IMPACTORA PTY LTD - PRIVACY POLICY

This privacy policy applies to the collection, use, and management of your Personal Data (defined below) by or on behalf of IMPACTORA PTY LTD ACN 673 812 603 its subsidiaries and affiliates in Australia or abroad (collectively referred to as (“Impactora”/“we”/“us”/“our”)).

Impactora offers software as a service and associated mobile or tablet applications (Service). Our Service is designed to provide employees easy to access contextual advice and insights to help them resolve issues, make informed decision and tailored to the individual employee and their business. This Privacy Policy applies to all Personal Data collected by us, including Personal Data collected or submitted through our website or our Services.

We have created this Privacy Policy to demonstrate our commitment to the Australian Privacy Act 1988 Cth (“Privacy Act”), the Australian Privacy Principles and other applicable Australian privacy laws (together, the “Australian Privacy Laws”) as well as the privacy laws of other countries which may apply including without limitation the EU General Data Protection Regulation (2016/679), UK GDPR and the UK Data Protection Act 2018 (together, “Data Protection Laws”). It sets out how we may collect, hold, use or disclose your Personal Data. Other terms may also apply to you and the Personal Data we hold about you (for example where we provide you with a specific privacy collection notice or if our Data Processing Agreement applies).

In collecting Personal Data, by law, we are required to provide you with information about us, about why and how we use your Personal Data, and about the rights you have over your Personal Data. If you do not agree with this policy you should not access or use our website or Services or otherwise interact with our business.

References to “you” and “your” include:

• any person or their authorised representative who are users of our Services (if you have entered an end user licence agreement with us (EULA), this includes our Client organisations and (if applicable) their Authorised Users); and
• our contractors, suppliers, employees and potential employees, and other individuals that we engage and interact with in the course of running our business.

“Personal Data” means any information or opinion about an identified individual or an individual who is reasonably identifiable, whether the information is true or not and whether the information is recorded in material form or not.

What information do we collect?

The type of Personal Data we collect will vary depending on the nature of your dealings with us.

Information collected from our Clients, their Authorised Users and other businesses

We may collect the following types of Personal Data:

• your name;
• your contact details including your email address, phone number and physical address;
• your professional details including your job title, role, employer name and industry;
• your employer or organisation information;
• your workplace goals, challenges, and topics of interest relevant to the Services;
• information about how you use and interact with our Services (including usage data, session logs and analytics);
• payment and billing information;
• any other information you provide to us through the Services, via email, over the phone or in person.

If you provide us with Personal Data about other people (for example, employees or authorised users within your organisation), you must ensure that those individuals are aware of this Privacy Policy and have consented to their Personal Data being provided to us.

Prospective employees and contractors

If you are applying for a position with us, we may collect your name, contact details, employment history, qualifications, references and any other information included in your application or resume.

Before offering you a position, we may also collect additional details such as your right to work status, professional registrations, and results of background or reference checks.

If you are offered a position, we may collect your tax file number, superannuation details, bank account details and emergency contact information.

What happens if you don’t provide us your information?

If you do not provide us with the Personal Data we request, we may not be able to provide you with our Services, process your application, or otherwise engage with you effectively.

How we collect your information

We generally collect Personal Data directly from you, for example when you register for our Services, fill in a form on our website, communicate with us by email or phone, or interact with us in person.

We may also collect Personal Data from other sources, including:

• our affiliated companies;
• third party suppliers and service providers (such as analytics or IT service providers);
• Authorised Users who provide information on behalf of our Clients;
• recruitment agencies or referees (for prospective employees).

Where we collect Personal Data about you from a third party, we will take reasonable steps to ensure that you are made aware of this Privacy Policy.

Technical Information

When you visit our website or use our Services, we may automatically collect technical information including:

• your IP address;
• your approximate geographic location;
• your browser type and version;
• your operating system;
• information collected through cookies, pixel tags and similar technologies;
• pages you visit, features you use, links you click and the time and duration of your sessions.

Why do we need your Personal Data?

We only collect Personal Data that is reasonably necessary for one or more of our functions or activities. We may use your Personal Data for the following purposes:

• enabling you to access and use our Services;
• providing, maintaining and improving our Services;
• researching and developing new features, products and services;
• administering your account;
• analysing how you interact with our Services to improve user experience;
• monitoring compliance with our terms of use and policies;
• keeping accurate records of our dealings with you;
• communicating with you about your account, our Services, updates and changes;
• sending you important notices and information;
• responding to your enquiries, feedback or complaints;
• maintaining and improving our customer service;
• managing our relationships with Clients, suppliers and business partners;
• employee use (such as managing employment relationships, payroll, performance and compliance);
• complying with our legal and regulatory obligations;
• where we believe it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or the public.

These are collectively referred to as the “Permitted Purposes”.

Where possible, we will de-identify or aggregate Personal Data so that it no longer identifies you before using it for analytics, research or product development purposes.

How do we use your information?

We may use your Personal Data for the following:

• the Permitted Purposes described above;
• a Secondary Purpose that is related to a Permitted Purpose and that you would reasonably expect;
• purposes you have agreed to; and
• purposes required or authorised by law.

Secondary Purposes may include direct marketing communications about our Services, invitations to surveys, events or feedback opportunities, internal training and quality assurance, and risk management and fraud prevention.

When do we disclose or share your information?

We may disclose your Personal Data to third parties in the circumstances described below. We take reasonable steps to ensure that any third party to whom we disclose your Personal Data is bound by confidentiality and privacy obligations.

Managed accounts and administrators

If your use of our Services is managed by an organisation (for example, your employer), the administrator of that account may be able to access and manage your account, including viewing your usage data and restricting or terminating your access.

Disclosing or sharing with other third parties

Contractors and service providers: We may disclose your Personal Data to our contractors and third party service providers who assist us in providing our Services, including hosting providers, analytics providers, payment processors and customer support services.

Third Party Sites: Our Services may contain links to third party websites or services. We are not responsible for the privacy practices or content of those third party sites.

Law Enforcement, Public or Governmental Agencies: We may disclose your Personal Data to law enforcement, government authorities or other third parties where we are required or authorised to do so by law, regulation, court order or governmental request.

With your approval: We may disclose your Personal Data to other third parties where you have given your consent.

Sharing with our affiliates

Affiliates: We may share your Personal Data with our affiliated companies for the Permitted Purposes described in this Privacy Policy.

Corporate Transactions: In the event of a merger, acquisition, reorganisation, sale of assets or bankruptcy, your Personal Data may be transferred to the relevant third party as part of that transaction.

For prospective employees and job applicants: We may share your Personal Data with our affiliated companies for recruitment and employment purposes.

Can you remain anonymous or use a pseudonym?

Where it is lawful and practicable, you may deal with us on an anonymous basis or by using a pseudonym. However, in most cases we will need to identify you in order to provide you with our Services or to comply with our legal obligations.

If you choose not to provide us with your Personal Data, we may not be able to provide you with the Services you have requested or interact with you effectively.

What disclosures (including international disclosures) do we make?

We may disclose your Personal Data to recipients located outside of Australia where it is necessary for the Permitted Purposes described in this Privacy Policy.

Our primary servers and data storage are located in Australia. However, some of our third party service providers may store data in other countries, including in Europe, the United Kingdom and the United States of America.

Where we transfer Personal Data outside of the UK or the European Economic Area, we ensure that appropriate safeguards are in place as required by the Data Protection Laws, such as standard contractual clauses or other approved transfer mechanisms.

By providing us with your Personal Data, you consent to the disclosure of your Personal Data to overseas recipients. We will take reasonable steps to ensure that overseas recipients handle your Personal Data in accordance with the Australian Privacy Laws.

Is your information confidential and secure?

We take reasonable steps to protect the Personal Data we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

We store Personal Data in secure server environments with access controls, encryption and other industry-standard security measures. However, no data transmission over the internet or electronic storage system can be guaranteed to be completely secure.

Online Transactions

Where purchases are made through third party sites linked from our website, those transactions are subject to the privacy and security policies of the relevant third party.

Where purchases are made directly through our website:

• we use a PCI-DSS compliant third party payment gateway to process transactions;
• all payment information is transmitted using TLS (Transport Layer Security) encryption;
• we do not store your full credit card details on our servers.

While we take all reasonable precautions, we cannot guarantee the absolute security of information transmitted to us online.

Do we use “cookies”?

Yes. Cookies are small text files that are placed on your device when you visit our website or use our Services. We use cookies to enhance your experience, analyse usage patterns and improve our Services. Cookies may collect information such as your browser type, the pages you visit and your preferences.

You can manage your cookie preferences through your browser settings. Please note that disabling cookies may affect the functionality of our website and Services.

Using third party websites and services

Our website and Services may contain links to websites and services operated by third parties. Those third party websites and services are not under our control and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third party websites you visit.

Changes to our Privacy Policy

We may amend this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements or other factors. We will notify you of any material changes by posting the updated Privacy Policy on our website. Your continued use of our Services after any changes constitutes your acceptance of the revised Privacy Policy.

Managing your information

We take reasonable steps to ensure that the Personal Data we hold is accurate, up-to-date, complete and relevant. However, we rely on you to advise us of any changes to your Personal Data.

You have the right to request access to the Personal Data we hold about you. To make an access request, please contact us using the details provided below.

We may need to verify your identity before granting access to your Personal Data.

We will provide you with a summary of your Personal Data free of charge. If you require a more detailed report, we may charge a reasonable cost to cover the time and resources involved.

If you believe that the Personal Data we hold about you is inaccurate, incomplete or out-of-date, you have the right to request that we correct it.

We may decline your request for access or correction in certain circumstances permitted by law, in which case we will provide you with reasons for our decision.

We will endeavour to respond to all access and correction requests within 30 days of receiving the request.

How long will we keep your personal data for?

Where we act as a data processor on behalf of our Clients (including for Authorised Users in the UK or EEA), we will retain Personal Data in accordance with the instructions and agreements we have with those Clients.

We will retain your Personal Data for as long as reasonably necessary to fulfil the Permitted Purposes, to comply with our legal and regulatory obligations, to resolve disputes and to enforce our agreements.

When your Personal Data is no longer required, we will take reasonable steps to delete or anonymise it.

Notice to Authorised Users

If you are an Authorised User and your use of our Services is managed by an organisation (for example, your employer), that organisation’s administrator may control and manage your account and access to the Services.

In those circumstances, we act as a data processor on behalf of the organisation (the data controller) in respect of the Personal Data processed through the Services.

Where you contact us directly (for example, to make an enquiry or submit feedback), we act as the data controller for the Personal Data you provide to us in that context.

Your rights under EU/UK data protection laws

Data protection law in the EU and UK is complex and not all of it applies to every situation. However, if you are located in the EU or UK, you may have the following rights in relation to your Personal Data:

• Right to erasure: You may request that we delete your Personal Data in certain circumstances.
• Right to restrict handling: You may request that we restrict the processing of your Personal Data in certain circumstances.
• Right to transfer to a third party: You may request a copy of your Personal Data in a structured, commonly used and machine-readable format, and have it transferred to another controller.
• Right to object to use: You may object to the processing of your Personal Data in certain circumstances, including for direct marketing purposes.
• Right to withdraw approval: Where we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time.

If you are an Authorised User and wish to exercise any of the above rights in relation to Personal Data processed through the Services, please contact your organisation’s administrator in the first instance, as they are the data controller for that data.

Queries and complaints

If you have any questions about this Privacy Policy, or if you wish to make a complaint about how we have handled your Personal Data, please contact us at:

Email: hello@impactora.com

We will endeavour to respond to your complaint within 30 days. If you are not satisfied with our response, you may escalate your complaint to the relevant regulatory authority:

• Australia – Office of the Australian Information Commissioner: https://www.oaic.gov.au/contact-us
• UK – Information Commissioner’s Office: https://ico.org.uk/global/contact-us/
• EEA – European Data Protection Supervisor: http://www.edps.europa.eu/EDPSWEB/

Last updated: July 2024