
Sarmia Privacy Policy Version 2025.1 – Last updated 31 March 2025
​
Sarmia Pty Ltd (“Sarmia,” “we,” “us,” or “our”) operates the website www.sarmia.com (“Site”) and provides at-home DNA saliva testing with personalised nutrition reports.
​
We are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, and share your personal information – including sensitive health and genetic data – in compliance with applicable Australian privacy laws.
By using our services or the Site, you consent to the practices described in this Privacy Policy. We aim to use clear, user-friendly language so you can understand your rights and our obligations.
​
1. Who We Are and Legal Compliance
Sarmia is an Australian-owned company based in Queensland, Australia. We adhere to the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), and all other applicable privacy laws. Because we handle health and genetic information (which is considered “sensitive information”), we take extra measures to protect your data and obtain your consent. Relevant laws we comply with include:
• Privacy Act 1988 (Cth) – Federal law governing personal information and privacy.
• Queensland Information Privacy Act 2009 – State law for personal information in Queensland.
• NSW Health Records and Information Privacy Act 2002 – State law for health information in New South Wales.
• VIC Health Records Act 2001 – State law for health information in Victoria.
• SA Health Care Act 2008 – Relevant privacy provisions under South Australian law.
• Other applicable state or territory legislation – We follow any other privacy requirements that apply based on where you reside or receive our services.
If any of these laws provide a higher standard of protection than our practices, we will adjust our handling of your information to meet that higher standard. We also uphold professional confidentiality standards for health information.
​
2. Personal Information We Collect
We only collect personal information that is reasonably necessary to provide our DNA-based nutrition services and run our business. The types of personal information we may collect include:
• Basic Identification Details: Your full name, date of birth, and gender.
• Contact Information: Your residential or mailing address, phone number, and email address.
• Health and Lifestyle Information: Details you provide about your health history or concerns, dietary habits or preferences, exercise routine, and other lifestyle factors relevant to our nutritional recommendations (for example, any allergies or dietary restrictions).
• Genetic Data: Your DNA sample saliva test results, which include genetic information (specific genetic markers related to nutrition and health). This data is obtained after processing your saliva sample through our partner laboratory.
• Payment Information: If you make purchases, we (or our payment processor) collect payment details such as your credit/debit card information or bank account details. This information is handled securely and only used to process transactions you authorize.
• Online Usage Data: When you use our Site, we may collect information about your visit via cookies and similar technologies. This can include your IP address, browser type, device information, and browsing activity on our Site. This data helps us improve our website and services (see Section 3 on Collection Methods for more details).
Sensitive Information: Some of the information we collect (health, genetic, etc.) is considered sensitive under the Privacy Act. We will only collect this information with your consent (for example, when you voluntarily provide it through a questionnaire or when you submit your DNA sample for analysis). If you choose not to provide certain personal information (such as health details or contact information), we may not be able to provide you with our full range of services or an accurate personalised report.
Anonymity and Pseudonymity: You have the option to interact with us anonymously or under a pseudonym (for example, if you just call with a general inquiry). However, due to the nature of our DNA testing service, we typically need to identify you to process your sample and provide results. When ordering a test or receiving a report, you will need to provide true identifying information so we can accurately deliver our services.
​
3. How We Collect Your Information
We collect personal information through several methods:
• Direct Collection from You: Most information is provided directly by you. For example, when you:
◦ Sign up for an account on our Site or fill out forms (such as when purchasing a DNA test kit or registering your kit online).
◦ Complete our health and lifestyle questionnaire to give us context for your genetic report.
◦ Communicate with us via email, phone, or customer support (we may keep records of correspondence).
◦ Provide a saliva sample: when you send us your DNA saliva sample, it is identified with a unique kit ID that links to your account.
• Automated Collection: When you use our website or online services, we use cookies, web beacons, analytics tools, and server logs to automatically collect usage data (see “Online Usage Data” in Section 2). For example, our site may record your IP address, browser type, pages visited, and the time of your visits.
These tools help us understand how users navigate our Site, enable certain features (like keeping you logged in), and improve your user experience. You can usually adjust your browser settings to refuse cookies or alert you when cookies are being used. However, some site features may not function properly without cookies.
• Third-Party Sources: In some cases, we receive information about you from trusted third parties, but only where it’s necessary for our services and you have consented or would reasonably expect us to receive that information. Key examples include:
◦ Laboratory Results: We partner with the Australian Genome Research Facility (AGRF), a certified lab, to process your DNA saliva sample. The lab analyzes your sample and sends us your genetic data (the test results). This allows us to generate your personalised nutrition report. The data we receive from AGRF is linked to your kit ID and used by Sarmia to prepare your report.
◦ Compounding Pharmacy: If your service includes personalised supplements, we work with ACPHARM (a compounding pharmacy) to formulate and deliver custom vitamins based on your genetic results and nutritional needs. We may receive confirmation from the pharmacy about the products they provided to you (e.g. formulation or delivery status).
◦ Payment Providers: If you make a payment, our secure payment processor (e.g., credit card gateway or bank) will confirm to us that your payment was completed. We do not directly receive or store your full credit card number; it’s handled by the payment provider.
◦ Healthcare Professionals: (If applicable) If you were referred to us by a healthcare provider or you share your report with a dietitian/nutritionist through our platform, we might collect additional information from that provider with your consent. (Note: We generally do not collect info from doctors or others unless you explicitly engage us to do so.)
Unsolicited Information: If we happen to receive personal information that we did not request (for example, if someone sends us another person’s details unsolicited), we will handle it in accordance with the Privacy Act. If it’s not needed for our purposes, we will securely delete or de-identify that information.
We will always collect personal information by lawful and fair means. We do not engage in unjustified or covert data collection. When practical, we will collect information directly from you. If we need to collect from someone else (like those third parties above), we will ensure you’re aware or have consented, as required by APP 5 (Notification of Collection).
​
4. How We Use Your Personal Information
We use the personal information we collect for the primary purpose of providing our genetic testing and nutrition services to you, as well as related purposes you would expect or that are required or authorized by law. Specifically, we may use your information to:
• Provide and Personalise Our Services: This includes processing your DNA sample and health information to generate your personalised nutrition report and recommendations. We use your data to tailor the report’s content (for example, highlighting specific nutrient needs based on your genetics and lifestyle). If you opt for personalised supplements, we use your information to determine an appropriate vitamin formulation.
• Communicate with You: We use your contact details (email, phone, address) to send you important information. This may include updates on your test kit (shipping notifications), confirmation when we receive your sample, your genetic report results, and any follow-up advice. We also respond to your inquiries, support requests, or complaints using these details.
• Facilitate Payments and Orders: We use payment information to process transactions for our services or products you purchase. For example, charging your credit card for a test kit or subscription. (Payment processing is handled securely via our payment partner; we use the information only as needed for billing and to maintain transaction records).
• Deliver Products: If our service to you involves physical items (test kits, printed reports, or supplement shipments), we use your name and address to deliver those items through postal or courier services.
• Improve and Develop Our Services: We may analyze aggregate data and feedback to improve Sarmia’s offerings. For instance, we might review how users as a whole respond to certain recommendations, or which website pages are most visited, to refine our content and user experience. We may also internally research new nutrigenomic insights using deidentified data (data that cannot identify you personally) to enhance our reports over time. Any research or analysis we do with your data will either be done on anonymised data or in compliance with privacy laws and, where required, with your consent.
• Marketing (with your consent): We may use your contact information to send you promotional materials about new services, products, or special offers from Sarmia that we think may interest you (for example, a new vitamin plan or an update to our DNA analysis features). We will only send you marketing communications in accordance with applicable spam and privacy laws – typically this means we will ask for your consent (for instance, you might opt-in to a newsletter) or only send such communications if you have a reasonable expectation of receiving them from us. You will always have the ability to “opt-out” or unsubscribe from marketing emails or texts if you do not wish to receive them.
• Compliance and Legal Obligations: We may use or disclose your information when required by law or regulation, or necessary for the establishment, exercise, or defense of legal claims. For example, retaining transaction records for tax and accounting purposes, or providing information if required by a court order or to cooperate with law enforcement investigations (where legally obligated).
• Other Purposes with Your Consent: If we ever need to use your personal information for a purpose that is different from the ones listed in this policy, we will seek your consent first, unless an exception in the law applies. For instance, if in the future we want to use your identifiable health data in a research study or share a testimonial, we would ask for your explicit permission.
We will not use your personal information in ways that you would not reasonably expect us to, without your permission. We do not sell your personal data to third parties for their own marketing or purposes.
​
5. How We Share or Disclose Your Information
Sarmia respects the confidentiality of your personal and sensitive information. We do not share your personal information with third parties except in the circumstances described here. Whenever we disclose information, we only share what is necessary and we ensure the third party has obligations to protect your data. The situations where we may share your information include:
• Service Providers and Partners: We may disclose relevant parts of your personal information to trusted third-party service providers who help us run our business and deliver services to you. Key partners include:
◦ Laboratory (DNA Analysis): We send your physical DNA saliva sample (labelled with a unique identifier rather than your name) to our partner lab, Australian Genome Research Facility (AGRF). AGRF performs the genetic analysis and provides us with your genetic data. AGRF is an accredited laboratory and is bound to keep your information confidential and secure. They use your sample and associated data only for the purpose of the test we requested.
◦ Compounding Pharmacy: If you choose to receive personalised supplements through Sarmia, we share the necessary information with ACPHARM (Australian Custom Pharmaceuticals), our compounding pharmacy partner. This may include details like your name and address (for delivery), and the specific nutrient formula or health information needed to create your custom vitamins. ACPHARM will use this information only to formulate and send you the supplements, and they are required to protect your data in line with privacy laws and our instructions.
◦ Payment Processors: For processing payments, your payment details may be handled by third-party payment gateways or financial institutions (e.g., credit card processors or banks). These entities process your payment information securely in accordance with financial regulations. We share with them the information required to verify and complete the transaction (such as the purchase amount, your card details or account number, and your billing information). These payment providers are PCI-DSS compliant and do not use your information for other purposes.
◦ Shipping and Logistics: If we send you physical goods (like test kits or supplements), we provide your necessary contact details to postal or courier services (for example, Australia Post or a courier company) to deliver the package. This typically includes your name, delivery address, and possibly phone number for delivery updates.
◦ IT and Cloud Services: We use reputable third-party companies for web hosting, cloud data storage, email distribution, and other IT support. For instance, our website hosting service will store data (including possibly your account info) on their servers. We ensure any cloud or IT providers we use implement strong security and privacy measures. Some providers may store data on servers located outside Australia (see Section 8 on Overseas Disclosure). We have agreements in place to ensure they safeguard your information.
• Within Sarmia Group: If Sarmia operates through multiple related entities or if we have employees and contractors, your information may be shared internally with staff who need it to perform their duties (for example, a customer support representative or a nutrition specialist preparing your report). All Sarmia personnel are trained in confidentiality and are bound by this Privacy Policy and contractual privacy obligations.
• Legal Requirements and Protection: We may disclose personal information if required by law, or if we believe in good faith that such action is necessary to comply with legal processes. For example, we might need to respond to a subpoena, court order, or a request from law enforcement or a government regulator (such as the Office of the Australian Information Commissioner) where disclosure is mandated. We may also share information to investigate or enforce compliance with our own terms and conditions, to detect or prevent fraud or security issues, or to protect the rights, property, or safety of Sarmia, our customers, or the public as required or permitted by law.
• Business Transfers: If Sarmia undergoes a business transaction such as a merger, acquisition by another company, or sale of some or all assets, your personal information (as part of our business assets) may be transferred to the new owner or successor organisation. If such a transfer occurs, we will ensure the new entity is bound to protect your personal information at the same level as we have promised in this policy, and we will notify you or provide an opportunity to opt out if required by law.
• With Your Consent: Apart from the above, if there are any other situations where we might want to share your information, we will only do so if you have expressly consented. For example, if you want us to share your nutrition report with your doctor or a family member, we would do so only with your approval.
No Unauthorized Third-Party Use: We do not give or sell your personal information to third parties for their own marketing or unrelated purposes. We do not share your genetic data with any third party except as necessary to provide our service (lab and relevant health partners) or unless required by law. For instance, we will never voluntarily share your genetic results with insurance companies or employers, and in fact we treat such data as highly confidential.
All third parties who receive personal information from us are contractually or legally obliged to handle it in accordance with privacy laws and only for the purposes we stipulate. We take reasonable steps (such as due diligence and data processing agreements) to ensure they protect your information. If a third party no longer needs your data for the purpose we provided it, we require them to securely destroy or de-identify it.
​
6. Storage and Security of Your Information
We understand that your personal and genetic information is highly sensitive, and we take security seriously. We have implemented measures to protect your personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure. These measures include:
• Secure Data Storage: Personal information we hold is stored on secure servers and systems. We use industry-standard encryption and access controls to safeguard digital data. For example, our databases and cloud storage solutions have encryption (both during transfer of data and at rest on the server) to prevent unauthorized reading of data.
• Restricted Access: Only authorized personnel at Sarmia (or trusted contractors who are bound by strict privacy obligations) can access personal information, and even then, only on a need-to-know basis. This means our team members can only see the information required to do their job (for instance, a genetic analyst might see your genetic data and associated ID, but only our support team might have access to your contact details, etc.). All staff undergo privacy training and must comply with confidentiality policies.
• Physical Security: Any physical records or samples are handled with care. Your DNA saliva sample is identified by a code when sent to the lab, not by your full name, to maintain privacy during analysis. Samples are stored in secure laboratory facilities while being processed. We ensure that once the necessary testing is completed, physical samples are destroyed after analysis, so that they are not stored indefinitely. Any paper records (if we have, for example, a printed form or backup) are kept in locked facilities and shredded or securely disposed of when no longer needed.
• Data Retention and Destruction: We retain your personal information only for as long as it is needed for the purposes described in this Policy, or as required by law. For example, if you are an ongoing customer, we will keep your information on file so we can continue to provide services to you. If you discontinue using Sarmia’s services, we may retain certain information for a period of time in backups or as necessary for legal obligations (such as financial record-keeping, or if we believe you might return to reactivate your account). When personal information is no longer required, we will take reasonable steps to deidentify or securely destroy it. Genetic data and health information, in particular, will not be kept longer than necessary. You may request that we delete your data, and we will do so wherever possible (see Section 7 on your rights for more detail on deletion requests).
• Network and System Security: We protect our IT systems from unauthorized access. This includes maintaining up-to-date firewalls, antivirus and anti-malware tools, intrusion detection systems, and monitoring for suspicious activity. We also enforce strong password policies and multi-factor authentication for our internal systems where appropriate, to reduce the risk of unauthorized logins.
• Secure Communications: Pages on our website that collect personal information (like account registration or login) are encrypted via SSL/TLS (you’ll see a padlock in your browser, and “https” in the URL). This means data transmitted between your device and our website is encrypted. We also encrypt sensitive communications or data transfers to our partners (for instance, when sending data to AGRF or receiving results, we use secure methods or encrypted channels).
• Third-Party Security: When using third-party service providers (mentioned in Section 5), we select reputable providers and ensure they have robust security practices. We have agreements in place requiring them to protect your information. We do not allow your data to be handled by providers that do not meet our security standards.
• Monitoring and Improvement: We regularly review our security measures and update them in line with technological advancements. We also have an internal data breach response plan (see Section 7) that we practice and refine, to ensure we can act quickly if an issue arises.
While we strive to protect your information with strong security, it’s important to understand that no method of transmission over the internet or electronic storage is 100% secure. However, we continuously work to improve and follow best practices to minimize risks. You can also help by keeping your account credentials (username/password) confidential and notifying us immediately if you suspect any unauthorized use of your account.
​
7. Data Breaches and Notification
Despite our security measures, in the unlikely event that there is a data breach involving your personal information, we have protocols in place to respond swiftly and effectively. A “data breach” means unauthorized access or disclosure of personal information, or loss of personal information that could lead to unauthorized access or disclosure. If a data breach occurs, we will:
• Contain and Assess: Quickly identify the breach and take steps to contain it (for example, shutting down a compromised system). We will investigate to understand what happened, what data is affected, and the risk of harm to individuals.
• Notify Affected Individuals: If we have reason to believe that a data breach has occurred which is likely to result in serious harm to you (or any affected individuals), we will notify you as soon as possible. Our notification will outline the nature of the breach, the information involved (to the extent we know), and recommendations for steps you can take in response (for example, resetting passwords or watching out for suspicious emails).
• Notify Authorities (Notifiable Data Breaches Scheme): We comply with the Notifiable Data Breaches scheme under the Privacy Act. This means that if a breach is likely to result in serious harm, we will also notify the Office of the Australian Information Commissioner (OAIC) as required. We will follow any guidance from the OAIC in addressing the breach.
• Remedial Action: We will take steps to prevent future breaches, such as improving our security or practices where necessary. We’ll review what went wrong and update our systems or training to mitigate any further risk.
Our goal is to be transparent and proactive. If you suspect any misuse of your personal information or have concerns about the security of your data with us, please contact us immediately (see Section 10 for contact details). We take all possible breaches seriously, even if they don’t meet the threshold of “notifiable,” and will work with you to address any issues.
​
8. Overseas Disclosure of Personal Information
Sarmia is based in Australia, and we primarily store and process personal information within Australia. In general, we aim to keep your data on servers located in Australia to ensure it is protected under Australian privacy laws. For example, our DNA testing is done in Australia (via AGRF), and our compounding pharmacy partner is in Australia. However, some of our service providers or technological tools might operate overseas or use cloud infrastructure that spans multiple countries. Examples might include cloud-based email or data storage services, or analytics providers that process data in the United States, European Union, or other locations.
If we do need to disclose your personal information to an overseas recipient (outside Australia), we will take steps to ensure your information is given a similar level of protection as it is under Australian law. These steps may include:
• Only dealing with overseas organisations in countries with strong privacy laws, or
• Contractual arrangements with the overseas recipient to require them to comply with Australian Privacy Principles (or equivalent standards) in handling your information, or
• Obtaining your consent for the cross-border disclosure if appropriate.
For instance, if we use a cloud IT provider with servers in the United States, we will ensure through our contract and due diligence that your data is stored securely and used only for our purposes, and not misused or disclosed further. By using our services and providing us your information, you acknowledge that some data may be processed or stored overseas as described, and you consent to that where it is necessary for the service (per APP 8.2). We will not transfer your sensitive personal information (like genetic or health data) to overseas entities unless it is necessary for the service or we have taken the aforementioned protective measures.
If in the future we consider a new overseas disclosure (for example, partnering with a foreign research institution or an international service provider that will handle personal data), we will update this Privacy Policy and notify you if required, ensuring compliance with the Privacy Act’s cross-border data rules.

9. Accessing and Correcting Your Information
Accessing Your Personal Information: You have the right to request access to personal information that we hold about you (APP 12 – Access to Personal Information). We believe in being open and will generally provide you with access to your information upon request.
• How to Request Access: If you want to access your information, you can contact us (see Section 10) and let us know what information you need. To protect your privacy, we may ask you to verify your identity before we give you access. This is to ensure we don’t accidentally send your information to someone else.
• Format of Access: We will work with you to provide the information in a suitable format. That might be a copy of the personal details we have on file, or an export of certain data. If the information is extensive, we might arrange for you to view it or discuss a summary.
• Timeframe: We will respond to access requests within a reasonable time. Usually, we try to get you the information within 30 days. If it’s urgent, please let us know and we will do our best to accommodate.
• Cost: In most cases, requesting access is free. We will not charge you to make a request. However, if your request is complex or requires significant resources (for example, retrieving archived data), we may charge a reasonable fee to cover our costs. We will let you know in advance about any fee and get your agreement before proceeding.
• Exceptions: In a few situations, we might not be able to give you access to your information. The Privacy Act allows us to refuse access in certain circumstances, such as if giving access would unreasonably impact another person’s privacy, or if it would pose a serious threat to someone’s health or safety, or if the request is frivolous or vexatious. Also, we might need to refuse if the information relates to existing or anticipated legal proceedings and would not be accessible through those proceedings, or if giving access would reveal our own commercially sensitive decision-making process. If we ever have to refuse access, we will provide you with a written explanation of the reasons (unless legal restrictions prevent us from doing so) and inform you of any steps available to challenge our decision.
Correcting Your Personal Information: We want to ensure that the personal information we hold is accurate, up-to-date, and complete (APP 13 – Correction of Personal Information). If you believe any information we have about you is incorrect, incomplete, or outdated, you have the right to request that we correct it.
• How to Request a Correction: Contact us (see Section 10) and let us know what information needs updating or correction. It could be as simple as a new address or a change in your health status that you want reflected in your profile.
• Our Response: We will promptly consider all correction requests. If the information is indeed wrong or incomplete, we will correct it as soon as practicable. This could involve updating our database records, or in the case of information that was passed to a third party (like the lab or pharmacy), we might need to inform them of the correction as well.
• If We Disagree: If we are unable to correct your information as you requested (for example, if we believe the information we have is accurate and your request cannot be substantiated), we will let you know our reasons in writing. You then have the right to request that we add a note to the record stating that you claim the information is inaccurate, out-of-date, incomplete, or misleading. We will take reasonable steps to attach that statement so it will be read with the information.
• No Charge: We will not charge you for asking us to correct your information, nor for us correcting it.
We also periodically review the data we hold and correct it when we discover inaccuracies. However, we do rely on you to let us know of any changes (like updated contact details or health information). Please help us keep your information current by notifying us of any updates.

10. Your Choices and Consent
Using our services is voluntary, and we strive to give you meaningful choices in how your personal information is used and disclosed. Here are some key ways you can exercise control:
• Consent to Sensitive Information Collection: By engaging with Sarmia (for example, by submitting a DNA test or giving us health info), you are consenting to us collecting and using your sensitive information for the purposes outlined. If you do not consent to this, please do not provide a DNA sample or health details. We will explicitly ask for your agreement to this Privacy Policy (and our Terms) when you sign up. If at any point you wish to withdraw your consent for us to hold or use your sensitive information, you can contact us to discuss options (note: withdrawing consent may mean we can no longer provide certain services to you, but we will explain the consequences and work with you).
• Marketing Communications: As mentioned, we may send you marketing emails or messages if you have consented or if you would reasonably expect to receive them. You have the right to opt out at any time. To opt out, you can use the “unsubscribe” link in an email newsletter, reply “STOP” to an SMS, or contact us directly requesting to be removed from marketing lists. Once you opt out, we will stop sending you promotional material, though we may still send administrative or service-related communications (e.g., an update about your order or changes to our terms).
• Account Settings: If you have an online account with us, we may provide features in your account dashboard to view and update certain personal details, or adjust preferences (like communication preferences). Make use of these tools to ensure your information is accurate and your preferences are known.
• Cookie Controls: For data collected via cookies/online tracking, you can manage your cookie preferences using your web browser settings. You can delete or block cookies, and you can also opt out of certain analytics or advertising tracking (for example, Google Analytics offers a browser opt-out plugin). See our separate Cookies Notice (if available on our website) or contact us for more information on how to control or opt out of online data collection.
• Refusal to Provide Information: You always have the choice not to provide personal information. If you prefer not to share certain details (like not answering an optional health questionnaire question), that is okay. We will make clear which fields or data are required for the service. Keep in mind that if you withhold information, it may limit our ability to deliver the full service (for instance, we might not be able to give specific advice without certain background info).
• Deactivate or Delete Account: If you wish to stop using Sarmia’s services entirely, you can request that we deactivate your account. Contact us with such a request, and we will guide you through the process. Account deactivation means you will no longer be able to log in or use our services. We can also, upon request, delete your personal information. As noted in Section 6, if we do not have a legal need to retain the data, we will comply with deletion requests. Some data might be retained in backups for a short period but will be overwritten in due course, and any data we must keep (e.g., for financial record obligations) will be securely protected and isolated from active use.
11. Complaints and How to Contact Us
Your privacy is extremely important to us, and we want to address any concerns you have. If you have questions about this Privacy Policy, or if you believe your privacy has been impacted or wish to make a complaint, please contact us. We take all complaints seriously and will respond promptly.
How to Contact Us:
• Email: You can email our privacy team at hello@sarmia.com. This is the quickest way to reach us with any privacy-related questions or requests (such as access or correction requests, or to lodge a complaint).
• Phone: If you prefer, you may call our customer service number at +61 401293049 (example number) during business hours. If your matter is about privacy, please let the representative know so they can direct you to the appropriate staff or escalate as needed.
• Mail: You can send us a letter. Address it to Privacy Officer. Our mailing address is 27 Samantha Drive Bli Bli, QLD, Australia 4560.
When you contact us with a complaint, please provide as much detail as possible about your concern (for example, the date of the issue and what you think went wrong). This will help us investigate the matter quickly.
Our Process for Complaints:
1. Acknowledgement: We will acknowledge receipt of your complaint within a reasonable time, typically within 5 business days, so you know we have received it and are looking into it.
2. Investigation: We will investigate your complaint. This may involve reviewing relevant records, speaking to staff members, and assessing our systems or practices. We may reach out to you for more information during this process to ensure we fully understand the issue.
3. Response: After investigation, we will contact you with the outcome and any actions we have taken (or will take) in response. If we made a mistake, we will let you know what we’re doing to fix it. If there was a misunderstanding, we will attempt to clarify the situation. We aim to resolve all complaints in a timely manner (generally within 30 days, though more complex issues might take a little longer – if so, we will keep you updated on progress).
4. Further Action: If you are not satisfied with our response, we will inform you about further steps you can take. This includes your right to escalate the matter to an external authority.
Contacting the Regulator:
If you feel we have not resolved your privacy concern, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC). The OAIC is the independent government body that oversees privacy law compliance. They can be contacted through their website (www.oaic.gov.au), by email at enquiries@oaic.gov.au, or by phone at 1300 363 992. The OAIC’s guidelines encourage you to try to resolve issues with the organisation first (which we welcome you to do with us), but you are free to contact the OAIC at any time.
We welcome feedback of all kinds, as it helps us improve our policies and services. Our aim is to ensure you feel safe and confident in how we handle your personal information.
12. Updates to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. For example, if we launch a new product that involves new data uses, or if laws change, we will update our policy accordingly. When we make significant changes, we will notify you in a suitable manner. This might include posting a prominent notice on our website, or contacting you directly via email (especially if you are a current customer). The “Last updated” date at the top of this Policy will always indicate when the latest changes were made. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use our services or the Site after a change to the policy, we will take that as acknowledgement of the updated policy, but we will not use your information in new ways without your consent where consent is required. If you have any questions or concerns about changes to the Privacy Policy, please reach out to us (contact details in Section 11). We are happy to explain any updates or what they mean for you.
Thank you for trusting Sarmia with your genetic and personal information.
We are dedicated to safeguarding your privacy while providing you with valuable insights into your nutrition and health. If you have any questions about this Privacy Policy or about how we handle your data, please do not hesitate to contact us. Your privacy and satisfaction are our priority.