In this Policy, ZeroCap, we or us is a reference to ZeroCap Pty Ltd ABN 99 164 874 597 trading as ZeroCap.
This Policy explains how personal information provided by ZeroCap’s clients (Clients) relating to Clients’ individual customers (Customers) will be handled by ZeroCap.
Personal information is any information about a person where their identity is apparent, or can reasonably be ascertained (Personal Information).
1. What this Policy is about
This Policy explains the key measures we have taken to implement the requirements of the Privacy Act 1988. It aims to answer the questions Clients might have about how we collect, use and disclose the information we collect from Clients in relation to Customers, including Personal Information. If a Client has any further questions about ZeroCap’s privacy practices, please contact us at firstname.lastname@example.org.
We endorse fair information handling practices and uses of information in compliance with our obligations under the privacy laws in force in Australia from time to time. Any information provided, including identification of individuals, will be used only for the purpose/s intended and where the intention includes confidentiality, information will be treated as such unless otherwise required by law.
This Policy represents the default position that ZeroCap will take in its treatment of Personal Information. ZeroCap will treat all Personal Information in a manner consistent with this Policy unless the Customer (either directly or via the Client) has provided their express consent otherwise.
2. What information we collect and how it is collected
We hold information that has been directly provided to us by Clients or otherwise obtained through the provision of our services to Clients and their Customers.
Personal information will typically be collected:
- from an application to ZeroCap, or on behalf of a Client (Client App);
- directly from a Client;
- from a system or application programming interface (API) operated by a Client to which we have been granted access by the Client;
- directly from Customers in providing services on behalf of a Client.
This information may include:
- Customers' user registration information, including their name, address and contact details;
- identification documents, including but not limited to, passport, driver's licence, utility bills, bank statements;
- detailed personal information disclosed in forms, such as financial, property, and medical information both current and historical;
- credit card details;
- information volunteered through online discussion tools such as blogging, commenting and forums.
We wish to provide Customers with a positive user experience. To assist us in doing this, ZeroCap reserves the right to collect anonymous usage data through Client Sites, Client Apps, other websites and online systems.
Most web browsers automatically accept cookies and this function can be disabled by changing the browser settings of the user.
3. Data Sovereignty
ZeroCap will not transfer any data including Personal Information overseas unless directed to do so by a Client to a recipient that has agreed to comply with the Australian Privacy Principles (as set out under the Privacy Act 1988) in dealing with the Personal Information.
We may collect website usage data which does not personally identify individuals and store that data on external analytics platforms which may not be owned by Australian companies or may reside outside of Australia.
4. What we do with this information
ZeroCap collects Personal Information of Customers to facilitate the provision of services to Clients.
We may also use Personal Information we collect for related purposes such as:
- to record information about Customer’s usage, preferences and behaviour in relation to the Client Site, Client App and third party websites, as well as any feedback provided by Customers;
- to perform statistical analyses of user behaviour;
- to optimise marketing activities, user experience, and content;
- maintaining the relationship between the Client and the Customer, including responding to Customer questions;
- protecting Customers and Clients from fraud; and
- any other use for which we obtain permission from the Customer (either directly or via the Client).
From time to time we may disclose Personal Information to a Client where the disclosure has been requested by the Client as part of the services.
5. Retention and Disposal of Personal Information
We will retain Personal Information of Customers for as long as it is required to provide Clients with our services and to comply with legal requirements.
If we no longer require Personal Information for any purpose, including legal purposes, we will take reasonable steps to securely destroy or permanently de-identify the Personal Information.
We securely destroy Personal Information held by us in the following manner:
- data provided to us on paper is disposed of by shredding;
- data on decommissioned storage devices is securely deleted through formatting;
- data stored on the cloud is securely deleted, with provisions to reinstate only by a Director of ZeroCap.
We de-identify data containing Personal Information held by us by removing, modifying, obfuscating or otherwise altering that data such that analysis of that data for the purpose of revealing the identity of a person would be infeasible.
Personal Information is backed up frequently and tested regularly in line with ZeroCap’s standard backup procedures. Personal Information that has been deleted may therefore persist within backups for a period of time after which it falls outside the backup rotation.
6. Access Management
ZeroCap recognises the trust Clients place in us when they give us access to Customers’ Personal Information. Other than disclosure to service providers (explained below) or as required by law (for example, disclosure to various Government departments or to courts), our policy is that we do not give Personal Information to other organisations unless we have disclosed the use in this Policy or the Customer (either directly or via the Client) has expressly consented for us to do so.
Where it is possible and reasonable to do so, Personal Information of Customers is stored electronically with electronic access controls to allow/restrict access to authorised parties.
All data and Customer Personal Information obtained from Clients is classified (public, sensitive, private, and confidential) and is controlled by policies which determine how each classification of data is handled internally.
The parties we may share Personal Information with are employees, subcontractors, suppliers and affiliates on a need-to-know basis. Access to Personal Information will be revoked within a reasonable timeframe of access no longer being required.
Occasionally, ZeroCap might also use Personal Information for other purposes or share Personal Information with another organisation because:
- we believe it is necessary to protect the rights, property or personal safety of another Customer;
- we believe it is necessary to do so to prevent or help detect fraud, money laundering or serious credit infringements – for example, we may share information with other, credit reporting agencies, law enforcement agencies and fraud prevention units;
- we believe it is necessary to protect the interests of ZeroCap – for example, disclosure to a court in the event of legal action to which ZeroCap is a party; or
- the assets and operations of ZeroCap’s business are being transferred to another party as a going concern.
When we share information with other organisations and service providers as set out above, we do so in accordance with this Policy. To the extent that these organisations and service providers gain access to Personal Information, their use is governed by the rules set out in the Privacy Act 1988.
7. Accessing information we keep about you
Customers can access the Personal Information held about them at any time. To do so the Customer should in the first instance contact the Client. If Customers are unsatisfied with the response they have received from the Client, the Customer may contact us to make a request at email@example.com.
We will always endeavour to meet requests for access. However, in some circumstances we may decline a request for access. This includes the following circumstances:
- we no longer hold or use the information;
- providing access would have an unreasonable impact on the privacy of other persons;
- the request is frivolous or vexatious;
- the information relates to existing or anticipated legal proceedings and would not normally be disclosed as part of those proceedings;
- providing access would be unlawful;
- providing access would be likely to prejudice the detection, prevention, investigation and prosecution of possible unlawful activity; and
- the information would reveal our Client’s commercially sensitive decision-making processes.
If we decline a request for access, we will provide reasons for our decision when we respond to the request.
We reserve the right to charge Clients or Customers a reasonable fee for access to information. These charges will be limited to the cost of recouping our expenses for providing the Customer with information, such as document retrieval, photocopying, labour and delivery. Despite anything contained in this Policy to the contrary, if the Freedom of Information Act 1982 applies to any Clients on whose behalf we hold Personal Information, the access and correction requirements in the Privacy Act 1988 operate alongside and do not replace other informal or legal procedures by which an individual can be provided access to, or correction of, their Personal Information.
8. Changing or deleting the information
To provide Clients with the best possible service, it is important that the information we hold about Customers is accurate. We will take reasonable steps to ensure that Personal Information is accurate, complete and up-to-date at the time of collecting the Personal Information from the Client or Customer (as applicable), using or disclosing the Personal Information, or during other interactions with the Customer (or Client).
ZeroCap endeavours to take all reasonable steps to keep Personal Information secure, as follows:
- electronic access to Personal Information of Customers is controlled via username and multi-character password;
- where it is possible and reasonable to do so, data is stored electronically with electronic access controls;
- if Personal Information is provided to us on paper or on removable media unencrypted and we are required to keep it in its current form, it is kept in a secure location where unauthorised individuals are prevented from accessing it;
- ZeroCap will not store full credit card details directly and where credit card details are taken they are processed and stored by a PCI-DSS compliant entity;
- where ZeroCap has Personal Information stored on removable and mobile devices it will be encrypted with a minimum of 256 bit encryption;
- Personal Information stored on our infrastructure is protected by Firewalls and Intrusion Detection Systems.
Notwithstanding the above, ZeroCap is not responsible for any third-party access to Personal Information as a result of:
- interception while it is in transit over the internet;
- an unpatched vulnerability, a zero-day vulnerability, or an attack within 48 hours of a vendor releasing a patch or update;
- spyware or viruses on the device (such as a computer or phone) from which Customers access the Client Site or Client App; or
- a Client or Customer’s failure to adequately protect their user name or password.
ZeroCap is also not responsible for any losses, expenses, damages and costs, including legal fees, resulting from such third-party access.
ZeroCap’s staff are regularly trained and updated on our privacy, data protection and security practices and are required to adhere to them.
11. What to do if you have a problem, question or complaint
From time to time, our policies will be reviewed and may be revised. ZeroCap reserves the right to change this Policy at any time and notify Clients.