessary for that participation.

9A.5  Other US State Residents

Residents of Virginia, Colorado, Connecticut, Texas, and other US states with enacted consumer privacy laws have substantially similar rights to those described in Section 9A.1, including rights to access, correct, delete, and opt out of the processing of personal data for targeted advertising or profiling. To exercise these rights, contact privacy@metavate.consulting. We will respond within the timeframe required by your applicable state law. You may also lodge a complaint with your state’s Attorney General if you believe we have violated your privacy rights.

10.  Data Retention

We retain personal and health information only for as long as reasonably necessary to fulfil the purposes described in this policy, comply with applicable laws, meet contractual obligations, and support legitimate research and operational requirements.

Retention periods may include:

  1. User account and participation data: retained for the duration of your participation and for a reasonable period afterward to support reporting, auditing, dispute resolution, and legal compliance;

  2. Customer support and enquiry records: generally retained for up to 24 months after the last interaction;

  3. Technical logs, analytics, and security monitoring records: generally retained for up to 7 years for cybersecurity, fraud prevention, and compliance purposes;

  4. Research and ethics-approved study data: retained in accordance with the applicable ethics approval, research protocol, funding requirements, and legal obligations;

  5. De-identified and aggregated research data: may be retained indefinitely for longitudinal analysis, benchmarking, statistical modelling, and publication purposes.

Where retention is no longer necessary, we will securely destroy, anonymise, or de-identify personal information in accordance with applicable law and industry standards.

You may request deletion of your identifiable personal information at any time, subject to legal, contractual, ethical, or operational obligations that require continued retention.

11.  Children's Privacy

The App is not intended for use by persons under the age of 18 without the consent of a parent or guardian. We do not knowingly collect personal information from children under 18 without verifiable parental or guardian consent. If you are the parent or guardian of a child who has provided us with their personal information, you may contact us using the contact details set out in this policy to request that it be deleted. If you otherwise become aware that a child has provided us with personal information without such consent, please contact our Privacy Officer immediately.

12.  Third-Party Links and Services

The App may contain links to or integrations with third-party websites, platforms, or services. This policy does not apply to those third-party services. We encourage you to review the privacy policies of any third parties you interact with through the App. Metavate Consulting is not responsible for the privacy practices of third parties.

13.  Complaints

If you have a concern or complaint about how we have handled your personal or health information, or if you would like to exercise any of the rights available to you, please contact our Privacy Officer in the first instance at privacy@metavate.consulting. We will acknowledge your complaint promptly and aim to resolve it within 30 days.

If you are not satisfied with our response, you may lodge a complaint with:

  • Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au  |  enquiries@oaic.gov.au

  • UK: Information Commissioner's Office (ICO) — www.ico.org.uk  |  casework@ico.org.uk

  • EU: Your relevant national Data Protection Authority.

  • US (California): California Privacy Protection Agency (CPPA) — www.cppa.ca.gov. For HIPAA-related complaints: US Department of Health and Human Services Office for Civil Rights (OCR) — www.hhs.gov/ocr.

  • US (other states): your relevant state Attorney General’s office.

14.  Changes to This Policy

We may update this policy from time to time to reflect changes in our practices, legal obligations, or the App's functionality. We will notify you of material changes by:

The date of the most recent update is shown at the top of this policy. Continued use of the App following notification of changes constitutes acceptance of the updated policy.

bottom of page