Privacy Policy

1. Introduction & Scope

This Privacy Policy explains how BioSyn-AI Pty Ltd (GxpVigilance, AusAiLab, PharmaAIOnlineTraining) handles personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We also align our practices with recognised international standards where appropriate, but we do not offer services in the EEA/UK and this policy is governed by Australian law.

Where relevant (e.g., when data relates to overseas individuals), we aim to align with comparable international standards (e.g., the European Union's General Data Protection Regulation (GDPR) and the New Zealand Privacy Act 2020).

Our electronic marketing complies with Australia’s Spam Act 2003 (consent, sender ID, functional unsubscribe).

2. Information Collected

The BioSyn-AI PTY LTD Group collects personal information that is reasonably necessary for us to provide our services and to operate our business effectively. The types of personal information we collect and how we collect it include:

2.1. Information Collected Directly from You:

We only collect the minimum personal information needed to deliver our services, contact you, and follow up on your requests. We do not collect information we don’t need for those purposes. This reflects the APP 3 “reasonably necessary” test and international data-minimisation standards.

Contact details – name, work email, phone, postal address, and organisation details when you ask for services, register for training, sign up for updates, or enter a client engagement.

Professional information – job title, employer, relevant qualifications, and role-related preferences (e.g., GxP background for GxpVigilance; AI experience for BioSyn-AI training) only if needed to tailor and deliver the service.

Financial & billing – we collect limited billing details required to issue invoices and reconcile payments. We do not collect or store credit card numbers, CVV, or bank account numbers. Card payments (if used) are handled by PCI DSS-compliant providers; we receive only non-sensitive confirmations (e.g., transaction IDs).

Communication records – your enquiries, feedback, and support requests so we can respond and resolve issues.

Training & performance data – for participants in our training (e.g., PharmaAIOnlineTraining): enrolment, progress, completion status, and assessment results to deliver the course, verify completion, and provide support.

We apply purpose limitation (use data only for the purposes above or a directly related purpose you’d reasonably expect) and storage limitation (don’t keep it longer than needed).

Health/safety information (client work only) – in regulated engagements (e.g., PV case processing, audits) we may receive limited health or incident details under client instruction and only when necessary to deliver the contracted service. Where feasible, we prefer de-identified data. (We act as a service provider/processor under client-agreed terms.)

2.2. Information Collected from Third Parties:

We may receive personal information from third parties where you have authorised them to share your information, or where it is otherwise lawfully permitted. This could include information from your employer if they are engaging us for corporate training or services on your behalf.

In the context of GxP Auditing or Pharmacovigilance services provided by GxpVigilance, we may receive personal information (including potentially Health Information or Sensitive Information related to adverse events or clinical trial participants) from our regulated clients as part of our agreed-upon service scope. In such cases, our collection and handling of this information are strictly governed by contractual agreements and relevant regulatory frameworks, and we act as a processor or service provider to our clients.

2.3. Information Collected Automatically (through website/digital platforms):

Technical Data: IP addresses, browser type, operating system, and device identifiers when you access our websites or online training platforms.

Usage Data: Information about how you use our websites and online services, such as pages visited, time spent on pages, and navigation paths.

Cookies and Similar Technologies: We may use cookies and similar tracking technologies to enhance your experience, analyse website usage, and for marketing purposes. Details on cookie usage will be provided separately in a Cookie Policy or within the relevant platform.

2.4. Collection of Unsolicited Information:

Occasionally, we may receive unsolicited personal information. If we receive personal information that we have not solicited and determine that we could not have collected the information by lawful and fair means, we will destroy the information or ensure that it is de-identified as soon as practicable, provided it is lawful and reasonable to do so. This applies particularly to Health Information or Sensitive Information that is not directly relevant to our core services.

3. Consent and Anonymity

We obtain informed consent for the collection and use of personal information, including sensitive information and Health Information, in accordance with the Australian Privacy Principles. Consent is typically obtained at the point of collection through clear statements and opt-in mechanisms. You have the right to withdraw your consent at any time, subject to legal and contractual restrictions.

Where practicable and lawful, individuals may choose to remain anonymous or use a pseudonym when interacting with us. However, in many instances, particularly when providing our specialised services (e.g., GxpVigilance, professional training), the nature of the service requires the identification of the individual for effective delivery and compliance.

If you choose not to provide personal information that is reasonably necessary for us to provide our services, it may impact our ability to offer you the full scope of our services or engage in a client partnership. We will inform you of the potential consequences of not providing the required information at the time of collection.

4. Use of Information

The BioSyn-AI PTY LTD Group uses personal information for the following primary and secondary purposes:

4.1. Primary Purposes:
  • Providing our core services, including Regulatory Compliance, Artificial Intelligence Integration, and Professional Training and Upskilling, through our various entities.

  • Managing client relationships and partnerships.

  • Processing payments and managing billing.

  • Delivering and administering training programs and assessing performance (PharmaAIOnlineTraining).

  • Performing GxP Auditing, Pharmacovigilance, and Medical Device Vigilance services (GxpVigilance).

  • Communicating with you regarding our services, updates, and relevant information.

  • Complying with legal and regulatory obligations relevant to our operations and services.

4.2. Secondary Purposes:

  • Internal analysis and research to improve our services and operational efficiency.

  • Website and platform improvement and customisation.

  • Marketing and promotional activities, including newsletters and information about new services, where you have consented to receive such communications.

  • Preventing fraud and ensuring the security of our systems and data.

  • Responding to inquiries and providing support.

We will only use personal information for the purposes for which it was collected, or for a directly related secondary purpose that would be reasonably expected, or with your consent, or as required by law.

For transactions involving credit cards, we utilise secure third-party payment processors (such as Stripe). We do not retain credit card information on our servers after the transaction is processed.

5. Disclosure of Information

The BioSyn-AI PTY LTD Group may disclose personal information to the following parties:

  • Affiliates: Personal information may be shared among the entities within the BioSyn-AI PTY LTD Group to facilitate the provision of integrated services and for internal administrative purposes.

  • Service Providers: We may disclose personal information to third-party service providers who assist us in our operations, such as IT support, cloud hosting, payment processors, and marketing platforms. These providers are contractually obligated to protect the confidentiality and security of personal information and to use it only for the purposes for which it was disclosed.

  • Clients: In the context of GxP Auditing or Pharmacovigilance services provided by GxpVigilance, we may disclose relevant personal information (including potentially Health Information or Sensitive Information) to our regulated clients as required by our contractual agreements and relevant regulatory frameworks.

  • Authorised Third Parties: We may disclose personal information to other authorised third parties with your consent or where required for the provision of our services.

  • Regulatory Authorities and Law Enforcement: We may disclose personal information to regulatory authorities, government agencies, and law enforcement bodies where required by law, court order, or to comply with regulatory obligations (e.g., reporting adverse events in pharmacovigilance).

  • Potential Business Partners: In the event of a potential merger, acquisition, or business sale, we may disclose personal information to prospective partners, subject to confidentiality agreements and legal requirements.

We will not tolerate the unauthorised disclosure of personal information with intent to harm (“doxxing”). Such conduct is a criminal offence under Commonwealth law; we take steps to detect, prevent and report it where appropriate.

6. International Data Transfers

We operate from Australia. If we disclose personal information overseas (for example, by using Microsoft 365 or other cloud services hosted outside Australia), we take reasonable steps to ensure the overseas recipient handles it in a way that is consistent with the Australian Privacy Principles (APPs). Where APP 8.1 applies, we may be accountable under section 16C of the Privacy Act for mishandling by that recipient.

Safeguards we use. Depending on the service and risk, our steps can include: due diligence on the provider, binding contractual terms that require APP-consistent handling, technical and organisational security measures (encryption in transit and at rest, access controls, logging), and monitoring of the provider’s certifications and audit reports. (See also our security measures in Section 7.)

Main overseas service providers. We use Microsoft 365 for productivity and collaboration. Microsoft provides enterprise data-protection commitments, including encryption and contract terms that restrict processing to our instructions. (For clarity: we do not rely on Microsoft to “comply with GDPR” on our behalf; rather, we ensure its contractual commitments and controls support APP-consistent handling.)

Where APP 8.1 may not apply (limited exceptions). We may disclose personal information overseas without the “reasonable steps” obligation where an APP 8.2 exception applies—for example, if: (a) we reasonably believe the recipient is subject to a law or binding scheme that is at least substantially similar to the APPs and enforceable by individuals; (b) you give express, informed consent after we tell you that APP 8.1 will not apply to that disclosure; (c) the disclosure is required or authorised by Australian law or a court/tribunal order; or (d) another limited permitted situation applies. We document any reliance on an exception.

Use vs disclosure with cloud services. When overseas infrastructure or personnel can access personal information, we generally treat that arrangement as a disclosure and apply APP 8. We do not rely on narrow “use only” characterisations to avoid cross-border obligations.

7. Data Quality & Security

The BioSyn-AI PTY LTD Group takes reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, complete, and up-to-date. We rely on the information provided by individuals and clients and encourage you to inform us of any changes to your personal information.

We are committed to protecting personal information from misuse, loss, unauthorised access, modification, and disclosure. We implement a range of physical, technical, and administrative security measures. These include:

• Technical Measures: Encryption of data in transit and at rest, firewalls, intrusion detection systems, secure coding practices, and regular security vulnerability assessments.

• Administrative Measures: Strict access controls and permissions, employee training on privacy and data security obligations, internal policies and procedures for data handling, and third-party agreements that mandate appropriate security standards.

• Physical Measures: Secure storage of physical records (where applicable) and restricted access to our premises.

While we strive to maintain the highest level of data security, it is essential to acknowledge that no system is 100% secure. We continuously review and update our security practices in response to evolving threats and technological advancements.

We take reasonable steps to protect personal information, which includes technical and organisational measures as clarified by the Privacy and Other Legislation Amendment Act 2024.

8. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to individuals, the BioSyn-AI PTY LTD Group has established procedures for containment, assessment, and notification in accordance with the Australian Notifiable Data Breach (NDB) scheme and other relevant regulatory requirements (such as those that may apply under GDPR for specific client engagements).

Our data breach response plan includes:

• Containment: Taking immediate steps to limit the impact of the breach.

• Assessment: Investigating the nature and extent of the breach and the types of personal information involved.

• Notification: Notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the NDB scheme. Notification timelines and content will comply with legal requirements.

We will also cooperate with any relevant regulatory bodies or law enforcement agencies, as necessary.

We notify affected individuals and the OAIC of eligible data breaches likely to result in serious harm, consistent with the NDB scheme.

9. Your Choices & Access

You have the right to access, correct, or update the personal information that the BioSyn-AI PTY LTD Group holds about you.

• Access: You can request access to your personal information. We will provide you with access within a reasonable time, subject to any legal exceptions or limitations.

• Correction/Update: If you believe that any personal information we hold about you is inaccurate, incomplete, or out-of-date, you can request that we correct or update it. We will take reasonable steps to correct the information. If we disagree with your requested correction, we will provide you with our reasons and may attach a statement from you to the information.

To request access or correction of your personal information, please contact us using the details provided in the "Contact Information" section below. We may require you to verify your identity before processing your request.

Opting Out of Communications: You can opt out of receiving marketing and promotional communications from us at any time by following the unsubscribe instructions provided in the communication or by contacting us directly.

Every commercial email/SMS requires prior consent, clear sender identification, and a functional, easy unsubscribe in each message. We maintain suppression lists and honour opt-outs promptly.

10. Retention Period

The BioSyn-AI PTY LTD Group retains personal information for no longer than is necessary for the purposes for which it was collected, or as required by law or contractual obligations. The specific retention period may vary depending on the type of information and the context in which it was collected and used.

Factors influencing retention periods include:

  • Regulatory Requirements: Compliance with regulations that mandate specific record retention periods.

  • Contractual Obligations: Agreements with clients or service providers that specify data retention requirements.

  • Legal Requirements: Retention periods mandated by Australian law.

  • Business Needs: The need to retain information for ongoing business operations, historical analysis, or potential future legal claims.

When personal information is no longer required, we will securely destroy or de-identify it in a manner that prevents its future retrieval or identification, provided it is lawful and reasonable to do so.

11. Third-Party Links & Services

Our websites and digital platforms may contain links to external websites, products, or services that are not operated by the BioSyn-AI PTY LTD Group. We are not responsible for the privacy practices or content of these third-party sites or services.

We encourage you to review the privacy policies of any third-party websites or services you access through our platforms.

12. Minors

The services provided by the BioSyn-AI PTY LTD Group are primarily directed at professionals and organisations in the pharmaceutical and life sciences industries. Our services are not intended for individuals under the age of eighteen.

We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor without appropriate parental or guardian consent, we will take steps to delete that information as soon as practicable.

13. Artificial Intelligence - Consulting Services / Auditing

We use Microsoft Copilot for Microsoft 365 (Business/Enterprise) with Commercial Data Protection enabled to assist our staff with internal productivity tasks (for example, drafting, summarising, formatting and searching content we already hold lawfully in Microsoft 365 SharePoint).

AI is used as a supporting tool only. We do not make decisions that produce legal or similarly significant effects solely by automated means. Any AI-assisted output is reviewed by a person before we act on it. If we introduce any user-facing assistant in the future, we will clearly identify it as AI-enabled and provide a non-AI contact option.

We do not use identifiable personal information (and no patient information) to train any AI models. Our Copilot configuration is set so that our content is not used to train foundation models. For internal testing or examples, we rely on synthetic, de-identified or aggregated data and apply data minimisation to exclude unnecessary personal information. If we ever wish to use identifiable personal information for AI development beyond what is described here, we will seek separate, explicit consent, and you may withdraw that consent at any time.

We apply privacy principles to AI-assisted workflows. We collect and process only the personal information reasonably necessary to enable AI functionality, and we use least-privilege access controls. Because AI outputs can contain inaccuracies, any information generated or inferred by AI about an identifiable person is treated as personal information. We take reasonable steps to keep it accurate, up-to-date and complete, and you may access and request correction of such information (see Section 9, Your Choices & Access).

Where Microsoft 365 involves cross-border processing, we rely on enterprise safeguards and approved transfer mechanisms (such as Standard Contractual Clauses, where applicable). Content is encrypted in transit and at rest within Microsoft 365, and we maintain additional administrative and technical safeguards appropriate to the risk.

AI-related artefacts (such as prompts, drafts and generated files) are retained under our standard records retention schedule for the underlying content type. We do not maintain separate AI training corpora derived from identifiable personal information.

We may engage service providers to support these functions. Our primary AI/hosting provider is Microsoft (Microsoft 365 and Copilot for Microsoft 365). All providers are bound by data processing terms that restrict use to our instructions and require appropriate security.

For Microsoft 365 Copilot, Microsoft acts as our data processor under the Data Protection Addendum/Product Terms. Prompts, responses and Microsoft Graph data are not used to train foundation models. Content is encrypted in transit and at rest within Microsoft 365.

14. Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, or if you wish to access or correct your personal information, please contact us using the following details:

Mr. Carl Bufe

Email: [email protected]

We will endeavour to respond to your inquiry within a reasonable time.

Australia: the website of the Office of the Australian Information Commissioner, at http://www.oaic.gov.au

New Zealand: the website of the Privacy Commissioner, at https://www.privacy.org.nz/privacy-act-2020/privacy-principles/

15. Policy Updates

The BioSyn-AI PTY LTD Group may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal and regulatory requirements.

When we make significant changes to the policy, we will notify users by posting a notice on our website. The updated policy will take effect on the date of publication.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal information.

16. Definitions
  • "BioSyn-AI PTY LTD Group" or "We" / "Us" / "Our": Refers to BioSyn-AI PTY LTD and its specialised entities: GxpVigilance, BioSyn-AI, Australia AI Solutions Lab and PharmaAIOnlineTraining.

  • "Personal Information": Information or an opinion about an identified individual, or a reasonably identifiable individual, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. This includes, but is not limited to, names, contact details, and professional information.

  • "Sensitive Information": A subset of Personal Information that includes information or an opinion about an individual's racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or union, sexual orientation or practices, criminal record, health information, genetic information, biometric information, or biometric templates. While the BioSyn-AI PTY LTD Group primarily deals with professional and business-related data, sensitive information may be incidentally collected or processed in certain contexts, particularly within GxP compliance services.

  • "Health Information": A type of Sensitive Information that includes information or an opinion about the health, illness, or disability of an individual; an individual's expressed wishes about the future provision of health services to him or her; or a health service provided, or to be provided, to an individual. This may be relevant in the context of pharmacovigilance or medical device vigilance services provided by GxpVigilance.

  • "User" / "Client" / "You" / "Your": Refers to any individual or entity engaging with the BioSyn-AI PTY LTD Group's services, including clients, trainees, website visitors, and other stakeholders.

  • "Services": Encompasses all offerings by the BioSyn-AI PTY LTD Group, including Regulatory Compliance, Artificial Intelligence Integration, and Professional Training and Upskilling, as detailed in the "Who We Are" and "How We Operate" sections of our organisational overview.

  • "Affiliates": Refers to the individual entities within the BioSyn-AI PTY LTD Group (GxpVigilance, BioSyn-AI, PharmaAIOnlineTraining) and any other related bodies corporate or associated entities.

17. References
  • Privacy Act 1988 (Cth) - Core privacy legislation

  • Privacy and Other Legislation Amendment Act 2024 (Cth)

  • Australian Privacy Principles (APPs) - 13 principles governing privacy compliance

  • Spam Act 2003 (Cth) - Electronic marketing compliance

  • OAIC Guide to Developing an APP Privacy Policy - Essential guidance for policy structure and content

  • Australian Privacy Principles Guidelines - Detailed interpretation of APP requirements

  • OAIC Children's Online Privacy Code Issues Paper 2025

  • OAIC Media Release (28 November 2024) - Welcoming passage of privacy reforms

  • Children's Online Privacy Code Consultation - Ongoing development process with implementation by December 2026

  • Microsoft 365 Copilot Privacy Documentation - Enterprise data protection commitments

  • New Zealand Privacy Act 2020

  • GDPR (EU General Data Protection Regulation)

  • EU AI Act (2025–2026 Rollout)

QMS Document:

Name: Privacy Policy

Effective: 24-Aug-2025

Revision: 1.0

Document Number: HR-POL-001

Copyright 2025. GxP Vigilance / AusAILab. All Rights Reserved.