Privacy policy

Last updated: May 2026

Vitamin D Test ("we", "our", "us") is committed to protecting your privacy and the security of the personal and health information you share with us. This Privacy Policy explains what information we collect, why we collect it, how we use and store it, who we share it with, and your rights under Australian privacy law.

We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as state-based health records legislation where applicable.

Our test kit is registered with the Therapeutic Goods Administration as a Class IIa Medical Device (ARTG 526367). Sample analysis is performed through our analytical partnership with Masdiag.

What information we collect

Personal information you provide directly

  • Identity information: your full name, date of birth, and (where you choose to provide it) sex assigned at birth, used to interpret your test result against appropriate reference ranges
  • Contact information: email address, postal address, phone number (optional)
  • Order information: purchase history, products ordered, payment confirmation (we do not store full credit card numbers; payment is processed by Shopify Payments or your chosen provider)
  • Account credentials: if you create an account, your password is stored in hashed form
  • Communications: any correspondence you send to us (email, contact forms)

Health information (sensitive information)

Because we provide a clinical testing service, we collect, process, and store health information about you. Under the Privacy Act, this is "sensitive information" and is subject to stronger protections than ordinary personal information.

  • Sample collection details: date and time of sample collection, kit barcode, the identity of the individual whose sample is being tested (if different from the purchaser)
  • Test results: your measured 25(OH)D level, D2/D3 breakdown, VMR (if applicable), and our laboratory's interpretation against reference ranges
  • Historical results: we retain prior test results to enable trend tracking across repeat tests
  • Self-reported health information: any health information you provide voluntarily when requesting interpretation or support (e.g., medications, symptoms, conditions)

We collect your health information with your consent, which you provide when you purchase a test, register a sample at the lab portal, and accept this policy at checkout.

Information we collect automatically

  • Website usage: pages visited, time spent, referring URLs, browser type, IP address, device type, collected via cookies and analytics tools
  • Cookies: we use first-party cookies for session management, cart persistence, and basic analytics. We use third-party cookies (Shopify, Google Analytics) for site performance and marketing analytics

Why we collect it (purposes of collection)

We collect, use and store your personal and health information only for the following purposes:

  • To process your order, fulfil shipping, and deliver your test kit
  • To analyse your sample and return your test result
  • To provide you with trend tracking across multiple tests over time
  • To respond to your enquiries and provide customer support
  • To send transactional emails (order confirmations, shipping updates, result notifications)
  • To send marketing communications, but only with your express consent, and you can withdraw consent at any time
  • To improve our service, website, and customer experience
  • To meet our legal obligations (record retention under TGA, health records legislation, tax law)

Who we share your information with

We share your information only with the third parties listed below, and only to the extent necessary for the purposes described above.

Service providers and partners

  • Masdiag (analytical partner): we share your sample, sample identifier, and identity information (name, DOB, sex) with Masdiag for laboratory analysis
  • Shopify: our e-commerce platform, payment processor, and email service provider. Shopify processes order, payment, and customer data on our behalf
  • Australia Post: for kit shipping and reply-paid returns. We share your postal address and order reference
  • Email service providers: for transactional and marketing emails (where you have consented)
  • Cloud storage providers: we store your test history and account information using secure cloud infrastructure (located in Australia where reasonably practicable)

As required by law

We may disclose your information if compelled to do so by Australian law, court order, or government request, including but not limited to:

  • Subpoena, search warrant, or other legal process
  • Required reporting under public health legislation
  • Australian Tax Office requests for transaction records
  • TGA post-market surveillance requirements for our registered medical device

We will not disclose your health information for any other purpose without your consent unless required by law or to prevent serious harm to you or another person.

By purchasing a test or using our service, you consent to this cross-border disclosure of your information for the purposes described in this Privacy Policy.

How we protect your information

  • All website traffic is encrypted using TLS/SSL
  • Payment data is handled by PCI-DSS compliant payment processors — we never see or store your full card details
  • Sample identifiers use barcodes rather than your name, so lab personnel processing your sample do not see identifiable personal information without authentication
  • Access to your health information is restricted to authorised personnel on a need-to-know basis
  • Our cloud infrastructure uses encrypted storage and authentication controls
  • We have a data breach response plan and will notify affected individuals and the Office of the Australian Information Commissioner if a notifiable data breach occurs, as required by the Privacy Act

How long we keep your information

  • Order and account information: for as long as your account is active, and for 7 years after your last order to meet tax and consumer protection record-keeping requirements
  • Health information and test results: retained for at least 7 years from the date of the test, in accordance with medical record retention obligations under Australian health records legislation
  • Marketing communications data: until you withdraw consent or unsubscribe
  • Website analytics: typically 24 months in aggregated form

After these retention periods, we will securely delete or de-identify your information.

Your rights

Under the Privacy Act, you have the following rights regarding your personal information:

  • Right of access: you can request a copy of the personal and health information we hold about you. We will respond within 30 days
  • Right of correction: you can request that we correct any inaccurate, out-of-date, incomplete, or misleading information
  • Right to withdraw consent: you can withdraw consent to marketing communications at any time by clicking unsubscribe in any marketing email, or by contacting us. Withdrawal of consent does not affect processing that occurred before withdrawal
  • Right to lodge a complaint: if you believe we have breached your privacy rights, you can complain to us first (see "Contact us" below). If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992

Note: there are some limited circumstances where we may not be able to provide access or correction, for example where doing so would be unlawful, frivolous, or would compromise another person's privacy. We will explain our reasons if this applies.

Marketing and direct communications

We only send marketing communications if you have given us explicit consent (typically by subscribing to our newsletter or ticking a marketing consent box at checkout). Every marketing email we send includes a clear unsubscribe link.

Transactional communications (order confirmations, shipping updates, your test results) are not marketing; these are necessary parts of providing the service you purchased, and we will send them regardless of your marketing preferences.

Cookies

Our website uses cookies to provide essential functionality (such as your shopping cart) and to understand how visitors use the site so we can improve it. You can control or block cookies through your browser settings, though blocking some cookies may affect site functionality.

Children and minors

Our service is intended for adults (18 years and older). We do not knowingly collect personal information from anyone under 18 without the consent of a parent or guardian.

Parents or guardians may purchase a test kit for a child or young person under 18 in their care. In doing so, you are providing health information about a minor and consenting on their behalf to the testing and the processing of that information. We will deal with the parent or guardian as the contact point for results and account management.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our service, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by email (if you have an account) or by prominent notice on our website. The "Last updated" date at the top of this policy will always reflect the most recent revision.

Contact us

If you have questions about this Privacy Policy, want to exercise your rights under the Privacy Act, or wish to make a privacy complaint, please contact us:

Vitamin D Test
Email: hello@vitamindtest.com.au
Postal: PO Box 2080, Oak Park, VIC 3046, Australia