CATHRX – PRIVACY POLICY
This Privacy Policy applies to all personal information collected by CathRx Pty Ltd (ABN 23 089 310 421) and will be referred to as “CathRx,” “we,” “our,” or “us.” We are committed to protecting the privacy of the personal information we collect, hold, use, and disclose. This policy sets out how we manage your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and where applicable, the European Union’s General Data Protection Regulation (GDPR).
By using our website, products, or services, or by otherwise providing us with your personal information, you agree to the terms of this Privacy Policy.
1. WHAT IS PERSONAL INFORMATION?
For the purposes of the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive information (under Australian law) is a subset of personal information. Under the GDPR, this is referred to as ‘special categories of personal data,’ which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. As a medical device manufacturer, we may collect health data.
2. COLLECTION OF PERSONAL INFORMATION AND LAWFUL BASIS
We collect personal information that is reasonably necessary for us to carry out our functions and activities. Under the GDPR, we must have a lawful basis for processing your data.
The kinds of personal information we may collect and the lawful basis for our processing include:
2.1. Contact Information: Your full name, email address, postal or residential address, and telephone numbers.
Lawful Basis: Consent, and/or for the performance of a contract with you, and/or our legitimate interests (e.g., to respond to your inquiries).
2.2. Identification Information: Date of birth.
Lawful Basis: Consent, and/or our legal obligations (e.g., age verification).
2.3. Financial Information: Credit or debit card details, bank account details.
Lawful Basis: Performance of a contract.
2.4. Professional Information: If you are a healthcare professional, we may collect your professional registration number, qualifications, and place of practice.
Lawful Basis: Legitimate interests, and/or performance of a contract.
2.5. Health Information (Special Categories of Personal Data): As a medical device manufacturer, we may collect health information in order to provide our products and services, manage product inquiries or complaints, or for research and development purposes. This may include information about your medical conditions, treatments, and medical history.
Lawful Basis: Explicit consent from the individual, or for reasons of substantial public interest (e.g., ensuring high standards of quality and safety of medical devices), or for medical diagnosis, the provision of health care or treatment, or the management of health care systems.
3. HOW WE COLLECT YOUR PERSONAL INFORMATION
We collect personal information directly from you when you:
3.1. Purchase or use our products and services;
3.2. Subscribe to our newsletters, announcements, or notices;
3.3. Contact us via our website, internet messaging, or telephone;
3.4. Apply for a job with us;
3.5. Provide feedback, make an inquiry, or lodge a complaint;
3.6. Submit information through our share registry service provider; or
3.7. Use our website.
4. WE MAY ALSO COLLECT PERSONAL INFORMATION FROM THIRD PARTIES, INCLUDING:
4.1. Our business partners, distributors, and third-party suppliers;
4.2. Healthcare professionals or organisations who use our devices and provide us with information; and
4.3. Our share registry provider.
5. PURPOSES FOR PROCESSING
We process your personal information for the following specific purposes:
5.1. To provide our products and services to you and to manage our business relationship with you (performance of a contract).
5.2. To comply with our legal, regulatory, and reporting obligations (legal obligation).
5.3. To ensure the safety and quality of our medical devices (legitimate interests and/or substantial public interest).
5.4. For quality assurance, product development, research, and analysis related to our medical devices (legitimate interests).
5.5. To manage our internal business operations, including financial and accounting purposes (legitimate interests and/or legal obligation).
5.6. To consider and process your application for employment (legitimate interests and/or performance of a contract).
5.7. To send you direct marketing communications (consent or legitimate interests).
5.8. To improve and customise the content of our website (legitimate interests).
6. DATA MINIMISATION AND STORAGE LIMITATIONS
We will only collect and process personal information that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We will retain your personal information only for as long as necessary to fulfil the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements.
7. YOUR GDPR DATA PROTECTION RIGHTS
If you are a resident of the EEA, you have the following rights under the GDPR regarding your personal data:
7.1. The right to be informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data.
7.2. The right of access: You have the right to request a copy of the personal data we hold about you.
7.3. The right to rectification: You have the right to request that any incomplete or inaccurate data we hold about you is corrected.
7.4. The right to erasure (‘right to be forgotten’): You can ask us to delete your personal data where there is no good reason for us to continue to process it.
7.5. The right to restrict processing: You have the right to ask us to suspend the processing of your personal data.
7.6. The right to data portability: You have the right to request a copy of your personal data in a structured, commonly used, machine-readable format to transmit to another organisation.
7.7. The right to object to processing: You have the right to object to the processing of your personal data for direct marketing purposes, or where the processing is based on our legitimate interests.
7.8. The right to withdraw consent: Where we are relying on your consent to process your personal data, you have the right to withdraw that consent at any time.
To exercise any of these rights, please contact our Data Protection Officer (DPO) using the details below.
8. DISCLOSURE OF PERSONAL INFORMATION
We may disclose your personal information to the following types of third parties:
8.1. Our service providers: Third-party suppliers who assist us with business operations.
8.2. Our business partners: Such as distributors and joint venture partners.
8.3. Regulatory bodies: Including the TGA, US FDA, and relevant European regulatory authorities, where required or authorised by law.
8.4. Professional advisers: Such as lawyers, accountants, or auditors.
8.5. Our related entities.
8.6. In the event of a corporate transaction: To a successor entity.
8.7. To a healthcare professional: For the purpose of providing patient support.
9. INTERNATIONAL DATA TRANSFERS
As we are based in Australia, the disclosure of your personal information to us constitutes a transfer of data outside of the European Zone.
We will only transfer your personal data to a country outside the EEA if:
9.1. The European Commission has decided that the country provides an adequate level of data protection (an ‘adequacy decision’).
9.2. We have put in place appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure your personal data is protected.
9.3. You have provided explicit consent to the transfer after being informed of the risks.
We take all necessary measures to ensure that any transfer of personal data from the EEA is conducted in accordance with GDPR requirements.
10. DATA SECURITY AND BREACH NOTIFICATION
We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
We are required under the GDPR to notify the relevant supervisory authority and, in some cases, affected individuals, of a personal data breach without undue delay, and where feasible, not later than 72 hours after becoming aware of it. This obligation is separate from and in addition to the Australian NDB scheme.
11. DATA PROTECTION OFFICER (DPO)
For all matters related to this Privacy Policy and the processing of your personal data, you can contact our Data Protection Officer:
Data Protection Officer
CathRx Pty Ltd
Email: info@cathrx.com
Post: Unit 8, 2 – 8 South Street, Rydalmere NSW 2116, Australia
Phone: +61 (0)2 7804 1846
12. RIGHT TO LODGE A COMPLAINT
In Australia, if you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC) at:
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
In Europe, if you are a European resident and are not satisfied with our response to your complaint, or believe that our processing of your personal data is not in compliance with the GDPR, you have the right to lodge a complaint with your local data protection authority.
13. CHANGES TO THIS PRIVACY POLICY
We may amend this Privacy Policy from time to time by publishing an updated version on our website.