
Last updated January 2026.

  1. Protecting your privacy

MOBIDDICTION Pty Ltd (ACN 160 375 306) and its Related Entities (We, Us) are committed to protecting your privacy. This document provides you with information on how we collect, use, store and disclose your personal information.

We will adhere to the provisions of the Australian Privacy Principles (APPs) which are contained within the Privacy Act, in relation to how we collect, use, disclose and protect your Personal Information.

Where applicable, we also adhere to the requirements of the EU General Data Protection Regulation (GDPR).

We maintain ISO 27001 certification for our information security management system, demonstrating our commitment to protecting your data through internationally recognized security standards. For detailed information about our security practices, please visit our Security Trust Center at: https://trust.mobiddiction.com.au/

This policy aims to provide you with information to understand how We collect, use, store and disclose your Personal Information in accordance with the APPs and the GDPR. This policy applies where we are a ‘data controller’ in relation to your Personal Information. That is, where we are in control of the purposes and methods of processing your Personal Information.

Our legal basis for the collection, storage, use and disclosure of your Personal Information arises from your consent to this policy and the protection of our legitimate interests, including the delivery and improvement of our Services.

  2. Definitions

In this policy:

  • Cookie means a small piece of data stored on your device used to access our Website.
  • Personal Information has the meaning given under the Privacy Act.
  • Privacy Act means the Privacy Act 1988 (Cth).
  • Related Entities has the same meaning as under the Corporations Act 2001 (Cth) and includes our franchisees.
  • Sensitive Information has the same meaning as under the Privacy Act.
  • Services means the offers and services provided by us or the companies and individuals who work with us.
  • Website means http://www.mobiddiction.com.au/ and its sub-pages, and includes other forms of social media where you post comments or we interact with you.

The meaning of any general language is not restricted by any accompanying example and the words ‘includes’, ‘including’, ‘such as’, ‘for example’ or similar words are not words of limitation.

  3. What Personal Information do we collect and why do we need it?

To provide you with our Services or if you apply for a job with us, including by using the links on our Website, we need to collect Personal Information. If we do not collect the Personal Information or if any of the Personal Information you provide is incomplete or inaccurate, we may not be able to provide the Services or process a job application or the employment process may be compromised.

Depending on the nature of the Services we provide to you, the personal information we collect may include:

  • your name, email address, telephone numbers as well as residential and/or mailing address;
  • any information you provide if you apply for a job with us, including your qualifications;
  • date of birth;
  • Sensitive Information, for example, if you advise us of any medical conditions such as allergies;
  • credit card details; and
  • any other Personal Information relevant to the Services we provide to you.

3.1 Meta Platform Data Collection (VR Applications)

When you use our Virtual Reality (VR) applications on Meta Quest devices, we may collect and process the following information from the Meta Platform:

  • User Profile Information: Your Meta account display name, profile picture, and account identifier (User ID) to authenticate your access to the application and personalize your experience.
  • User ID: A unique identifier provided by Meta to verify your ownership of the application, manage your account within our services, authenticate your VR headset, and enable access to licensed content.

Why We Collect Meta Platform Data:

  • Authentication & Authorization: To verify that you have a valid license to use our VR applications and to authenticate your VR headset with your account.
  • Content Delivery: To provide you with personalized VR content and experiences based on your account and subscription status.
  • Account Management: To create and maintain your user profile within our platform, link your VR headset to your workspace, and manage your content library.
  • Service Delivery: To enable the core functionality of our VR applications, including content synchronization, progress tracking, and multi-device support.
  • Technical Support: To provide customer support and troubleshoot issues related to your VR headset and application usage.

What We Do NOT Collect:

We do not collect or access sensitive VR data such as room mapping, hand tracking data, eye tracking data, body tracking, voice recordings, photos/videos captured within the headset, or your physical location data from the Meta Platform beyond what is necessary for authentication.

  4. How do we collect the Personal Information?

We aim to collect Personal Information directly from you. We may also collect Personal Information:

  • through our Website and by other electronic communication channels (e.g. when you send us an email or post an entry on our Facebook page);
  • from third parties;
  • from publicly available sources of information;
  • when we are required to do so by law;
  • when you log onto or connect to our Website and our server automatically records information your browser sends (e.g. your IP address, how and when you travel through our Website, the pages and documents accessed, information about your usage, e.g. by way of cookies and other information provided by downloading information from our website). However, unless your name is part of your email address or you specifically provide it, our server does not automatically collect this information. You can also adjust the settings on your computer to decline any cookies if you wish;
  • over the phone, if you tell us information about you;
  • from a third party engaged by you (such as a web developer);
  • if you use any of our online forums;
  • when you enter a competition or promotion with us, participate in a survey or register to receive information from us or register to receive information on any of our Services.

If at any time you supply Personal Information to us about any other person (e.g. another member of your household or you post a photo on our Website), you represent and we accept that information on the basis that you are authorised to do so and that the relevant person has consented to the disclosure to us.

4.1 Collection of Meta Platform Data (VR Applications)

When you use our VR applications on Meta Quest devices, we collect information from the Meta Platform through the following methods:

  • Application Launch: When you first launch our VR application on your Meta Quest device, the application requests authentication from the Meta Platform to verify your identity and app ownership.
  • Meta Platform API: Our application uses Meta’s Platform APIs to retrieve your User ID and basic profile information (display name, profile picture) that you have authorized us to access through your Meta account permissions.
  • Device Authentication: Your VR headset communicates with our servers using your Meta User ID to authenticate and authorize access to content and features you are entitled to use.
  • Ongoing Session Management: During your use of the VR application, we maintain your authentication session to provide continuous access to services and content.

Your Control Over Meta Platform Data:

  • You can revoke our application’s access to your Meta account data at any time through your Meta Quest privacy settings or Meta account settings.
  • Revoking access will prevent the application from accessing your profile information, but may limit or prevent functionality of the VR application.
  • You can request deletion of your Meta Platform data from our systems using the mechanisms described in Section 10.

This privacy statement only covers the collection of Personal Information by our sites and applications and does not cover the collection of Personal Information from other third parties you access via a hyperlink or otherwise on our sites or applications, whether or not affiliated with us. Meta’s collection and use of your data through the Meta Platform is governed by Meta’s Privacy Policy, available at: https://www.meta.com/legal/quest/privacy-policy/

  5. How do we use your Personal Information?

We use the Personal Information we collect for operational purposes and to:

  • provide our Services, including fulfilling orders and payment of invoices;
  • comply with our licensing and other legal obligations;
  • respond to medical emergencies;
  • process your inquiries and improve our Services, including to assist our staff training and development initiatives;
  • advise you of additional services or information which may be of interest to you;
  • provide your contact details to companies and individuals who have agreed to provide you with the offers described on our Website (you may opt out of receiving this information at any time);
  • communicate with you;
  • for security purposes; and
  • develop our products and services.

5.1 How We Use Meta Platform Data (VR Applications)

Specifically, we use Meta Platform data (User ID and User Profile information) for the following purposes:

  • User Authentication: We use your Meta User ID to verify your identity when you access our VR applications, ensuring that only authorized users can access the services.
  • License Verification: We verify that you have a valid license or entitlement to use our VR application by validating your Meta User ID against our subscription and licensing records.
  • Account Creation & Management: We use your Meta User Profile information (display name, profile picture) to create and maintain your user account within our platform, making it easier for you to identify your account.
  • Device Pairing & Management: We link your Meta User ID to your registered VR headsets to enable device management, content synchronization across devices, and headset authentication.
  • Content Delivery & Personalization: We use your User ID to deliver appropriate content packages, VR experiences, and features based on your subscription level and licensed entitlements.
  • Usage Analytics: We collect aggregated, anonymized usage data to understand how users interact with our VR applications, improve user experience, identify technical issues, and develop new features. This data does NOT include personally identifiable information.
  • Customer Support: We use your User ID and profile information to provide technical support, troubleshoot application issues, and respond to your support requests.
  • Service Communication: We may use your profile information to send you important service-related notifications, such as content updates, license changes, or security alerts related to your VR application.
  • Workspace Management: For organizational/enterprise users, we use your Meta User ID to manage workspace memberships, assign content access permissions, and track workspace usage.

What We Do NOT Do With Meta Platform Data:

  • We DO NOT sell, rent, or share your Meta Platform data with third parties for their marketing purposes.
  • We DO NOT use your Meta Platform data for targeted advertising or behavioral tracking outside of our VR applications.
  • We DO NOT combine your Meta Platform data with other data sources to create detailed user profiles for purposes unrelated to providing our VR services.
  • We DO NOT access or process sensitive VR sensor data (such as eye tracking, hand tracking, room mapping) beyond what is necessary for application functionality.

Data Retention:

We retain your Meta Platform data for as long as:

  • Your account remains active and you continue to use our VR applications;
  • Required to provide ongoing services, maintain device pairings, and preserve your content library;
  • Required by law, regulation, or to resolve disputes and enforce our agreements;
  • After which time, we will delete or anonymize your data as described in Section 10.

Any communication with us (regardless of mode) is recorded and stored to assist with the operational purposes set out above.

If at any time you no longer wish to receive any additional marketing material from us or do not want your information disclosed for direct marketing purposes, contact us using the details in section 10 and we will remove your details from our marketing database.

  6. Disclosing personal information

We may be required to disclose your Personal Information by law, by court order or to investigate suspected fraud or other unlawful activity.

We may also disclose your Personal Information to third parties in certain circumstances including:

  • if you agree to the disclosure;
  • when we use it for the purpose for which it was collected, e.g. to provide you with Services;
  • in circumstances where you would reasonably be expected to consent to information of that kind being passed to a third party;
  • where disclosure is required or permitted by law;
  • where it is required to be disclosed for audit purposes;
  • to our Related Entities;
  • if disclosure will prevent or lessen a serious or imminent threat to someone’s life or health; or
  • where it is reasonably necessary for the enforcement of the criminal law, a law imposing a pecuniary penalty or for the protection of public revenue.

6.1 Third-Party Service Providers

We work with carefully selected third-party service providers to deliver our Services. These service providers may process your Personal Information on our behalf for purposes such as:

  • Cloud Infrastructure: Amazon Web Services (AWS) for hosting and storage (data stored in Sydney, Australia region)
  • Payment Processing: Stripe for secure payment and subscription management
  • Email Communications: Email service providers for transactional and service-related emails
  • Analytics: Analytics services to understand usage patterns and improve our Services (data is aggregated and anonymized)
  • Customer Support: Support ticketing and communication platforms
  • Identity Verification: Authentication and identity verification services

When we disclose your Personal Information to our third party service providers, we:

  • Ensure they have appropriate data security policies and practices in place
  • Require them to process data only according to our instructions
  • Conduct security assessments before onboarding new providers
  • Maintain contracts that require compliance with privacy laws and our security standards
  • Limit access to only the data necessary to perform their services
  • Regularly review and audit their security practices

We do NOT sell, rent, or trade your Personal Information to third parties for their own marketing purposes.

6.2 Legal Disclosure Requirements

We may disclose your Personal Information when required by law, such as:

  • In response to a subpoena, court order, or other legal process
  • To comply with regulatory requirements or government investigations
  • To protect our legal rights, property, or safety, or that of our users or the public
  • To investigate and prevent fraud, security threats, or illegal activities
  • In connection with a corporate transaction (merger, acquisition, sale of assets) where appropriate safeguards are in place

  7. Jurisdiction and Cross-Border Transfers

Due to the nature of the Services provided, your Personal Information may be stored and processed in any country where we have operations or where we engage service providers, and we may transfer your Personal Information to countries outside of your country of residence.

These countries may have different privacy and data protection rules to those of Australia and/or your country. However, we will endeavour to ensure that any such transfers comply with applicable laws and that your Personal Information remains protected.

In some circumstances, courts, law enforcement agencies, regulatory agencies or other official authorities in those countries may be entitled to access your Personal Information.

7.1 International Data Transfers

Our primary data storage is located in:

  • Australia: AWS Sydney (ap-southeast-2) region for Australian users
  • United States: For certain service providers and platform integrations
  • European Union: For EU/UK users where applicable

When we transfer Personal Information internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for EU data transfers
  • Privacy Shield or equivalent frameworks where applicable
  • Binding Corporate Rules for transfers within our corporate group
  • Adequacy decisions by relevant data protection authorities
  • Your explicit consent where required by law

For more information about how we protect your data in international transfers, please contact our Privacy Officer.

  7.5. Children’s Privacy

We are committed to protecting the privacy of children who use our Services, particularly our VR applications on Meta Quest devices.

7.5.1 Age Requirements

  • General Services: Users must be at least 13 years of age to create an account and use our web-based services.
  • VR Applications: Users must meet Meta Quest’s minimum age requirements (typically 13+ years, though this varies by jurisdiction and specific content ratings).
  • Healthcare/Medical Services: Some services may require users to be 18+ or have appropriate parental/guardian consent and supervision.

7.5.2 Age Verification

We implement age verification measures including:

  • Requiring date of birth during account registration
  • Relying on Meta Platform’s age verification for VR applications
  • Blocking access for users who do not meet minimum age requirements
  • Verifying parental consent where required by law

7.5.3 Parental Controls and Consent

For users under 18 years of age (or under 16 in certain jurisdictions):

  • We may require verifiable parental or guardian consent before collecting Personal Information
  • Parents/guardians can review, request deletion of, or refuse further collection of their child’s Personal Information by contacting us
  • For VR applications used in healthcare settings (e.g., PatientVR), we require healthcare provider authorization and may require parental consent
  • Parents/guardians can use Meta Quest’s parental controls to manage their child’s VR experience

7.5.4 Limited Data Collection for Minors

For users we know to be under 18, we:

  • Limit data collection to what is necessary to provide the Services
  • Do not collect Sensitive Information without explicit parental consent
  • Do not use children’s data for marketing or profiling purposes
  • Do not disclose children’s Personal Information to third parties except as necessary to provide Services
  • Apply stricter data retention policies (deletion within 90 days of account closure)

7.5.5 Educational and Healthcare Use

When our VR applications are used in educational or healthcare settings:

  • We rely on the school or healthcare provider to obtain appropriate consent from parents/guardians
  • Data is only used for educational or therapeutic purposes, not for commercial purposes
  • We provide institutions with tools to manage student/patient privacy settings

7.5.6 Parent/Guardian Rights

Parents or guardians may:

  • Review the Personal Information collected from their child
  • Request deletion of their child’s Personal Information
  • Refuse to permit further collection or use of their child’s information
  • Contact us at: contactus@mobiddiction.com.au

For more information about Meta Quest’s approach to age-appropriate experiences, see: Meta Quest Age-Appropriate Experiences

  8. Considerations when you send information to us

While we do all we reasonably can to protect your Personal Information from misuse, loss, unauthorised access, modification or disclosure, including investing in security software, no data transfer over the Internet is 100% secure.

The open nature of the Internet is such that information exchanged via the Internet may be accessed and used by people other than those for whom the data is intended. If you send us any information, including (without limitation) Personal Information, it is sent at your own risk.

If you provide Personal Information to us electronically, there are steps you can take to help maintain the information’s privacy. These include:

  • always closing your browser when you have finished your session;
  • NEVER providing Personal Information by using a public computer; and
  • NEVER disclosing your user name and password to another person.

You are responsible for all actions taken using your username, email or password. If at any time you believe your username or password has been compromised, you should immediately contact us and also change your password.

You should also contact us immediately if you believe:

  • someone has gained access to your Personal Information;
  • we have breached our privacy obligations or your privacy rights in any way; or
  • you would like to discuss any issues about our Privacy Policy.

  9. How your information is stored and secured

We endeavour to keep our information systems and files secured from unauthorised access. Those who work with us, including our third-party service providers, are aware of the importance we place on protecting your privacy and their role in helping us to do so.

9.1 ISO 27001 Certified Information Security

We maintain ISO 27001 certification for our information security management system. This internationally recognized standard demonstrates our commitment to protecting your personal information through:

  • Risk Assessment & Management: We regularly assess and manage risks to the confidentiality, integrity, and availability of your personal information.
  • Access Controls: Strict controls over who can access personal information, based on the principle of least privilege and need-to-know.
  • Encryption: Personal information is encrypted both in transit (using TLS/SSL) and at rest in our databases and storage systems.
  • Security Monitoring: Continuous monitoring of our systems for security threats, unauthorized access attempts, and anomalous behavior.
  • Incident Response: Documented procedures for detecting, responding to, and recovering from security incidents and data breaches.
  • Regular Audits: Independent third-party audits to verify our security controls and compliance with ISO 27001 standards.
  • Employee Training: All employees receive regular training on information security, privacy practices, and their responsibilities in protecting your data.
  • Physical Security: Secure data center facilities with environmental controls, surveillance, and restricted access.
  • Business Continuity: Disaster recovery and business continuity plans to ensure your data remains available and protected.

For detailed information about our security practices and ISO 27001 certification, please visit our Security Trust Center at: https://trust.mobiddiction.com.au/

9.2 Technical and Organizational Security Measures

Our procedures to securely store Personal Information include:

  • Multi-factor authentication for administrative access
  • Regular security patching and vulnerability management
  • Network segmentation and firewall protection
  • Intrusion detection and prevention systems
  • Secure backup procedures with encrypted storage
  • Password protection software and password policies
  • Security logging and audit trails
  • Regular penetration testing and security assessments
  • Vendor security assessments for third-party service providers

9.3 Data Breach Notification

In the unlikely event of a data breach that affects your Personal Information, we will:

  • Notify you as soon as reasonably practicable (within 72 hours where required by law)
  • Notify relevant regulatory authorities as required by applicable laws
  • Provide details about what information was affected and what actions we are taking
  • Recommend steps you can take to protect yourself
  • Investigate the cause and implement measures to prevent future breaches

9.4 Data Retention

When the Personal Information that we collect is no longer required, we will remove or de-identify the Personal Information as soon as reasonably possible. We may, however, retain Personal Information for as long as is necessary to comply with any applicable law, for the prevention of fraud, for insurance and governance purposes, in our IT back-up, for the collection of any monies owed and to resolve disputes. There may also be residual Personal Information that will remain within our databases and other records, which will not be removed.

Specific Retention Periods:

  • Account Data: Retained while your account is active and for 90 days after account closure (unless deletion is requested)
  • Transaction Records: Retained for 7 years as required by Australian taxation law
  • Audit Logs: Retained for 2 years for security and compliance purposes
  • Usage Analytics: Aggregated and anonymized data may be retained indefinitely for statistical purposes
  • Backup Systems: Data in backups is retained for up to 90 days, after which backups are overwritten
  • Marketing Communications: Retained until you opt out or unsubscribe, after which your details are removed within 30 days

  10. How you can update, correct, or delete your Personal Information

You may request access to your Personal Information, request correction of any inaccurate or out-of-date information, or request deletion of your Personal Information by contacting our Privacy Officer using the details below. For security purposes, before we process your request, we may require you to provide evidence of your identity.

You may also request information about the source of any Personal Information we collect from a third party. We will provide this information at no cost, unless there is a lawful reason under the Privacy Act or another applicable law for withholding it.

If there is a reason under the Privacy Act or another law for us to refuse access, correction, or deletion of your Personal Information, we will provide you with a written notice of refusal that sets out the reasons for the refusal (unless it would be unreasonable to do so) and the mechanisms available to you to make a complaint.

10.1 Data Deletion Requests

You have the right to request deletion of your personal data. You can request deletion through any of the following methods:

Method 1: Through Your Account (Recommended)

If you have an active account, the fastest way to request deletion is through your account settings:

  • Mapiddiction Users: Log in to app.mapiddiction.com.au → Profile → Privacy → “Delete My Account”
  • PatientVR Users: Log in to app.patientvr.com → Profile → Privacy → “Delete My Account”
  • Follow the on-screen instructions to confirm your deletion request
  • Your account will be immediately deactivated and data will be permanently deleted within 30 days

Method 2: Public Deletion Request (If You Cannot Log In)

What Happens When You Request Data Deletion:

When you request deletion of your data, we will:

  1. Immediate Actions (within 48 hours):
    • Deactivate your account and prevent further data collection
    • Revoke access to our VR applications
    • Send you a confirmation email acknowledging your request
  2. Complete Deletion (within 30 days):
    • Permanently delete your Meta User ID and associated profile information (display name, profile picture)
    • Remove all device pairing records and authentication tokens
    • Delete your user account and associated workspace memberships
    • Anonymize usage analytics data (removing all personally identifiable information)
    • Delete any stored preferences, content library associations, and subscription records
  3. Data Retention Exceptions:
    • We may retain certain data if required by law, for fraud prevention, to resolve disputes, or to enforce our agreements
    • Backup systems may retain data for up to 90 days after deletion request, after which backups will be overwritten
    • Aggregated, anonymized analytics data that cannot be used to identify you may be retained for statistical purposes
    • Transaction records for accounting and tax purposes may be retained for 7 years as required by Australian law

Impact of Data Deletion:

Please be aware that deleting your data will result in:

  • Loss of access to our VR applications on your Meta Quest device
  • Removal of all saved preferences, progress, and content library associations
  • Inability to recover your account or data after deletion is complete
  • You may create a new account in the future, but previous data cannot be restored

Third-Party Platform Data:

This deletion request only covers data we collect and store. To delete data held by Meta about your use of the Meta Platform (including the Meta Quest store), you must submit a separate request directly to Meta through your Meta account privacy settings at: https://www.meta.com/help/quest/articles/accounts/privacy-information-and-settings/access-your-information/

  11. Changes to our Privacy Policy

This document sets out our current Privacy Policy.

Our Privacy Policy will be updated from time to time. You should review our Privacy Policy each time you visit our Website or provide us with Personal Information.

If you would like further information on our Privacy Policy or if you have any concerns over the protection of the information you have given to us or that we have collected from others, please contact our Privacy Officer at:

Privacy Officer Contact Information:

Email:
contactus@mobiddiction.com.au

Post:
Privacy Officer
MOBIDDICTION Pty Ltd
Level 14, 167 Eagle Street
Brisbane, QLD 4000
Australia

Security Trust Center:
https://trust.mobiddiction.com.au/
For information about our ISO 27001 certification, security practices, and compliance documentation

Data Deletion Requests:
Web Portal: https://www.mobiddiction.com.au/privacy-data-deletion/
Email: contactus@mobiddiction.com.au

Australian Privacy Complaints:

More information about your rights and our obligations in respect to privacy and information on making a privacy complaint are available from the Office of the Australian Information Commissioner:

Website:
www.oaic.gov.au

Post:
GPO Box 5218
Sydney NSW 2001
Australia

Email:
enquiries@oaic.gov.au

Phone:
1300 600 670 (within Australia)

EU/GDPR Complaints:

If you are located in the European Union or European Economic Area, you have the right to lodge a complaint with your local data protection authority.

Version History:

  • January 2026: Updated to include Meta Platform data collection details, comprehensive data deletion mechanisms, ISO 27001 security information, children’s privacy provisions, and third-party service provider details.
  • December 2025: Updated deletion of data request policy.