JMACK HEALTH — PRIVACY POLICY

JMack Health Personal Training · ABN: 49 709 055 421

Effective Date: 1 July 2026  |  Version 1.0

This Privacy Policy explains how Justin Mackellin, trading as JMack Health (ABN: 49 709 055 421), collects, holds, uses, and discloses your personal information, including sensitive health information. It is prepared in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

JMack Health is a private-sector health service provider operating out of Goodlife Health Club, Camberwell, Victoria. Because we collect and handle health information as part of delivering personal training services, the Privacy Act 1988 (Cth) applies to us regardless of annual turnover, and we take our obligations seriously.

Please read this policy carefully. By engaging our services, booking a session, or providing your personal information through our website or intake forms, you consent to the collection and handling of your information as described in this policy.

1. Definitions

Personal information

Information or an opinion about an identified individual or an individual who is reasonably identifiable, whether true or not, and whether recorded in material form or not (Privacy Act 1988, s 6).

Sensitive information

A subset of personal information including health information, information about an individual's race, religion, sexual orientation, criminal record, and biometric data. Sensitive information receives a higher level of protection under the APPs.

Health information

Information or an opinion about the health or disability (at any time) of an individual, the individual's expressed wishes about the future provision of health services, or a health service provided or to be provided to an individual.

We / Us / Our

Justin Mackellin, trading as JMack Health (ABN: 49 709 055 421).

You / Your

Any individual whose personal information we collect, hold, use, or disclose, including clients, prospective clients, and website visitors.

Website

jmackhealth.com.au (or the current Squarespace-hosted domain in use).

APPs

The Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024.

OAIC

The Office of the Australian Information Commissioner.

2. What Personal Information We Collect

2.1 Client and prospective client information

We collect the following categories of personal information from clients and prospective clients:

(a) Identity and contact information

•       Full name

•       Email address

•       Phone number

•       Emergency contact name and phone number

(b) Health and sensitive information

Health information receives heightened protection under APP 3 and APP 6. We only collect health information that is reasonably necessary to provide safe, appropriate personal training services.

•       Current and past injuries, medical conditions, and physical impairments

•       Cardiovascular history (including cardiac events, diagnoses, or conditions)

•       Medications that may affect exercise capacity or safety

•       Physical assessment data including fitness test results, body measurements, and movement screening outcomes

•       Exercise history and current fitness levels

•       Dietary information and nutritional goals (where relevant to your program)

•       Responses to the Pre-Activity Readiness Questionnaire (PAR-Q)

•       GP or specialist referral information (where provided or required)

(c) Program and session information

•       Training goals and program records

•       Session notes and progress data

•       Milestone and outcome tracking records

(d) Financial and payment information

•       Payment records (processed via Stripe — we do not store full card details)

•       Transaction history and package records

•       Direct debit authorisation details (where applicable)

(e) Website and booking information

•       Appointment bookings made via our Squarespace Scheduling (Acuity) system

•       Contact form submissions

•       Website usage data collected via cookies and analytics tools (see Section 9)

2.2 Information we do not collect

We do not collect government identifiers (such as tax file numbers or Medicare numbers) unless specifically required and authorised by law. We do not collect information about racial or ethnic origin, religious beliefs, or sexual orientation unless you choose to disclose it and it is relevant to your health and training needs.

3. How We Collect Your Personal Information

3.1 Direct collection

Wherever reasonably practicable, we collect personal information directly from you. We collect information:

•       Through our client intake and PAR-Q forms (completed online via Acuity Scheduling or in person)

•       During your initial health and fitness assessment

•       Through ongoing session notes and progress records

•       Via contact forms, emails, or phone calls

•       Through our website booking system

•       Via direct debit agreements and payment forms

3.2 Collection from third parties

In some circumstances we may collect information from third parties, including:

•       Medical practitioners or allied health professionals (with your consent, where you have been referred or where we require medical clearance)

•       Goodlife Health Club Camberwell (for facility-related information where relevant)

We will always notify you if we collect personal information about you from a third party, unless doing so is impracticable or unreasonable in the circumstances.

3.3 Anonymity and pseudonymity

Where lawful and practicable, we offer you the option to interact with us anonymously or by pseudonym — for example, when making a general enquiry via our contact form or website. However, we cannot provide personal training services or process bookings without collecting personal information sufficient to identify you and assess your suitability for exercise.

4. Why We Collect and How We Use Your Personal Information

Under APP 3, we only collect personal information that is reasonably necessary for our functions and activities. Under APP 6, we only use or disclose personal information for the primary purpose of collection, or for a secondary purpose where an exception applies.

4.1 Primary purposes

We collect and use your personal information primarily to:

•       Assess your fitness levels, health status, and suitability for exercise programs

•       Design, deliver, and adjust personalised training programs tailored to your goals and health needs

•       Monitor your progress and adapt programming over time

•       Ensure your safety during exercise, including responding to medical events

•       Process bookings, payments, and scheduling

•       Communicate with you about your sessions, program, and health progress

•       Maintain records of our professional obligations and duty of care

4.2 Secondary purposes

We may also use your personal information for the following secondary purposes, where you would reasonably expect this use:

•       Sending appointment confirmations, reminders, and cancellation notices

•       Responding to your enquiries and feedback

•       Complying with legal, regulatory, and professional obligations

•       Improving the quality and safety of our services

4.3 Health information — additional protection

We only use your health and sensitive information for purposes directly related to providing you with safe and appropriate training services, or as otherwise required or permitted by law. We do not use health information for marketing purposes without your explicit consent.

4.4 Direct marketing

We may use your contact details to send you information about our services, special offers, or relevant health and fitness content, but only where you have consented or where it is otherwise permitted under the APPs. Every marketing communication will include a clear and easy way to opt out. We will honour all opt-out requests promptly and within a reasonable time (no longer than 5 business days).

5. Disclosure of Your Personal Information

5.1 When we may disclose your information

We do not sell your personal information. We may disclose your personal information to third parties in the following limited circumstances:

(a) Service providers

•       Squarespace Inc. — website hosting and scheduling platform (Acuity Scheduling)

•       Stripe Inc. — payment processing

•       Google LLC — analytics and email services (where used)

These providers are engaged to assist us in running our business and are required to handle your information only as directed by us and in accordance with applicable privacy laws. Some of these providers are based outside Australia — see Section 6 for further information.

(b) Health and emergency purposes

•       Medical practitioners, emergency services, or other health professionals where necessary to respond to an emergency or where you or another person faces a serious risk to life, health, or safety

•       Allied health professionals (physiotherapists, GPs, etc.) where you have consented to a referral or where medical clearance is being sought

(c) Legal and compliance purposes

•       Courts, tribunals, law enforcement agencies, or regulatory bodies where we are required to do so by law

•       Our legal advisers or professional indemnity insurers where necessary to protect our legal rights

5.2 Goodlife Health Club

Our sessions take place at Goodlife Health Club, Camberwell. Goodlife operates under its own privacy policy. We do not share your personal information with Goodlife as a matter of course, but you should be aware that you may interact directly with Goodlife when accessing the facility and that its privacy practices are separate from ours.

5.3 We will not otherwise disclose your information

We will not disclose your personal information to any other third party without your consent, except where required or permitted by law.

6. Overseas Disclosure

APP 8 requires us to take reasonable steps to ensure overseas recipients protect your personal information in a way that is consistent with the APPs before disclosing information to them.

Some of our service providers are based or store data overseas, including:

Squarespace / Acuity

United States. Squarespace adheres to the EU-US Data Privacy Framework and maintains industry-standard security measures. Privacy policy: squarespace.com/privacy

Stripe

United States and other locations. Stripe is certified under the EU-US Data Privacy Framework and complies with applicable privacy laws. Privacy policy: stripe.com/au/privacy

Google (if used)

United States and globally distributed. Google adheres to Standard Contractual Clauses and applicable privacy frameworks. Privacy policy: policies.google.com/privacy

By using our services and providing your personal information, you consent to the disclosure of your information to these overseas recipients. We take reasonable steps to ensure these providers maintain privacy protections consistent with the APPs; however, where an overseas recipient handles your information in a way that breaches the APPs, we may not be accountable under the Privacy Act for that conduct in certain circumstances.

7. Storage and Security of Your Personal Information

7.1 How we store your information

Your personal information is stored:

•       Digitally via Squarespace and Acuity Scheduling (cloud-hosted, password-protected systems)

•       Via Stripe for payment records

•       In encrypted email communications (Gmail or equivalent)

•       In physical records (session notes, signed agreements) securely stored at our business premises

7.2 Security measures

We take reasonable steps under APP 11 to protect your personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure. Our security measures include:

•       Password protection and multi-factor authentication on all digital systems

•       Use of trusted, industry-standard third-party platforms (Squarespace, Stripe, Acuity) with their own security certifications

•       Physical security for any paper records

•       Limiting access to personal information to Justin Mackellin as the sole operator

•       Encrypted email communications where practicable

7.3 Data breach response

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

•       Take immediate steps to contain the breach

•       Assess whether notification is required under the NDB scheme

•       Notify the OAIC and affected individuals as required by law

•       Take steps to prevent future breaches of a similar nature

7.4 Retention and destruction

We retain your personal information for as long as it is necessary for the purposes for which it was collected, or as required by law. When your information is no longer required:

•       Digital records will be permanently deleted or de-identified

•       Physical records will be securely destroyed (shredded)

As a health service provider, we are generally required to retain health records for a minimum of 7 years after last service, or until the individual turns 25 years of age (whichever is later), in accordance with applicable state guidelines and our professional obligations.

8. Access to and Correction of Your Personal Information

8.1 Your right to access

Under APP 12, you have the right to request access to the personal information we hold about you. We will respond to your request within a reasonable period (generally within 30 days). We will provide access unless an exception under the Privacy Act applies (for example, where providing access would unreasonably impact the privacy of other individuals, or where required by law to refuse access).

Access to your information is free of charge. If your request requires significant effort to compile, we will notify you of any applicable fee before proceeding.

8.2 Your right to correction

Under APP 13, you have the right to request correction of personal information we hold that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond to your correction request within a reasonable period and, if we correct information, we will notify any third parties to whom the information was disclosed (where it is reasonably practicable to do so).

If we refuse to correct your information, we will give you our reasons in writing and inform you of how you can complain about our decision.

8.3 How to make an access or correction request

To request access to or correction of your personal information, please contact us using the details in Section 11. We may need to verify your identity before processing your request.

9. Cookies and Website Analytics

9.1 Cookies

Our website is hosted on Squarespace. Squarespace may use cookies — small text files stored on your device — to enable website functionality, remember your preferences, and collect analytics data. Cookies may be session-based (deleted when you close your browser) or persistent (stored on your device for a set period).

You can control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

9.2 Analytics

We may use analytics tools (such as Squarespace's built-in analytics or Google Analytics) to understand how visitors use our website. This data is aggregated and does not personally identify you. Analytics data may include pages visited, time on site, device type, and approximate geographic location.

9.3 Third-party embeds

Our website embeds third-party tools including Acuity Scheduling (booking) and Stripe (payments). These tools may collect their own data when you interact with them. Please refer to the privacy policies of these providers:

•       Squarespace / Acuity: squarespace.com/privacy

•       Stripe: stripe.com/au/privacy

10. Privacy Complaints

10.1 Making a complaint to us

If you believe we have handled your personal information in a way that breaches the Privacy Act 1988 or this Privacy Policy, we encourage you to contact us first so we can address your concerns directly.

Please set out your complaint in writing and send it to us using the contact details in Section 11. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we are unable to resolve your complaint within that period, we will inform you of the reason for the delay.

10.2 Escalating a complaint to the OAIC

If you are not satisfied with our response, or if we fail to respond within a reasonable time, you have the right to complain to the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au

Phone: 1300 363 992

Post: GPO Box 5218, Sydney NSW 2001

Email: enquiries@oaic.gov.au

11. Contact Us

For all privacy-related enquiries, access requests, correction requests, or complaints, please contact:

Name: Justin Mackellin

Trading as: JMack Health

ABN: 49 709 055 421

Email: jmack.health@gmail.com

Phone: 0447 888 168

Address: PO Box 508 Hawthorn Vic 3122

Website: jmackhealth.com.au

12. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, legal obligations, or operational requirements. When we make material changes, we will update the effective date at the top of this document and, where appropriate, notify clients by email.

The current version of this Privacy Policy is always available on our website. We encourage you to review it periodically.

LEGAL NOTE: This Privacy Policy has been prepared in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) as amended by the Privacy and Other Legislation Amendment Act 2024. It addresses JMack Health's obligations as a private-sector health service provider.

© 2026 Justin Mackellin (JMack Health). All rights reserved.

Effective Date: 1 July 2026  |  Version 1.0  |  Next review: 1 July 2027