REBOTIFY
REBOTIFY Pty Ltd ABN 63 618 361 792
PRIVACY POLICY
1
PURPOSE OF OUR POLICY
1.1
Rebotify Pty Ltd ABN 63 618 361 792 (we, us or our) has adopted this
Privacy Policy to ensure that we have standards in place to protect the
Personal Information that we collect about individuals that is necessary and
incidental to:
(a)
Providing the system and services that we offer; and
(b)
The normal day-to-day operations of our business.
1.2
This Privacy Policy follows the standards of both:
(a)
The Australian Privacy Principles set by the Australian
Government for the handling of Personal Information under the Privacy Act 1988 (Cth)
(Privacy Act); and
(b)
The regulations and principles set by the European
Union’s General Data Protection Regulation (GDPR) for the handling of Personal Data.
1.3
By publishing this Privacy Policy we aim to make it easy
for our customers and the public to understand what Personal Information we
collect and store, why we do so, how we receive, obtain, store and/or use that
information, and the rights of control an individual has with respect to their
Personal Information in our possession.
2
WHO AND WHAT THIS POLICY APPLIES TO
2.1
Our Privacy Policy deals with how we handle “personal
information” and “personal data” as it is defined in the Privacy Act and the
GDPR respectively (Personal Information).
2.2
We handle Personal Information in our own right and also
for and on behalf of our customers and users.
2.3
Our Privacy Policy does not apply to information we
collect about businesses or companies; however, it does
apply to information about the people in those businesses or companies which we
store.
2.4
The Privacy Policy applies to all forms of information,
physical and digital, whether collected or stored electronically or in
hardcopy.
2.5
If, at any time, an individual provides Personal
Information or other information about someone other than himself or herself,
the individual warrants that they have that person’s consent to provide such
information for the purpose specified.
2.6
We consider the protection of
privacy of children very important. We do not knowingly collect personal data
from children under the age of 16 without obtaining parental consent. If an
individual is under 16 years of age, then they should not use or access the
service at any time or in any manner. If we learn that Personal Information has
been collected on the service from persons under 16 years of age and without
verifiable parental consent, then we will take the appropriate steps to delete
such information.
3
THE INFORMATION WE COLLECT
3.1
In the course of business it is
necessary for us to collect Personal Information. This information allows us to
identify who an individual is for the purposes of our business, share Personal
Information when asked of us, contact the individual in the ordinary course of
business and transact with the individual.
Without limitation, the type of information we may collect is:
(a)
Personal Information.
We may collect personal details such as an individual’s name, location,
date of birth, nationality, family details and other information defined as
“Personal Information” in the Privacy Act that allows us to identify who the
individual is;
(b)
Contact Information.
We may collect information such as an individual’s email address,
telephone and fax numbers, third-party usernames, residential, business and
postal address and other information that allows us to contact the individual;
(c)
Financial Information.
We may collect financial information related to an individual such as
any bank or credit card details used to transact with us and other information
that allows us to transact with the individual and/or provide them with our
services;
(d)
Technical Information. We may collect the IP Addresses of
users accessing our systems, the actions of users on our website and other
digital information created by an individual’s use of our online systems;
(e)
Statistical Information.
We may collect information about an individual’s online and offline
preferences, habits, movements, trends, decisions, associations, memberships,
finances, purchases and other information for statistical purposes; and
(f)
Information an individual sends us. We may collect any personal correspondence
that an individual sends us, or that is sent to us by others about the
individual’s activities.
3.2
We may collect other Personal Information about an
individual, which we will maintain in accordance with this Privacy Policy.
3.3
We may also collect non-Personal Information about an
individual such as information regarding their computer, network and browser.
Where non-Personal Information is collected the Australian Privacy Principles
and the GDPR do not apply.
4
HOW INFORMATION IS COLLECTED
4.1
Most information will be collected in association with an
individual’s use of our chatbot service (Rebotify),
an enquiry about Rebotify or generally dealing with us. However, we may also receive Personal
Information from sources such as advertising, an individual’s own promotions,
public records, mailing lists, contractors, staff, recruitment agencies and our
business partners. In particular,
information is likely to be collected as follows:
(a)
Registrations.
When an individual registers for a service,
account, connection or other process whereby they enter Personal Information
details in order to receive or access something, including a transaction;
(b)
Supply. When an individual supplies
us with goods or services;
(c)
Contact. When
an individual contacts us in any way;
(d)
Access. When an individual accesses
us physically we may require them to provide us with details for us to permit
them such access. When an individual accesses us through the internet we may collect
information using cookies (if relevant – an individual can adjust their
browser’s setting to accept or reject cookies) or analytical services; and/or
(e)
Pixel Tags. Pixel tags enable us to send email
messages in a format customers can read and they tell
us whether mail has been opened.
4.2
As there are many circumstances in which we may collect
information both electronically and physically, we will endeavour to ensure
that an individual is always aware of when their Personal Information is being
collected.
4.3
Where we obtain Personal Information without an
individual’s knowledge (such as by accidental acquisition from a client) we
will either delete/destroy the information, or inform the individual that we
hold such information, in accordance with the Australian Privacy Principles and
the GDPR.
5
WHEN PERSONAL INFORMATION IS USED AND DISCLOSED
5.1
In general, the primary principle is that we will not use
any Personal Information for a purpose other than that for which it was
collected, except with the individual’s permission.
The purpose of collection is determined by the circumstances in which
the information was collected and/or submitted.
5.2
We will only process Personal Information when we can
identify a lawful basis to do so. It is always our responsibility to ensure
that we can demonstrate which lawful basis applies to the particular processing
purpose.
5.3
The most common lawful bases relied upon are:
(a)
Consent: we will only rely upon express, clear
and informed consent. Any consent provided may specify and/or restrict the
purpose, and can be withdrawn at any time without penalty. We will keep a
record of when and how we got consent from an individual.
(b)
Legitimate interests: we will only rely upon an identifiable
legitimate interest where we can demonstrate that the processing of Personal
Information is necessary to achieve it by balancing it against the individual’s
interests, rights and freedoms. We will keep a record of our legitimate interests assessments.
5.4
We will retain Personal Information for the period
necessary to fulfil the purposes outlined in this Privacy Policy unless a
longer retention period is required or permitted by law.
5.5
If it is necessary for us to disclose an individual’s
Personal Information to third parties in a manner compliant with the Australian
Privacy Principles and the GDPR in the course of our business, we will inform
you that we intend to do so, or have done so, as soon as practical.
5.6
We will not disclose or sell an individual’s Personal
Information to unrelated third parties under any circumstances, unless the prior
written consent of the individual is obtained.
5.7
Information is used to enable us to operate our business,
especially as it relates to an individual.
This may include:
(a)
The provision of goods and services between an individual
and us;
(b)
Verifying an individual’s identity;
(c)
Communicating with an individual about:
i
Their relationship with us;
ii
Our goods and services;
iii
Our own marketing and promotions to customers and
prospects;
iv
Competitions, surveys and questionnaires;
(d)
Investigating any complaints about or made by an
individual, or if we have reason to suspect that an individual is in breach of
any of our terms and conditions or that an individual is or has been otherwise
engaged in any unlawful activity; and/or
(e)
As required or permitted by any law (including the
Privacy Act).
5.8
The individual shall have the right to object at any time
to the processing of their Personal Information for direct marketing purposes,
which includes profiling to the extent that it is related to such direct
marketing. If we receive such a request, we will stop the processing of
Personal Information for direct marketing purposes immediately without charge
or penalty.
5.9
There are some circumstances in which we must disclose an
individual’s information:
(a)
Where we reasonably believe that an individual may be
engaged in fraudulent, deceptive or unlawful activity that a governmental
authority should be made aware of;
(b)
As required by any law (including the Privacy Act);
and/or
(c)
In order to sell our business (in that we may need to
transfer Personal Information to a new owner).
5.10 We will not
disclose an individual’s Personal Information to any entity outside of
Australia that is in a jurisdiction that does not have a similar regime to the
Australian Privacy Principles or an implemented and enforceable privacy policy
similar to this Privacy Policy. We will take reasonable steps to ensure that
any disclosure to an entity outside of Australia will not be made until that
entity has agreed in writing with us to safeguard Personal Information as we
do.
5.11 We may utilise
third-party service providers to communicate with an individual and to store
contact details about an individual. These service providers may be located
outside of Australia.
5.12 An individual who
uses Rebotify from outside of Australia will be sending information (including
Personal Information) to the United States where our servers are located. That
information may then be transferred within the United States or back out of the
United States to other countries outside of the individual’s country of
residence, depending on the type of information and how it is stored by us.
These countries may not necessarily have data protection laws as comprehensive
or protective as those in your country of residence; however, our collection,
storage and use of Personal Information will at all times continue to be
governed by this Privacy Policy.
6
OPTING “IN” OR “OUT”
6.1
An individual may opt to not have us collect and/or
process their Personal Information. This
may prevent us from offering them some or all of our services and may terminate
their access to some or all of the services they access with or through
us. They will be aware of this when:
(a)
Opt In. Where relevant, the individual will have the
right to choose to have information collected and/or receive information from
us (for clarity, consent must involve an unambiguous positive action to opt
in); or
(b)
Opt Out. Where relevant, the individual will have the
right to choose to exclude himself or herself from some or all collection of
information and/or receiving information from us.
6.2
If an individual believes that they have received
information from us that they did not opt in or out to receive, they should
contact us using the details as set out in section 11 below.
7
THE SAFETY & SECURITY OF PERSONAL INFORMATION
7.1
We may appoint a Data Protection Officer to oversee the
management of this Privacy Policy and compliance with the Australian Privacy
Principles, the Privacy Act and the GDPR.
This officer may have other duties within our business and also be
assisted by internal and external professionals and advisors.
7.2
We will take all reasonable precautions to protect an
individual’s Personal Information from unauthorised access. This includes appropriately securing our
physical facilities and electronic networks.
7.3
We use SSL encryption to store and transfer Personal
Information. Despite this, the security of online transactions and the security
of communications sent by electronic means or by post cannot be
guaranteed. Each individual that
provides information to us via the internet or by post does so at their own
risk. We cannot accept responsibility
for misuse or loss of, or unauthorised access to, Personal Information where
the security of information is not within our control.
7.4
We are not responsible for the privacy or security
practices of any third party (including third parties that we are permitted to
disclose an individual’s Personal Information to in accordance with this policy
or any applicable laws), unless otherwise required by the Privacy Act and the
GDPR. The collection and use of an
individual’s information by such third parties may be subject to separate
privacy and security policies.
7.5
If an individual suspects any
misuse or loss of, or unauthorised access to, their Personal Information, they
should let us know immediately.
7.6
We are not liable for any loss, damage or claim arising
out of another person’s use of the Personal Information where we were
authorised to provide that person with the Personal Information.
7.7
Where there
is a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, Personal
Information, then:
(a)
We will immediately establish the
likelihood and severity of the resulting risk to wider rights and freedoms of
natural persons;
(b)
If we determine there is a risk from the security breach,
then we will immediately notify the relevant supervisory authority and provide
all relevant information on the particular breach, and by no later than 72
hours after having first become aware of the breach;
(c)
If we determine there is a high risk from the security
breach (a higher threshold than set for notifying supervisory authorities), we
will immediately notify the affected individuals and provide all relevant
information on the particular breach without undue delay.
7.8
We will document the facts relating to any security
breach, its effects and the remedial action taken, and investigate the cause of
the breach and how to prevent similar situations in the future.
8
HOW TO ACCESS, UPDATE AND/OR REMOVE INFORMATION
8.1
Users of Rebotify can update their Personal Information
from within their account or profile at any time to ensure it is accurate and
complete.
8.2
Subject to the Australian Privacy Principles and the
GDPR, an individual has the right to request from us the Personal Information
that we have about them, and we have an obligation to provide them with such
information as soon as practicable, and by no later than 28 days of receiving
the written request. The individual is free to retain and reuse their Personal
Information for their own purposes. We may be required to transmit the Personal
Information directly to another organisation if this is technically feasible.
8.3
If an individual cannot update their own information, we
will correct any errors in the Personal Information we hold about an individual
within 28 days of receiving written notice from them about those errors, or two
months where the request for rectification is complex.
8.4
It is an individual’s responsibility to provide us with
accurate and truthful Personal Information. We cannot be liable for any
information that is provided to us that is incorrect.
8.5
Where a request to access Personal Information is
manifestly unfounded, excessive and/or repetitive, we may refuse to respond or
charge an individual a reasonable fee for our costs incurred in meeting any of
their requests to disclose the Personal Information we hold about them. Where
we refuse to respond to a request, we will explain why to the individual,
informing them of their right to complain to the supervisory authority and to a
judicial remedy without undue delay and at the latest within 28 days.
8.6
We may be required to delete or remove all Personal
Information we have on an individual upon request in the following
circumstances:
(a)
Where the Personal Information is no longer necessary in
relation to the purpose for which it was originally collected and/or processed;
(b)
When the individual withdraws consent;
(c)
When the individual objects to the processing and there
is no overriding legitimate interest for continuing the processing;
(d)
The processing of the Personal Information was otherwise
in breach of the GDPR;
(e)
The Personal Information has to be erased in order to
comply with a legal obligation; and/or
(f)
The Personal Information is in relation to a child.
8.7
We may refuse to delete or remove all Personal
Information we have on an individual where the Personal Information was
processed for the following reasons:
(a)
To exercise the right of freedom of expression and
information;
(b)
To comply with a legal obligation for the performance of
a public interest task or exercise of official authority;
(c)
For public health purposes in the public interest;
(d)
Archiving purposes in the public interest, scientific
research, historical research or statistical purposes; or
(e)
The exercise or defence of legal claims.
9
COMPLAINTS AND DISPUTES
9.1
If an individual has a complaint about our handling of
their Personal Information, they should address their complaint in writing to
the details below.
9.2
If we have a dispute regarding an individual’s Personal
Information, we both should first attempt to resolve the issue directly between
us.
9.3
An individual shall have the right to seek a judicial
remedy where he or she considers that his or her rights under the GDPR have
been infringed as a result of the processing of his or her Personal Information
in non-compliance with the GDPR. Any proceedings should be commenced in
Victoria, Australia, where we are established.
9.4
If we become aware of any unauthorised access to an
individual’s Personal Information we will inform them
at the earliest practical opportunity once we have established what was
accessed and how it was accessed.
10
CONTACTING INDIVIDUALS
10.1 From time to time,
we may send an individual important notices, such as
changes to our terms, conditions and policies. Where such information is
materially important to the individual’s interaction with us, they may not opt
out of receiving these communications.
11
CONTACTING US
11.1 All correspondence
with regards to privacy should be addressed to:
Data Protection Officer
Rebotify Pty Ltd
Level 1, 333 Exhibition Street
Melbourne VIC 3000
team@rebotify.com
You may contact the Data Protection Officer
via email in the first instance.
12
ADDITIONS TO THIS POLICY
12.1 If we decide to
change this Privacy Policy, we will post the changes on our webpage at
http://rebotify.com. Please refer back to this Privacy Policy to review any
amendments.
12.2 We may do things in
addition to what is stated in this Privacy Policy to comply with the Australian
Privacy Principles and the GDPR, and nothing in this Privacy Policy shall deem
us to have not complied with the Australian Privacy Principles and the GDPR.