This privacy policy applies to the  collection, use, and management of your Personal Data (defined below) by or on behalf of IMPACTORA PTY LTD ACN 673 812 603 its subsidiaries and affiliates in Australia or abroad (collectively referred to as (“Impactora”/ “we” / “us”/ “our”). 

Impactora offers software as a service and associated mobile or tablet applications (Service). Our Service is designed to provide employees easy to access contextual advice and insights to help them resolve issues, make informed decision and tailored to the individual employee and their business. This Privacy Policy applies to all Personal Data collected by us, including Personal Data collected or submitted through our website or our Services.

We have created this Privacy Policy to demonstrate our commitment to the Australian Privacy Act 1988 Cth (“Privacy Act”), the Australian Privacy Principles and other applicable Australian privacy laws (together, the “Australian Privacy Laws”) as well as the privacy laws of other countries which may apply including without limitation the EU General Data Protection Regulation (2016/679), UK GDPR and the UK Data Protection Act 2018 (together, “Data Protection Laws”). It sets out how we may collect, hold, use or disclose your Personal Data. Other terms may also apply to you and the Personal Data we hold about you (for example where we provide you with a specific privacy collection notice or if our Data Processing Agreement applies).

In collecting Personal Data, by law, we are required to provide you with information about us, about why and how we use your Personal Data, and about the rights you have over your Personal Data. If you do not agree with this policy you should not access or use our website or Services or otherwise interact with our business.

In this Privacy Policy, all references to:

“you” and “your” are references to:

• any person or their authorised representative who are users of our Services (if you have entered an end user licence agreement with us (EULA), this includes our Client organisations and (if applicable) their Authorised Users (those terms are defined in our EULA); and
• our contractors, suppliers, employees and potential employees, and other individuals that we engage and interact with in the course of running our business.

“Personal Data” are references to any data or information which is related to an identified or identifiable natural person. In Australia, that also includes any opinion about an identified individual, or an individual who is reasonably identifiable. However, if an applicable Data Protection Law defines “Personal Data” (or a similar term such as “Personal Information”) differently, then the applicable definition shall take precedence in event of any conflict.

What information do we collect?

The type of Personal Data we collect will vary depending on the nature of your dealings with us. We have outlined this in more detail below.

Information collected from our Clients, their Authorised Users and other businesses

If you provide us with goods or services, when you (or a business you represent) enquires about our Services, or if you become our customer (including a business-to-business customer), a record is made which includes your Personal Data. The type of Personal Data that we collect will vary depending on the circumstances of collection and if you are a natural person. For natural persons, the type of Personal Data we collect typically includes:

• your name;
• contact details including your phone number, email address and mailing/delivery address (including where those details are related to a business you represent);
• your professional details (such as your job title);
• information about your employer or an organisation you represent (if you contact us in a business capacity);
• if you are a user of our Services – information about your workplace goals and aspirations;
• any other information you provide to us through our products and Services; and
• any additional information relating to you that you provide to us directly or indirectly through the use of our Website or online presence.

To enable us to provide our Services, you may provide us with Personal Data which relates to another person (for example, name and business contact details of a person who is the contact in a company or government agency with whom we deal). If you provide us with information about any other person you must obtain that person’s permission to give us the information and inform them of our privacy policy.

Prospective employees/contractors

We collect Personal Data when recruiting employees or contractors to our business. This may include your name, contact details, qualifications, and work history (including references and other information included in a CV or cover letter as part of the application process). Generally, we will collect this information directly from you.

Before offering you a position, we may collect additional details such as your tax file number and superannuation information and other information necessary to conduct background checks to determine your suitability for certain positions.

If you are offered a position with us (whether as a contractor or an employee), then we may also collect other Personal Data directly from you including your date and place of birth, your emergency contact’s name and contact details. 

What happens if you don’t provide us your information?

You can always decline to give Impactora any of the information we request (or which is requested via our Services). If you decline, that may mean we cannot provide you with some or all Services or we may not be able to do business with you effectively. If you do not provide us with your Personal Data, we also may not be able to carry out some or all of the Permitted Purposes. If you have concerns about how your Personal Data is used, held or collected, please let us know.

How we collect your information

Generally, we collect your Personal Data directly from you, for instance, we collect your Personal Data as part of us providing and offering our Services (o, if you provide us with goods and services, or as a part of your prospective or current employment.  This includes when you provide your Personal Data to us in person, via our Services (including via our Website, SaaS application or mobile application), when you sign up with us or access our Website, during phone and video calls, by email, via social media, via chatbots or otherwise via any other customer enquiries or communications. For current employees and contractors, we may also collect your Personal Data via internal messaging systems.

If you give us your approval, we may also collect your Personal Data from other people or organisations, for example from:

• our affiliated and related companies;
• third party suppliers, research partners and contractors who assist us to operate our business (including open source software providers); and
• if you are an Authorised User and access our Services in your role as an officer, manager, employee, or consultant to one of our Clients (who in turn will be your employer/head contractor or similar), then we may also collect Personal Data about you from our Client; or
• in respect of prospective employees / job applicants, from recruitment agencies or referees you have nominated.

Where Personal Data is collected from a third party, Impactora will treat your Personal Data in accordance with the practices described in this Privacy Policy. Impactora cannot guarantee the accuracy of Personal Data provided by a third party.

Technical Information

When you contact us, access, or use our products and services, we may collect technical information that may or may not be seen as Personal Data, depending on the applicable Data Protection Law. This may include your IP address, location, and browser or platform information. In addition, we may record how you use and interact with our website and Platform (e.g., where you click, scroll your mouse, and move in between pages). We will only collect information on how you use our website with your approval. Collecting this type of information may help us improve the quality and design of our products and services, and to create new features, promotions, functionality and services by storing, tracking, analysing and processing user preferences and trends as well as user activity and communications. See further below on our use of “Cookies”.

Why do we need your Personal Data?

We only collect or hold your Personal Data where it is reasonably necessary for our business functions or activities, including to assess and manage our customer’s needs and provide Services to Clients and their Authorised Users (as applicable). We may also collect information for employment or service provider related matters, or to fulfil functions associated with our Services, for example, billing and managing customers, and other business relationship and development activities.

The purposes for which we collect and use your Personal Data depends on the nature of your interaction with us, but may include:

• enabling you to access and use our Services;
• enabling us to provide our Services to Clients, including to enable us to meet our contractual obligations, or to exercise our contractual rights;
• researching, developing, expanding and improving our Services (including through the creation of disidentified, derived data where we are legally permitted to do so);
• administering your account with us;
• analysing your interactions and use of our Services and website to understand and improve the effectiveness of our marketing initiatives;
• monitoring your compliance with your contractual obligations;
• keeping and updating records and databases to ensure the smooth operation of our business and Services;
• communicating with you about changes or developments to our Services and business or in the normal course of business dealings;
• to send you communications and notices in connection with your account;
• responding to your enquiries or requests for help or information, including about our Services;
• maintaining and improving our customer service by monitoring our Services for quality and training purposes;
• managing our relationship with you, for example if you are a supplier, or business partner;
• if you are our current or prospective employee, then we will use your Personal Data in relation to your actual or potential employment;
• to comply with the law (including any applicable regulatory requirements) and exercise our legal rights including exercising rights we may have under law or a contract between us and you, or between us and a third party. Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business. For the EU/UK, it is our legitimate interest to ensure that a buyer of our business can continue our business, or that an investor has sufficient knowledge to determine whether to invest in our business;
• if it is necessary to prevent a serious threat to life, health or safety and it is impractical to obtain your approval or consent, we will use your Personal Data without your approval or consent (but only to the extent permitted by law)

          (together, Permitted Purposes).

In some circumstances, we carefully de-identify and anonymize your Personal Data (including Sensitive Information). This means it can no longer be associated with you (“de-identified information”). We may use this de-identified information indefinitely without notifying you. For example, we use de-identified information to improve our Services and create new software products. In addition, we may share de-identified information with third parties, including our suppliers, research partners, and service providers, without limitation.          

How do we use your information?

By providing your Personal Data to us either directly or via our Services or Website, you agree to us using or disclosing your Personal Data for:

• the Permitted Purposes;

• any purpose related to the Permitted Purposes that could be reasonably anticipated at the time your Personal Data was collected (Secondary Purpose);

• any purpose to which you otherwise agree (including as disclosed to you in an information collection statement at the point where we collect your Personal Data or for example, we may publish testimonials to promote our Service, with your permission); and

• any other purpose required or authorised by law (including under Data Protection Laws).

Secondary Purposes may include sending you direct marketing about our products or services, deals and promotions; conducting customer surveys, marketing, administrative, management and operational purposes including statistical analysis and reporting, training staff, contractors and other workers, risk management and management of legal liabilities and claims (for example, responding to legal orders and obligations, liaising with insurers, and obtaining advice from our legal representatives).

When do we disclose or share your information?

Generally speaking (and as described above under the heading “Why do we need your Personal Data”) we will disclose your Personal Data for the Permitted Purposes.  We may also disclose your Personal Data with your approval, or to our affiliates, partners or service providers (including hosting providers, payment processors, and support service providers) in order to assist us to provide our Services to you. We may also use and disclose your Personal Data where authorised or required to do so by law. We have listed below to whom and when we disclose your Personal Data.

Where we disclose your Personal Data to third parties, your Personal Data will also be dealt with in accordance with the privacy policies of those third parties. The types of people we may share your Personal Data with include:

• Managed accounts and administrators

If you register or access the Services using an email address with a domain that is owned by your employer or organisation or associate that email address with your existing account, and such organisation wishes to establish an account or site, certain information about you including your name, profile picture, contact info, content and past use of your account may become accessible to that organisation’s administrator and other Service users sharing the same domain.  If you are an administrator for a particular site or group of users within the Services, we may share your contact information with current or past Service users, for the purpose of facilitating Service-related requests.

• Disclosing or sharing with other third parties

We work with other businesses to help us operate, provide, improve, integrate, customise, support and market our Services and in doing so, we may need to disclose certain information about you in the following circumstances: 

• Disclosure to contractors and other service providers: We may disclose your Personal Data to third parties we engage in order to assist us in providing our Services to you or to administer our relationships with consultants, sales support, suppliers, research partners and service providers such as those providing the payment gateway, data processing, data analysis, customer assistance, information technology services (including IT storage and support and open source software providers), website maintenance/development, and research activities (including market and product development research).

• Third Party Sites: In using the Services, there may be links that direct you to unrelated third party websites or services whose privacy practices may differ from ours. If you submit information to any of those third party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.

• Law Enforcement, Public or Governmental Agencies: We may be required to share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and Services, or (d) protect Impactora, our customers or the public from harm or illegal activities.

• With your approval: We share information about you with third parties when you give us approval to do so. For example, we may display personal testimonials of satisfied customers on our public Website with the customer’s permission.

• Sharing with our affiliates
• Affiliates: We share information (excluding Sensitive Information) that we collect with our affiliates and other Impactora entities, and, in some cases, with prospective affiliates, in order to operate and improve our Services and to offer other Impactora-affiliated services to you. Affiliated companies are companies owned or operated by us. This privacy policy applies to the information we disclose to those entities.
• Corporate Transactions: to the extent permitted by law, we may share or transfer information we collect under this privacy policy in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. You will be notified via email and/or a prominent notice on our Website if a transaction takes place, as well as any choices you may have regarding your information.
• For prospective employees / job applicants: To assist us with our recruitment process, we may disclose your Personal Data to those employees or team members who it is necessary for your Personal Data to be disclosed to as part of the recruitment process as well as recruitment agents and other advisers who assist with recruitment.

Can you remain anonymous or use a pseudonym?

We will, if practicable, allow you to use a pseudonym or to not identify yourself (unless this is impractical or against the law (including Data Protection Laws)).

In some instances, if you do not provide us with some of your Personal Data, we may not be able to provide you with the relevant product, service or information.  This may have an effect on whether we can begin or continue a relationship with you. If you are a Authorised User, it may mean you cannot use our Services as required by your employer.

What disclosures (including international disclosures) do we make?

Generally speaking (and as described above under the heading “How do we use or disclose your information”) we will disclose your Personal Data for the Permitted Purposes.  We may also disclose your Personal Data in other ways with your approval or to any other party where we are authorised or required to do so by law (including under Data Protection Laws). If you are located in the UK or EEA and we are the processor of your Personal Data, we will also only process your Personal Data in accordance with the controller’s directions.

As we note above, we may disclose your Personal Data to our partners, suppliers and distributors in order to assist us in providing our Services to you. Generally, we store Personal Data in local servers situated in Australia. However, some of our service providers (such as our developers, software and the payment facility providers), or the services they provide (like cloud storage services and open source software), may be based outside Australia (including without limitation in Europe, UK or the USA).  In order to protect your Personal Data, we take care where possible to work with service providers who we consider maintain acceptable standards of data security compliance, and we do our part to meet those standards as they apply to us. This includes us taking steps to ensure your Personal Data receives the protections required by law. So, for example, where the GDPR applies, if we transfer your personal data outside the UK or European Economic Area (EEA), we’ll ensure the transfer complies with applicable data protection law. However, if you are located in the UK or EEA and we transfer your information to a third-party service provider that is located outside the UK or Europe the country to which the data is sent may not have the same level of data protection as the UK or EEA.

By providing us with your Personal Data, you give us your approval to use, store, and disclose your Personal Data overseas (and acknowledge that no additional obligations that may apply to the overseas disclosure of Personal Data under Australian Privacy Laws will apply).

Is your information confidential and secure?

We take all reasonable steps to keep your Personal Data secure and to ensure it is protected against misuse, loss, unauthorised access, modification or inappropriate disclosure. We may hold your Personal Data in both hard copy and electronic forms but will store it in secure systems accessible only to authorised personnel.

We host your Personal Data that we collect in secure server environments that are protected by industry best practices in an effort to prevent interference or access from unauthorised persons.

Online Transactions  

If you purchase our Services via a third party site (including the Apple Appstore, or any other online software distribution service) then your credit card will be processed in accordance with the third party sites terms and conditions, and or privacy policy. We strongly suggest you read the relevant third party sites terms to understand how they handle online transactions.

If Website functionality permits you purchase a Service through our Website, we will:

• process your credit card details securely over the internet using a third party provider’s tier-one PCI-DSS compliant payment gateway;

• protect our Website by industry standard TLS encryption to ensure that your credit card and anonymity are protected when you purchase online; and

• if you opt-in to save your credit card details, our third party provider will retain your credit card details on its servers for future purchases on our website. We do not store your credit card details on our servers.

While we take reasonable steps to protect your Personal Data, no website, internet connection or transmission, computer system or wireless connection is completely secure, and we cannot guarantee or provide assurances regarding the security of transmission of information you communicate to us online or the integrity of transmission over the internet. Any information which you transmit to us online is at your own risk.

Do we use “cookies”?

When you visit our website, the server may attach a “cookie” to your computer’s memory.  A “cookie” assists us to store information about how you use our website and to make assumptions about what information may be of most interest to you. This information is generally not linked to your identity and can include information such as the type of device or browser you’re using, IP address, your device ID (a numeric identifier for your mobile device, if you access our website using a mobile device), the time of your visit, the duration and the pages you accessed on our website. We may use knowledge of your user experience to better understand what products or services may be of interest to you and to collect statistical information. 

Most browsers can be set to detect cookies and you can control how your browser deals with cookies by changing your browser settings (for example by rejecting cookies). However, in doing so, you may not be able to use certain content on our website and may not have the same user experience.

Using third party websites and services

Our Website or Services may contain links to other websites, platforms or applications. Unless the other website, platform or application is one of our products, we are not responsible for the privacy practices of the owners of those websites, platforms, or applications.  We recommend that you read the privacy policy of any website, platform, or application that asks you to provide Your Information.

Changes to our Privacy Policy

We may need to change this privacy policy from time to time. When we do amend it, the changes will be effective immediately upon being made public on our Website. We will use reasonable measures to notify you of any relevant changes to this privacy policy, but please be aware that it is your responsibility to review our privacy policy regularly and make sure you keep up to date with any changes.

Managing your information

You are responsible for ensuring that your Personal Data is accurate, current and complete and we encourage you to contact us to update your Personal Data if it changes.

You may ask us to access your Personal Data in accordance with the relevant Data Protection Law including by asking us to provide you with a summary of your Personal Data that we hold (which may be subject to certain limitations under Data Protection Laws). 

To the extent we hold your Personal Data, for your protection, we may require you to confirm your identity before access to your Personal Data is granted.

In most cases, where held by us, we can provide you with a summary of your Personal Data free of charge.  However, in some circumstances, reasonable costs may be charged to you in accessing your Personal Data in accordance with and subject to the relevant Data Protection Law, including any costs limitations contained in the applicable law.

If you believe that any of your Personal Data, we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading you are entitled to request correction of the information. After receiving a request from you, we will take reasonable steps to correct your Personal Data.

We may decline your request to access or correct your Personal Data in certain circumstances in accordance with the relevant Data Protection Law (or if we no longer hold any Personal Data about you as disclosed above). This includes for example if fulfilling a request in relation to amending or deleting your Personal Data would reveal information about another person, or if you ask to delete Personal Data which we are permitted by law or that we have compelling legitimate interests to keep. If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your Personal Data about the requested correction.

Where you have requested us to manage your Personal Data in some way, we may need time to investigate and facilitate your request.  If there is delay or dispute as to whether we have the right to continue using your Personal Data, we will restrict any further use of your Personal Data until the request is honoured or the dispute is resolved.

How long will we keep your personal data for?

When you’re an Authorised User and the UK or EEA Data Protection Laws applies, we’re acting as a data processor, so we’ll retain your personal data for the period set by our Client, the data controller. Where the UK or EEA Data Protection Laws applies, and in the limited circumstances explained above where we are a data controller, we’ll only retain your Personal Data for as long as we need it.

We may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal, accounting, or regulatory obligations.  If you ask to delete information which we are permitted by law or have compelling legitimate interests to keep, we may not be able to fully meet your request. This means the period of time we keep your Personal Data depends on the category of Personal Data it falls into. 

After such time, we will either delete or anonymise your Personal Data or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further use until deletion is possible. In some instances, you may also request that we delete some or all of your Personal Data, and if requested, subject to our legal, accounting or regulatory obligations to the extent practicable, we will take reasonable steps to destroy your Personal Data or anonymize it.  

Notice to Authorised Users

Where the Services are made available to you through an organisation (for e.g. your employer, who is our Client) as their Authorised User, that organisation is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control.

If you are an Authorised User who based in the EU or UK, we collect your data on behalf of organisations who are our Clients. We therefore act as a data processor on their behalf. Our Client will remain the data controller of your Personal Data – they are responsible for how it is collected and used. If this is the case, please direct your data privacy questions to your organisations administrator, as your use of the Services is subject to that organisation’s policies. Generally speaking, an organisation’s administrators are able to access your first name, surname and email. If Software functionality permits, an organisation’s administrators may also be able to access other information inputted into our Services from time to time. We are not responsible for the privacy or security practices of an organisation, which may be different than this policy. Please contact your organisation or refer to your administrator’s organisational policies for more information.

That said, we act as a data controller of Personal Data if you contact us directly for support or visit our website. In respect of our Clients in the EU or UK, we act as a data controller to manage our relationship with you and provide our goods and services.

Your rights under EU/UK data protection laws

Firstly, EU/UK Data Protection Laws are complicated – the rights set out below won’t always be available to you.

In addition to your rights set out elsewhere in this Privacy Policy, if the EU/UK Data Protection Laws apply to you, you may have other various rights, including the right to:

• erasure (also known as the right to be forgotten):

• ask us to restrict our handling of your Personal Data;

• ask us to transfer your Personal Data to a third party;

• object to how we are using your Personal Data; and

• withdraw your approval to us handling your Personal Data.

If you are an Authorised User, remember that to exercise your rights under EU/UK Data Protection Laws, you need to contact the organization you work for. However, you can still contact us for assistance.

Queries and complaints

If you have a question or want to make a complaint about how we handle your Personal Data, please contact us using the details below.  We will review any question, complaint or concern you may have and will respond to you after we have carefully considered it.  We will, where reasonably possible, take steps to investigate and resolve complaints within 30 days (or such other applicable period under Data Protection Laws). Please note, we may require further information from you to resolve any complaints. If we need more time, we will notify you about the reasons for the delay and seek to agree a longer period with you (if you do not agree, we may not be able to resolve your complaint).

We can be contacted via our Privacy Officer at: hello@impactora.com

If we cannot resolve a complaint relating to your Personal Data (or if you want more information about privacy laws in general), you may contact the relevant data protection authority (who may include):

• in Australia – the Office of the Australian Information Commissioner;

• in the UK – the Information Commissioner’s Office; or

• in the EEA– the European Data Protection Supervisor.

Last date updated: July 2024