Privacy Policy
Effective date: 19 June 2026. Last updated: 24 June 2026.
The short version
We are a family-owned Australian business. We take your privacy seriously. Here is what is true in plain language:
- What we collect: your name, contact details, delivery and billing address, payment details, the products you order, and your dealings with our team.
- Why we collect it: to send you your order, run your account, answer your questions, handle business and account customers, and send you the emails you have signed up to receive.
- Health information: we do not run a clinical service and we keep no medical or clinical records. We never ask you for health details. Some products, like wound care, continence or mobility, can reveal a health condition, so we treat that order record as health information, hold it only to supply what you asked for, and do not profile it. More in the health section below.
- Who we share it with: the companies that help us run the shop and deliver your order (our e-commerce platform, our payment processor, our Sydney fulfilment centre, our delivery carriers). When we run advertising, we share email addresses in scrambled form with Google so it can build similar audiences; on Meta we currently only retarget visitors who have already been to our site and measure through a pixel. Full detail in the sharing section below.
- What we do not do: we do not sell your information, and we do not build a health profile from what you buy.
- Your rights: you can ask to see, change, or delete most information we hold about you. Email us at privacy@firstaiddistributions.com.au.
- If something goes wrong: tell us first (privacy@firstaiddistributions.com.au). If we cannot sort it out, you can take it to the OAIC at oaic.gov.au.
The full policy below sits underneath this summary if you want the detail.
Quick navigation
- Who we are
- What we collect
- Sensitive and health information
- NDIS participants and government identifiers
- Business, school, aged-care and wholesale account customers
- KitCheck accounts
- Buying in our Bendigo store
- Who we share it with
- Your rights and how to exercise them
- Cookies, tracking and analytics
- How to make a complaint
- Compliance map for solicitors
This privacy policy explains how First Aid Distributions collects, uses, stores, and shares your information when you visit our website, buy our products, set up an account, or interact with us. We have written it in plain Australian English so you can read it in one sitting.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles. We collect your contact and delivery details and the products you order. We do not ask you for health details and we keep no clinical records. Because some of what we sell is health-related, an order can reveal a health condition, and where it does we treat that order record as health information (see the health section). This policy operates on the basis that the Australian Privacy Principles apply to us in full. We do not rely on any small-business exemption.
If you think we have handled your information in a way that does not match this policy, let us know at privacy@firstaiddistributions.com.au. If we cannot resolve it together, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Who we are
First Aid Distributions is owned and run by Australian First Aid Distributions Pty Ltd (ACN 153 377 185, ABN 54 153 377 185), trading as First Aid Distributions, a family-owned Australian business based at 205 Murphy Street, East Bendigo VIC 3550. First Aid Distributions is the parent brand of the AFAD group. This policy covers the First Aid Distributions website and the dealings described in it. Our other brands run their own websites with their own privacy policies.
When this policy says “we”, “us”, or “our”, we mean Australian First Aid Distributions Pty Ltd (ACN 153 377 185, ABN 54 153 377 185), trading as First Aid Distributions. When it says “you”, we mean any person whose information we hold or who interacts with our website, our products, or our team.
You can contact us about anything in this policy at:
- Email: privacy@firstaiddistributions.com.au
- Phone: 03 5443 2239
- Post: Australian First Aid Distributions Pty Ltd (ACN 153 377 185, ABN 54 153 377 185), trading as First Aid Distributions, 205 Murphy Street, East Bendigo VIC 3550
Privacy at First Aid Distributions sits with a single named role we call the Privacy Contact. The Privacy Contact is the role responsible for handling privacy enquiries and complaints, overseeing access and correction requests, and leading our response if a data breach is suspected. We are a family business, so we do not carry a dedicated Privacy Officer in the large-corporate sense, but accountability for privacy is held at director level and the Privacy Contact reports to our director. You reach the Privacy Contact at privacy@firstaiddistributions.com.au, and we respond within reasonable timeframes.
What we collect
Different parts of your dealings with First Aid Distributions involve us collecting different information. We have broken it down by what we collect and when, so you can see clearly what is happening at each point.
At each point where we collect information directly from you (checkout, account creation, newsletter sign-up, a business or account application, and customer-service forms) we provide a short collection notice that links back to this policy. That notice tells you who is collecting the information and why, and this policy fills in the detail. Together, those notices and this policy are how we meet our notification obligation under Australian Privacy Principle 5. If you do not give us the information we need (for example, delivery and contact details), we may not be able to fulfil your order or provide the service you have asked for. The countries to which we disclose information are set out in “Where your information is stored” below.
When you browse our website without buying:
- Your IP address and approximate location (city or region level), via standard web analytics
- Your browser type, device type, and operating system
- The pages you visit on our site, the time you spend on them, and where you came from (referring website)
- Cookies and similar technologies that store small text files on your device (see the cookies section)
When you create an account:
- Your name (first and last)
- Your email address
- Your phone number (used for delivery notifications and customer service)
- Your delivery address and billing address
- Your account password (stored as a hashed value, not in plain text)
When you place an order, online or in our Bendigo store:
- The products you have bought, including quantities, sizes, and any product variants
- Your delivery instructions
- Your order history and invoice records
- Your payment confirmation (we do not see or store your full card number; this is handled by Shopify Payments, which also provides Shop Pay; see the sharing section)
The data we hold from an order is the products you bought, the transaction, and the delivery and invoice records. It is not a clinical record or a health file.
When you contact our customer service team:
- The content of your message (email, phone notes, web form, or live chat)
- Any photos or attachments you send (for example, a photo of a damaged product)
- Records of how we resolved your enquiry, including returns and refunds
When you fill out forms on our website:
- The information you provide in those forms (for example, an account application, a product enquiry, or a competition entry)
When you sign up for our newsletter or email program:
- Your email address and name
- Your engagement with the emails (opens, clicks, unsubscribes), used to send you content that is actually relevant rather than blanket-broadcasting
- Your FAD Rewards loyalty activity, if you join our rewards program
When you write a product review:
- Your name (first name and last initial only are published)
- Your email address (not published)
- The content of your review, your rating, and any photos you submit
When you enquire about or set up a business, school, facility or wholesale account:
- The contact person's name and role
- The business, school, or organisation name and address
- The ABN where relevant
- Account, order-history and any credit-application details
When you provide an NDIS number for invoicing:
- An NDIS participant number, where it is provided so we can invoice through the NDIS funding pathway
We treat any NDIS number strictly as a government identifier for invoicing. We do not hold the NDIS plan or any disability or support information behind it. See the NDIS section.
When you use a KitCheck account:
- Your KitCheck login details
- The kit-register information you enter and manage in the software
When you apply for a job with us:
- Your name and contact details, your resume, your work history and references
- Reference or background checks only with your express consent given before the check, where relevant to the role
We do not collect more than this. If we change what we collect, this policy will be updated and you will be told (see the changes section). Importantly, we do not collect or hold medical records, clinical notes, health histories, adverse-event clinical files, or NDIS plans.
Sensitive and health information
We collect your contact and delivery details and the products you order. We do not ask you for health details, we do not record diagnoses or health histories, we keep no medical or clinical records, and we do not run a clinical service.
Some of the products we sell are health-related, for example wound care, continence, or mobility. An order for one of these can reveal a health condition, so where it does we treat that order record as health information. We collect it for one reason only: you asked us to supply that product. We collect it directly from you and hold only what is reasonably necessary to fulfil and support your order. We do not seek the health reason behind a purchase, and we do not build a health profile from what you buy or use your purchases to target advertising at you. We use your order only to supply it and to provide the related service of fulfilment, returns, and support.
If you mention a health reason for a purchase in a call or email, we do not need it and we do not record it as a health file. Where we receive information we did not need, we assess it and destroy or de-identify it where it is not needed for our dealings with you.
We are based in Victoria. To the extent any information we hold is health information, we handle it consistently with the Health Privacy Principles under the Health Records Act 2001 (Vic).
NDIS participants and government identifiers
Some of our customers are NDIS participants, or are support coordinators ordering on a participant's behalf. First Aid Distributions (Australian First Aid Distributions Pty Ltd (ACN 153 377 185, ABN 54 153 377 185), trading as First Aid Distributions) is a registered NDIS provider, registered to supply assistive products for household tasks and assistive products for personal care and safety. We supply products. We are not a clinical or therapeutic support provider and we hold no clinical or care records. We can invoice for participants whose plans are self-managed, plan-managed, or NDIA-managed. We collect an NDIS participant number where we need it to invoice through the NDIS funding pathway.
We treat that number only as a government-related identifier for invoicing. We do not adopt it as our own customer identifier and we do not use it as an account key in any of our systems. We disclose it only where we are permitted to, which here means to the National Disability Insurance Agency or a plan manager so the order can be invoiced through the funding pathway. We do not hold the NDIS plan behind it.
Whether a particular product is a claimable support under a plan is a decision for the participant and their plan manager, not us. We do not advise that a product can be claimed.
Where a support coordinator, carer or family member orders on someone's behalf, we act on their instruction and treat the person's information accordingly. The participant remains free to choose any supplier.
We do not hold the NDIS plan, the funded support categories, or any disability or support information behind the number. Our registration as an NDIS provider is not an endorsement: we are not endorsed by or affiliated with the NDIA.
We do not collect Medicare numbers.
Business, school, aged-care and wholesale account customers
Many of our customers are organisations: workplaces meeting first aid obligations, schools, aged-care facilities, and wholesale and Partner Program customers.
For these accounts we collect the contact person's name and role, the business, school or facility name and address, the ABN where relevant, and account, order-history and any credit-application details. Where a facility orders on behalf of residents, we hold the facility's and the staff member's contact and order details. We do not collect or hold resident clinical or care records.
We use this information to set up and run the account, process and fulfil orders, invoice, and provide account support. Where a contact person has opted in or would reasonably expect it in a business context, we may send relevant updates, with an opt-out in every message.
KitCheck accounts
KitCheck is our proprietary kit-management software, provided to eligible customers as a free annual subscription. It is customer-operated: you log in and manage your own kits. It is not a managed service run by our staff.
When you use KitCheck we hold your login details and the kit-register information you enter and manage in the software. We use this to provide the software and support your use of it. KitCheck access does not change how the rest of your information is handled under this policy.
Buying in our Bendigo store
You can buy from us in person at our East Bendigo warehouse and retail counter. For a simple over-the-counter purchase you do not need to give us your details. Where you ask for an invoice, place a special order, or buy on an account, we collect the contact and order details we need for that, and they are handled under this policy in the same way as an online order.
Why we collect it
We collect information for these purposes only:
To run the shop and your account. Processing orders, sending products, handling returns, managing your account, and serving our Bendigo store customers.
To provide customer service. Answering your questions, fixing problems, processing refunds and returns.
To run business, school, facility and wholesale accounts. Setting up accounts, invoicing, account support, and processing NDIS-funded invoices where relevant.
To provide KitCheck. Setting up and supporting KitCheck accounts.
To improve our products and our website. Understanding how customers use our site and which products and content help. We aggregate this data to make decisions; we do not single you out.
To send you communications you have asked for. Order confirmations, delivery updates, and (only if you have opted in) marketing emails and rewards updates.
To recruit. Assessing job applications.
To comply with our legal obligations. Tax and consumer-law obligations, and responding to regulatory or law-enforcement requests where legally required.
To protect our business and your security. Preventing fraud, detecting unauthorised account access, and responding to security incidents.
We do not collect information for any purpose not listed here. We use or disclose your personal information only for the purpose it was collected for, except where you consent or you would reasonably expect a directly related secondary use. We will only use your information for a purpose you would reasonably expect, or we will ask for your consent first.
First Aid Distributions is the parent brand of the AFAD group, which trades through one company (Australian First Aid Distributions Pty Ltd (ACN 153 377 185, ABN 54 153 377 185), trading as First Aid Distributions) and also runs sibling brands. We do not share your personal information with the other brands in the AFAD group for their own marketing without your consent.
How we use automated processing
We use automated processing in some parts of our service. We are explicit about this.
Where we use it:
- Email content selection. Our email platform chooses which marketing email content to send based on what you have bought, what you have engaged with, and which lifecycle stage you are in (for example, new customer or lapsed customer).
- Email timing. Some email flows send you content at preset intervals. The timing and content are chosen by rules we have set, not individually by a person.
- Audience modelling for advertising. When we run ads on Google, we sometimes share email addresses in scrambled (hashed) form so the platform can build audiences for us. On Meta we are not currently running this kind of audience prospecting; our Meta activity is retargeting visitors who have already been to our site, plus measurement through the pixel. If we resume audience prospecting on Meta, this policy will say so.
Where we do not use it:
- Pricing. All customers see the same prices. Automation does not adjust your prices based on your data.
- Product availability. All customers see the same products. Automation does not restrict what you can buy.
- Account approval. Whether we accept your account or order is not decided by automation.
- Service decisions. A real person answers customer service queries. Automation does not approve or deny refunds, returns, or service decisions.
- Building profiles from purchases. We do not build a health profile from what you buy, and we do not single you out for advertising because of the health-related nature of a product you have bought.
Forward-looking note. From 10 December 2026, the Privacy Act will require Australian businesses to disclose specific kinds of automated decision-making that have a legal or similarly significant effect on individuals. The automated processing we currently use does not have a legal or similarly significant effect on you: it is content selection and ad targeting, not decision-making about your access to products or services. When the new requirement commences, we will review this section and update it if anything we do falls within scope.
If you have specific questions about how automated processing applies to your data, email privacy@firstaiddistributions.com.au.
Who we share it with
We share your information only with parties who help us run our business, and only the information they actually need. We do not sell your information. Where we share information with third parties, we do so only in line with the disclosures in this section and only for the purposes set out here.
The parties we share information with fall into these categories:
Our e-commerce platform (Shopify). Shopify hosts the store, your account, your orders, and the checkout. It is based in Canada with data centres in several jurisdictions including the United States.
Our payment processor (Shopify Payments, which also provides Shop Pay). Card payments are processed and tokenised by Shopify Payments (which also provides Shop Pay). We do not see or store your full card number.
Our email and marketing platform (Klaviyo). Klaviyo sends our customer emails and stores your engagement data. It is based in the United States.
Our review platform (Judge.me). Judge.me manages product reviews on our site. It is based in Canada.
Google (Google Analytics 4 and Google Ads). Google Analytics provides aggregated and pseudonymous data about how visitors use our site, used for our reporting. Google Ads helps us deliver advertising and measure conversions. Both are operated by Google, based in the United States.
Meta (Facebook and Instagram). We currently use Meta to retarget visitors who have already been to our site and to measure ad performance through a pixel. We are not currently sharing customer email audiences with Meta for prospecting. If that changes, we will share email addresses only in hashed form and will update this policy.
What hashing means in plain language: when we say “email addresses in hashed form”, we mean we convert your email into a one-way scrambled value before sharing it, so we never hand over your email in readable form. The platform uses that scrambled value to build advertising audiences. We do this so we can advertise without giving the platform your email address in a form it can read.
Our rewards platform (Smile.io). If you join FAD Rewards, our loyalty platform holds your name, email, and loyalty activity. It is based in Canada.
Our Sydney fulfilment centre. Our national online orders are fulfilled from our Sydney fulfilment centre, which receives your name, delivery address, phone number, and order details so it can pick, pack, and ship your order. It is based in Australia.
Australia Post and other delivery carriers. They receive your delivery address, phone number, and delivery instructions so they can deliver your parcel. Delivery carrier data is held in Australia.
Our operational systems. We use a small set of business systems that may hold personal information in the course of running the business: our inventory system, our accounting software (Xero, for invoicing, especially business and NDIS-invoiced orders), our document and email storage (Google Workspace, where customer emails are stored), our project-management tool, and our team-communications tool. These systems are located in Australia and overseas, mainly the United States; the cross-border section sets out where your information is stored.
Our advertising agency. Our paid-media agency manages our advertising accounts and has access to the advertising-platform data and audiences involved.
Our developer and freelancers. Our developer and design or content freelancers may have access to our systems while doing development or support work, which can expose personal information in the course of that work. They are bound by confidentiality.
Our accountants, lawyers, and other professional advisers. Where they need access to limited information for advice or compliance work. They are bound by confidentiality.
Government and regulatory bodies. Where we are legally required to disclose information (for example, tax, consumer-law enforcement, court orders, or law enforcement).
We require all of these parties to handle your information securely and in line with their own privacy obligations and the Australian Privacy Principles, where applicable. We work to put written data-protection terms in place with the third parties that handle personal information for us, and we rely on the data-protection commitments in our service agreements with them (see the next section). If we add new parties that handle your information, we will update this policy.
Where your information is stored
Some of your information is stored on servers in Australia, and some is stored on servers overseas (mostly the United States and Canada, and in limited cases other countries where our developer or freelancers work).
Stored in Australia: customer service notes, our internal records, and our Sydney fulfilment centre data.
Stored overseas (mostly the United States and Canada): our e-commerce platform data, payment data with Shopify Payments (which also provides Shop Pay), email and engagement data, review data, Google analytics and advertising data, Meta retargeting and pixel data, and our rewards data. Our document and email storage, our project-management tool, and our team-communications tool are based in the United States, and our accounting and inventory systems may store data in Australia or overseas. Where our developer or freelancers work outside Australia, their access to our systems can involve a cross-border disclosure to the countries they are based in.
What this means for you (in plain language). Storing data overseas is normal for businesses that use modern cloud-based services. When your data sits overseas it may be subject to the laws of that country, which can differ from Australian law. We remain accountable to you under Australian law (Australian Privacy Principle 8 and section 16C of the Privacy Act) for how overseas recipients handle it. Your Australian rights to access, correct, and delete your information do not change.
How we manage the cross-border risk. Australian Privacy Principle 8 requires us to take reasonable steps to ensure that overseas recipients of your personal information handle it consistently with the Australian Privacy Principles. We take those steps, including by relying on the data-protection commitments in our service agreements with overseas recipients. If a recipient breaches those terms, we remain accountable to you under section 16C of the Privacy Act, and we deal with the breach through our incident-response process (see the security section).
There is a mechanism in the Privacy Act for the Government to approve overseas countries as having substantially similar privacy protection. As at the date of this policy no countries have been approved under that mechanism, so we rely on the contractual reasonable steps described above; if an approved-country list is published we will review this section.
If you have specific concerns about overseas data handling, please email us and we will explain how a particular provider handles your information.
Cookies, tracking, and analytics
When you visit our website, we use cookies and similar technologies. Cookies are small text files stored on your device that help our site work properly and help us understand how you use it.
We run a cookie consent banner on our site. When you first arrive, the banner asks for your choice before any non-essential cookies or tags fire. You can accept all cookies, or reject all non-essential cookies, with equal prominence: the reject path is a genuine one-click choice, not buried behind extra steps. Strictly necessary cookies still run because the site cannot work without them, but our analytics and marketing cookies, and the tags that depend on them, stay off until you accept them. We record your choice and apply it on your return visits.
You can change your mind at any time. A persistent cookie-settings link sits in the footer of every page. Open it to review your choice and turn analytics or marketing cookies on or off whenever you like. Updating your choice there takes effect straight away.
Strictly necessary cookies. These are essential for the site to function. They remember your cart contents, keep you logged in, and process your purchase. We cannot operate without them, so they are not controlled by the consent banner and you cannot disable them while continuing to use the site.
Analytics cookies. These collect aggregated and pseudonymous information about how you use our site (which pages you visit, how long you spend, where you came from), used for our reporting. The main analytics provider we use is Google Analytics 4. These cookies fire only after you accept them through the consent banner, and you can withdraw that consent at any time through the footer cookie-settings link. You can also opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on (tools.google.com/dlpage/gaoptout).
Marketing cookies. These remember whether you have visited our site so we can show you relevant First Aid Distributions ads on platforms like Google, Facebook, and Instagram. They fire only after you accept marketing cookies through the consent banner, and you can withdraw that consent at any time through the footer cookie-settings link. You can also manage them using your browser's cookie controls, the Google Ads opt-out tools, and the ad-preference settings on Google, Facebook, and Instagram.
Account and personalisation cookies. When you log into your account, cookies remember your settings. These are used only for the purposes you have consented to.
Marketing communications
We only send you marketing communications if you have opted in.
When you have opted in. You receive emails about new products, promotions, content from our team, and (if you have joined) rewards updates. You can unsubscribe at any time using the link at the bottom of every email, or by emailing privacy@firstaiddistributions.com.au.
Order-related emails. You receive transactional emails about your orders, deliveries, and account changes regardless of marketing opt-in. These are not marketing; they are necessary for the service you have bought. If you unsubscribe from marketing, you still receive transactional emails.
Marketing and what you buy. Our marketing is based on your having opted in. We do not build a health profile from what you buy, and we do not single you out for marketing because of the health-related nature of a product you have bought. Where a purchase could reveal a health condition, we do not use that purchase for marketing unless you have separately consented.
Business contacts. Where you are a business contact, we may send relevant updates in a business context, with an opt-out in every message.
Spam Act and Do Not Call. Our email marketing complies with the Spam Act 2003 (Cth): we send it with consent, we identify ourselves, and every message has a working unsubscribe. We do not currently run SMS or telephone marketing. If we add either in the future, we will request opt-in first, comply with the Spam Act for SMS, and comply with the Do Not Call Register Act 2006 (Cth) for any phone marketing.
How we keep your information secure
We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Australian privacy law expects both technical and organisational measures, and we maintain both.
Technical measures.
- Encrypted connections across our website and account portal
- Account passwords stored as hashed values, not in plain text
- Payment information handled and tokenised by our payment processor; we never store full card details
- Access controls so that information is reachable only by those who need it
- Backups, managed through our hosting and platform providers
Organisational measures.
- Access control. We give access to customer information only to team members who need it for their work, on a least-privilege basis, and we review that access when team members change roles.
- Privacy awareness. Team members with access to customer information are made aware of their privacy obligations and are reminded of them.
- Vendor management. We choose third parties that handle personal information with privacy in mind, and we work to put written data-protection terms in place with them.
- Incident response. We maintain an incident-response process that engages our Privacy Contact for any suspected unauthorised access, loss, or disclosure, with an assessment pathway under the Notifiable Data Breaches scheme (see the next section).
- Governance. Privacy management is a standing responsibility of our Privacy Contact, reporting through to our director.
- KitCheck data. KitCheck account data is handled within these same access and vendor controls.
We also destroy or de-identify personal information once we no longer need it for any purpose, subject to legal retention requirements (see “How long we keep your information”).
No system is perfectly secure. If we ever discover a breach that affects your information, we will notify you and the OAIC in line with the Notifiable Data Breaches scheme (see the next section).
Notifiable Data Breaches
We take the Notifiable Data Breaches scheme seriously. Under Part IIIC of the Privacy Act, we must notify affected individuals and the OAIC if there is unauthorised access to, disclosure of, or loss of personal information that we hold, where this is likely to result in serious harm to the individual, and we have not been able to prevent that likely harm through remedial action.
How we assess. If we suspect a breach, we will:
- Begin assessment promptly after we suspect a breach
- Complete the assessment within 30 days (the maximum permitted under section 26WH of the Privacy Act); we will work to complete it sooner where the facts allow
- Apply a documented assessment process: who is affected, what information was involved, what harm could result, and what remedial action is possible
Factors we consider in assessing whether a breach is eligible:
- Whether unauthorised access, disclosure, or loss of personal information has occurred
- The kind and quantity of information involved (more sensitive categories, including financial details and information capable of enabling identity-related harm, weigh towards eligibility)
- The number of individuals affected
- Whether the information was protected by encryption, access controls, or other security measures that reduce the practical risk of harm
- The nature of any onward access or disclosure (for example, a single accidental misdirection versus systemic exposure)
- Whether remedial action has been or can be taken before serious harm occurs
- Whether a third-party service provider that handles our customer information has experienced a breach affecting our customers
What we will do if we determine a breach is eligible:
- Prepare a statement and notify the OAIC as soon as practicable after we form the view that an eligible breach has occurred
- Notify affected customers as soon as practicable after that; we do not wait out the 30-day window once we have reached that view
- Explain what happened, what information was involved, what we are doing about it, and what you can do to protect yourself
- Provide a contact for affected customers to ask questions
For the OAIC's guidance on this scheme, see oaic.gov.au/notifiabledatabreaches.
How long we keep your information
We keep your information only for as long as we need it for the purposes set out in this policy, or for as long as the law requires.
| Category | How long we keep it |
|---|---|
| Active account information | While your account is active |
| Account profile data after account closure (name, address, password hash, preferences) | 24 months from account closure, then deleted |
| Order and transaction records (required for tax and consumer law) | 7 years from the date of transaction |
| Customer service correspondence | 3 years from the last interaction |
| Business, school, facility and wholesale account records | While the account is active, then per tax and consumer-law obligations |
| KitCheck account and kit-register data | While the KitCheck account is active |
| Marketing email subscription data | While you remain subscribed, plus 30 days after unsubscribe |
| Aggregated and pseudonymous analytics data | 26 months |
| Backup and archive data | Up to 90 days after live deletion |
| Unsuccessful job applicant data | 12 months from the recruitment decision |
Once a retention period ends, the data is deleted or de-identified. When we de-identify data, we will follow current OAIC de-identification guidance, which involves stripping direct identifiers and reducing the risk of re-identification through combination.
If a legal obligation (for example, an active dispute, a regulatory request, or an unresolved legal claim) requires us to keep specific information longer, we keep it only as long as that obligation requires.
Your rights and how to exercise them
Under the Privacy Act 1988 and the Australian Privacy Principles, you have the right to:
Access your information. You can ask us what information we hold about you. The law requires us to respond within a reasonable period, and our service commitment is to respond within 30 days. We do not charge a fee to make an access request. To request access, email privacy@firstaiddistributions.com.au with the subject line “Privacy access request” and we will guide you through the process. In limited cases the law allows us to decline access, for example where giving access would pose a serious threat to someone's life, health, or safety; this is rare and we would explain it.
Correct your information. If something we hold about you is wrong (a misspelled name, an outdated address, an incorrect order), let us know and we will fix it. You can also correct most account details yourself from your account page. We also take reasonable steps of our own to keep your information accurate and up to date, including prompting you to confirm delivery details at checkout, processing bounces and unsubscribes to keep our marketing lists current, and updating records when corrections are notified.
Request a statement of disagreement. If you think we hold information about you that is incorrect, out of date, incomplete, irrelevant, or misleading, and we do not agree to correct it, you can ask us to attach a statement of your view to the record. This is your right under APP 13.
Withdraw consent for marketing. Unsubscribe at any time from any marketing email, toggle marketing preferences in your account, or email us to opt out of all marketing.
Request deletion of your information. You can ask us to delete information we hold about you. We will delete it where we can. There are some categories we cannot delete (transaction records we are legally required to retain, ongoing dispute records), and we will explain why we have kept those. To request deletion, email privacy@firstaiddistributions.com.au with the subject line “Privacy deletion request”.
Make a complaint. If you think we have handled your information incorrectly, see the complaints section.
Direct contact. For all of the above, we prefer email (privacy@firstaiddistributions.com.au) so there is a written record. If you would rather call, our number is 03 5443 2239.
Children
First Aid Distributions is not a children's brand and we do not market to children. We do not knowingly collect information directly from people under 18, and we do not knowingly accept account registrations from people under 18. Any detail about a child that reaches us (for example, in a customer service exchange) is provided by an adult account holder, not by the child.
If you become aware that a child has provided us with information without an adult's authorisation, please contact us at privacy@firstaiddistributions.com.au and we will delete that information.
Forward-looking note. The OAIC is currently developing a Children's Online Privacy Code. It has limited relevance to us, but for completeness: when the Code is issued and commences, we will review this policy and update it if required.
Job applicants
If you apply for a role with us, your application is fully covered by the Privacy Act. The Act's exemption for employee records does not apply to job applicants.
We collect your application, resume, work history, and references, and tell you why at the point of collection. We carry out reference or background checks only with your express consent given before the check, where relevant to the role. We keep unsuccessful applicants' information for a defined period and then delete it (see the retention section).
How to make a complaint
If you think we have handled your information incorrectly, please tell us first. We would rather fix it than have you escalate. Telling us first is not a precondition for going to a regulator: you can always go straight to the OAIC if you prefer.
Step 1. Email privacy@firstaiddistributions.com.au with the subject line “Privacy complaint”. Tell us what you think happened, when, and what you would like us to do.
Step 2. We will acknowledge your complaint within 5 business days and respond within 30 days. If we ever need longer than 30 days, we will tell you why and keep you updated.
Step 3. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Online: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
The OAIC is the primary regulator for a privacy complaint. Where your concern involves health information, the Health Records Act 2001 (Vic) and its Health Privacy Principles are a parallel regime, and you can also raise it with the Victorian Health Complaints Commissioner (hcc.vic.gov.au, 1300 582 113) as an additional pathway.
If your concern relates to our conduct as a registered NDIS provider, you can also contact the NDIS Quality and Safeguards Commission on 1800 035 544 or at ndiscommission.gov.au.
A regulator will usually want to see that you have already raised the issue with us first, but you are not required to.
Changes to this policy
We may update this policy from time to time as our practices evolve, our services change, or the law changes. We will:
- Update the “Last updated” date at the top of the policy
- For material changes (changes that affect what we collect, why we collect it, or who we share it with), take reasonable steps to tell you, which may include emailing registered customers and displaying a notice on our website for a period after the change
If you do not agree to a material change, you can close your account or unsubscribe at any time using the mechanisms in the rights section.
We keep a version log at the bottom of the page so you can see what has changed and when. We do not retire previous versions silently.
One last note
This policy is written in plain language on purpose. If something here is unclear, please email us. Privacy law is technical and we would rather explain than have you guess. We would also rather hear that something here is not working than have you stop dealing with us over a privacy concern we could have resolved.
Thanks for reading this far.
The First Aid Distributions team
Australian Privacy Principles compliance map (for solicitors and regulators)
| Australian Privacy Principle | Where addressed in this policy |
|---|---|
| APP 1: Open and transparent management of personal information | Whole policy; contact details in “Who we are”; no reliance on small-business exemption stated in the intro |
| APP 2: Anonymity and pseudonymity | “Buying in our Bendigo store” (anonymous over-the-counter purchase) and the ability to make a general enquiry without identifying yourself. Browsing analytics are pseudonymous, not anonymous, and are dealt with under the notification and cookies sections (APP 1 and APP 5) rather than relied on for APP 2 |
| APP 3: Collection of solicited personal information | “What we collect” (commerce data only: contact, delivery and the products ordered); “Sensitive and health information” (we do not solicit health information and hold no clinical records; where an order in a clinical category reveals a health condition we treat that order record as health information by inference and state the collection basis, collection from the individual and reasonably necessary to fulfil the order the customer initiated); “Job applicants” |
| APP 4: Dealing with unsolicited personal information | “Sensitive and health information” (incidental health detail assessed and destroyed or de-identified where not needed) |
| APP 5: Notification of the collection of personal information | “What we collect” (a short collection notice at each collection point links back to this policy; consequence of not providing information stated) and “Why we collect it”; overseas disclosure set out in “Where your information is stored” |
| APP 6: Use or disclosure of personal information | “Why we collect it” (purpose limitation; general statement that information is used only for the purpose collected or a reasonably expected directly related secondary use; no AFAD cross-brand marketing without consent); “How we use automated processing”; “Who we share it with” (sharing limited to listed parties); no secondary use of order data beyond the stated purposes |
| APP 7: Direct marketing | “Marketing communications” (opt-in only; unsubscribe in every message; Spam Act and Do Not Call alignment; no health profile built from purchases and no singling out for marketing by the health-related nature of a product) |
| APP 8: Cross-border disclosure of personal information | “Where your information is stored” (overseas storage disclosed; reasonable steps via the data-protection commitments in service agreements; section 16C accountability; offshore developer and freelancer access noted; no approved-country list relied upon) |
| APP 9: Adoption, use or disclosure of government-related identifiers | “NDIS participants and government identifiers” (NDIS number collected for invoicing only and treated solely as a government identifier, never as our own identifier; no NDIS plan or support data held; Medicare numbers not collected) |
| APP 10: Quality of personal information | “Your rights” (correction; the proactive data-quality statement that FAD takes reasonable steps of its own to keep information accurate, including checkout confirmation, bounce/unsubscribe processing and record updates); “Marketing communications” (list hygiene); account self-service |
| APP 11: Security of personal information | “How we keep your information secure” (technical and organisational measures, engaging the post-Tranche 1 clarification); “Notifiable Data Breaches”; “How long we keep your information” |
| APP 12: Access to personal information | “Your rights” (access request mechanism, no fee; 30-day response framed as a service commitment within the statutory reasonable-period requirement, not as the statutory deadline; limited statutory exceptions noted, such as a serious threat to life, health or safety). Because we hold no clinical records, a health-specific access exception is unlikely to apply in most cases |
| APP 13: Correction of personal information | “Your rights” (correction mechanism and statement of disagreement) |
Notifiable Data Breaches scheme (Part IIIC of the Privacy Act): the Notifiable Data Breaches section addresses the 30-day assessment window, serious-harm threshold, and OAIC plus affected-individual notification, on a factors-based assessment.
Health Records Act 2001 (Vic) and Health Privacy Principles: First Aid Distributions holds no clinical or medical records and runs no clinical service; it holds commerce data only (contact details and the products ordered). Where an order in a clinical product category (for example continence or wound care) reveals a health condition, that order record is treated as health information by inference under the Privacy Act (s6FA), and to the extent First Aid Distributions holds health information it handles it consistently with the Health Privacy Principles under the Health Records Act 2001 (Vic). The OAIC is the primary regulator. Where a complaint involves health information, the Victorian Health Complaints Commissioner is named as an additional complaint pathway.
NDIS: First Aid Distributions (Australian First Aid Distributions Pty Ltd (ACN 153 377 185, ABN 54 153 377 185), trading as First Aid Distributions) is a registered NDIS provider for assistive products for household tasks and assistive products for personal care and safety. It is a product supplier, not a clinical or therapeutic support provider, and holds no NDIS plan or clinical or support information. Registration is not an endorsement; First Aid Distributions is not endorsed by or affiliated with the NDIA. NDIS numbers are collected for invoicing only and treated under APP 9 as a government identifier. Whether a product is a claimable support is a decision for the participant and their plan manager. Complaints about our conduct as a registered NDIS provider can also go to the NDIS Quality and Safeguards Commission.
Privacy Act Tranche 1 reforms: the security section's technical-and-organisational split engages the post-Tranche 1 APP 11 clarification (in force 11 December 2024). The organisational measures (training awareness, vendor management, least-privilege access, incident response, governance) are the practical mitigation for the statutory tort of serious invasion of privacy (in force 10 June 2025). The automated-processing section includes a forward-looking note on the automated decision-making transparency commencement (10 December 2026). The cross-border section notes the approved-country mechanism exists but is not relied upon. The children's section includes a forward-looking note on the Children's Online Privacy Code in OAIC development.
Section 6D(4) exclusions: First Aid Distributions applies the APPs in full and does not rely on the small-business exemption, regardless of any potential exemption availability.
Version history
This policy was last updated 24 June 2026.
- Version 1.0 (effective 19 June 2026): Initial publication.
- Version 1.1 (20 June 2026): Clarified that our other AFAD brands run their own websites with their own privacy policies; this policy covers First Aid Distributions only.
- Version 1.2 (24 June 2026): Entity naming standardised; cookies and consent updated to reflect the live consent banner.
- Version 1.3 (24 June 2026): NDIS registered-provider wording corrected; APP 7.4 marketing-consent line; Victorian Health Records Act and NDIS Commission complaint pathways added.