Privacy Policy

Effective date: 20th of April, 2026

Compound Direct Pty Ltd. is engaged in the development, operation, and maintenance of the Compound Direct Platform, a proprietary software solution designed to simplify and optimise pharmaceutical compounding processes and enable the secure management of related data.

Pharmacies and healthcare providers use the Compound Direct Platform to manage prescriptions, conduct patient risk assessments, process medication orders, and facilitate the safe preparation and delivery of compounded medicines. The Compound Direct Platform also supports secure communication, workflow coordination, and data management between pharmacies and their patients.

This Privacy Policy ("Policy") applies to all personal information processed through the Compound Direct Platform. It explains how data is collected, used, and safeguarded, the limited circumstances under which Compound Direct may access or process it, and the rights and protections afforded under applicable privacy laws. It also describes your rights and choices as a data subject, including how to exercise them through your pharmacy.

1. Defined Terms

For clarity, the following terms have the meanings set out below when used in this Policy:

"Compound Direct," "we," "our," or "us" refers to Compound Direct Pty Ltd, the entity responsible for the operation of the Compound Direct Platform and for the processing of Personal Information as described in this Policy.

When processing Personal Information, Compound Direct acts solely as a Data Processor on behalf of Healthcare Organisations and processes such Personal Information only in accordance with their instructions and authority, and not for its own independent purposes.

This restriction applies only to Personal Information. It does not apply to Aggregated Data or De-identified Data (as defined below), which do not constitute Personal Information and may be processed by Compound Direct for its own legitimate business purposes as described in this Policy.

"CD Platform" means the proprietary software system developed, operated, and maintained by Compound Direct to simplify and optimise pharmaceutical compounding processes and to securely manage related data, including prescriptions, risk assessments, and communications between pharmacies and patients.

"Healthcare Organisations" means pharmacies, healthcare providers, or other licensed organisations that use the CD Platform to provide compounding, dispensing, or related pharmaceutical services. For purposes of this Policy, Healthcare Organisations act as Data Controllers, who collect and determine the purposes and means of processing the Patients' Personal Information.

"Patients" means patients, customers, or other individuals whose Personal Information is processed by Healthcare Organisations through the use of the CD Platform. Patients are the data subjects under applicable privacy laws.

"Personal Information" (also referred to as "Personal Data") means any information or opinion that identifies, relates to, or could reasonably identify an individual, directly or indirectly. This includes, but is not limited to, names, contact details, medical information, prescription data, and payment information.

For the avoidance of doubt, Personal Information does not include De-identified Data or Aggregated Data (as defined below). In addition, data derived from or relating to Patients or Healthcare Organisations that is clinical, medical, or health-related in nature is categorically excluded from any Aggregated Data or De-identified Data.

"Sensitive Information" means a subset of Personal Information that includes health and medical details, such as medical history, allergies, prescriptions, dosage requirements, and compounding specifications. Sensitive Information is processed only where necessary for healthcare provision and in accordance with applicable law. Sensitive Information does not include De-identified Data or Aggregated Data.

"Processing" means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, transfer, restriction, erasure, or destruction.

"Data Controller" means the person or entity that determines the purposes and means of processing Personal Information. For the purposes of this Policy:

  • Healthcare Organisations act as Data Controllers with respect to the Patients' Personal Information processed through the CD Platform, as they determine how and why such information is collected and used.
  • Compound Direct acts as a Data Controller only in limited circumstances, such as those described in Section 2 hereof (Our Role in Data Processing).

"Data Processor" means the person or entity that processes Personal Information on behalf of, and in accordance with the instructions of, a Data Controller. For the purposes of this Policy, Compound Direct acts as a Data Processor when processing the Patients' Personal Information on behalf of Healthcare Organisations in connection with their use of the CD Platform.

"Subprocessor" means any third-party service provider engaged by Compound Direct to support the delivery of the CD Platform, such as cloud hosting, payment processing, or analytics providers, each of which is contractually bound to maintain confidentiality and implement appropriate data protection measures.

The full and current list of Subprocessors engaged by Compound Direct is maintained in Appendix "A" - Subprocessor List, which is accessible through the CD Platform. Compound Direct updates this Appendix from time to time to reflect changes in Subprocessors, ensuring continued compliance with its contractual and data-protection obligations.

"Aggregated Data" means data that has been combined across multiple data points, entities, or sources such that it represents collective trends, patterns, or statistics and does not reasonably permit identification of any individual, Patient, Healthcare Organisation, or other specific person or entity. Aggregated Data may include summaries, averages, trends, or other high-level insights derived from platform usage or operational activity.

"De-identified Data" means Aggregated Data or any data processed to remove or alter personal identifiers, followed by the application of any additional techniques or controls required to remove, obscure, aggregate, alter, and/or protect data in some way so that it is no longer reasonably identifiable to a specific person or entity, taking into account the nature of the data, available technology, the context of processing, and foreseeable risks of re-identification. As such, De-identified Data does not constitute Personal Information or Sensitive Information under applicable privacy laws.

"Operational Data" means data generated through the use and operation of the CD Platform that relates to workflows, transactions, system usage, performance, inventory movement, ingredients, formulations, compositions, preparation methods, purchasing activity, sales volumes, or similar commercial or operational activity.

2. Our Role in Data Processing

For the purposes of applicable privacy laws, Healthcare Organisations are the Data Controllers of any Personal Information processed through the CD Platform. Healthcare Organisations determine the purposes, scope, and lawful bases for which the Patients' Personal Information, including Sensitive Information, is collected, used, or disclosed.

Compound Direct acts as a Data Processor on behalf of Healthcare Organisations. We process Personal Information only as necessary to provide, maintain, and secure the CD Platform and its related services, and strictly in accordance with each of the Healthcare Organisations' instructions. We do not determine or influence the purposes for which the Patients' data is collected, used, or otherwise processed.

Compound Direct may, however, act as a Data Controller in limited circumstances, specifically in relation to data that we collect and process for our own operational, administrative, or commercial purposes. These include:

  1. Account and Contact Information of the Healthcare Organisations and their authorised users or staff, used to manage the Patients' data, provide support, and deliver contractual services;
  2. Technical and Platform Usage Data, such as logs, diagnostics, and analytics, used to maintain, improve, and secure the CD Platform;
  3. Administrative, Financial, and Compliance Records required to operate our business, meet legal obligations, and ensure regulatory compliance;
  4. Operational Data of Healthcare Organisations which may be processed into Aggregated Data or De-identified Data.

In these cases, Compound Direct independently determines the purposes and means of processing to ensure the proper operation, security, and integrity of the CD Platform.

Where Compound Direct acts as a Data Processor, this Policy should be read in conjunction with the privacy policy of the relevant Healthcare Organisation, which governs how the Patients' information is collected, used, and shared.

Patients who wish to exercise their privacy rights, such as access, correction, or deletion of their Personal Information, should contact the relevant Healthcare Organisation directly.

3. Our Commitment

We maintain a comprehensive data protection program designed to comply with applicable data protection and privacy laws, including the EU General Data Protection Regulation ("GDPR"), the Australian Privacy Act 1988 ("APA"), and the Australian Privacy Principles ("APPs"), as applicable to the nature of the data we process and our role in such processing.

To ensure consistent protection for all users worldwide, we also adopt generally recognised privacy principles and regularly review and update our policies, practices, and technical safeguards to reflect evolving legal and industry requirements.

5. How We Share Information

Compound Direct shares Personal Information only where it is necessary to operate, maintain, or support the CD Platform, and always under appropriate safeguards.

When acting as a Data Processor, we disclose information solely under the instructions of the Healthcare Organisation and for the purposes permitted by applicable privacy laws.

The following table summarises the categories of recipients with whom Personal Information may be shared, the limited purposes for which such disclosures occur, and the safeguards that govern these transfers.

Recipient: Healthcare Organisations and Healthcare Professionals
  • Purpose / Safeguard: To process prescriptions, perform risk assessments, and facilitate the safe delivery of compounded medicines to the Patients. Healthcare Organisations, as Data Controllers, remain responsible for ensuring compliance with healthcare confidentiality obligations and applicable privacy laws.

Recipient: Payment Processors
  • Purpose / Safeguard: To process payments securely on behalf of Healthcare Organisations. Payment data is encrypted, tokenised, and handled directly by Subprocessors that provide payment processing services as listed in Appendix "A" - Subprocessor List. Compound Direct does not store or access full payment card details.

Recipient: Subprocessors
  • Purpose / Safeguard: To provide essential infrastructure, cloud hosting, data analytics, email delivery, and security services that support the operation of the CD Platform.

Recipient: Regulators and Authorities
  • Purpose / Safeguard: To comply with applicable laws, regulations, or valid legal processes. Any such disclosure is limited to the information legally required and conducted in coordination with the relevant Healthcare Organisation, where applicable.

Recipient: Corporate Transactions
  • Purpose / Safeguard: If Compound Direct is involved in a merger, acquisition, restructuring, or sale of assets, Personal Information may be transferred as part of that transaction under safeguards ensuring continued protection consistent with this Policy.

Compound Direct does not sell, rent, or trade Personal Information, and does not use the Patients' data for advertising, profiling, or marketing purposes. Patient clinical or health data is never shared, licensed, or commercialised.

Separately, Compound Direct may use, share, license, or commercialise De-identified Data, provided that such data does not constitute Personal Information or Sensitive Information and does not identify, and cannot reasonably be used to identify, any individual, Patient, Healthcare Organisation, or specific site. Any sharing, licensing, or commercialisation of data by Compound Direct outside the above table shall be limited to De-identified Data.

6. Personal Data Retention

Compound Direct retains Personal Information only for as long as necessary to fulfill the purposes for which it was processed or as required by applicable law, regulation, or contractual obligations with Healthcare Organisations.

When acting as a Data Processor, we retain Patient information in accordance with the instructions of the Healthcare Organisation, including any applicable healthcare or professional retention requirements. Once our services to the Healthcare Organisation end, we may return or delete the data in accordance with the governing agreement and legal obligations.

Retention periods vary depending on the category of information and its purpose:

1. Account and Client Information

  • Scope: Business contact details, account credentials, and related records of Healthcare Organisations and authorised users.
  • Retention: Maintained for the duration of the client relationship and for a limited period thereafter to resolve billing, audit, or compliance matters.

2. Health and Medical Records (Client Data)

  • Scope: Health and medical information processed on behalf of Healthcare Organisations, including prescriptions, risk assessments, and compounding details.
  • Retention: Retained for the period directed by the Healthcare Organisation or as required under applicable healthcare and recordkeeping laws (typically up to seven years from the last interaction).
  • Disposition: After the retention period, such records may be securely deleted or anonymised, unless further retention is required by law or the Healthcare Organisation's instructions.

3. Payment and Transaction Data

  • Scope: Billing details, transaction confirmations, and related payment records.
  • Retention: Retained only for as long as necessary to complete transactions, process refunds or chargebacks, and comply with financial, taxation, and anti-fraud recordkeeping requirements.
  • Note: Compound Direct does not store or retain full payment card details; cardholder data is managed directly by our authorised payment processors (see Appendix "A").

4. Technical and Usage Data

  • Scope: Log files, diagnostics, and platform analytics.
  • Retention: Retained for a limited period as reasonably necessary to ensure platform performance, monitor security, and support troubleshooting or analytics. Following such use, technical and usage data may be securely deleted or processed into Aggregated Data or De-identified Data.

5. Communications and Support Records

  • Scope: Inquiries, technical support requests, and related correspondence.
  • Retention: Maintained for as long as necessary to address your inquiry, provide support, and maintain service records, subject to applicable legal or regulatory requirements.

6. Deletion and De-identification

  • When data is no longer required for the purposes described above or under the Healthcare Organisation's instructions, it may be securely deleted or de-identified so that it can no longer reasonably identify an individual.
  • Where deletion is not immediately possible due to technical or legal constraints, the data will be isolated and protected from further processing until it can be securely removed.

7. Data Security

We take the protection of Personal Information seriously and implement a combination of technical, organisational, and administrative safeguards to keep data secure.

These measures are designed to prevent unauthorised access, disclosure, alteration, or destruction of Personal Information and are continuously reviewed to align with evolving industry standards.

Our safeguards include:

  1. Encryption in Transit and at Rest: All data transmitted through or stored within the CD Platform is protected using industry-standard encryption protocols. This means that information is protected both while being sent over the internet ("in transit") and while it is stored on our systems ("at rest").
  2. Payment Data Protection: Payment details are tokenised to ensure that sensitive payment information is never stored in raw form within our systems. We also use 3-D Secure Authentication protocols for online transactions to provide an added layer of fraud prevention and user verification.
  3. Access Controls: Access to Personal Information is strictly limited to authorised employees and contractors who require it to perform their duties. We use role-based permissions, multi-factor authentication, and activity logging to prevent unauthorised access and to maintain an auditable record of data handling activities.
  4. Secure Infrastructure: The CD Platform operates on secure, monitored servers that are protected by firewalls, intrusion detection systems, and redundant backups. These safeguards are designed to ensure platform stability, protect against network-based attacks, and prevent data loss in the event of system failure or disaster.
  5. Testing and Audits: We conduct regular vulnerability scans, penetration tests, and security audits to identify and address potential weaknesses. Continuous monitoring helps us detect suspicious activity early, while third-party audits provide independent assurance that our security practices remain effective and compliant with industry standards.
  6. Employee Training and Awareness: Compound Direct personnel with access to personal or health information receive privacy and security training appropriate to their access level. This training ensures that everyone handling Personal Information understands their responsibilities and adheres to legal, ethical, and procedural safeguards.
  7. Incident Response: We maintain formal procedures to detect, investigate, and respond to security incidents or data breaches. If an incident occurs that may affect the rights or freedoms of individuals, Compound Direct will promptly notify the affected Healthcare Organisation, or, where Compound Direct acts as Data Controller, the affected individuals and relevant supervisory authorities, as required by law.

When acting as a Data Processor, Compound Direct assists Healthcare Organisations in meeting their breach-notification obligations under applicable privacy laws.

8. Your Rights

The rights available to you depend on your relationship with us and the nature of the data being processed.

Patients

Because Healthcare Organisations act as Data Controllers for Patient information, any requests to access, correct, delete, or otherwise exercise rights over your Personal Information should be directed to the Healthcare Organisation.

Compound Direct acts solely as a Data Processor in this context and does not determine the purposes or means of processing Patient Personal Information. Accordingly, Compound Direct does not respond directly to Patient rights requests, except to the extent required to assist the Healthcare Organisation in complying with applicable privacy laws.

Privacy rights apply only to Personal Information, and shall not extend to Aggregated or De-identified Data.

Requests relating to data processed by Compound Direct exclusively on behalf of a Healthcare Organisation will be referred to that Healthcare Organisation, unless Compound Direct is required by law to act directly.

Healthcare Organisations and Authorised Users

If you are a Compound Direct client or authorised user of a client account, you may contact us directly to exercise your privacy rights, including:

  1. Access: Obtain confirmation of whether we hold your Personal Information and request a copy.
  2. Rectification: Request correction or completion of inaccurate or incomplete Personal Information.
  3. Erasure: Request deletion of Personal Information, unless retention is required by law or contract.
  4. Restriction: Request temporary suspension of processing while a dispute regarding accuracy or lawfulness is reviewed.
  5. Data Portability: Request transfer of your Personal Information in a structured, commonly used, and machine-readable format.
  6. Objection: Object to processing based on legitimate interests or for direct marketing.
  7. Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
  8. Complaint: You may contact our Privacy Officer regarding any concerns about our handling of your Personal Information. If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner ("OAIC") or your local data protection authority.

We will respond to all valid requests within the timeframes required by law. Some rights may be subject to conditions or exceptions under the GDPR, APPs, or other applicable regulations.

9. International Data Transfers

Because the CD Platform supports Healthcare Organisations and their Patients in multiple jurisdictions, Personal Information processed through the CD Platform may be transferred to, stored, or accessed from countries outside your own, including those where our Subprocessors or Healthcare Organisations operate.

When such cross-border processing occurs, Compound Direct acts as a Data Processor on behalf of the relevant Healthcare Organisation, and implements appropriate safeguards to protect Personal Information in accordance with the Healthcare Organisation's instructions and applicable privacy laws.

To ensure that Personal Information remains protected wherever it is processed, we apply the following measures:

  1. Standard Contractual Clauses ("SCCs"): For data originating from the European Union ("EU") or European Economic Area ("EEA"), we rely on SCCs to ensure that transfers to our Subprocessors or hosting providers maintain an equivalent level of data protection.
  2. Australian Privacy Principles: For data originating from Australia, we comply with the APPs, which require that overseas recipients handle Personal Information in a manner consistent with Australian privacy standards.
  3. Due Diligence and Contractual Protections: We engage only trusted Subprocessors (see Appendix "A") and require them to implement technical, organisational, and contractual safeguards to ensure security, confidentiality, and compliance with applicable privacy obligations.
  4. Consistent Global Standards: In jurisdictions without equivalent data protection laws, we apply internationally recognised privacy and security principles to maintain a uniform level of protection across all regions.

Transfers or uses of De-identified Data may occur globally for legitimate business purposes, including analytics, benchmarking, and commercialisation, provided such data does not constitute Personal Information and cannot reasonably be used to identify any individual, Patient, Healthcare Organisation, or specific site.

Because such data falls outside the scope of Personal Information, these transfers are not subject to cross-border transfer requirements that apply specifically to Personal Information. Nevertheless, Compound Direct applies reasonable technical and organisational safeguards to protect such data and to reduce the risk of re-identification.

These measures help ensure that Personal Information processed through the CD Platform remains protected and handled in a manner consistent with this Policy and applicable legal requirements, regardless of where it is transferred or stored.

11. Cookies and Tracking Technologies

When you use the CD Platform, we and our authorised Subprocessors (see Appendix "A") may use cookies and similar technologies (such as pixels, web beacons, and local storage) to support the secure and reliable operation of the platform.

These technologies are used for limited, functional purposes, including to:

  • Maintain session integrity and remember user preferences, so that authorised users remain securely logged in and their settings persist between sessions;
  • Monitor system performance and detect technical issues, helping us ensure platform stability and troubleshoot errors efficiently; and
  • Generate aggregated and anonymised usage analytics, which allow us to improve reliability, optimise performance, and enhance user experience.

Data derived from cookies or tracking technologies may be processed into De-identified Data, which does not constitute Personal Information and may be used for analytics and legitimate business purposes.

Compound Direct does not use cookies or similar technologies to deliver third-party advertising, profile users, or track activity across unrelated websites or applications.

We do not use cookies or tracking technologies to collect or infer Patient clinical, health, or treatment information, nor are such technologies used to create De-identified Data or Aggregated Data derived from Patient health data.

You can manage or disable cookies through your browser settings.

Where cookies are not strictly necessary for the operation of the CD Platform, we or the relevant Healthcare Organisation (as the Data Controller) will seek your consent before enabling them.

12. Updates to the Policy

We may update this Policy from time to time to reflect legal, technical, or operational changes. The latest version of this Policy will always govern how we process Personal Information through the CD Platform.

When we update this Policy, we will let you know in the following ways:

  • For minor updates, such as clarifications or improvements in wording, we will simply publish the revised Policy on our website or within the CD Platform.
  • For major updates, such as significant changes to how we collect, use, or share Personal Information, we will take reasonable steps to notify affected Healthcare Organisations and, where appropriate, their Patients, which may include sending an email or displaying a notice within the CD Platform.

We encourage you to review this Policy regularly to stay informed about how we protect your information. Your continued use of the CD Platform after any updates indicates your acceptance of the revised Privacy Policy.

13. Contact Us

Should you have any questions, concerns, or requests regarding this Policy or the way your Personal Information is managed, please do not hesitate to contact us at:

Compound Direct Pty Ltd.
Email: support@compound.direct
Phone: 1300 191 676

If you are a Patient, please direct privacy-related requests, such as access, correction, or deletion, to your pharmacy or healthcare provider, which acts as the Data Controller of your information.

APPENDIX A – SUBPROCESSOR LIST

Compound Direct Pty Ltd engages the following third-party subprocessors to support the operation and delivery of the Compound Direct Platform ("CD Platform"). Each Subprocessor is engaged solely for the purposes described below and is subject to appropriate contractual, technical, and organisational safeguards to protect Personal Information.

1. Amazon Web Services, Inc. (AWS)

  • Purpose: Cloud hosting, data storage, backup, infrastructure services for the CD Platform, and delivery of transactional email and SMS messages
  • Categories of Data Processed: Personal Information and Sensitive Information submitted through the CD Platform (including patient risk assessments, prescription-related data, technical usage data, and contact details required to deliver secure access links via email or SMS), as instructed by Healthcare Organisations
  • Notes: SMS messages are used solely to deliver secure platform access links. No patient health information or assessment content is transmitted via SMS.
  • Primary Data Location: Australia

2. Nuvei / Till Payments

  • Legal Entity: Nuvei Corporation and its affiliated entities operating the Till Payments platform
  • Purpose: Secure payment processing for transactions initiated through the CD Platform
  • Categories of Data Processed: Payment and transaction data (e.g. transaction amount, billing identifiers, payment confirmation details)
  • Notes: Compound Direct does not collect, store, or have access to full payment card details. All cardholder data is handled directly by the payment processor using secure, tokenised payment flows.
  • Primary Processing Locations: Australia and other jurisdictions in which Nuvei/Till Payments operates, in accordance with their payment processing infrastructure

3. Starshipit Ltd

  • Purpose: Shipping and delivery management services
  • Categories of Data Processed: recipient name, delivery address, contact details, and shipment information
  • Notes: Shipping information is provided only where required to facilitate order delivery. No payment card data or patient health information is processed by Starshipit.
  • Primary Data Location: Australia

4. Mailchimp (The Rocket Science Group LLC)

  • Purpose: Delivery of platform access links and limited service-related communications
  • Categories of Data Processed: Email address only
  • Notes: No Patient Personal Information, health data, or assessment content is transmitted to or stored by Mailchimp
  • Primary Data Location: United States

General

Compound Direct may update this Subprocessor List from time to time to reflect changes in its service providers. Where required by applicable law or contract, Healthcare Organisations will be notified of any material changes.

All Subprocessors are engaged under written agreements that require confidentiality, data security, and compliance with applicable privacy and data protection laws.