PRIVACY POLICY
Last Updated: 22 December 2025
This Privacy Policy applies to all Personal Information collected by Mindway Group PTY LTD, trading as Mindway EAP (ABN: 29682230075) (we, us or our) via the Mindway EAP mobile application (App), Employee Assistance Program services (EAP Services), website at www.mindwayeap.com.au (Website), telephone hotline, and all counselling services including phone-based, video, and in-person sessions booked through any of these channels.
1. DEFINITIONS
Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in material form or not. If information does not disclose or enable ascertainment of your identity, it is not classified as Personal Information and is not subject to this Privacy Policy.
Sensitive Information is defined in the Privacy Act 1988 (Cth) (Privacy Act) as information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of professional bodies, criminal record, or health information. We collect Sensitive Information only when providing EAP Services and counselling.
User means any person who activates an account, uses the App, Website, or accesses EAP Services. While our services are primarily intended for users aged 18 and over, minors (persons under 18) may access services with documented written parental or guardian consent.
Employer means the organisation that has engaged Mindway EAP to provide services to its employees and provides employee contact details to enable account activation.
Cookies means small data files placed on your device to enable functionality, collect analytics, and improve user experience.
De-identified Data means information that has been processed to remove all personal identifiers, making it impossible to identify any individual from the data.
Aggregated Data means combined data from multiple users presented as statistical information with no individual user identifiable.
2. INFORMATION WE COLLECT
The Personal Information we collect depends on how you use our services.
2.1 Information from Your Employer
Your employer provides your name, email address, and (where applicable) department information to our platform to enable your account activation.
2.2 Information You Provide
When you register, use our services, or complete forms on the platform, you may provide contact details (such as name, email address, phone number), account credentials (access code, password), personal information submitted through intake forms and questionnaires, preferences and settings, communications with our support team, and any other information you choose to provide when using our services.
2.3 Information Collected Automatically
- Device Data: Device type, operating system, IP address, unique device identifiers, device timezone
- Usage Data: Features accessed, session data, navigation patterns
- Technical Data: App crashes, error logs, performance metrics
- Cookies: Analytics and functional cookies (retained up to 365 days)
3. HOW WE USE YOUR INFORMATION
We collect only the Personal Information necessary for service delivery and support, adhering to data minimisation principles.
Requirement to Provide Information
We cannot practically provide services if you are not prepared to provide your Personal Information. To deliver EAP Services, your Personal Information must be provided, accurate, and up to date to enable us to verify your identity and provide such services.
We use your Personal Information to:
- Provide, operate, and maintain our services
- Match you with appropriate service providers based on your needs and preferences
- Personalise your experience and content
- Process account registration, authentication, and provide technical support
- Analyse service performance, improve user experience, and ensure platform security
- Comply with legal obligations and professional record-keeping standards
- Generate Aggregated Data for employer reporting (see Section 4.1)
4. HOW WE DISCLOSE YOUR INFORMATION
4.1 Disclosure to Employers
Account Provisioning
Your employer provides your name and email to enable account activation. If you sign up manually without prior employer registration, your name and email will be shared with your employer for account management purposes.
Privacy Protection
While your employer knows you have been given access to services, your participation in counselling and use of specific features remains confidential, subject to the protections outlined in Section 5.
Aggregated Reporting
We provide employers with De-identified and Aggregated Data only. To protect individual privacy, thematic data is only reported when a sufficient number of employees have used services to prevent individual identification. Aggregated reporting may include overall utilisation rates, general engagement metrics, broad service categories, departmental usage statistics (where department data is available), and session dates for billing verification purposes. We never disclose your identity in relation to counselling participation, counselling session content or clinical notes, individual app usage patterns, specific details from counselling sessions, or individual service usage data.
4.2 Disclosure to Service Providers
Information from your profile and forms you complete may be shared with relevant service personnel (including counsellors and support staff) to provide appropriate care and support. Clinical session notes are maintained by counsellors using their chosen practice management software, which is required to comply with this Privacy Policy and Australian professional standards. We do not store clinical session notes on our systems.
4.3 Disclosure to Third-Party Providers
We engage trusted third-party service providers who process Personal Information on our behalf under Data Processing Agreements for purposes including cloud hosting, data management, analytics, email communications, and secure form management. All service providers are bound by contractual obligations to protect your data in accordance with Australian standards.
4.4 Legal and Regulatory Disclosure
We may disclose Personal Information where required or authorised by law, including to comply with legal processes, court orders, regulatory requirements, or to protect the rights, safety, or property of Mindway EAP, our users, or others.
5. CONFIDENTIALITY OF COUNSELLING SERVICES
We maintain strict confidentiality of all counselling services in accordance with professional ethical standards. Your identity and participation in counselling will not be disclosed to your employer except in the following limited circumstances:
- You provide explicit written consent for disclosure
- Disclosure is required by law (e.g., court order, subpoena)
- There is an imminent risk of serious harm to you or others
- There is evidence or reasonable suspicion of child abuse or elder abuse
- As mandated by professional ethical guidelines and legal reporting obligations
These exceptions align with standards established by the Australian Counselling Association and Psychology Board of Australia.
6. DATA SECURITY
We store your Personal Information on AWS (Amazon Web Services) servers located in Sydney, Australia. We may also use other secure storage and processing systems that meet industry-standard security requirements.
We implement industry-standard security measures to protect your Personal Information:
- Encryption of data in transit and at rest
- Multi-factor authentication for administrative systems
- Role-based access controls limiting data access to authorised personnel only
- Regular security audits, vulnerability assessments, and patch management
While we employ rigorous security protocols, no system is entirely impervious to breach. By using our services, you acknowledge the inherent risks of internet-based data transmission.
7. DATA RETENTION
We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected or as required by law:
| Data Type | Retention Period |
| --- | --- |
| Counselling records and clinical notes | 7 years from last session (Australian professional standards) |
| Account and profile information | Active account period + 30 days post-closure |
| App usage and meditation data | Active account period + 30 days post-closure |
| Service communications | Until unsubscribe or removal request |
Upon expiry of retention periods, we securely destroy or permanently de-identify your Personal Information in accordance with Australian Privacy Principles.
8. YOUR RIGHTS UNDER THE PRIVACY ACT
Under the Privacy Act 1988 (Cth) and Australian Privacy Principles, you have the right to:
- Access (APP 12): Request a copy of the Personal Information we hold about you
- Correction (APP 13): Request correction of inaccurate, incomplete, or out-of-date information
- Deletion: Request deletion of your account and associated Personal Information, subject to legal retention obligations
- Objection: Object to certain processing of your Personal Information, including service communications and processing based on our functions and activities
- Portability: Request your Personal Information in a structured, machine-readable format
- Withdraw Consent: Withdraw previously provided consent where processing is based on consent
To exercise these rights, contact us at support@mindwayeap.com.au. We will acknowledge your request within 2 business days and respond substantively within 10 business days.
You may delete your account directly through the App settings. Upon deletion, your Personal Information will be permanently removed within 30 days, except where retention is legally required.
9. SERVICE COMMUNICATIONS
Collection from Your Employer
Your employer provides us with your name and email address to enable your access to our services. This information is collected for the sole purpose of service delivery and support.
Service-Related Communications
You will receive service-related communications that are necessary for accessing and using the platform effectively. These are transactional messages, not marketing communications.
Types of Service Communications:
- Account activation and access instructions
- Service availability and feature updates
- Technical support and platform guidance
- Important notices related to your account or services
- Security notifications and critical service updates
Your Communication Preferences
You may request to limit non-essential service communications by contacting support@mindwayeap.com.au or using the unsubscribe link in our emails.
Please note that certain essential communications cannot be opted out of, including:
- Account security notifications
- Critical service updates affecting your access
- Legally required notices
- Communications necessary for service delivery
These essential communications ensure your account security and uninterrupted service access.
10. COOKIES AND TRACKING TECHNOLOGIES
We use cookies for:
- Essential Functionality: Required for account authentication and core App features
- Analytics: Understanding usage patterns to improve services (Google Analytics)
- Performance Monitoring: Identifying and resolving technical issues
Cookies are retained for up to 365 days. You may manage cookie preferences through your browser or device settings. Disabling cookies may limit certain functionality.
Third-party cookies (e.g., Google Analytics) are governed by the respective provider's privacy policy.
11. INTERNATIONAL DATA TRANSFERS
Some of our service providers may process Personal Information outside of Australia. When international transfers occur, we ensure appropriate safeguards through:
- Data Processing Agreements with adequate protection clauses
- Compliance with Australian Privacy Principles
- Contractual obligations requiring service providers to protect your data in accordance with Australian standards
- Regular monitoring of third-party security practices
12. MINORS
Our services are primarily intended for individuals aged 18 years and over. Minors (persons under 18) may access services only with documented written parental or guardian consent.
If We Become Aware of Unauthorised Minor Access
If we become aware that a person under 18 has accessed our services without documented parental or guardian consent, we will:
- Immediately suspend account access
- Contact the individual (where possible) to cease use of services
- Request documented parental or guardian consent
- Notify the employer contact (where applicable)
- Delete the information within 30 days if consent is not provided, except where retention is required by law or professional ethical obligations
Minors with Parental Consent
Where documented written parental or guardian consent has been obtained:
- The minor may access services in accordance with professional standards and ethical guidelines
- Parental or guardian consent documentation will be retained with the minor's records
- Confidentiality protections apply as outlined in Section 5, balanced with parental rights and professional obligations
13. DATA BREACH NOTIFICATION
In the event of a data breach likely to result in serious harm:
- We will notify affected individuals within 72 hours
- We will report the breach to the Office of the Australian Information Commissioner (OAIC)
- We will provide guidance on protective measures
- We will conduct a comprehensive investigation and implement remedial actions
14. CHANGES TO THIS POLICY
We may update this Privacy Policy at any time. When changes are made, we will update the "Last Updated" date at the top of this document. Your continued use of our services after changes constitutes acceptance of the revised policy.
15. COMPLAINTS AND DISPUTE RESOLUTION
If you have concerns about our handling of your Personal Information:
Step 1: Contact Us
Email: support@mindwayeap.com.au
Step 2: Formal Complaint Process
We will acknowledge your complaint within 2 business days and provide a reference number. Our privacy team will investigate and aim to resolve the matter within 30 business days. If additional time is required, we will notify you with an explanation.
Step 3: External Review
If unsatisfied with our response, you may lodge a complaint with:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
16. CONTACT INFORMATION
Privacy Enquiries
Email: support@mindwayeap.com.au
Response Time: Acknowledgement within 2 business days, substantive response within 10 business days
Privacy Officer
Available for complex privacy matters upon request
Business Details
Mindway Group PTY LTD
Trading as Mindway EAP
Victoria, Australia
ABN: 29682230075
17. GOVERNING LAW AND JURISDICTION
This Privacy Policy is governed by the laws of the State of Victoria, Australia. Any disputes arising out of or relating to this Privacy Policy or our handling of Personal Information shall be subject to the exclusive jurisdiction of the courts of Victoria, Australia.
This Privacy Policy is subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Where applicable, we also comply with state and territory privacy legislation.
ACKNOWLEDGEMENT
By accessing or using the Mindway EAP App, Website, or EAP Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must immediately cease using our services.