Your privacy is important
Controller
Contact Details
If you have any questions about this Privacy Policy or our privacy practices, please contact our data privacy manager in the following ways:
Full name of legal entity: Microba Pty Limited ABN 30 628 603 225
Postal address: Level 10, 324 Queen Street, Brisbane, Queensland, 4000, Australia
Quality Manager, Microba Pty Limited,
GPO Box 469, Brisbane QLD 4001,
Phone: 1300 974 621, e-mail address: [email protected].
Our contact details for our EU Representative are as follows:
EU Representative: Scheja & Partners GmbH & Co. KG
EU Representative Contact address: Adenauerallee 136, 53113 Bonn, Germany
Tel: +49 228 227 226 0
Submit a privacy data request here: https://www.scheja-partners.de/en/contact/contact.html
Our contact details for our UK Representative are as follows:
UK Representative: FAO DPO, Invivo Healthcare
UK Representative Contact Address: The Coach House, 3 Lewiston Mill, Toadsmoor Road, Brimscombe, Stroud, Gloucestershire, GL5 2TE
Tel: 0333 241 2997
Submit a privacy data request here: [email protected]
Scope of Privacy Policy
This Privacy Policy explains and describes:
- When this Privacy Policy applies.
- How we collect your personal data.
- The legal basis for usage of your personal data.
- How we use the personal data we collect.
- How and when we may disclose personal data that we collect.
- What happens if your personal data is transferred overseas.
- How long we hold your personal data.
- How we protect your personal data and keep it secure.
- What cookies are and how we use them.
- What happens when you access third-party services and content.
- Your legal choices and rights.
- The status of this Privacy Policy and any changes that are made to it.
When this Privacy Policy applies
This Privacy Policy applies:
- to personal data we collect and process in connection with the delivery of microbiome testing and related services, including those services supplied to UK customers via Invivo Clinical Ltd;
- where you apply to us for a job or work placement;
- to your supply of services to us where this involves any personal data; and/or
- to any other personal data collected from third parties where Microba Pty Limited is the controller of such information.
This Privacy Policy additionally applies to our website and online services, including www.microba.com, discover.microba.com, healthcare.microba.com and education.microba.com and any other website, mobile app or other online service created or hosted by us from time to time on which this Privacy Policy appears (together, our “online services”) through which we may collect certain details if, for example, you want to subscribe to newsletters, or tests and services offered by us.
Please note that our online services make use of cookies and similar technologies, as described in more detail in the Cookies section below.
Kinds of personal data we collect
‘Personal data’ means any information that identifies you or could reasonably identify you. It does not include data where your identity has been permanently removed (anonymous information).
We collect and process personal data about customers and potential customers, healthcare practitioners, contractors, job applicants and other individuals who interact with us.
Depending on how you interact with Microba, we may collect, use, store and process the following categories of personal data:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
- Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us, your communication preferences, and information relating to how you interact with our marketing campaigns, websites and advertisements.
Special category / sensitive information
Because of the nature of our services, we may also process certain categories of sensitive personal information.
For individuals in the UK and EEA, this may include “special category personal data” under UK GDPR / EU GDPR, such as:
- health data;
- microbiome data; and
- pathology-derived data (including biometric identifiers) obtained from biological samples and related questionnaires.
For individuals in Australia, this may include “sensitive information” under the Privacy Act 1988 (Cth), such as health information.
We do not intentionally collect other special category personal data (such as information about race or ethnicity, religious or philosophical beliefs, political opinions, trade union membership, or sex life or sexual orientation).
Where we process special category or sensitive personal data, we apply enhanced safeguards and rely on appropriate lawful bases and conditions under applicable data protection laws.
Aggregated Data
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from personal data but is not considered personal data where it does not identify you (directly or indirectly).
If we combine aggregated data with personal data so that it can identify you, we treat it as personal data and use it in accordance with this Privacy Policy.
Failure to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
How we collect your personal data
We use different methods to collect data from and about you including through:
- Direct Interactions. We will generally collect personal data about you directly from you, including:
  - where you have submitted a microbiome request, responded to our online survey(s) or questionnaire(s), or provided us with samples;
  - by way of forms and other documents or information that you submit to us (whether in paper or electronic form), correspondence you provide to us and telephone calls or meetings with you;
  - when you communicate with us via email or other channels;
  - when you sign up for or request that we send you newsletters, alerts, or other materials;
  - when you sign up for a webinar or event; and
  - when you respond to our communications or requests for information.
The main exception to this is where the data subject is a minor, in which case we will collect the relevant data directly from their parent or guardian.
- Third parties or publicly available sources. We may collect information from other sources, such as social media platforms that share information about how you interact with our social media content, and any information gathered through these channels will be governed by the privacy settings, policies, and/or procedures of the applicable social media platform, which we strongly encourage you to review.
We will handle any unsolicited information in accordance with law, including destroying or de-identifying such information where we are required to do so.
- Automated technologies or interactions. When you use our online services, we may collect details of visits made to our online services including, but not limited to, the volume of traffic received, logs (including, where available, the IP address and location of the device connecting to the online services and other technical information and identifiers about the device and the nature of the visit) and the resources accessed.
If you apply for a job or work placement with Microba, we will collect and process personal data relevant to your application. This typically includes your contact details, employment history, qualifications, skills, references and information you choose to provide as part of the recruitment process.
We use this information to assess your suitability for a role, manage the recruitment process, communicate with you, and comply with our legal and regulatory obligations as an employer. Our lawful bases for processing recruitment data include taking steps prior to entering into a contract, our legitimate interests in recruiting and managing our workforce, and compliance with applicable employment and regulatory laws.
Where required or permitted by law, we may carry out pre-employment checks (such as identity, right-to-work, professional registration or background checks). Any such checks will be conducted in accordance with applicable laws and only where relevant to the role.
We do not use recruitment data for automated decision-making. Further information about how we handle applicant data can be obtained by contacting us using the details in this Privacy Policy.
How we use your personal data
Where we intend to use your personal data, we rely on the following legal grounds:
- Performance of a contract: We may need to collect and use your personal data to enter into a contract with you or to perform a contract that you have with us. For example, provision of a microbiome test ordered by or for you, and where we respond to your requests and provide you with services in accordance with our Terms and Conditions or other applicable terms of business agreed with you or with your employing organisation.
- Legitimate interests: Where we consider use of your information as being (a) non-detrimental to you, (b) within your reasonable expectations, and (c) necessary for our own, or a third party’s legitimate purpose, we may use your personal data, which may include:
  - for our own direct marketing or continued communication;
  - the prevention of fraud;
  - our own internal administrative purposes;
  - personalisation of the service(s) we provide to you;
  - ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems; and/or
  - reporting possible criminal acts or threats to public security to a competent authority.
- Compliance with a legal obligation: We may be required to process your information due to legal requirements, including employment laws, tax laws and other regulatory provisions applicable to Microba as a provider of microbiome testing and related services.
- Consent: You may be asked to provide your consent in connection with certain services that we offer, for example in respect of any processing of your personal data for our marketing purposes where you or your employing organisation is not a client of Microba, or in respect of certain special categories of personal data such as your health or racial background for which we are legally obliged to gain your consent due to the sensitive nature of such information and the circumstances in which it is gathered or transferred. Where we are reliant upon your consent, you may withdraw this at any time by contacting us in accordance with the Contact Us section above; however, please note that we will no longer be able to provide you with the products or services that rely on having your consent. Where the data subject is a minor, any requisite consent will be obtained from their parent or guardian.
Purposes for which we use your personal data
We will only use your personal data where the law allows us to do so. The legal basis we rely on will depend on the purpose for which we are using your personal data and the relationship you have with us (for example, whether you are a customer, a practitioner, a participant in a research study, a supplier, or a job applicant).
For individuals located in the UK and EEA, our processing is carried out in accordance with the UK GDPR / EU GDPR. For individuals located in Australia, our handling of personal information is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we collect sensitive information (including health information), we will generally only do so with your consent unless an exception under Australian privacy law applies.
Special category data (health and microbiome data)
Some of the information we process in connection with our services is sensitive and is treated as “special category data” under the UK GDPR / EU GDPR (including health information and microbiome data).
Where we process special category data about UK/EEA individuals, we do so only where permitted by law and subject to appropriate safeguards. Depending on the service and the circumstances, this will typically be because:
- you have provided explicit consent; and/or
- processing is necessary for the provision of health services and related management and administration; and/or
- processing is necessary for scientific research or for reasons of public interest in the area of public health, where lawful.
Where Invivo Clinical Ltd is the data controller (for UK customers), Microba Pty Limited acts as Invivo’s data processor and processes personal data only on Invivo’s instructions and in accordance with the applicable data processing agreement and transfer safeguards.
Table: How we use your personal data and our lawful basis
Note: We may rely on more than one lawful basis depending on the specific circumstances. If you would like more information about the lawful basis we rely on for a particular activity, you can contact us using the details in this Privacy Policy.

| Purpose/Activity | Type of Data | Lawful basis (UK GDPR / EU GDPR) & justification | APP basis/justification |
| --- | --- | --- | --- |
| To provide you with the products and services you request (including microbiome testing services, reports and customer support) | Identity, Contact, Transaction, Financial, Special Category | UK/EU GDPR: Performance of a contract. Special category: Explicit consent and/or permitted health-related processing, with safeguards. | APP: Necessary for providing the service you requested; sensitive information handled with consent where required. |
| To respond to enquiries and customer support requests | Identity, Contact, Profile, Marketing & Communications | Performance of a contract (where related to services) and/or legitimate interests (supporting customers and improving service). | Necessary for responding to enquiries and providing support. |
| To administer payments, billing, refunds and fulfilment (including dispatch and delivery) | Identity, Contact, Financial, Transaction | Performance of a contract; compliance with legal obligations (tax/accounting). | Necessary for service delivery and legal compliance. |
| To manage complaints, product issues, adverse events, recalls, quality investigations and corrective actions | Identity, Contact, Transaction, Special Category | Compliance with legal obligations; legitimate interests (quality and safety); special category processing where permitted and safeguarded. | Necessary for product safety, quality management and regulatory compliance. |
| To comply with legal and regulatory obligations (including recordkeeping, accreditation, reporting and audit requirements) | Identity, Contact, Transaction, Special Category | Compliance with legal obligation. | Required or authorised by law; necessary for compliance. |
| To maintain internal business operations, security, and IT systems | Identity, Contact, Technical | Legitimate interests (business continuity, security, fraud prevention). | Necessary for business operations and security. |
| To manage and maintain our relationship with you (including account management and communications) | Identity, Contact, Profile, Marketing & Communications | Performance of contract and/or legitimate interests (relationship management). | Necessary for ongoing relationship management. |
| To maintain and update our databases of contacts (including practitioners, customers, suppliers and stakeholders) | Identity, Contact, Profile | Legitimate interests (keeping records accurate, business communications). | Necessary for operational purposes. |
| To improve our services, products, reporting, and online services | Technical, Usage, Profile | Legitimate interests (improving services, performance and user experience). | Necessary for service improvement and business operations. |
| To measure the effectiveness of newsletters, campaigns and event invitations | Technical, Usage, Profile, Marketing & Communications | Legitimate interests. Where required, consent (particularly for cookies/trackers). | Necessary for marketing evaluation; opt-out available. |
| To deliver marketing communications (email/SMS/newsletters) | Identity, Contact, Marketing & Communications | Legitimate interests and/or consent (depending on the channel and local law). Individuals can opt out at any time. | Consent or opt-out model depending on applicable requirements. |
| To use marketing technology partners (e.g. Google, Meta) for audience targeting, measurement, and lookalike audiences | Identity, Contact, Technical, Usage | Legitimate interests and/or consent depending on applicable law and cookie requirements. Where required, data is shared in hashed/pseudonymised form. | Where sensitive info is involved, handled cautiously; opt-out and cookie controls provided. |
| To administer and protect our website (including troubleshooting, testing, analytics, reporting and hosting) | Technical, Usage | Legitimate interests. For non-essential cookies: consent where required. | APP-compliant website operation; cookie controls. |
| To allow secure login and use of interactive features | Technical, Profile | Performance of contract and/or legitimate interests. | Necessary for providing the online service. |
| For research, service validation, and product development (including where using pseudonymised or aggregated data) | Technical, Usage, Profile, Special Category (pseudonymised) | Legitimate interests and/or scientific research basis where applicable; special category only processed with safeguards and legal permission. | Research handled with safeguards; sensitive info handled with consent where required. |
| To manage corporate restructures, acquisitions, or business transfers | Identity, Contact, Transaction | Legitimate interests; compliance with legal obligations. | Business necessity with safeguards. |
| To detect and prevent fraud, misuse, or security incidents | Identity, Contact, Technical, Transaction | Legitimate interests; compliance with legal obligations where relevant. | Necessary for security and risk management. |
| To recruit and assess job applicants | Identity, Contact, Profile, Employment | Legitimate interests; steps prior to entering into a contract; compliance with legal obligations. Special category only where permitted and necessary. | Necessary for recruitment and employment administration. |
| To carry out pre-employment screening (where relevant and lawful) | Identity, Employment, potentially Special Category | Legitimate interests and/or legal obligation depending on the check. Special category only where lawful and proportionate. | Only where lawful and relevant to role. |
| To comply with legal process and protect rights (e.g. court orders, law enforcement requests, legal claims) | Identity, Contact, Financial, Transaction, Special Category | Legal obligation; public interest; establishment/exercise/defence of legal claims. | Required or authorised by law. |
Marketing and cookie-related consent
Some marketing and advertising activities (particularly those involving cookies, pixels, tags and similar tracking technologies) require consent under UK and EU ePrivacy laws. Where consent is required, we will not carry out these activities unless you have provided it through our cookie consent tool or other appropriate mechanism.
Marketing
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:
Promotional offers from us
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us, or purchased goods or services from us, and you have not opted out of receiving that marketing.
Third-party marketing
We may use trusted marketing technology partners (such as advertising platforms, social media platforms and analytics providers) to help us deliver, measure and improve our marketing campaigns.
This may include:
- showing Microba advertisements to you on third-party platforms;
- measuring the effectiveness of our advertising and communications;
- creating “custom audiences” based on people who have interacted with our websites, services or communications;
- using “audience matching” (for example, matching hashed email addresses or other identifiers to users of those platforms); and
- creating “lookalike” or similar audiences to reach people who may be interested in Microba’s products or services.
To support these activities, we may share limited personal data with these partners, such as email addresses, device identifiers or online identifiers. Where possible, this data is shared in hashed and/or pseudonymised form. However, hashed and pseudonymised data may still be personal data under applicable data protection laws.
We will only use these marketing techniques where permitted under applicable laws. In particular:
- Where required under UK or EU ePrivacy laws (including the UK Privacy and Electronic Communications Regulations (PECR)), we will obtain your consent before using non-essential cookies or similar tracking technologies for advertising or analytics purposes.
- Where required, we will obtain your consent before sending you direct electronic marketing communications (such as email or SMS).
You can control or stop this processing at any time by:
- updating your cookie preferences using our cookie consent tool;
- unsubscribing from marketing emails using the unsubscribe link; and/or
- contacting us using the details set out in this Privacy Policy.
You also have the right to object at any time to the processing of your personal data for direct marketing purposes. If you object, we will stop using your personal data for those marketing purposes.
Our marketing technology partners are contractually restricted to using personal data only to provide services to Microba, and not for their own independent marketing purposes. We do not sell your personal data to third parties for their own marketing use.
Opting out
You can ask us or third parties to stop sending you marketing messages at any time by contacting us, or by using the unsubscribe options within email newsletters we might send you.
Where you opt-out of receiving these marketing messages, this will not apply to the personal data provided to us as a result of a product/service purchase, product/service experience or other transactions.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation of how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Disclosure of personal data
We may share your personal data with the parties set out below for the purposes set out in the table in the “How we use your personal data” section above.
- Internal Third Parties. In providing our services and operating our business, acting as joint controllers or processors, we may allow access to your personal data to the other companies within Microba’s group for our internal administrative purposes such as billing, promoting our events and services, and providing you or your organisation with services, provided in all instances that such processing is consistent with the legal basis for usage of personal data above and applicable law. Such other companies in the Microba group are based in Australia, the UK and the United States of America.
- External Third Parties.
  - Service providers acting as processors based in Australia and the United States of America who provide IT, customer communication and system administration services.
  - Postal Services acting as processors based in Australia who receive certain personal data you provide us (such as your email address, phone number and/or residential address) in connection with us providing our services to you (this information may be used by Postal Services for the purposes of providing notification of tracking events and collecting any relevant feedback in relation to the delivery or tracking service).
  - Professional advisers acting as processors including lawyers, bankers, auditors and insurers based in the UK, the United States of America and Australia who provide consultancy, banking and payment, legal, insurance and accounting services.
  - Third party service providers, based in the UK, the United States of America and Australia who provide marketing, communications, CRM and website hosting services.
We may also provide anonymous statistical information about users of our websites and related usage information to reputable third parties, including analytics and search engine providers.
We own the database rights in the information collected via our online services. We do not sell, rent, or otherwise share information that reasonably identifies you or your organisation with unaffiliated entities for their independent use except as expressly described in this Privacy Policy or with your express prior permission.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
If we are required to pass your sensitive personal data onto a third party we will only do so once we have obtained your explicit consent, unless we are legally required to do otherwise. Where the data subject is a minor, the requisite consent will be obtained from their parent or guardian.
We may share information that does not identify you or your organisation as permitted by applicable law.
International transfers
We may transfer personal data to recipients located outside the country where you are based. Specifically, personal data may be transferred to Australia, where Microba’s laboratories and core systems operate, the UK or the United States. Where we transfer personal data internationally, we take steps to ensure appropriate safeguards are in place, as required by applicable law. However, it is important to note that the overseas recipient of your personal data may not be subject to the privacy and data protection laws applicable in the place where you are located.
UK and EEA individuals: Where personal data is transferred outside the UK/EEA to a country that is not recognised as providing an adequate level of protection, we use appropriate safeguards such as the European Commission Standard Contractual Clauses (SCCs) (for EEA transfers), and/or the UK International Data Transfer Addendum to the SCCs or the International Data Transfer Agreement (IDTA) (for UK transfers), together with any additional measures required by law (for example, transfer risk assessments where applicable).
Australian individuals: Where we disclose personal data to overseas recipients, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles, including contractual protections and secure transfer methods.
If you would like more information about the safeguards used for international transfers, please contact us using the details above.
Referrals from Health Professionals
We may enter referral arrangements with certain third parties that provide health-related services to their patients or clients (“Health Professionals”). Patient reports may include the referring/ordering practitioner’s professional details (such as name, practice and contact details) where this is necessary to support clinical interpretation, record-keeping and continuity of care. Under these arrangements, the Health Professional will make arrangements for you to access our services and that Health Professional will be responsible for obtaining your (or, if you are a minor or other individual lacking the requisite legal capacity, your legal representative’s) explicit consent to the use of your personal data in connection with the provision of our services.
In other instances, you may purchase our services directly from us (whether on referral from a Health Professional or otherwise). In these cases, we will request that you acknowledge, consent and agree (or, where applicable, that your legal representative acknowledges, consents and agrees), that:
- a) we may disclose the Patient Report produced with respect to those services (if any), including the personal data contained in the Patient Report, to the Health Professional that referred you (if any) and any of their associates or contractors that might be involved in providing health-related services to you (each, an “Authorised Health Professional”);
- b) we may send the Patient Report via email to the relevant Authorised Health Professional or allow them to view the Patient Report online; and
- c) we and our personnel may hold, access and use the Patient Report for the purposes of facilitating the delivery of the Patient Report to the relevant Authorised Health Professional, and assisting them to interpret the Patient Report, in accordance with our Terms and Conditions and this Privacy Policy.
How we hold personal data and data security
We may hold personal data in different ways, including in paper form, electronic form and/or in other mediums.
Our information security is supported by a variety of processes and procedures, and we store information in access-controlled premises or electronic databases requiring logins and passwords. All employees, officers or contractors of Microba and third-party providers with access to confidential information are subject to access controls and confidentiality obligations, and we require our third-party data storage providers to comply with appropriate information security industry standards.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Once we have received your information, we will take reasonable steps to use procedures and security features to try to prevent unauthorised access, modification or disclosure.
You can help us to keep your information secure by ensuring that any username or password in relation to our online services is kept strictly personal to you and not made available to any other person. You should stop using your username and password and notify us immediately if you suspect that someone else may be using your user details or password.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. In Australia, we comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
Retention
We will retain personal data only as long as necessary to fulfil the purpose it was collected for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law and good governance practice, we may need to keep certain records (including Identity, Contact, Financial and Transaction Data) for at least seven (7) years after you cease being a customer (for example, for tax, accounting, regulatory and audit purposes), unless a different retention period applies to specific records.
In some circumstances you can ask us to delete your data: see the “your legal rights” section below for further information.
A maintained copy of our Retention and Disposal policy is available upon request. Should you wish to review our retention policy then please contact.
Pseudonymised and Aggregated Personal Data
In some circumstances, we may use personal data in a pseudonymised or aggregated form for research, quality improvement, statistical analysis, product development, and validation purposes.
Pseudonymisation involves processing personal data in a way that reduces the likelihood of identification by removing or separating direct identifiers and applying technical and organisational safeguards. However, under data protection law, pseudonymised data is still considered personal data.
Where we use pseudonymised data:
- direct identifiers are removed or replaced with coded references;
- access to re-identification keys is strictly restricted;
- technical and organisational measures are applied to minimise re-identification risk; and
- ongoing risk assessments are conducted to ensure appropriate safeguards remain effective.
We process such data only in accordance with applicable data protection laws and do not attempt to re-identify individuals except where required for permitted purposes such as quality assurance, regulatory obligations, or clinical follow-up.
Cookies
Our websites and online services use cookies and similar technologies (such as pixels and tags) to operate effectively, enhance security, improve user experience, analyse performance, and, where permitted, support marketing and advertising activities.
Cookies are small text files that are placed on your device when you visit a website. Some cookies are necessary for the website to function properly, while others help us understand how visitors interact with our websites so we can improve functionality and content.
We may collect information through cookies and similar technologies such as your device type, browser type, operating system, IP address, general location, pages visited, interactions with content, and usage patterns. This information may be collected directly by us or by third-party service providers acting on our behalf.
We use cookies in accordance with applicable laws, including obtaining consent where required. You can manage or withdraw your cookie preferences at any time through our cookie consent tool.
For detailed information about the cookies we use, their purposes, durations, and how to manage your preferences, please refer to our Cookie Policy, which is available at: https://microba.com/cookie-policy/
Our Cookie Policy forms part of this Privacy Policy and should be read together with it.
We have partnered with Shopify to deliver our MetaXplore/Microbiome Explorer products. If you are subscribing for these products and wish to find out more about the cookies that Shopify uses, visit https://www.shopify.com/legal/cookies
Control of cookies
You can set your browser to refuse cookies through the browser settings; however, this may mean you are unable to take full advantage of our website or our services. Most browsers enable you to block cookies or to block cookies from particular sites. Browsers can also help you to delete cookies when you close your browser. You should note, however, that this may mean that any opt-outs or preferences you set on our website will be lost. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org, which includes information on how to manage your settings for the major browser providers.
Online Services – Links to third party sites, services and content
In addition to our online services, which we control directly, we also use and provide links to websites which are controlled by third parties, which may include:
- Twitter, LinkedIn and YouTube, where we have certain Microba accounts and profiles.
- Facebook and Instagram, where we have a social page.
If you use or follow a link to any of these third-party websites, please be aware that these websites have their own privacy policies and that we cannot accept any responsibility for their use of information about you.
Our online services may include integrated content or links to content provided by third parties (such as video materials). This Privacy Policy does not address the privacy, security, or other practices of the third parties that provide such content.
We engage third parties that support the operation of our online services, such as analytics providers and technologies. These third parties may use technologies to track your online activities over time and across different websites and online platforms. Please see the Cookies section above for more information.
Your Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:
- request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data that we hold about you and to check that we are lawfully processing it.
- request correction of your personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local laws. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground, as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- request restriction of processing your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  - If you want us to establish the data’s accuracy.
  - Where our use of the data is unlawful but you do not want us to erase it.
  - Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  - You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- request transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- withdraw consent where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us using the contact details section above.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
How to make a complaint about a breach of your privacy rights with us
You have the right to make a complaint at any time. We would, however, appreciate the chance to deal with your concerns before you approach the relevant authority (as below), so please contact us in the first instance.
If you wish to make a complaint, please contact us using the details at the beginning of this Privacy Policy and we will take reasonable steps to investigate the complaint and respond to you.
Your complaint will be handled in accordance with our internal complaints handling procedure, which involves logging and acknowledging your complaint, and categorising and triaging it for resolution or escalation as necessary. Complaints are tracked and managed through our internal ticketing system, with oversight from relevant team members to ensure timely follow-up. Where your complaint relates to a Data Subject Access Request, it will be referred to our Data Protection Officer for review and determination in accordance with applicable regulations.
For individuals in Australia, you may submit a complaint to the Office of the Australian Information Commissioner, details of which can be found at https://www.oaic.gov.au/about-us/contact-us/.
For individuals in the European Economic Area (EEA), you may submit a complaint to your local Data Protection Authority (DPA), details of which can be found at https://www.edpb.europa.eu/notify-data-breach_en
For individuals in the UK, you may submit a complaint to the Information Commissioner’s Office, details of which can be found at https://ico.org.uk/global/contact-us.
If you make a privacy complaint, we will respond to let you know how your complaint will be handled. We may ask you for further details, consult with other parties and keep records regarding your complaint.
Changes to this Privacy Policy
Your provision of personal data to us or use of our services constitutes your acceptance of the terms of this Privacy Policy.
We keep our Privacy Policy under regular review to take account of new laws, information governance practices and technology developments, as data privacy laws (and surrounding guidance) evolve, as our functions and activities change, and to ensure it remains appropriate. We recommend you visit our website regularly to keep up to date with any changes.
This version was last updated on the date stated at the beginning of it.
We will post any Privacy Policy changes on this page and, if the changes are significant or may materially impact upon your rights, we will provide a more prominent notice or contact you by other means (including, for certain services, email notification of Privacy Policy changes).