Privacy Policy

Date: 30/09/2018

This Privacy Policy describes how Hexicom Software Pty Limited manages personal information of the subscribers to our online platforms and their end users. In this Privacy Policy, “we”, “our” and “us” are all references to Hexicom Software Pty Ltd ABN 99 129 473 472 of PO Box 299 Berowra Heights, NSW 2082.

Our legal obligations

We are committed to respecting your privacy and complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (the “Privacy Act”). We also comply with the EU General Data Protection Regulation (GDPR) to the extent it applies to the personal data that we process (“GDPR Data”).

About this Privacy Policy

This Privacy Policy sets out our policy on the collection, use and disclosure of personal data of our subscribers and end users of our cloud based software (collectively, the “Platform”) in accordance with our statutory obligations under the Privacy Act (and how we process personal data for the purposes of the GDPR when the GDPR applies to that processing). Unless otherwise defined in this Privacy Policy, the capitalised terms and expressions used in this Privacy Policy have the meanings given to them in the Privacy Act or GDPR (as applicable). It also describes:

  • The period for which we store personal data;
  • Your rights to access and rectify or to request erasure of personal data;
  • Your right to withdraw consent;
  • The right to lodge a complaint with the Office of the Australian Information Commissioner or the other relevant authority;
  • Why we collect and process personal data, the categories of personal data that we process, and who we disclose it to;
  • Details of the security measures that we take to help protect your personal data;
  • Other information about how we collect, use, disclose and process personal data.

If we decide to change this Privacy Policy, we will post those changes here so that you will always know what personal data we gather, how we might use that information, and whether we will disclose it to anyone. If you are a subscriber of the Platform, we will notify you of any changes to our Privacy Policy by sending an email to you using the email address that you provide to us when subscribing to the Platform or any new email address that you specify in your account on the Platform.

Personal data we collect and how we use it

We collect personal data that you give us, whether by email, telephone, in person, via forms or otherwise. We may obtain personal data directly from third parties such as our contractors, resellers, related companies, installers, sales agents and any of their representatives. In addition, we may obtain personal data from public sources, where available. However, if it is reasonable and practicable to do so, we will collect personal data about an individual only from that individual. We will only collect GDPR Data for specified, explicit and legitimate purposes and we will not further process GDPR Data that we collect in a manner that is incompatible with those purposes. If you enter and/or upload into the Platform and/or otherwise provide us with personal data about any person other than you, please notify us so that we can ensure that they are provided with the information required by Australian Privacy Principle 5 and Article 14 of the GDPR.

We will not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of our entity’s functions or activities and we will not collect sensitive information unless you consent to the collection and the sensitive information is reasonably necessary for one or more of our functions or activities, or we collect it pursuant to subclause 3.4 of the Australian Privacy Principles. Please notify us if you are not at least 16 years old or are not otherwise able to provide us with consent, and do not provide us with any consent for the purposes of applicable privacy law.

We will not process GDPR Data that is special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, except where permitted by the GDPR.

The personal data that we collect and how we use it is as follows:

  • Subscription/registration, payment, transaction and profile data: If you become a Subscriber of the Platform, we will collect, hold and otherwise process the following categories of personal data: names, telephone numbers, mobile numbers, email addresses. We will process this personal data in order to administer our subscribers’ subscriptions, registrations and accounts on the Platform, for the purposes of providing subscribers and end users with access to and use of the Platform, to enforce our subscribers’ obligations to pay fees and charges to us and to otherwise enforce compliance by our subscribers with our Terms of Use and the contractual obligations that they owe to us. We will also process this personal data in order to provide subscribers with information and assistance about the Platform, and to communicate with our subscribers in connection with any maintenance notices, renewal notices and service status updates for the purposes of keeping our end users informed and up to date about the status of our Platform.
  • Data entered into and/or uploaded into our Platform by the Customer and/or end users when accessing our Platform: Any personal data that subscribers and end users upload or enter into the Platform either manually or via computer systems, smartphone devices and tablets, namely: names, telephone numbers, mobile numbers, email addresses, credit card details, tax file numbers, bank account details, postal addresses, residential addresses, business addresses, and order, estimate, job, purchase and invoice data. The Platform will also process any other personal information that our end users voluntarily enter or upload to the Platform. We will process this personal data on behalf of our subscribers in our capacity as a processor in order to provide them with access to the Platform in accordance with their specific instructions (unless applicable law to which we are subject requires other processing of that personal data by us, in which case we will inform them of that legal requirement (unless that law prohibits us from doing so on important grounds of public interest)). We will also process this personal data as a controller to monitor compliance with the terms and conditions of our end user agreements, to maintain backups of our databases and to detect unauthorised use and faults with the Platform (such as by examining log files and error messages). The personal data will also be used to provide our subscribers with professional services (including technical support and training services) if and where required pursuant to our subscriber agreements.
  • Data relating to communications between us and our end users: When our subscribers contact us, we will process personal data including the name of the subscribers, the IP address of the subscribers and any other personal data that the subscribers provide to us during the communications. For example, our subscribers and potential subscribers may contact us to ask questions about our Platform, seek technical support or advice and to express their interest in subscribing to the Platform or for the purposes of upgrading or modifying their accounts on the Platform. We will process this personal data in order to provide our subscribers with information and assistance about our Platform, and to communicate with our subscribers in connection with any breach, expiry, termination or suspension of the Platform.
  • Analytics data: We will process personal data known as analytics data for statistical and analytical purposes, designed to measure and monitor how our Platform is being used and to highlight any areas for improvement, optimisation and enhancement of our Platform, including IP addresses. We will process this personal data in order to monitor and detect unauthorised use of the Platform and to establish how our Platform is used and to highlight areas for potential improvement of the Platform.

Lawful basis of processing

Under the GDPR, GDPR Data can only be processed where there is a lawful basis to do so. We will only process GDPR Data where we have a lawful basis to do so. Except where specified otherwise in this Privacy Policy to the contrary or implied in this Privacy Policy to the contrary, we will only process personal data where necessary for our legitimate interests or the legitimate interests of a third party, where consented or expressly authorised by you or where we are required to do so pursuant to a contract or other legal obligation.

Who we share personal data with

We only disclose personal data to third parties who perform services on our behalf to the extent necessary for them to perform those services. We do not sell personal data to third parties for their own marketing purposes. We may disclose personal data that we collect for all or any of the following purposes:

  • To provide subscribers with access to our Platform – in which case we disclose their personal data to our upstream hosting suppliers who host the Platform and the personal data that they and end users enter into and/or upload in to the Platform;
  • So that we can obtain assistance with the provision of the Platform – in which case we may disclose subscribers’ and end users’ personal data to members of our corporate group who we may subcontract the provision of all or part of the Platform to;
  • Handling claims and complaints – in which case we may disclose subscriber personal data to our lawyers and insurers;
  • Sending out a newsletter – in which case we may disclose subscriber personal data to our email and newsletter service providers;
  • In order to identify our end users when we are contacted with questions or concerns regarding the products and services we provide;
  • In order to configure a new service for our subscribers;
  • In order to record billing details;
  • In order to interface with third party platforms – where you configure your account on the Platform or use the Platform to do so;
  • For professional advice – when providing information to our legal, accounting or financial advisors/representatives or debt collectors for debt collection or other legitimate purposes;
  • If we sell the whole or part of our business of the Platform or merge with another entity – in which case we will provide to the purchaser or other entity the personal data that is the subject of the sale or merger;
  • Where required by law.

To enforce our rights and defend any claims, we may also provide your personal data to our lawyers, insurers and professional advisors and any court or administrative body, for one or more of the following purposes:

  • For the purposes of obtaining professional advice;
  • To obtain or maintain insurance;
  • The prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
  • To protect or enforce our rights;
  • Enforcement of our claims against you or third parties;
  • The enforcement of laws relating to the confiscation of the proceeds of crime;
  • The protection of the public revenue;
  • The prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
  • The preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of the court or tribunal;
  • Where disclosure is required to protect the safety or vital interests of employees, end users or property.

Third party platforms

The Platform may include links to third party websites and platforms. Our linking to those websites and platforms does not mean that we endorse or recommend them. Where a subscriber uses the Platform to provide personal data to a third party website or platform, the subscriber does so at its own risk. We do not warrant or represent that any third party website or platform operator complies with applicable data protection laws. You should consider the privacy policies of any relevant third party websites and platforms prior to sending your personal data to them.

You may interact with social media platforms via social media widgets and tools such as the Facebook Like button and the Facebook pixel that may be installed on the Platform. These widgets and tools may collect your IP address and other personal data. Your interaction with such widgets and tools, and any single sign-on services such as OpenID, is governed by the privacy policies of the relevant social media operators and single sign-on service providers.

Security

We only process personal data in a manner that ensures appropriate security of the personal data, including by protecting the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.

The technical and organisational measures that we have implemented, and will continue to implement if and when you are a subscriber of the Platform, are as follows:

  • requiring all employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements;
  • carrying out security audits of our systems which seek to find and eliminate any potential security risks in our electronic and physical infrastructure as soon as possible;
  • having a Data Breach Response Plan in place;
  • having data backup, archiving and disaster recovery processes in place; and
  • having processes in place to ensure integrity and resilience of systems, servers and personal data.

If you refuse to provide us with personal data

You can only browse limited pages of the Platform without becoming a subscriber of the Platform, such as the pages that generally describe the services that we make available through the Platform, and our About Us and Contact Us pages. However, when you subscribe to the Platform, we need to collect personal data from you in order to identify you and set up an account for you on the Platform. We will also collect personal data from you when you use the Platform and enter personal data into it, when you contact us for technical support and assistance with your account and when gathering analytics data about your use of the Platform. You have the option of not identifying yourself or using a pseudonym when contacting us to enquire about our Platform, but not if you wish to actually access our Platform or any of our other services.

Spam email

We do not send “junk” or unsolicited e-mail in contravention of the Spam Act 2003 (Cth). We will, however, use e-mail in some cases to respond to inquiries, confirm purchases, or contact end users. These transaction-based e-mails are automatically generated. Any time an end user or visitor receives e-mail it does not want from us, the end user can request that we not send further e-mail by contacting us via email at: support@hexicomsoftware.com

Contractors and offshore providers

We may transfer your personal data entered into our websites to our contractors and service providers, who assist us with providing our services to you, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance.

Provided that we comply with applicable law, including the provisions of Australian Privacy Principle 8 (Cross-border disclosure of personal information), and the GDPR – in relation to GDPR Data, we may transfer personal data that we collect to our offshore contractors and service providers as well, who may be located outside the European Union (EU) or the European Economic Area (EEA). Our offshore contractors and service providers are currently located in [insert names of countries].

Retention and de-identification of personal data

We will not keep personal data in a form which permits identification of any person for longer than is necessary for the purposes for which the personal data is processed. We will only process personal data that you enter into the Platform, and only thereafter for the purposes of deleting or returning that personal data to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain GDPR Data to protect your or any other person’s vital interests). We will, following your cessation of use of the Platform, at your option delete or return to you all of the personal data uploaded and/or entered into the Platform by you. Where you require that personal data to be returned, it will be returned to you after the end of the provision of services relating to the processing (“Processing Conclusion Date”), and we will thereafter delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable thereafter, but in any event not more than 30 days after the Processing Conclusion Date, unless applicable law requires us to retain the personal data in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.

Where required under the Privacy Act, we will destroy and/or de-identify personal data that we collect about you in accordance with our legal obligations.

Your rights under the GDPR

Subject to the provisions and exceptions set out in the Privacy Act and GDPR, under the Privacy Act and/or GDPR, you have a number of rights, including:

  • the right to request from us access to and rectification or erasure of your personal data or restriction of processing concerning your personal data;
  • the right to object to the processing of your data;
  • the right to data portability;
  • the right to withdraw consent (where you have consented to the processing of your personal data for one or more specific purposes);
  • the right to lodge a complaint with the Office of the Australian Information Commissioner or any supervisory authority;
  • the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Please contact us if you wish to opt out of any communications that we send you or if you wish to exercise any of your rights under the GDPR. We will handle all such requests in accordance with our statutory obligations. If you withdraw your consent for processing, object to the processing of your personal data or request us to erase your personal data and as a result it is not possible or practical for us to continue providing you with the Platform, we may, but we are not obliged to, terminate your subscription and/or access to the Platform.

How to access and correct personal data held by us

Please contact us if you wish to access your personal data that we hold about you, using the details set out at the end of this Privacy Policy. We will handle your request for access to your personal data in accordance with our statutory obligations. To ensure that we only obtain, collect, use and disclose accurate, complete and up to date personal data, we invite you to contact us and inform us if any of your personal details we hold change or if any of the personal data held by us is otherwise incorrect or erroneous. In exchange for your payment to us of a reasonable fee, we will provide you (or if you wish, another controller) with a copy of the personal data that we hold about you in a structured, commonly used and machine readable format, except where charging such a fee is prohibited by applicable law. You can access, modify and delete the personal data that you have uploaded or entered into the Platform.

Notifiable data breaches

Since 22 February 2018, data breaches that are likely to result in serious harm must be reported to affected individuals and the Office of the Australian Information Commissioner, except where limited exceptions apply. For the purposes of the GDPR, certain types of data breaches must also be reported to affected individuals if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms. In addition, the GDPR requires organisations to report certain types of data breaches to the relevant supervisory authority. We have prepared a response plan for addressing data breaches that may occur and have allocated responsibility for managing breaches to a relevant individual or team. We will notify you of any data breach that may affect you where we are required to do so in accordance with our legal obligations.

Our contact details

The Platform is owned and operated by Hexicom Software Pty Ltd, ABN 99 129 473 472, of PO Box 299 Berowra Heights, NSW 2082 Australia. If you wish to contact us for any reason regarding our privacy practices or the personal data that we hold about you, please contact us at the following address:

Data Protection Officer
Philip Rutherford
Hexicom Software Pty Ltd
PO Box 299 Berowra Heights, NSW, 2082 Australia
support@hexicomsoftware.com

We will use our best endeavours to resolve any privacy complaint within 10 business days following receipt of your complaint. This may include working with you on a collaborative basis to resolve the complaint or us proposing options for resolution.

If you are not satisfied with the outcome of a complaint, you may refer the complaint to the Office of the Australian Information Commissioner (OAIC), who can be contacted using the following details:

Call: 1300 363 992
Email: enquiries@oaic.gov.au
Address: GPO Box 5218, Sydney NSW 2001

In relation to GDPR Data, you may lodge a complaint with any relevant supervisory authority.

1.3 An APP entity must have a clearly expressed and up to date policy (the APP privacy policy) about the management of personal information by the entity.

1.4 Without limiting subclause 1.3, the APP privacy policy of the APP entity must contain the following information:

  1. the kinds of personal information that the entity collects and holds;
  2. how the entity collects and holds personal information;
  3. the purposes for which the entity collects, holds, uses and discloses personal information;
  4. how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  5. how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  6. whether the entity is likely to disclose personal information to overseas recipients;
  7. if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.