Privacy Policy
1. PURPOSE OF OUR POLICY
1.1 Collective Shift Pty Ltd ACN 650 977 325 (we, us or our) has adopted this Privacy Policy to ensure that we have standards in place to protect the Personal Information that we collect about individuals that is necessary and incidental to:
a) Providing the services that we offer; and
b) The normal day-to-day operations of our business.
1.2 This Privacy Policy follows the standards of both:
a) The Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy Act 1988 (Cth) (Privacy Act);
b) The regulations and principles set by the European Union’s General Data Protection Regulation (GDPR) for the handling of Personal Data; and
c) The United Kingdom’s implementation of the GDPR (UK GDPR), (together, the Privacy Law).
1.3 By publishing this Privacy Policy we aim to make it easy for our customers and the public to understand what Personal Information we collect and store, why we do so, how we receive and/or obtain that information, and the rights an individual has with respect to their Personal Information in our possession.
2. WHO AND WHAT THIS POLICY APPLIES TO
2.1 Our Privacy Policy deals with how we handle “personal information” and “personal data” as those terms are defined in the Privacy Act, the GDPR and the UK GDPR respectively (together, Personal Information).
2.2 We handle Personal Information in our own right and also for and on behalf of our customers and users.
2.3 Our Privacy Policy does not apply to information we collect about businesses or companies, however, it does apply to information about the people in those businesses or companies which we store.
2.4 The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hardcopy.
2.5 If, at any time, an individual provides Personal Information or other information about someone other than themself, the individual warrants that they have that person’s express consent to provide such information for the purpose specified.
2.6 We consider the protection of privacy of children very important. We do not knowingly collect Personal Information from children under the age of 18 without obtaining parental consent. If we learn that Personal Information has been collected from persons under 18 years of age without verifiable parental consent, then we will take the appropriate steps to delete such information.
3. THE INFORMATION WE COLLECT
3.1 In the course of business it is necessary for us to collect Personal Information. This information allows us to identify who an individual is for the purposes of our business, share Personal Information with that individual when asked of us, contact the individual in the ordinary course of business and transact with the individual. Without limitation, the type of information we may collect is:
a) Personal Details. We may collect personal details such as an individual’s name, location, date of birth, nationality, family details and other information defined as “Personal Information” in the Privacy Act that allows us to identify the individual;
b) Contact Information. We may collect information such as an individual’s email address, telephone number, third-party usernames, residential, business and postal address and other information that allows us to contact the individual;
c) Financial Information. We may collect financial information related to an individual that allows us to transact with the individual and/or provide them with our services, however, we do not store or collect credit card information;
d) Statistical Information. We may collect information about an individual’s online and offline preferences, habits, movements, trends, decisions, associations, memberships, finances, purchases and the modes in which the individual uses our website as well as other information for statistical purposes and to help us improve our products and services; and
e) Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities.
3.2 We may collect other Personal Information about an individual, which we will maintain in accordance with this Privacy Policy.
3.3 We may also collect data about an individual which is not Personal Information, such as data regarding their computer, network and browser. Where such data is collected (which is not Personal Information), the Privacy Laws shall not apply.
4. HOW INFORMATION IS COLLECTED
4.1 Most information will be collected in association with an individual’s use of our “Collective Shift’ digital platform (Collective Shift), an enquiry about Collective Shift or generally dealing with us. However we may also receive Personal Information from sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff, recruitment agencies and our business partners. Whilst not an exhaustive list, information is likely to be collected in the following ways:
a) Registrations/Subscriptions. When an individual registers or subscribes for a service, email list, newsletter, account, connection or other process whereby they enter Personal Information details in order to receive or access something, including a transaction;
b) Accounts/Memberships. When an individual submits their details to open an account and/or become a member with us;
c) Supply. When an individual supplies us with goods or services;
d) Contact. When an individual contacts us in any way, whether for the purposes of accessing our services, for the purposes of employment, or other reasons;
e) Access. When an individual accesses us physically we may require them to provide us with details for us to permit them such access. When an individual accesses us through the internet we may collect information using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services; and/or
f) Pixel Tags. Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has been opened.
4.2 As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is aware of when their Personal Information is being collected wherever it is reasonably practical to do so.
4.3 Where we become aware that we have obtained Personal Information of an individual without that individual’s knowledge (such as by accidental acquisition from a client) we will either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Privacy Laws.
5. WHEN PERSONAL INFORMATION IS USED & DISCLOSED
5.1 Generally speaking, we will not use any Personal Information other than for the purpose for which it was collected unless we have an individual’s permission to do so. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
5.2 We will only process Personal Information when we can identify a lawful basis to do so. We take seriously our responsibility to ensure that a lawful basis applies to the particular processing purpose.
5.3 The most common lawful bases relied upon are:
a) Consent: we will only rely upon express, clear and informed consent. Any consent provided may specify and/or restrict the purpose and can be withdrawn at any time by the individual without penalty. We will, where reasonably practicable, keep a record of when and how we got consent from an individual.
b) Legitimate interests: we will only rely upon an identifiable legitimate interest where we can demonstrate that the processing of Personal Information is necessary to achieve it by balancing it against the individual’s interests, rights and freedoms. Where legitimate interests assessments are conducted, we will keep a record of such assessments as part of our ongoing compliance efforts.
5.4 We will retain Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.
5.5 If it is necessary for us to disclose an individual’s Personal Information to third parties in a manner compliant with the Privacy Laws in the course of our business, we will inform the individual that we intend to do so, or have done so, as soon as is reasonably practical.
5.6 We will not disclose or sell an individual’s Personal Information to unrelated third parties under any circumstances.
5.7 Personal Information is used to enable us to operate our business, especially where the aspect of our business relates to that individual. This may include:
a) The provision of goods and services between an individual and us;
b) Verifying an individual’s identity;
c) Communicating with an individual about:
i. Their relationship with us;
ii. Our goods and services;
iii. Our own marketing and promotions to customers and prospects;
iv. Competitions, surveys and questionnaires;
d) Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity;
e) Researching, developing and improving our products and services including the mode and quality of delivery of those products and services;
f) Recruitment processes (including for volunteers, internships and work experience); and/or
g) As required or permitted by any law (including the Privacy Act).
5.8 We will also use and disclose Personal Information for a range of administrative, management and operational purposes. This includes:
a) administering billing and payments and debt recovery;
b) statistical analysis and internal reporting; and
c) staff training;
d) risk management and management of legal liabilities and claims (for example, liaising with insurers and legal representatives); and
e) obtaining advice from professional advisers.
5.9 The individual shall have the right to object at any time to the processing of their Personal Information for the purpose direct marketing to them, which includes profiling to the extent that it is related to such direct marketing. If we receive such a request, we will stop the processing of Personal Information for direct marketing purposes immediately without charge or penalty.
5.10 There are some circumstances in which we must disclose an individual’s information:
a) Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;
b) As required by any law (including the Privacy Act) such as responding to subpoenas and other legal orders and obligations imposed by a court or government authority; and/or
c) In order to sell our business (in that we may need to transfer possession or control of the Personal Information to a new owner of the business so that they may continue to operate the business).
5.11 We will not disclose an individual’s Personal Information to any entity outside of Australia that is in a jurisdiction that does not have a similar regime to the Australian Privacy Principles or an implemented and enforceable privacy policy similar to this Privacy Policy. We will take reasonable steps to ensure that any disclosure to an entity outside of Australia will not be made until that entity has agreed in writing with us to safeguard Personal Information as we do.
5.12 We may utilise third-party service providers to communicate with an individual and to store contact details about an individual. Some third-party service providers have operations in the United States of America, however, these are limited to cloud data storage operators who store limited information only in that country.
6. OPTING “IN” OR “OUT”
6.1 An individual may opt to not have us collect their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:
a) Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us; or
b) Opt Out. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us.
6.2 If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us on the details set out in section 11 below.
6.3 Generally, it is not practicable for us to deal with individuals anonymously or pseudonymously. If we do not collect Personal Information about an individual, the individual may be unable to utilise our services or participate in our events, programs or activities we manage or deliver.
7. THE SAFETY & SECURITY OF PERSONAL INFORMATION
7.1 We may appoint a Privacy Officer to oversee the management of this Privacy Policy and compliance with the Privacy Laws. This officer may have other duties within our business and also be assisted by internal and external professionals and advisors.
7.2 We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.
7.3 We maintain physical security over paper and electronic data stores, such as through locks and security systems at our premises and limit hard copy documents where possible. We also maintain computer and network security, for example, we use firewalls and other security systems such as user identifiers and passwords to control access to our computer systems. We also use trusted third-party information technology providers who maintain industry standard data protection measures.
7.4 We use SSL encryption to store and transfer Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.
7.5 All areas of our website use SSL encryption or other technologies to ensure the secure transmission of information via the internet. Users of our website are nonetheless encouraged to exercise reasonable care in sending personal information via the internet.
7.6 We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies maintained by those third parties.
7.7 If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.
7.8 We are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were authorised to provide that person with the Personal Information.
7.9 Where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information, then:
a) We will immediately establish the likelihood and severity of the resulting risk to wider rights and freedoms of natural persons;
b) If we determine there is a risk from the security breach, then we will immediately notify the relevant supervisory authority and provide all relevant information on the particular breach, and by no later than 72 hours after having first become aware of the breach;
c) If we determine there is a high risk from the security breach (a higher threshold than set for notifying supervisory authorities), we will immediately notify the affected individuals and provide them with all relevant information on the particular breach without undue delay.
7.10 We will document the facts relating to any security breach, its effects and the remedial action taken, and investigate the cause of the breach and how to prevent similar situations in the future.
8. HOW TO ACCESS, UPDATE AND/OR REMOVE INFORMATION
8.1 Users of Collective Shift can update their Personal Information from within their account or user profile.
8.2 Subject to the Privacy Laws, an individual has the right to request from us the Personal Information that we have about them, and we have an obligation to provide them with such information within as soon as practicable, and by no later than 28 days of receiving the written request. The individual is free to retain and reuse their Personal Information for their own purposes. We may be required to transmit the Personal Information directly to another organisation if this is technically feasible.
8.3 If an individual cannot update its own information, we will correct any errors in the Personal Information we hold about an individual within 28 days of receiving written notice from them about those errors, or two months where the request for rectification is complex.
8.4 It is an individual’s responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.
8.5 Where a request to access Personal Information is manifestly unfounded, excessive and/or repetitive, we may refuse to respond or charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal Information we hold about them. Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within 28 days.
8.6 We may be required to delete or remove all Personal Information we have on an individual upon request in the following circumstances:
a) Where the Personal Information is no longer necessary in relation to the purpose for which it was originally collected and/or processed;
b) When the individual withdraws consent;
c) When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
d) The processing of the Personal Information was otherwise in breach of the Privacy Laws;
e) The Personal Information has to be erased in order to comply with a legal obligation; and/or
f) The Personal Information is in relation to a child.
8.7 We may refuse to delete or remove all Personal Information we have on an individual where the Personal Information was processed for the following reasons:
a) To exercise the right of freedom of expression and information;
b) To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
c) For public health purposes in the public interest;
d) Archiving purposes in the public interest, scientific research historical research or statistical purposes;
e) Holding or maintaining business records in compliance with applicable laws; or
f) The exercise or defence of legal claims.
9. COMPLAINTS AND DISPUTES
9.1 If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the details as set out in section 11 below.
9.2 If we have a dispute regarding an individual’s Personal Information, we both must first attempt to resolve the issue directly between us at the first instance.
9.3 If you make a complaint and are not satisfied with our response to your complaint, or you consider that we may have breached the Australian Privacy Principles or the Privacy Act, a complaint may be made to the Office of the Australian Information Commissioner. The Office of the Australian Information Commissioner can be contacted by telephone on 1300 363 992 or by using the contact details on the website www.oaic.gov.au.
9.4 An individual may also have the right to seek a judicial remedy where he or she considers that his or her rights under the Privacy Laws have been infringed as a result of the processing of his or her Personal Information in non-compliance with Privacy Laws. Any such proceedings should be commenced in Victoria, Australia.
10. ESSENTIAL COMMUNICATIONS
From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies or where the individual may experience service interruptions. Where such information is materially important to the individual’s interaction with us, they may not opt out of receiving these communications.
11. CONTACTING US
11.1 All correspondence with regards to privacy should be addressed to:
Attention: Privacy Officer
Collective Shift Pty Ltd
Email: [email protected]
11.2 IN THE EUROPEAN UNION AND UNITED KINGDOM
Persons to whom the GDPR and UK GDPR applies have, among others, the following rights in relation to of Personal Data:
- to request access and request a copy;
- to request rectification;
- to request erasure;
- to restrict the processing of Personal Data;
- to object to the processing of Personal Data; and
- to portability (i.e. request the transfer of Personal Information in a structured, commonly used, and machine-readable format to another organisation where technically feasible).
As we are not established in the European Union (EU) or United Kingdom (UK), we have appointed an EU and UK representative, namely Prighter, who you may address to raise any issues or queries you may have relating to our processing of your Personal Data under this Privacy Policy more generally.
Prighter gives you an easy way to exercise your privacy-related rights. If you want to contact us via our representative Prighter or make use of your data subject rights, please visit: https://prighter.com/q/12677933
12. ADDITIONS TO THIS POLICY & PRUDENT PRACTICE
12.1 If we decide to change this Privacy Policy, we will post the changes on our webpage at https://www.collectiveshift.io/. Please refer back to this Privacy Policy to review any amendments.
12.2 We take seriously our obligations to collect and manage Personal Information responsibly and prudently. Accordingly, we may do things or take certain steps in addition to those outlined in this Privacy Policy in order to comply with the Privacy Laws and in an ongoing effort to safeguard Personal Information.
12.3 This Privacy Policy is not intended to be an exhaustive statement of all action and steps we will or should take. It is not practical to outline our response to every possible situation or potential legal obligation in one document. Any failure to outline a step or course of action (that we may be required to undertake under Privacy Laws) should not be construed as a conclusive statement that such action or step will not be taken. If you have questions in relation to this Privacy Policy, please contact our Privacy Officer.
This Privacy Policy was last updated in September 2021