Privacy Policy

1. About This Policy

This Privacy Policy governs the collection, use, storage, and disclosure of personal information and data by Haycar Global Pty Ltd (ABN pending) trading as Animalis aRK Commercial ("we", "us", "our") through the animalisark.io website, commerce platform, API services, and Animalis-IC device registration systems.

We are committed to compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where our services are accessed by persons in the European Economic Area or United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and UK GDPR as applicable.

By using our services or products, you acknowledge this Privacy Policy and consent to the collection and use of information as described herein. If you do not agree, you should cease using our services.

2. Data We Collect

2.1 Personal Identification Information (PII)

We collect the following categories of personal information from clients, customers, and users:

• Full name (first name, last name)
• Email address
• Phone number
• Company or organisation name
• Billing address and country
• Payment reference information (we do not store full card numbers; payment processing is handled by authorised third-party processors)
• Professional credentials (veterinary registration number, research institution affiliation)

2.2 Veterinary and Clinical Records

Where you register an animal with an Animalis-IC device or use our veterinary practice integration module, we collect:

• Animal owner name, contact details, and billing information
• Animal identification data (species, breed, age, sex, microchip number, chip ID)
• Veterinary practice and practitioner details
• Clinical history and diagnosis records (where shared by the veterinary practitioner)
• Vaccination and treatment records
• Geographic location of treatment (suburb/city level)

2.3 Technical and Usage Data

• IP address and general location (country, region)
• Browser and device type
• Pages visited, time on site, referral source
• API access logs and query parameters
• Error logs

2.4 Voluntarily Submitted Data

Information you provide via enquiry forms, order forms, support tickets, or direct email correspondence.

3. Animal Health Telemetry Data

Animalis-IC implanted devices continuously transmit health and environmental sensor data. This telemetry includes:

• Body temperature (continuous)
• Heart rate and SpO2 (oxygen saturation)
• 6-axis inertial measurement (movement, activity level)
• Ambient environmental conditions at the sensor location
• GPS or network-derived location (where device and network support permits)
• Chip activation and registration events

Data from DePIN sensor nodes (marine buoys, freshwater sensors, land towers) constitutes environmental and biodiversity monitoring data. This data does not directly identify individuals but may be associated with your registered account and DePIN node subscription.

4. How We Use Your Data

We use collected data for the following purposes:

• Delivering and managing products and services you have ordered
• Processing payments and managing billing
• Registering and managing Animalis-IC device identities on Cardano
• Providing veterinary practice integration and clinical dashboard services
• Delivering API access for data licence customers
• Providing technical support and responding to enquiries
• Sending transactional communications (order confirmations, invoices, service notices)
• Generating anonymised and aggregated biodiversity and wildlife health statistics for research partnerships and the Animalis aRK Foundation
• Complying with legal obligations under Australian law and applicable international regulations
• Improving our services and platform through usage analysis

We do not sell your personal information to third parties. We do not use your data for unsolicited marketing without your explicit consent.

5. Legal Basis for Processing

Under the Australian Privacy Act 1988, we process personal information where it is reasonably necessary for our functions and activities, and where individuals would reasonably expect us to do so in the context of the commercial relationship.

For customers in the EEA/UK under GDPR, our legal bases are:

• Contract performance: processing necessary to deliver services you have ordered
• Legitimate interests: fraud prevention, security monitoring, service improvement
• Legal obligation: compliance with tax, financial, and healthcare data laws
• Consent: for optional marketing communications (where separately obtained)

6. Third-Party Processors

We engage the following categories of third-party processors who may access your data to provide services on our behalf:

• Payment processors: Stripe Inc. and/or BSB/NPP bank transfer systems for billing and invoicing. We do not store full card data.
• Cloud infrastructure: Server hosting and database services located in Australia and/or Singapore. Data residency for Australian health records is maintained within Australia where technically feasible.
• Email service providers: For transactional email delivery (order confirmations, invoices).
• Dreamscape Networks: Domain registration and DNS services (Hayden Walker reseller account).
• ASI Alliance / SingularityNET: On-chain inference and AI agent processing for biodiversity analytics. Data shared with these processors is anonymised and aggregated prior to transmission.
• Cardano blockchain infrastructure: Device DID registration and AARK token operations are recorded on the Cardano public blockchain. See Section 7 for important information about on-chain data.

All processors are bound by contractual data processing agreements consistent with APP 8 (cross-border disclosure) and, where applicable, GDPR Chapter V.

7. On-Chain Data and DID / NFT Data

We minimise the personal information recorded on-chain. Specifically:

• Device DID identifiers are pseudonymous (e.g. did:haycar:device:aic-A1B2C3D4E5F6) and do not contain your name or contact details
• Health telemetry hashes (not raw telemetry data) may be anchored on-chain as integrity proofs
• Cardano wallet addresses are recorded as part of AARK token transactions; wallet addresses are pseudonymous but publicly visible on the Cardano blockchain
• DAO governance votes are recorded on-chain and are publicly visible

Before using any on-chain features, including device registration and AARK token operations, you should understand that on-chain records cannot be removed in response to a right-to-erasure request. If you have concerns about on-chain data, please contact [email protected] before proceeding.

Animal TWIN NFTs, where issued, represent an on-chain digital twin of the animal's verified identity. The NFT metadata is stored on IPFS and anchored to Cardano. The same immutability considerations apply.

8. Data Retention

We retain personal information for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations:

• Animal health and veterinary records: 7 years from the date of last clinical event or device deactivation, in accordance with veterinary record-keeping obligations under Australian state veterinary practice acts and consistent with the Medical Records Act 1971 (Qld) principles
• Financial and billing records (invoices, payment records): 7 years from the date of the transaction, as required under the Income Tax Assessment Act 1997 (Cth) and ATO record-keeping obligations
• Client account data: For the duration of the active commercial relationship plus 3 years after account closure
• Support correspondence: 3 years from resolution
• API access logs: 12 months for security and fraud prevention purposes
• Marketing data (where consent given): Until you withdraw consent or 3 years of inactivity, whichever is earlier

After the applicable retention period, personal data is securely deleted or irreversibly anonymised. On-chain data is subject to blockchain immutability as described in Section 7.

9. International Data Transfers

Animalis aRK operates globally with research partnerships in Kenya (Nairobi), Peru (Lima/UPCH), Vanuatu, and the United Kingdom. Where data is transferred internationally, we take steps to ensure the receiving party provides comparable data protection through:

• Contractual data processing agreements (DPAs)
• Standard contractual clauses (SCCs) for transfers to countries without adequacy decisions
• Anonymisation and pseudonymisation before transfer wherever possible

Public blockchain data (Cardano) is replicated globally across thousands of nodes by the nature of the network. This is an inherent characteristic of public blockchain technology.

10. Your Rights

Under the Australian Privacy Act 1988 and applicable GDPR provisions, you have the following rights:

• Access: Request a copy of personal information we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Erasure (GDPR): Request deletion of personal data where processing is no longer necessary (subject to on-chain data limitations in Section 7 and legal retention obligations in Section 8)
• Data portability (GDPR): Request your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Restriction: Request restriction of processing while a complaint is investigated
• Withdraw consent: Withdraw consent at any time where processing is consent-based

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or 1 month under GDPR).

11. Children's Privacy

Our services are directed at commercial and professional users and are not designed for or targeted at children under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact [email protected] immediately.

12. Cookies and Analytics

The animalisark.io website may use the following types of cookies and local storage:

• Strictly necessary: Session management and security tokens required for the website and API to function
• Functional: Remembering preferences (e.g. selected country in order form)
• Analytics: Aggregated, anonymised usage statistics to improve our services. We do not use third-party advertising trackers.

You can control cookies through your browser settings. Disabling strictly necessary cookies will impair the functionality of order forms and authenticated services.

13. Data Breaches

In the event of an eligible data breach as defined by the Notifiable Data Breaches Scheme (Part IIIC of the Privacy Act 1988), we will:

• Assess the breach within 30 days of becoming aware
• Notify affected individuals as soon as practicable
• Notify the Office of the Australian Information Commissioner (OAIC) as required
• For breaches affecting EEA/UK individuals: notify the relevant supervisory authority within 72 hours under GDPR Article 33

We maintain technical and organisational security measures including encrypted data storage, access controls, ATECC608B hardware security modules in Animalis-IC devices, and audit logging of all data access events.

14. Contact and Complaints

For any privacy enquiries, data subject requests, or complaints:

If you are dissatisfied with our response to a privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.

EEA/UK individuals may also lodge complaints with their local data protection authority.

This Privacy Policy may be updated from time to time. The current version and effective date are shown at the top of this page. We will notify active account holders of material changes via email.