In this Policy, uBind, we or us is a reference to Technical Innovation Pty Ltd ABN 40 618 263 684 trading as uBind.
This Policy explains how personal information provided by uBind's clients (Clients) relating to Clients' individual customers (Customers) will be handled by uBind.
Personal information is any information about a person where their identity is apparent, or can reasonably be ascertained (Personal Information).
1. What this Policy is about
This Policy explains the key measures we have taken to implement the requirements of the Privacy Act 1988. It aims to answer the questions Clients might have about how we collect, use, disclose and manage the information we collect from Clients in relation to Customers, including Personal Information. If a Client has any further questions about uBind's privacy practices, please contact us at email@example.com.
We operate in accordance with the Australian Privacy Principles and endorse fair information handling practices and uses of information in compliance with our obligations under the privacy laws in force in Australia from time to time. Any information provided, including identification of individuals, will be used only for the purpose/s intended and where the intention includes confidentiality, information will be treated as such unless otherwise required by law.
This Policy represents the default position that uBind will take in its treatment of Personal Information. uBind will treat all Personal Information in a manner consistent with this Policy unless the Customer (either directly or via the Client) has provided their express consent otherwise.
2. What information we collect and how it is collected
We hold information that has been directly provided to us by Clients or otherwise obtained through the provision of our services to Clients and their Customers. Personal information will be typically collected:
- from a Client's website hosted by uBind (Client Site);
- from an application operated by uBind on behalf of a Client (Client App);
- directly from a Client;
- from a system or application programming interface (API) operated by a Client to which we have been granted access by the Client;
- directly from Customers in providing services on behalf of a Client.
This information may include:
- Customers' user registration information, including their name and contact details;
- detailed personal information disclosed in forms, such as financial, property, and medical information both current and historical;
- credit card details;
- information volunteered through online discussion tools such as blogging, commenting and forums.
3. Anonymity & Pseudonymity
Where practical or not required by law, we will allow customers to deal with us anonymously or by using a pseudonym.
4. Solicited Personal Information
We may collect Personal Information from a Client so that we can operate on their behalf.
5. Unsolicited Personal Information
Where we receive Personal Information which we have not requested, and we could not have collected that information, we will either destroy or de-identify that Personal Information.
6. Notification of Collection of Personal Information
Where we collect Personal Information directly, we will take reasonable steps to inform or notify Customers that we are doing so and why.
7. What we collect and what we do with this information
We collect Personal Information of Customers to facilitate the provision of services to Clients. We may also use Personal Information we collect for related purposes such as:
- to record information about Customer's usage, preferences and behaviour in relation to the Client Site, Client App and third party websites, as well as any feedback provided by Customers;
- to perform statistical analyses of user behaviour;
- to optimise marketing activities, user experience, and content;
- maintaining the relationship between the Client and the Customer, including responding to Customer questions;
- protecting Customers and Clients from fraud; and
- any other use for which we obtain permission from the Customer (either directly or via the Client).
8. Direct Marketing
Where we collect Personal Information, we will not use it for direct marketing purposes without asking your permission, and providing a method for you to request to not receive direct marketing communications.
9. Data Sovereignty
uBind will not transfer any data including Personal Information overseas unless directed to do so by a Client to a recipient that has agreed to comply with the Australian Privacy Principles (as set out under the Privacy Act 1988) in dealing with the Personal Information.
We may collect website usage data which does not personally identify individuals and store that data on external analytics platforms which may not be owned by Australian companies or may reside outside of Australia.
We will not identify Customers by any government related identifier (e.g. Driver's License Number) with the exception of:
- The Customer's Name
- The Customer's Australian Business Number (ABN)
- Any other valid exception made under the Privacy Act 1988.
11. Quality of Personal Information
To provide Clients with the best possible service, it is important that the information we hold about Customers is accurate. We will take reasonable steps to ensure that Personal Information is accurate, complete and up-to-date at the time of collecting the Personal Information from the Client or Customer (as applicable), using or disclosing the Personal Information, or during other interactions with the Customer (or Client).
12. Security of Personal Information
We endeavour to take all reasonable steps to keep Personal Information secure, as follows:
- electronic access to Personal Information of Customers is controlled via username and strong password with a minimum of 44 bits of entropy;
- Personal Information collected online or transferred over the internet is done with a minimum of 256 bit encryption;
- where it is possible and reasonable to do so, data is stored electronically with electronic access controls;
- where it is possible and reasonable to do so, data is stored encrypted at rest;
- if Personal Information is provided to us on paper or on removable media unencrypted and we are required to keep it in its current form, it is kept in a secure location where unauthorised individuals are prevented from accessing it;
- uBind will not store full credit card details directly and where credit card details are taken they are processed and stored by a PCI-DSS compliant entity;
- where uBind has Personal Information stored on removable and mobile devices it will be encrypted with a minimum of 256 bit encryption;
- Personal Information stored on our infrastructure is protected by Firewalls and Intrusion Detection Systems.
Notwithstanding the above, we are not responsible for any third-party access to Personal Information as a result of:
- interception while it is in transit over the internet;
- an unpatched vulnerability, a zero-day vulnerability, or an attack within 48 hours of a vendor releasing a patch or update;
- spyware or viruses on the device (such as a computer or phone) from which Customers access the Client Site or Client App; nor
- a Client or Customer's failure to adequately protect their user name or password.
We are also not responsible for any losses, expenses, damages and costs, including legal fees, resulting from such third-party access.
13. Cyber Criminals and No Ransom Payments
uBind has a strict policy of not negotiating with cyber criminals, and never paying ransoms. Unfortunately, having a policy that allows paying ransoms would make us a target for cyber criminals, and so we believe never paying ransoms is a better overall protection stance for Personal Information over the longer term.
14. Access Management
uBind recognises the trust Clients place in us when they give us access to Customers' Personal Information. Other than disclosure to service providers (explained below) or as required by law (for example, disclosure to various Government departments or to courts), our policy is that we do not give Personal Information to other organisations unless we have disclosed the use in this Policy or the Customer (either directly or via the Client) has expressly consented for us to do so.
Where it is possible and reasonable to do so, Personal Information of Customers is stored electronically with electronic access controls to allow/restrict access to authorised parties.
All data and Customer Personal Information obtained from Clients is classified (public, sensitive, private, and confidential) and is controlled by policies which determine how each classification of data is handled internally.
The parties we may share Personal Information with are employees, subcontractors, suppliers and affiliates on a need to know basis. Access to Personal Information will be revoked within a reasonable timeframe of access no longer being required.
Occasionally, uBind might also use Personal Information for other purposes or share Personal Information with another organisation because:
- we believe it is necessary to protect the rights, property or personal safety of another Customer;
- we believe it is necessary to do so to prevent or help detect fraud or serious credit infringements – for example, we may share information with other, credit reporting agencies, law enforcement agencies and fraud prevention units;
- we believe it is necessary to protect the interests of uBind, for example, disclosure to a court in the event of legal action to which uBind is a party; or
- the assets and operations of uBind's business are being transferred to another party as a going concern.
When we share information with other organisations and service providers as set out above, we do so in accordance with this Policy. To the extent that these organisations and service providers gain access to Personal Information, their use is governed by the rules set out in the Privacy Act 1988.
15. Retention and Disposal of Personal Information
We will retain Personal Information of Customers for as long as it is required to provide Clients with our services and to comply with legal requirements.
If we no longer require Personal Information for any purpose, including legal purposes, we will take reasonable steps to securely destroy or permanently de-identify the Personal Information.
We securely destroy Personal Information held by us in the following manner:
- data provided to us on paper is disposed of by destruction whereby particles meet or exceed DIN 66399 Level P5;
- data on decommissioned storage devices is securely deleted or wiped and the storage devices are destroyed and rendered inoperative before disposal.
We de-identify data containing Personal Information held by us by removing, modifying, obfuscating or otherwise altering that data such that analysis of that data for the purpose of revealing the identity of a person would be infeasible.
Personal Information is backed up frequently and tested regularly in line with uBind's standard backup procedures. Personal Information that has been deleted may therefore persist within backups for a period of time after which it falls outside the backup rotation.
16. Accessing information we keep about you
Customers can access the Personal Information held about them at any time. To do so the Customer should in the first instance contact the Client. If Customers are unsatisfied with the response they have received from the Client, the Customer may contact us to make a request at firstname.lastname@example.org.
We will always endeavour to meet requests for access. However, in some circumstances we may decline a request for access. This includes the following circumstances:
- we no longer hold or use the information;
- providing access would have an unreasonable impact on the privacy of other persons;
- the request is frivolous or vexatious;
- the information relates to existing or anticipated legal proceedings and would not normally be disclosed as part of those proceedings;
- providing access would be unlawful;
- providing access would be likely to prejudice the detection, prevention, investigation and prosecution of possible unlawful activity; and
- the information would reveal our Client's commercially sensitive decision-making processes.
If we decline a request for access, we will provide reasons for our decision when we respond to the request.
We reserve the right to charge Clients or Customers a reasonable fee for access to information. These charges will be limited to the cost of recouping our expenses for providing the Customer with information, such as document retrieval, photocopying, labour and delivery. Despite anything contained in this Policy to the contrary, if the Freedom of Information Act 1982 applies to any Clients on whose behalf we hold Personal Information, the access and correction requirements in the Privacy Act 1988 operate alongside and do not replace other informal or legal procedures by which an individual can be provided access to, or correction of, their Personal Information.
17. Changing or deleting the information
A Customer may also request that data we hold about them be erased in situations where:
- we or our Client no longer requires the personal data for the purpose of initial collection;
- the Customer withdraws consent to the processing of their data; or
- there was a wrongful collection of the personal data.
Where the information we change or delete was originally provided to us by a Client, we will notify the Client of the requests so that they may also change or delete the Personal Information.
We will always ensure that we hold personal information in a structured, commonly used and machine-readable format.
At a Customer or Client's request we shall make the personal information available for them to transmit their personal data to another business without any hindrance and within a reasonable timeframe.
19. Objection to Processing
At any time, a Customer may object to the processing of their personal data by notifying us.
uBind's staff are regularly trained and updated on our privacy, data protection and security practices and are required to adhere to them.
21. What to do if you have a problem, question or complaint
From time to time, our policies will be reviewed and may be revised. uBind reserves the right to change this Policy at any time and notify Clients.