Protecting your privacy

We will adhere to the provisions of the Australian Privacy Principles (APPs) which are contained within the Privacy Act, in relation to how we collect, use, disclose and protect your Personal Information.

Where applicable, we also adhere to the requirements of the EU General Data Protection Regulation (GDPR).

We maintain ISO 27001 certification for our information security management system, demonstrating our commitment to protecting your data through internationally recognized security standards. For detailed information about our security practices, please visit our Security Trust Center at: https://trust.mobiddiction.com.au/

This policy aims to provide you with information to understand how We collect, use, store and disclose your Personal Information in accordance with the APPs and the GDPR. This policy applies where we are a 'data controller' in relation to your Personal Information. That is, where we are in control of the purposes and methods of processing your Personal Information.

Our legal basis for the collection, storage, use and disclosure of your Personal Information arises from your consent to this policy, the protection of our legitimate interests, including the delivery and improvement of our Services.

Definitions

In this policy:

Cookie

means a small piece of data stored on your device used to access our Website.

Personal Information

has the meaning given under the Privacy Act.

Privacy Act

means the Privacy Act 1988 (Cth).

Related Entities

has the same meaning as under the Corporations Act 2001 (Cth) and includes our franchisees.

Sensitive Information

has the same meaning as under the Privacy Act.

Services

means the offers and services provided by us or the companies and individuals who work with us.

Website

means http://www.mobiddiction.com.au/ and it's sub-pages includes other forms of social media where you post comments or we interact with you.

The meaning of any general language is not restricted by any accompanying example and the words 'includes', 'including', 'such as', 'for example' or similar words are not words of limitation.

What Personal Information do we collect and why do we need it?

To provide you with our Services or if you apply for a job with us, including by using the links on our Website, we need to collect Personal Information. If we do not collect the Personal Information or if any of the Personal Information you provide is incomplete or inaccurate, we may not be able to provide the Services or process a job application or the employment process may be compromised.

Depending on the nature of the Services we provide to you, the personal information we collect may include:

• your name, email address, telephone numbers as well as residential and/or mailing address;
• any information you provide if you apply for a job with us, including your qualifications;
• date of birth;
• Sensitive Information, for example, if you advise us of any medical conditions such as allergies;
• credit card details; and
• any other Personal Information relevant to the Services we provide to you.

3.1 Meta Platform Data Collection (VR Applications)

When you use our Virtual Reality (VR) applications on Meta Quest devices, we may collect and process the following information from the Meta Platform:

• User Profile Information: Your Meta account display name, profile picture, and account identifier (User ID) to authenticate your access to the application and personalize your experience.
• User ID: A unique identifier provided by Meta to verify your ownership of the application, manage your account within our services, authenticate your VR headset, and enable access to licensed content.

Why We Collect Meta Platform Data:

• Authentication & Authorization: To verify that you have a valid license to use our VR applications and to authenticate your VR headset with your account.
• Content Delivery: To provide you with personalized VR content and experiences based on your account and subscription status.
• Account Management: To create and maintain your user profile within our platform, link your VR headset to your workspace, and manage your content library.
• Service Delivery: To enable the core functionality of our VR applications, including content synchronization, progress tracking, and multi-device support.
• Technical Support: To provide customer support and troubleshoot issues related to your VR headset and application usage.

What We Do NOT Collect: We do not collect or access sensitive VR data such as room mapping, hand tracking data, eye tracking data, body tracking, voice recordings, photos/videos captured within the headset, or your physical location data from the Meta Platform beyond what is necessary for authentication.

How do we collect the Personal Information?

We aim to collect Personal Information directly from you. We may also collect Personal Information:

• through our Website and by other electronic communication channels (e.g. when you send us an email or post an entry on our Facebook page);
• from third parties;
• from publicly available sources of information;
• when we are required to do so by law;
• when you log onto or connect to our Website and our server automatically records information your browser sends (e.g. your IP address, how and when you travel through our Website, the pages and documents accessed, information about your usage, e.g. by way of cookies and other information provided by downloading information from our website). However, unless your name is part of your email address or you specifically provide it, our server does not automatically collect this information. You can also adjust the settings on your computer to decline any cookies if you wish;
• over the phone, if you tell us information about you;
• from a third party engaged by you (such as a web developer);
• if you use any of our online forums;
• when you enter a competition or promotion with us, participate in a survey or register to receive information from us or register to receive information on any of our Services.

If at any time you supply Personal Information to us about any other person (e.g. another member of your household or you post a photo on our Website), you represent and we accept that information on the basis that you are authorised to do so and that the relevant person has consented to the disclosure to us.

4.1 Collection of Meta Platform Data (VR Applications)

When you use our VR applications on Meta Quest devices, we collect information from the Meta Platform through the following methods:

• Application Launch: When you first launch our VR application on your Meta Quest device, the application requests authentication from the Meta Platform to verify your identity and app ownership.
• Meta Platform API: Our application uses Meta's Platform APIs to retrieve your User ID and basic profile information (display name, profile picture) that you have authorized us to access through your Meta account permissions.
• Device Authentication: Your VR headset communicates with our servers using your Meta User ID to authenticate and authorize access to content and features you are entitled to use.
• Ongoing Session Management: During your use of the VR application, we maintain your authentication session to provide continuous access to services and content.

Your Control Over Meta Platform Data:

• You can revoke our application's access to your Meta account data at any time through your Meta Quest privacy settings or Meta account settings.
• Revoking access will prevent the application from accessing your profile information, but may limit or prevent functionality of the VR application.
• You can request deletion of your Meta Platform data from our systems using the mechanisms described in Section 10.

This privacy statement only covers the collection of Personal Information by our sites and applications only and does not cover the collection of Personal Information from other third parties you access via a hyperlink or otherwise on our sites or applications, whether or not affiliated with us. Meta's collection and use of your data through the Meta Platform is governed by Meta's Privacy Policy, available at: https://www.meta.com/legal/quest/privacy-policy/

How do we use your Personal Information?

We use the Personal Information we collect for operational purposes and to:

• provide our Services, including fulfilling orders and payment of invoices;
• comply with our licensing and other legal obligations;
• respond to medical emergencies;
• process your inquiries and improve our Services, including to assist our staff training and development initiatives;
• advise you of additional services or information which may be of interest to you;
• provide your contact details to companies and individuals who have agreed to provide you with the offers described on our Website (you may opt out of receiving this information at any time);
• communicate with you;
• use for security purposes; and
• develop our products and services.

Any communication with us (regardless of mode) is recorded and stored to assist with the operational purposes set-out above. If at any time you no longer wish to receive any additional marketing material from us or do not want your information disclosed for direct marketing purposes, contact us using the details in section 10 and we will remove your details from our marketing database.

5.1 How We Use Meta Platform Data (VR Applications)

Specifically, we use Meta Platform data (User ID and User Profile information) for the following purposes:

• User Authentication: We use your Meta User ID to verify your identity when you access our VR applications.
• License Verification: We verify that you have a valid license or entitlement to use our VR application by validating your Meta User ID against our subscription and licensing records.
• Account Creation & Management: We use your Meta User Profile information (display name, profile picture) to create and maintain your user account within our platform.
• Device Pairing & Management: We link your Meta User ID to your registered VR headsets to enable device management, content synchronization across devices, and headset authentication.
• Content Delivery & Personalization: We use your User ID to deliver appropriate content packages, VR experiences, and features based on your subscription level and licensed entitlements.
• Usage Analytics: We collect aggregated, anonymized usage data to understand how users interact with our VR applications. This data does NOT include personally identifiable information.
• Customer Support: We use your User ID and profile information to provide technical support and respond to your support requests.
• Service Communication: We may use your profile information to send you important service-related notifications.
• Workspace Management: For organizational/enterprise users, we use your Meta User ID to manage workspace memberships and assign content access permissions.

What We Do NOT Do With Meta Platform Data:

• We DO NOT sell, rent, or share your Meta Platform data with third parties for their marketing purposes.
• We DO NOT use your Meta Platform data for targeted advertising or behavioral tracking outside of our VR applications.
• We DO NOT combine your Meta Platform data with other data sources to create detailed user profiles for purposes unrelated to providing our VR services.
• We DO NOT access or process sensitive VR sensor data (such as eye tracking, hand tracking, room mapping) beyond what is necessary for application functionality.

Data Retention: We retain your Meta Platform data for as long as your account remains active, as required to provide ongoing services, as required by law, or to resolve disputes; after which time we will delete or anonymize your data as described in Section 10.

Disclosing personal information

We may be required to disclose your Personal Information by law, by court order or to investigate suspected fraud or other unlawful activity.

We may also disclose your Personal Information to third parties in certain circumstances including:

• if you agree to the disclosure;
• when we use it for the purpose for which it was collected, e.g. to provide you with Services;
• in circumstances where you would reasonably be expected to consent to information of that kind being passed to a third party;
• where disclosure is required or permitted by law;
• where it is required to be disclosed for audit purposes;
• to our Related Entities;
• if disclosure will prevent or lessen a serious or imminent threat to someone's life or health; or
• where it is reasonably necessary for the enforcement of the criminal law, a law imposing a pecuniary penalty or for the protection of public revenue.

6.1 Third-Party Service Providers

We work with carefully selected third-party service providers to deliver our Services. These service providers may process your Personal Information on our behalf for purposes such as: Cloud Infrastructure (e.g. AWS, data stored in Sydney, Australia), Payment Processing (e.g. Stripe), Email Communications, Analytics (aggregated and anonymized), Customer Support, and Identity Verification. When we disclose your Personal Information to our third party service providers, we ensure they have appropriate data security policies, require them to process data only according to our instructions, conduct security assessments, maintain contracts requiring compliance with privacy laws, limit access to only necessary data, and regularly review their security practices. We do NOT sell, rent, or trade your Personal Information to third parties for their own marketing purposes.

6.2 Legal Disclosure Requirements

We may disclose your Personal Information when required by law, including in response to a subpoena or court order, to comply with regulatory requirements, to protect our legal rights or safety, to investigate fraud or illegal activities, or in connection with a corporate transaction where appropriate safeguards are in place.

Jurisdiction and Cross-Border Transfers

Due to the nature of the Services provided, your Personal Information may be stored and processed in any country where we have operations or where we engage service providers, and we may transfer your Personal Information to countries outside of your country of residence. These countries may have different privacy and data protection rules to those of Australia and/or your country. However, we will endeavour to ensure that any such transfers comply with applicable laws and that your Personal Information remains protected. In some circumstances, courts, law enforcement agencies, regulatory agencies or other official authorities in those countries may be entitled to access your Personal Information.

7.1 International Data Transfers

Our primary data storage is located in Australia (AWS Sydney for Australian users), the United States (for certain service providers and platform integrations), and the European Union (for EU/UK users where applicable). When we transfer Personal Information internationally, we ensure appropriate safeguards are in place such as Standard Contractual Clauses (SCCs), Privacy Shield or equivalent frameworks, Binding Corporate Rules, adequacy decisions, or your explicit consent where required by law. For more information, please contact our Privacy Officer.

Children's Privacy

We are committed to protecting the privacy of children who use our Services, particularly our VR applications on Meta Quest devices.

Age Requirements: General Services require users to be at least 13 years of age. VR Applications require users to meet Meta Quest's minimum age requirements. Some healthcare/medical services may require users to be 18+ or have parental/guardian consent.

Age Verification: We implement age verification measures including requiring date of birth during account registration, relying on Meta Platform's age verification for VR applications, blocking access for users who do not meet minimum age requirements, and verifying parental consent where required by law.

Parental Controls and Consent: For users under 18 (or under 16 in certain jurisdictions), we may require verifiable parental or guardian consent before collecting Personal Information. Parents/guardians can review, request deletion of, or refuse further collection of their child's Personal Information by contacting us. For VR applications used in healthcare settings, we require healthcare provider authorization and may require parental consent. Parents/guardians can use Meta Quest's parental controls to manage their child's VR experience.

Limited Data Collection for Minors: For users we know to be under 18, we limit data collection to what is necessary, do not collect Sensitive Information without explicit parental consent, do not use children's data for marketing or profiling, do not disclose children's Personal Information to third parties except as necessary to provide Services, and apply stricter data retention policies (deletion within 90 days of account closure).

Parent/Guardian Rights: Parents or guardians may review the Personal Information collected from their child, request deletion, refuse to permit further collection or use, and contact us at contactus@mobiddiction.com.au. For more information about Meta Quest's approach to age-appropriate experiences, see: Meta Quest Age-Appropriate Experiences.

Considerations when you send information to us

While we do all we reasonably can to protect your Personal Information from misuse, loss, unauthorised access, modification or disclosure, including investing in security software, no data transfer over the Internet is 100% secure. The open nature of the Internet is such that information exchanged via the Internet may be accessed and used by people other than those for whom the data is intended. If you send us any information, including (without limitation) Personal Information, it is sent at your own risk.

If you provide Personal Information to us electronically, there are steps you can take to help maintain the information's privacy. These include:

• always closing your browser when you have finished your session;
• NEVER providing Personal Information by using a public computer; and
• NEVER disclosing your user name and password to another person.

You are responsible for all actions taken using your username, email or password. If at any time you believe your username or password has been compromised, you should immediately contact us and also change your password. You should also contact us immediately if you believe: someone has gained access to your Personal Information; we have breached our privacy obligations or your privacy rights in any way; or you would like to discuss any issues about our Privacy Policy.

How your information is stored and secured

We endeavour to keep our information systems and files secured from unauthorised access. Those who work with us, including our third-party service providers, are aware of the importance we place on protecting your privacy and their role in helping us to do so.

9.1 ISO 27001 Certified Information Security

We maintain ISO 27001 certification for our information security management system. This internationally recognized standard demonstrates our commitment to protecting your personal information through: Risk Assessment & Management, Access Controls, Encryption (in transit and at rest), Security Monitoring, Incident Response, Regular Audits, Employee Training, Physical Security, and Business Continuity. For detailed information, please visit our Security Trust Center at: https://trust.mobiddiction.com.au/

9.2 Technical and Organizational Security Measures

Our procedures include: multi-factor authentication for administrative access, regular security patching and vulnerability management, network segmentation and firewall protection, intrusion detection and prevention systems, secure backup procedures with encrypted storage, password protection software and policies, security logging and audit trails, regular penetration testing, and vendor security assessments.

9.3 Data Breach Notification

In the unlikely event of a data breach that affects your Personal Information, we will notify you as soon as reasonably practicable (within 72 hours where required by law), notify relevant regulatory authorities as required, provide details about what information was affected and what actions we are taking, recommend steps you can take to protect yourself, and investigate the cause and implement measures to prevent future breaches.

9.4 Data Retention

When the Personal Information that we collect is no longer required, we will remove or de-identify it as soon as reasonably possible. We may, however, retain Personal Information for as long as is necessary to comply with any applicable law, for the prevention of fraud, for insurance and governance purposes, in our IT back-up, for the collection of any monies owed and to resolve disputes. Specific retention periods include: Account Data (while active and 90 days after closure), Transaction Records (7 years as required by Australian taxation law), Audit Logs (2 years), Usage Analytics (aggregated and anonymized may be retained indefinitely), Backup Systems (up to 90 days), Marketing Communications (until opt-out, then removed within 30 days).

How you can update, correct, or delete your Personal Information

You may request access to your Personal Information, request correction of any inaccurate or out-of-date information, or request deletion of your Personal Information by contacting our Privacy Officer using the details below. For security purposes, before we process your request, we may require you to provide evidence of your identity.

You may also request information about the source of any Personal Information we collect from a third party. We will provide this information at no cost, unless there is a lawful reason under the Privacy Act or another applicable law for withholding it. If there is a reason under the Privacy Act or another law for us to refuse access, correction, or deletion of your Personal Information, we will provide you with a written notice of refusal that sets out the reasons for the refusal (unless it would be unreasonable to do so) and the mechanisms available to you to make a complaint.

10.1 Data Deletion Requests

Method 1: Through Your Account (Recommended) — If you have an active account: Mapiddiction Users: Log in to app.mapiddiction.com.au → Profile → Privacy → "Delete My Account". PatientVR Users: Log in to app.patientvr.com → Profile → Privacy → "Delete My Account". Follow the on-screen instructions. Your account will be immediately deactivated and data will be permanently deleted within 30 days.

Method 2: Public Deletion Request (If You Cannot Log In) — Visit our Data Deletion Portal at: https://www.mobiddiction.com.au/privacy-data-deletion/ Follow the instructions to submit a deletion request via email to contactus@mobiddiction.com.au. Include your name, email address, and which service you used. We will respond within 5 business days and process your request within 30 days.

What Happens When You Request Data Deletion: We will deactivate your account and prevent further data collection within 48 hours; permanently delete your Meta User ID and associated profile information, remove device pairing records and authentication tokens, delete your user account and associated workspace memberships, anonymize usage analytics data, and delete stored preferences and subscription records within 30 days. We may retain certain data if required by law, for fraud prevention, to resolve disputes, or to enforce our agreements. Backup systems may retain data for up to 90 days. Aggregated, anonymized analytics and transaction records (7 years for Australian law) may be retained.

Third-Party Platform Data: This deletion request only covers data we collect and store. To delete data held by Meta, you must submit a separate request directly to Meta through your Meta account privacy settings at: https://www.meta.com/help/quest/articles/accounts/privacy-information-and-settings/access-your-information/

Changes to our Privacy Policy

This document sets out our current Privacy Policy. Our Privacy Policy will be updated from time to time. You should review our Privacy Policy each time you visit our Website or provide us with Personal Information.

Contact us

If you would like further information on our Privacy Policy or if you have any concerns over the protection of the information you have given to us or that we have collected from others, please contact our Privacy Officer:

• Email:contactus@mobiddiction.com.au
• Post: Privacy Officer, MOBIDDICTION Pty Ltd, Level 14, 167 Eagle Street, Brisbane, QLD 4000, Australia
• Security Trust Center:https://trust.mobiddiction.com.au/
• Data Deletion Requests:https://www.mobiddiction.com.au/privacy-data-deletion/ or contactus@mobiddiction.com.au

Australian Privacy Complaints: More information about your rights and our obligations are available from the Office of the Australian Information Commissioner: Website: www.oaic.gov.au | Post: GPO Box 5218, Sydney NSW 2001, Australia | Email: enquiries@oaic.gov.au | Phone: 1300 600 670 (within Australia).

EU/GDPR Complaints: If you are located in the European Union or European Economic Area, you have the right to lodge a complaint with your local data protection authority.

Version History: January 2026 — Updated to include Meta Platform data collection details, comprehensive data deletion mechanisms, ISO 27001 security information, children's privacy provisions, and third-party service provider details. December 2025 — Updated deletion of data request policy.