ePharmacy Privacy Statement

ePharmacy Group Pty Limited (ePharmacy, we, us, our) is committed to ensuring the privacy and confidentiality of the personal information you entrust to it, including through your use of www.chemistwarehouse.com.au and www.ultrabeauty.com.au (our ‘Websites’). References to ‘health information’, ‘personal information’ and ‘sensitive information’ under this Privacy Statement have the meanings given to them under the Privacy Act 1988 (Cth) (‘Privacy Act’).

1. About this Privacy Statement

This Privacy Statement includes our:

Privacy Collection Notice, which includes information about our collection and handling of your personal information when your order or purchase products (including medicines) or make a booking to receive health services; and

Privacy Policy, which explains how we collect and manage your personal information, including the purposes for which we collect and use your information, and the types of organisations we share it with. It also explains how you can access and correct the personal information we hold about you, and how you can make a complaint about our handling of your personal information.

On occasion, we will provide you with a supplementary privacy notice which relates to a specific type of collection of personal information. Please read this Statement and any supplementary privacy notice provided to you and contact us if you have any questions regarding how we handle your personal information.

Business Partners

In this Privacy Statement, we refer to ‘Business Partners’. This term describes the service providers that help us run our business. It also includes Chemist Warehouse franchisees and Marketplace Sellers who sell products on www.ultrabeauty.com.au.

Depending on how you engage with us, including the product or service you order from us, and whether directly with us or with the support of a Business Partner, some or all of this Privacy Statement may be relevant to you. For example, if you order certain medicines online through one of our Websites, you will need to create a patient profile for yourself, or another person that you order medicines for, so our pharmacy Business Partners can make sure the medicine is suitable for the patient.

2. About ePharmacy

We are bound by the Privacy Act and must handle and protect your personal information according to that Act. In addition, we are bound by Australian state and territory health records legislation.

Important information about our collection of your information

3. How and when do we collect your personal information?

We collect most of your personal information directly from you, whether electronically via one of our Websites, via email or over the phone.

For example, we collect your personal information from you when you interact with us to:

• visit one of our Websites and browse products, place an order, book a vaccination appointment, enter a competition, opt-in to receive direct marketing communications from us, or provide us with health information necessary to ensure a medicine you’re ordering is suitable for you;

• provide us with feedback or make a complaint;

• chat with us online, email us, do business with us, or otherwise interact with us.

We may also collect your personal information if we infer or generate information about you based on your transactions, preferences, and behaviours, including through the use of data analytics.

When you visit and interact with one of our Websites, we use cookies, tags, pixels and other tracking technologies to collect your personal information. For more information, please refer to our Cookies, Pixels and Tracking Technologies Privacy Notice.

Our pharmacy Business Partners may collect personal information from you in person when you visit a Chemist Warehouse store. They may also collect your information for safety and security purposes, including via use of video surveillance devices in store.

4. What personal information do we collect and hold?

The personal information (including sensitive information) about you that we may collect and hold will depend on the products and services we provide to you and the nature of your interactions with us.

We list below the types of personal information about you that we collect and hold, together with examples of what these may include.

For most products

Personal and contact details. For example, your name, residential and delivery address details, contact telephone number, and email address.

Transactional information. For example, records of your orders and other purchases including your payment method, payment currency, delivery method, shipping type, order identifier and the category, type and quantity of products or services purchased.

Preference information. For example, your preference to receive or not receive direct marketing communications from us, and how you wish to receive such communications, e.g. email, SMS or online targeted advertising.

Interaction and behavioural information. For example:

• Your interactions with us, including your queries and complaints.

• Pages viewed and browsing behaviour on our website.

• How you navigate through our Websites and interact with our webpages, including search terms and fields completed in forms.

For more information on how we deal with your interaction and behavioural information, please refer to our Cookies, Pixels and Tracking Technologies Privacy Notice.

Digital information. For example, the date and time of your visits to our webpages, geographic location information, information about the device you use to visit our website (such as your tablet or mobile device) including device identifier, browser type and operating system, session identifier, user identifier, logged-in status, IP address you are using, and geolocation where you provide permission in your device settings.

Publicly available information: For example, we may collect information about you from ePharmacy pages on social media platforms if you publicly comment, but we will never ask you to supply personal information over any social media platform on which we have a presence and use, such as Facebook, Instagram or X.

For certain medicines and other health services

If you order certain medicines or make a booking to receive a health service such as a vaccination, we may also collect and hold the following types of personal information about you:

Personal details. For example, your gender and date of birth.

Government identifiers. For example, your Medicare card details, Concession card details, Health Care card details, Pharmaceutical Benefits Scheme/Repatriation Pharmaceutical Benefits Scheme Safety Net card details and your Individual Healthcare Identifier.

Health information. For example, details of any allergies to medicines, details of any medical conditions, details of medications you take, whether you are pregnant or breastfeeding.

Prescription information. For example, eScript token/s and paper prescriptions you provide to us to keep on file.

Other sensitive information. For example, Aboriginal or Torres Strait Islander status, if you choose to provide this information.

Preference information. For example:

• Your preference for generic medicines or brand name medicines.

• Your preference to receive periodic immunisation booking availability reminders or communications about your eligibility to receive a free vaccination under the National Immunisation Program or a state/territory immunisation program, and how you wish to receive such communications.

Your health professional team. For example, the name, practice address and contact details of your general practitioner.

5. Why we collect and hold your personal information

For most products

We may collect and hold your personal information to help us run our business and serve you better, including for the purposes listed below.

Sell, deliver and provide products and services to you. For example:

• provide you with the products and services you have ordered or requested directly from us, including with the support of our Business Partners;

• answer your questions and resolve your complaints;

• provide updates on the delivery of products you’ve ordered.

Promote our products and services. For example, where you agree or we are permitted by law:

• to send you direct marketing communications about products and services we believe may be of interest and value to you;

• for online targeted advertising onsite and via third party websites and social media platforms.

Improve your experience, and our marketing and other communications. For example, to understand your interests and preferences so we can tailor our online experience, digital content and our communications to you.

Security and prevention of fraud or other criminal activity. For example, to:

• prevent, detect and investigate suspicious, fraudulent, criminal or other activity that may cause you, us, any of our Business Partners or others harm, including in relation to our products and services;

• verify your identity to ensure an online order is collected by, or delivered to, you, or a personal information access request has been made by you.

Legal and regulatory compliance. For example, to share information with law enforcement, regulators and government agencies.

For certain medicines and other health services

If you order certain medicines or make a booking to receive a health service, we or a pharmacy Business Partner may also collect and hold your personal information, including health information, for the following purposes:

Provide products and services to you. For example,

• We may collect sensitive information necessary to provide a health service, such as when we collect health information so our pharmacy Business Partners can make sure the medicine is suitable for you or the person for whom it has been prescribed.

• A pharmacy Business Partner will collect your paper or electronic prescription when you have ordered a prescription medicine online.

Communicate with you about products and services. For example, we may contact you in the event of a recall of a product you have ordered from us.

Inform you about health services. For example, where you agree or we are permitted by law, we may collect sensitive information about you to:

• let you know you may be eligible for a free vaccination under the National Immunisation Program or a state/territory immunisation program;

• send you communications about appointments for annual or periodic vaccinations from our pharmacy Business Partners.

Legal and regulatory compliance. For example, to comply with legislative and regulatory obligations applicable to pharmacy Business Partners such as maintaining records of medicines dispensed.

6. Who we disclose your personal information to, and why

The list below explains who we may disclose your personal information (including sensitive information) to.

For most products

Our related companies CW Retail Services Pty Ltd (which provides administrative services such as facilitating payments to pharmacy Business Partners for online orders) and CW Media Pty Ltd (which is the promoter of competitions).

Business Partners that help us run our business including:

• our pharmacy Business Partners for the purpose of fulfilling your order, including dispensing the medicine where applicable;

• our contractors and service providers such as IT providers, mailing houses, delivery partners, and cloud service providers for the purposes of:

  • delivering your online order;

  • helping us with our marketing and advertising activities;

  • helping us to develop insights, conduct data analysis to improve our website, enhance our customer relationships and provide hosting services;

  • identifying, investigating or preventing fraud or other unlawful activity.

Parties that facilitate transactions and payment services such as payment system participants and other parties who are involved in processing transactions such as credit or debit card issuers, mobile payments and digital wallet providers, and buy now pay later platforms.

Authorised third parties: Third parties you have authorised to act for you (such as an executor or a person with power of attorney).

Professional advisers such as our financial advisers, auditors and legal advisers for the purpose of obtaining their professional services.

Regulatory authorities, government entities or agencies and law enforcement bodies where we are required or authorised by law to do so.

Investors and prospective purchasers: Companies or other persons who purchase or invest in, or may purchase or invest in, a part or all of our business or assets (including their advisors and representatives).

For certain medicines and other health services

Pharmacy Business Partners may share your personal and health information with government entities and agencies such as Services Australia and the Australian Digital Health Agency where it is necessary for managing the My Health Record System (for example, for the purpose of correcting an omission or error). Pharmacy Business Partners may also collect, use and disclose your information from My Health Record for the purpose of providing healthcare services to you.

Pharmacy Business Partners may disclose your personal information to third parties for a purpose directly related to your vaccine administration. For example, they disclose your personal information to the Australian Immunisation Register, Medicare provider Services Australia and other third parties as required by law. They will seek your consent to upload your information to the Department of Health and Aged Care (DHAC) and the Pharmacy Administrators Program Portal which is owned and administered by Australian Healthcare Associates Pty Ltd for the purpose of assessing your eligibility for pharmacy programs funded by DHAC. If you do not consent, you will not be able to access DHAC funded programs such as the National Immunisation Program.

We disclose your personal information (including health information) to CW Retail Services Pty Ltd which provides administrative services such as facilitating bookings for health services with pharmacy Business Partners and claiming payments for pharmacy programs funded by the DHAC.

7. Dealing with us anonymously or using a pseudonym

Where it is lawful and practicable to do so, you may deal with us anonymously, for example, if you make an enquiry about our products and services generally. You may be able to receive healthcare services on a pseudonymous basis. However, there may be consequences for you if you choose to use a pseudonym to receive healthcare services. For example, you won’t be eligible to claim PBS medicines under your pseudonym.

8. What happens if you do not provide us with your personal information?

You do not have to provide us or our Business Partners with your personal information in relation to our products and services. However, we may not be able to process your order, provide the product or service, assist with your enquiries or respond to any complaint you make to us if you do not provide us with your personal information.

9. Laws that require or authorise us to collect, use and/or disclose your personal information

Certain laws require us or a pharmacy Business Partner to collect, use and disclose your personal information in particular circumstances including:

• if you receive a vaccination, our pharmacy Business Partners are required to record your personal information, including government identifiers and details of the vaccination on the Australian Immunisation Register under the Australian Immunisation Register Act 2015 (Cth);

• if you order a prescription medicine online through one of our Websites, you must provide the paper prescription or eScript token to the pharmacy Business partner who will dispense the medicine under the National Health Act 1953 (Cth) and state/territory medicines, poisons and controlled substances laws and regulations.

Pharmacy Business Partners are also bound by the following laws:

• the Healthcare Identifiers Act 2010 (Cth) and its regulations, and may only access, use or disclose your Individual Healthcare Identifier for limited purposes; and

• the My Health Records Act 2012 (Cth), its rules and regulations, and may only collect, use or disclose information in your My Health Record with your consent or as otherwise permitted under the My Health Record legislative framework.

10. Collecting your personal information from others

For most products

From time to time, we may collect personal information about you from others. For example, we may collect your information from:

• Business Partners engaged by us or our related companies CW Retail Services Pty Ltd or CW Media Pty Ltd to provide financial, administrative or other services to us including payment services providers;

• law enforcement, dispute resolution, statutory and regulatory bodies and complaints resolution bodies.

For certain medicines and other health services

If you’ve ordered certain medicines online from one of our Websites, our pharmacy Business Partners may collect your personal information from a member of your healthcare team where the information is necessary to dispense the medicine and the information is collected in accordance with the Australian Health Practitioner Regulation Agency Code of Conduct.

11. Do we collect, use and disclose your personal information for direct marketing?

We may (and our pharmacy Business Partners may) collect, use and disclose your personal information to offer products and services we believe may be of interest and value to you, if you have given us permission to do so or we otherwise have your consent to do so. The products and services offered may be provided by us, other companies within the Sigma Healthcare Limited group of companies (which includes CW Retail Services Pty Ltd and CW Media Pty Ltd) or by one of our third-party partners. Products and services may be offered to you by various means such as email or SMS. If you no longer want to receive direct marketing communications from us, including offers we send about products and services offered by other companies within the Sigma Healthcare Limited group of companies and our third-party partners, you can unsubscribe through the opt-out facility provided to you in each marketing message or go to our web page (https://www.ultrabeauty.com.au/help-centre/contact-us) where you can email us, use our online web messaging function or call us on 1300 367 283. Our business hours are Monday to Friday 8:00am to 8:00pm AEST.

We may also collect, use and disclose your personal information to communicate with you through social media platforms or online targeted advertising. For more information including how to manage your consent preferences, please refer to our Cookies, Pixels and Other Tracking Technologies Privacy Notice.

Particular circumstances that may apply to you

12. If you give us personal information about someone else

Before you provide another person’s personal information to us (for example, a family member), whether directly or with the support of a Business Partner, you must make them aware:

• that you will be doing this;

• of the contents of this Privacy Statement and any other relevant Privacy Notices; and

• that we will collect, use and share their personal information in accordance with this Privacy Statement and any other privacy notices we give you.

13. If you are a representative of a patient, or a healthcare provider to a patient

Where you are a representative of a patient or a healthcare provider to a patient, this Privacy Statement will also apply to you where we collect and handle your personal information. For example, our pharmacy Business Partners may collect your personal information to contact you to discuss a medicine you’ve prescribed to a patient, or provide the product to the patient, such as when they have authorised you to collect the product on their behalf.

Further information about our handling of your personal information

14. How we hold and protect your personal information

We store your personal information held in hard copy and electronic records in secure premises and systems or using trusted Business Partners.

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure including technical and organisational measures. We use technologies and processes such as identity and access management controls, network firewalls, encryption, and physical security to protect your personal information. All employees, including employees of our Business Partner pharmacies, are required to complete information security and privacy awareness training.

15. Sharing your personal information overseas

We may share your personal information (including sensitive information) outside Australia to some of the types of recipients and for the purposes noted above (see Section 6 – ‘Who we disclose your personal information to, and why’), including our contracted service providers operating overseas, which are likely to be located in the United States, Singapore, Malaysia, the European Union and the United Kingdom.

16. Accessing and correcting your personal information

You may request access to the personal information (including your sensitive information) that we hold about you. You can also ask for corrections to be made to it. To do so, please contact us using the contact details provided below.

We will seek to verify your identity before we allow access, or make changes, to your personal information.

There is no fee for requesting corrections to your personal information or for us to make those corrections. In some circumstances, we may charge you a reasonable amount for providing you access to your personal information to cover the costs of locating the information, copying it and supplying it to you.

We are not required to provide you with access to your personal Information in certain limited circumstances, for example, where a court or tribunal order requires us to deny access. There are also certain circumstances in which we are not required to correct your personal information, for example, where we are not satisfied that the information we have on record about you is inaccurate, out-of-date, incomplete, irrelevant or misleading.

However, if we refuse to give you access to, or to correct, your personal information, we will give you a notice explaining our reasons (except to the extent it would be unreasonable or unlawful for us to do so) and provide you with information on how you can complain about our refusal.

17. Resolving your privacy complaints and concerns

If you wish to make a complaint about the way we’ve managed your personal information, you can lodge a written complaint with us using the contact details below. Please provide us with as much information as possible so we can investigate and respond.

We will do our best to respond to your complaint within 30 days of receiving your complaint. If we cannot respond within this timeframe, we will let you know.

If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner.

Office of the Australian Information Commissioner

Telephone: 1300 363 992

Online Form: OAIC Web Form

Lodge a privacy complaint with us | OAIC

18. Contact us

Customer Service

To contact us, you can go to our web page (https://www.ultrabeauty.com.au/help-centre/contact-us) where you can email us, use our online web messaging, or call us on 1300 367 283. Our business hours are Monday to Friday 8:00am to 8:00pm AEST.

Privacy Officer

Mail:

The Privacy Officer, CW Retail, 6 Albert Street, Preston VIC 3072

Email:

[email protected]

19. Changes to this Privacy Statement

We may update this Privacy Statement from time to time. An up-to-date version of this Privacy Statement is available at any time at https://www.ultrabeauty.com.au/help-centre/terms-and-policies/privacy-policy.

This Privacy Statement was published on 3 June 2025.