PRIVACY POLICY

Headsafe Group | Effective: 28 November 2025

Introduction

This is the Privacy Policy of the Headsafe Group of companies which comprises Headsafe Holdings Pty Ltd (Australian Company Number: 616 965 434) and its subsidiaries (in this policy referred to as we, us or our).

This global privacy policy describes the types of personal information we collect, the purposes for which we collect that personal information, the other parties with whom we may share it and the measures we take to protect the security of the personal information.

It also tells individuals about their rights and choices with respect to their personal information, and how we can be contacted regarding our privacy practices.

Our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements. Specific privacy obligations may be mandated by the applicable privacy laws in the countries in which our Nurochek Pro System (as described below) is offered.

We provide a solution to assist licensed medical practitioners in their diagnosis of whether a person under their care (Patient) has suffered a concussion.

Our Nurochek Pro hardware and software (System) consists of:

  • hardware – used for the collection of data from a Patient; and
  • software that:
    • includes machine learning algorithms;
    • receives and analyses Patient data; and
    • issues a report regarding its concussion assessment.

The System is used by licensed health care professionals or persons working under the supervision of a licensed health care professional (each an Authorised User).

The analysis, provided by the System, is available for use by the licensed medical practitioner conducting the test or supervising the conduct of the test as an aid to their diagnosis of the likelihood of a Patient having suffered a concussion event.

Legal Compliance

We strive to be transparent and fair in our privacy practices. We implement robust security measures and aim to comply with all applicable privacy laws in the countries in which the System is offered.

Australia

This Privacy Policy takes into account the requirements of the Privacy Act 1998 (Cth) and the 13 Australian Privacy Principles as amended from time to time (collectively referred to as Australian Privacy Laws).

New Zealand

This Privacy Policy takes into account the requirements of the New Zealand Privacy Act 2020 and the 13 Information Privacy Principles, as amended from time to time (collectively referred to as New Zealand Privacy Laws).

United States

This Privacy Policy takes into account the:

  • applicable federal privacy and data protection laws such as:
    • the Federal Trade Commission Act;
    • the Health Insurance Portability and Accountability Act (HIPAA);
  • applicable state-based laws including the:
    • California Consumer Privacy Act as amended by the CPRA;
    • California Online Privacy Protection Act;
    • New York SHIELD Act; and
    • Florida Information Protection Act,

(collectively referred to as United States Privacy Laws).

In this Privacy Policy we describe:

  • the types of personal information we collect and the purposes for which we collect that information;
  • the use and disclosure of personal information collected;
  • the security of personal information collected;
  • the ability to gain access to the personal information we hold that is applicable to that individual;
  • what to do if the information that we hold about an individual is inaccurate; and
  • how to contact us.

Personal Information

In this Privacy Policy, we use the term:

  • "personal information" refers to information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. In some countries terms like "personal data" or "personally identifiable information" are used instead.
  • "sensitive personal information" refers to a subset of personal information that requires a higher level of protection under the applicable privacy and data protection legislation. Sensitive personal information may include religious beliefs, criminal record or biometric and medical information. In some jurisdictions terms such as "special category data" are used instead.

Information we collect may include the following:

About a Patient

This information will be provided by the Authorised User.

Identifying information about the Patient, including:

  • name;
  • date of birth;
  • email address;
  • phone number; or
  • gender.

Health information about the Patient, as provided to us, including:

  • existing medical history (especially about vision and epilepsy and concussion); and
  • brain pattern measurements.

About an Authorised User

Identifying information about the Authorised User, including:

  • name;
  • work place address;
  • email address; and
  • phone number.

Occupational details about the Authorised User including:

  • position at an organisation;
  • registration details;
  • qualifications;
  • health care specialisation;
  • professional body memberships; or
  • professional indemnity insurance details.

About our suppliers and business partners

Information that may identify people who are our contractors, suppliers and business partners, or who are employed by our contractors, suppliers and business partners.

About visitors to our website

Information about visitors including:

  • name;
  • email address;
  • phone number; and
  • records of our communications with such visitors.

We rely on those persons who provide us with personal information on behalf of others having the right at law to share that personal information with us.

Collection of Personal Information

We collect personal information about Patients and Authorised Users and others with whom we interact.

Collection of personal information is necessary in the case of Patients for us to provide access and use of the System. If we are not provided with the personal information we request in respect of a Patient, we will be unable to provide access to and use of the System in relation to that Patient.

Authorised Users providing us with personal information about a Patient must only do so if that Patient consents to the Authorised User doing so or the Authorised User has other authority to do so.

If we receive personal information which we did not solicit, we will determine as quickly as possible whether that personal information could have been lawfully and fairly collected by us in accordance with this Privacy Policy. If so, we will only use the unsolicited personal information as if it had been solicited by us in accordance with this Privacy Policy. If not, we will take reasonable steps to de-identify and/or destroy the information.

If our website contains links to the websites of third-parties and a visitor accesses those third-party websites, they may collect information about that visitor. We do not collect information from those third-parties regarding visitors that access their third-party website. Personal information that is provided to those third-parties will be governed by their privacy policies for which we are not responsible.

We do not knowingly collect information from visitors to our website who are under 18 years of age.

Cookies

A cookie is a small text file placed on a computer hard drive by a web page server.

Cookies may be accessed later by the back-end of our website. Cookies store information about a visitor using the website. Cookies also allow us to provide visitors with a more personalised service when they access our website.

We use cookies to:

  • determine whether a visitor has previously visited our website;
  • identify the website pages accessed;
  • facilitate administration of the website;
  • support security purposes; or
  • analyse visitor behaviour through third-party tools.

Most web browsers are set to accept cookies. Browsers can be configured to not accept cookies. If a visitor sets its browser to reject cookies, it may restrict full use of the website.

To administer and improve the website, we may use third-party tools to track and analyse usage and statistical volume information, including page requests, form requests, and click paths. Use of third-party tools may involve cookies to track behaviour. We do not use these tools to collect personal information that directly identifies persons who visit our website, nor do we use cookies for targeted advertising.

We do not collect personal information or identifiers through cookies from visitors.

Use and Disclosure of Personal Information

We may collect and use aggregated, de-identified data regarding use of the System for the purposes of:

  • improving the performance of the System;
  • internal analysis, usage monitoring, and System optimisation; and
  • enhancing our understanding of Patient outcomes.

This de-identified data does not identify individual Patients or Authorised Users.

We will only use and disclose personal information for the purpose for which it was collected by us in accordance with this Privacy Policy. We will not use personal information for purposes that are not directly related to the original purpose of collection except as permitted by New Zealand Privacy Laws, Australian Privacy Laws or United States Privacy Laws.

We may use personal information that we collect to:

  • operate the System;
  • comply with our regulatory compliance and safety requirements as a provider of a regulated medical device;
  • maintain, upgrade, improve and provide support services for the System;
  • answer queries and requests;
  • comply with our legal and regulatory obligations;
  • manage and resolve any legal or commercial complaints or issues; and
  • enable us to meet our obligations under law.

Patients may request to have their personal information deleted subject to our retention obligations outlined in this Privacy Policy.

We may disclose personal information that we collect:

  • to Authorised Users providing their services to Patients;
  • to our staff who need the information to discharge their duties;
  • to our business partners, agents and service providers, including payment system operators and information technology service providers;
  • in connection with:
    • a corporate restructuring or change of ownership or control of all or part of our business; and
    • any financing or any proposed financing in respect of our business;
  • to our agents, contractors or third-party service providers and business partners to enable them to provide administrative and other support services to us;
  • in connection with satisfaction surveys or other data collection activities relevant to the System;
  • to professional advisors who we engage to provide advice on our business;
  • when we have a good-faith belief that disclosure of personal information is reasonably necessary to detect or protect against fraud or security issues;
  • to comply with a legal obligation or in response to a request from law enforcement or other public authorities wherever we may do business;
  • to protect, enforce and/or defend our rights or intellectual property; or
  • to act in urgent circumstances to protect the personal safety of Patients, Authorised Users and our employees or contractors.

We require any party that has access to personal information collected by us to handle that personal information in a manner consistent with all applicable laws and this Privacy Policy.

We may from time to time use personal information held by us about Authorised Users to send marketing communications about our System that we think may be of interest to those Authorised Users. Authorised Users can opt-out of receiving marketing communications from us by contacting us at support@nurochekpro.com or following the "unsubscribe" link in the communication.

We do not sell personal information to data brokers or third parties for their independent use.

Quality of Personal Information

We take all reasonable steps to ensure the personal information held is accurate, up-to-date and complete.

Access to Personal Information

Subject to certain conditions (as outlined below) we will permit an individual access to the personal information that we hold regarding them.

We will correct personal information where that information is inaccurate or incomplete. We will not charge a fee for the access request but may charge a reasonable cost of processing such request.

If an individual wants to access the personal information we hold about them, or correct it, they must email us at: support@nurochekpro.com.

We will seek to provide such information within a reasonable period of time, and in the manner so requested (where reasonable to do so).

We may not always be able to give that individual access to all the personal information we hold regarding them. If this is the case, we will provide a written explanation of the reasons for our refusal.

We may not be able to give access to information where such request:

  • is reasonably considered to pose a serious threat to the life, health or safety of any individual or to public health or safety;
  • may unreasonably impact the privacy of another individual;
  • is reasonably considered to be frivolous or vexatious;
  • is reasonably considered to relate to existing or anticipated legal proceedings which would otherwise not be accessible in the discovery process relating to such proceedings;
  • is reasonably considered to be unlawful or prohibited by law or an order of a court/tribunal;
  • is reasonably considered to relate to unlawful activity or serious misconduct, where access would likely prejudice the taking of appropriate action in relation thereto; or
  • is reasonably considered to relate to activities conducted by or on behalf of a law enforcement body that may be prejudiced.

Residents of the state of California have the right to:

  • request that we disclose what personal information we know regarding that resident from whom we have requested personal information in the past 12 months;
  • request that we delete the personal information we have collected regarding that resident; and
  • request an overview of the personal information we hold regarding that resident.

Retention of Personal Information

Our retention periods are based on criteria that include legally mandated retention periods in the countries within which the personal information is collected, pending or actual litigation, contractual requirements, operational directives or needs and the expected period of use of the System.

When there is no need for us to keep personal information to:

  • provide the System;
  • comply with applicable privacy and data protection laws;
  • resolve disputes; or
  • enforce our agreements,

we will remove it from our systems when it is reasonably practicable to do so by deleting it, archiving it or de-identifying it (as is appropriate).

Deletion of Personal Information

Subject to any applicable laws which mandate us to retain health data, we will, on the request of the affected person, delete personal information held by us.

If an individual wishes to delete personal information that we hold about them, they must email us at: support@nurochekpro.com.

We will take all reasonable steps to delete such information in compliance with legal requirements and in a reasonable time frame unless we are required to retain such information.

If we are unable to comply with a request to delete, we will notify the individual in writing of our reasons.

Data Breaches

Our goal is to be transparent and helpful in our communications should any security incident occur.

In Australia, if we suffer a data breach, we will promptly notify the affected individual and the Australian Information Commissioner if the unauthorised access or disclosure of personal information is likely to result in serious harm to those affected and we have been unable to prevent the likely risk of serious harm with remedial action.

In New Zealand, if we suffer a privacy breach, we will promptly notify the affected individual and the New Zealand Privacy Commissioner where the breach is a notifiable privacy breach under the New Zealand Privacy Laws. That is, where the unauthorised access to, or disclosure or loss of, personal information has caused, or is likely to cause, serious harm to the individual, and we have been unable to reduce the likelihood of serious harm through remedial action.

In the United States (including California and New York), if we suffer a data breach, we will promptly notify the affected individual where there has been unauthorised access to, exfiltration, theft or disclosure of personal information that compromises the security or confidentiality of that information, and where applicable United States Privacy Law requires such notification. Where required under the United States Privacy Law or the applicable state-based laws, we will also notify the appropriate regulatory or governmental authorities.

Security of Personal Information

We take reasonable steps and precautions, including technical and organisational measures, to keep personal information secure from loss, misuse, and interference, and from unauthorised access, modification or disclosure.

These precautions and technical measures include:

  • physical security of our servers, offices and facilities;
  • multifactor authentication;
  • access limited to need to know;
  • encryption in transit and at rest;
  • physical server security;
  • periodical penetration testing/security reviews; and
  • recording of access and logging of configuration changes.

As part of our compliance with the United States Privacy Laws, we ensure our security program meets the "reasonable safeguards" requirement that addresses administrative, technical, and physical safeguards appropriate to the size of our business and the sensitivity of the information.

There are inherent risks in transmitting information over the internet. We do not have control over information while in transit over the internet and we cannot guarantee its security.

Storage of Personal Information

We will take all reasonable steps to ensure that all personal information we collect is stored electronically in a secure environment accessed only by authorised persons.

We store personal information on computer infrastructure located in the region in which the personal information was collected unless otherwise specifically notified in this policy.

Personal information that is collected outside Australia is stored on servers in the United States.

Policy Changes

We reserve the right to change this Privacy Policy at any time. Changes to this Privacy Policy will be notified by us posting a new privacy policy to this page.

This Privacy Policy should be periodically checked for any changes.

Changes to this Privacy Policy are effective when they are posted on this page.

Continued use of our System or access to our website after we post or send a notice about our changes to this Privacy Policy means that the collection, use and sharing of personal information is subject to the updated Privacy Policy.

Privacy Complaints

Australia

In accordance with Australian Privacy Laws, we have appointed a Privacy Officer. If there is a complaint relating to this Privacy Policy, our compliance with Australian Privacy Laws or our treatment of personal information, please contact our Privacy Officer at the contact details below.

If the outcome of the complaint, made by a resident of Australia, is not satisfactory then that resident has the right to lodge a complaint with the Office of the Australian Information Commissioner and can contact them in the following ways:

New Zealand

In accordance with New Zealand Privacy Laws, we have appointed a Privacy Officer. If there is a complaint relating to this Privacy Policy, our compliance with New Zealand Privacy Laws or our treatment of personal information, please contact our Privacy Officer at the contact details below:

If the outcome of the complaint, made by a resident of New Zealand, is not satisfactory then that resident has the right to lodge a complaint with the Office of the Privacy Commissioner and can contact them in the following ways:

United States

If there is a complaint relating to this Privacy Policy, our compliance with United States Privacy Laws or our treatment of personal information, there is a right to lodge a complaint with the relevant state authority. Depending on a resident's location in the United States, they may contact the following state regulators:

California: California Privacy Protection Agency

  • Telephone: 916–572–2900
  • Website: https://cppa.ca.gov/
  • Address: California Privacy Protection Agency, 400 R Street Suite 350, Sacramento, CA 95811.

New York: New York Attorney General - Bureau of Internet and Technology

Florida: Florida Attorney General

We aim to acknowledge all privacy-related complaints as soon as reasonably practicable and will seek to resolve them promptly and fairly.

If the matter is complex or requires additional time, we will be in contact to explain the reason for the delay and provide updates on our progress.