1. The information outlines how we, Incent Loyalty Pty Ltd, ACN 617 123 636 (“Incent Loyalty”, “us”, “our” or “we”), an Australian incorporated company, comply with the requirements of:
- the Privacy Act 1988 (Cth); and
- the Australian Privacy Principles,
in protecting and maintaining the personal information we hold about you.
2. Personal information is any information or opinion about you from which you could reasonably be identified. For example, this may include, but is not limited to, your name, email address, residential address and contact details. Personal information includes sensitive information such as:
- your racial or ethnic origin;
- political opinions or membership of political associations;
- religious or philosophical beliefs;
- membership of a professional or trade association or trade union;
- sexual orientation or criminal record;
- health, biometric information, and genetic information.
Sensitive information is subject to stricter requirements under the Privacy Act 1988.
3. We will work to protect your personal and sensitive information in accordance with the Australian Privacy Principles and the Privacy Act 1988.
PURPOSES OF COLLECTION OF PERSONAL INFORMATION
1. We collect, hold, use and disclose personal and/or sensitive information for the following purposes:
- to provide our products and services;
- to send service, support and administrative messages, reminders, technical notices, updates, security alerts, and information requested;
- to send marketing and promotional messages and other information that may be of interest to clients;
- to enable clients to access and use our website and services;
- to identify and control or minimise risks to our services;
- to enable us to monitor suspicious or fraudulent activity in relation to our services;
- to enforce compliance with our terms;
- to provide information to representatives and advisors, including lawyers and accountants, to help us comply with legal, accounting, or security requirements;
- where we believe it is necessary to protect our legal rights, interests and the interests of others, including in connection with legal claims, compliance, regulatory and audit functions, prevention of fraud, ensuring data security;
- to comply with our legal obligations, resolve any disputes that we may have with any of our clients, and enforce our agreements with third parties;
- for any purpose you have consented to; and
- for any purpose related to the above.
2. We may de-identify the information in your Account and your Rewards Profile and share it with third parties on an aggregate basis. For the purposes of this provision, ‘Aggregate basis’ means the information of many members is combined to form one measurement or quantity that cannot be used to identify any person. For example, a client may be told that their advertising campaign is going to be received by 1,000 members between 18 and 25 years of age, and received by 500 members between 25 and 45 years of age.
3. We will ask you for your online banking details, which will be used by us to access your bank feed data to enable us to allocate reward points you are entitled to receive. The bank feed integration is provided by a third-party service provider, Yodlee Inc (Yodlee), whom we have engaged. Yodlee will have access to your bank account information and other personal information which is made available through its integration. Yodlee may only disclose or use this information to the extent required to perform its services and must ensure that any third parties it engages only use the information to the same extent. Yodlee may use the information internally to improve its services or to perform fraud screening or identity verification services or to verify information contained within its accounts throughout its broader network. It may use, sell, licence, distribute and disclose information about you, but only if that information has been de-identified, which means that you cannot be identified directly or indirectly from that information.
4. We may share the information in your Account, including but not limited to your personal information, spending record, and a deduction/analytic of that information, with a third party after a specific consent is provided by you. The third parties may or may not reside in Australia. We may receive remuneration from a third party as a result. You agree that Incent Loyalty (and its affiliates) will be fully entitled to such remuneration. You will have the right to withdraw the consent at any time via our website.
5. You are not obliged to provide the personal information we request. However, if you do not provide us with the personal information we request, you will not be able to become a member of the Service and/or we may not be able to provide you with the services you have requested. In this case the service may be restricted and/or account may be closed. Any reward accumulated may be forfeited/lost permanently, and Incent Loyalty will not be held responsible should this occur.
6. We may ask you to review and update your personal information on a regular basis e.g. new ID number, new expiry date, new address/phone number etc. If you do not update the personal information we request, we may suspend or cancel your membership. Any reward accumulated may be forfeited/lost permanently, and Incent Loyalty will not be held responsible should this occur.
7. If you are an individual in the European Union (EU), we collect and process information about you only where we have a legal basis for doing so under the GDPR. The legal basis for processing your personal information will depend on the products or services you use and your relationship with us (for example, whether you are our client or you are a beneficial owner or controlling person of a client). We will only collect and use your personal information where one of the following legal bases applies:
- it is required to provide you with the relevant products or services in accordance with our agreement with you;
- it is necessary for the purposes of our legitimate interests (which are not overridden by your data protection interests), including in connection with legal claims, compliance, regulatory and audit functions, prevention of fraud and ensuring data and system security;
- you have given us consent to do so for a specific purpose; or
- it is necessary for us to comply with our legal obligations.
8. If you are an individual in the EU and you have consented to our use of your personal information for a specific purpose, you have the right to withdraw your consent at any time, but this will not affect any processing that has already taken place.
DIRECT MARKETING AND COMMUNICATION
1. We may use or disclose personal information we hold about you for the purpose of direct marketing. Direct marketing means that we can use your personal information to provide you with information on our products and services that may interest you. This may take the form of emails, SMS, mail or other forms of communication, in accordance with the Spam Act and the Privacy Act.
2. You will receive direct marketing emails from us whether as a direct result of data profiling, or general blanket direct marketing. If you wish to opt out of receiving marketing information or any communication from us altogether, you can email us on firstname.lastname@example.org or select the appropriate option on our website. Your opt-out of receiving direct marketing material will not affect other membership features, but you may miss out on promotions or other opportunities.
INFORMATION WE MAY COLLECT
1. The personal and sensitive information we collect generally consists of name, physical address, date of birth, gender, social media accounts, occupation, education, contact details (including telephone and e-mail), the actual image of the identification document (e.g. passport, driver’s license, utility bills), internet use, shopping preferences/habits, financial information, banking transactional information, and Identification Information such as License/passport number, expiry date etc. We will also collect and maintain your specific purchase transactions completed in third party platform(s) for reward allocation and verification purposes.
2. We also collect information about your internet use. This information includes the URL of any website you visit, how long you spend on any website, whether you make purchases online, and other online behaviour. We will only collect the root URL of any website you visit, and will not collect information of any sub-pages of any website.
3. We are required to identify you in various situations, including but not limited to allocating any reward or crypto currency, ensuring correct redemption payment etc. Anti-money laundering laws may require us to sight and/or record details of certain documents (i.e. photographic and non-photographic documents such as drivers’ licence, passport, birth certificate) in order to meet the standards set under those laws.
HOW WE COLLECT THE INFORMATION
1. We will only collect personal information about you directly from you (rather than someone else), unless it is unreasonable or impracticable to do so. For example, in order to verify your identity, we will need to collect information from a third party such as a digital identity service provider and other sources we deem fit and necessary.
2. We may collect information when you:
- provide your bank linking detail for the purpose of reward recognition and allocation;
- provide your bank account detail for reward redemption purposes;
- download/install/have not objected to the “use” of our Applications/toolbars/plug-in/Add on/Cookies on all your devices (e.g. personal computers, laptop computers, tablets, smartphones etc.). The definition of “use” may include passive “use” such as allowing the toolbar/cookies running in the background;
- communicate with us through phone calls, correspondence, email, update your personal information online or when you share information with us from other social applications, services or websites;
- fill out a membership application form with us, complete a survey (including electronically) or provide further information to support your membership application or as otherwise requested by us e.g. sharing of social network/media (e.g. Facebook, LinkedIn, Twitter etc);
- make purchase(s) through our dedicated URL from the relevant merchant;
- authorise Incent Loyalty to obtain your bank/financial transaction details (directly or through an independent third party) to verify the eligible transaction or for other data analytical (in aggregate) purpose; and
- authorise Incent Loyalty under this policy to perform ID verification using an independent identification verification service. The verification service provider may have access to various government or non-government registers to which Incent Loyalty does not have direct access.
3. Your friends and family pass on your information to us under the “Refer a friend” program. Please refer to our Terms and Conditions for more detail.
4.We may collect information about you from others such as related entities, 3rd party suppliers and service providers in connection with providing our products and services, public sources, banks, financial institutions and other financial product providers etc.
Using our website and cookies
1. We may collect personal information about you when you use and access our website.
2.While we do not use browsing information to identify you personally, we may record certain information about your use of our website, such as which pages you visit, the time and date of your visit and the internet protocol address assigned to your computer.
3.We may also use ‘cookies’ or other similar tracking technologies on our website that help us track your website usage and remember your preferences. Cookies are small files that store information on your computer, TV, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser but our websites may not work as intended for you if you do so.
DISCLOSURE OF PERSONAL INFORMATION
1. The entities we may exchange your personal information with include but are not limited to:
- affiliated product and service providers and external product and service providers for whom we act as agent;
- external product or service providers that help us to provide our services, including supporting systems or applications;
- auditors/consultants we appoint to ensure the integrity of our operations;
- any person acting on your behalf, including your solicitor, settlement agent, accountant, executor, administrator, trustee, guardian or attorney;
- other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required, authorised or permitted by law;
- other organisations who in conjunction with us provide products and services (so that they may provide their products and services to you);
- service providers with whose applications we have integrated; and
- Independent Identification verification provider(s) to verify the information you have provided is true, accurate and up to date.
2.We may disclose personal information if we outsource certain functions, including bulk mailing, market research, direct marketing, statement production, and information technology support. We also seek expert help from time to time to help us improve our systems, products and services.
3. In all circumstances where personal information may become known to our contractors, agents and outsourced service providers, there are confidentiality arrangements in place. Contractors, agents and outsourced service providers are not able to use or disclose personal information for any purposes other than our own.
DISCLOSING PERSONAL INFORMATION TO CROSS-BORDER RECIPIENTS
1. We may disclose personal information outside of Australia/EU/US to various service providers (e.g. email service provider(s)) or suppliers that we may engage. The service providers may or may not be located in Australia and it may not be possible for us to inform you of any cross-border changes in a timely manner.
2. We will take reasonable steps to ensure that any overseas recipient will deal with such personal information in a way that is consistent with the Australian Privacy Principles. However, some of these third parties may not have equivalent privacy and data protection laws to the country in which you reside and may not, in the case of individuals located in the EU, be subject to an adequacy decision of the European Commission that the third country ensures an adequate level of protection. We will use our best endeavours to ensure that personal information will receive protection similar to that which it would have if the information were in Australia by implementing standard data protection obligations in our contractual agreements with these overseas service providers. For more information, please contact the Privacy Officer.
3. Please refer to our website for the countries to which we may disclose your personal information, if any. The list may be changed without, or under very short, notice.
SECURITY OF PERSONAL INFORMATION
1. We may hold your personal information in either electronic or hard copy form. We are committed to ensuring that we protect any personal information we hold from misuse, interference, loss, unauthorised access, modification and disclosure.
2.Accordingly, we have a range of practices and policies in place to provide a robust security environment. We ensure the adequacy of these measures by regularly reviewing them on an ongoing basis.
3. If you are being directed to an external site for various reasons, including but not limited to: making eligible purchases (e.g. on merchant sites); providing bank linking detail (e.g. Yodlee); ID verification (e.g. Australia Digital ID/Trulioo/BonID), the responsibility of personal information security resides with that independent third party. Incent Loyalty does not have control over, and therefore will not be held responsible for, another entity’s information security.
4. Our security measures include, but are not limited to:
- educating our staff as to their obligations with regard to your personal information;
- requiring our staff to use passwords when accessing our systems;
- encrypting data sent from your computer to our systems during Internet transactions and customer access codes transmitted across networks;
- employing firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses from entering our systems;
- destroying and de-identifying data when it is no longer required, or the mandatory record keeping time frame (typically 7 years) has elapsed;
- using dedicated secure networks or encryption if we transmit electronic data for purposes of outsourcing; and
- providing secure storage for physical records.
However, we cannot guarantee the security of your information.
ADOPTION, USE, OR DISCLOSURE OF GOVERNMENT IDENTIFIERS
1.We will not adopt a government related identifier of an individual as our own identifier unless required or authorised to do so by or under an Australian law, regulation or court/tribunal order.
2.Before using or disclosing a government related identifier of an individual, we will ensure that such use or disclosure is reasonably necessary for us to verify your identity for the purposes of our activities or functions or required or authorised by law.
ACCESS TO, CONTROL AND CORRECTION OF, PERSONAL INFORMATION
1.You can request us to provide you with access to the personal information we hold about you. If we deny you access to your personal information, we will let you know why.
2. Requests for access to limited amounts of personal information, such as checking to see what address or telephone number we have recorded, can generally be handled via the online platform or over the telephone. Online access of your personal information will generally be free of charge.
3.If you would like to request access to more substantial amounts of personal information such as details of what is recorded in your account file, we will require you to complete and sign a “Request for Access to Personal Information” form.
4.Following receipt of your request, we will provide you with an estimate of the charge for processing your request and confirm that you want to proceed. We will not charge you for making the request for access. Any processing charge will reflect the costs we incur in giving you access to the requested personal information.
5.We will respond to your request as soon as possible and in the manner requested by you. We will endeavour to comply with your request within 14 calendar days of its receipt but, if that deadline cannot be met owing to exceptional circumstances, your request will be dealt with within 30 calendar days. It will help us provide access if you can tell us what you are looking for.
6.You may be required to provide officially certified documents such as marriage certificate, change of name certificate etc. should you require any name change. There may be a fee involved, as change of name may require re-verification of identity with an external identity provider.
7.Data Portability is the ability to obtain your information in a format you can move from one service provider to another (e.g. when you transfer your telephone mobile (‘cell’) account to another carrier). We will provide you with an electronic file of your basic account information upon your written request in a format that is mutually convenient and/or technically possible.
8.Your identity will be confirmed before access to the information held about you, and any data portability can be provided.
REFUSAL TO GIVE ACCESS, AND OTHER MEANS OF ACCESS
1.In particular circumstances we are permitted by law to deny your request for access, or limit the access we provide. We will let you know why your request is denied or limited if this is the case. For example, we may give an explanation of a commercially sensitive decision rather than direct access to evaluative information connected with it.
2.If we refuse to give access to the personal information or to give access in the manner requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.
3. Additionally, we will endeavour to give access in a way that meets both your needs and ours.
CORRECTION OF PERSONAL INFORMATION
1.We will correct all personal information that we believe to be inaccurate, out of date, incomplete, irrelevant or misleading given the purpose for which that information is held or if you request us to correct the information.
2.Please contact us if any of the details you have provided to us change, or if you believe that the information we have about you is not accurate or up to date.
3.If we correct your personal information that we previously disclosed to another APP entity you can request us to notify the other APP entity of the correction. Following such a request, we will give that notification unless it is impracticable or unlawful to do so.
REFUSAL TO CORRECT INFORMATION
1.If we refuse to correct the personal information as requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant information.
2.If we refuse to correct the personal information as requested by you, you can request us to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading. We will then associate the statement in such a way that will make the statement apparent to users of the information.
1.Sometimes you may be directed to a third party’s web site where an advertiser or market research company asks you to provide your personal information. It is your choice whether to provide your personal information to that third party. We cannot be held responsible for the privacy practices or actions of any third party.
DELETION OF PERSONAL INFORMATION
1.You may require your information to be deleted permanently. Incent Loyalty may remove your Personal Information from the production database upon your express written request. However, the information may still be archived for regulatory record-keeping purposes for the required time frame (generally 7 years), at the sole discretion of our AML Officer.
2. Incent Loyalty may only remove the Personal Information we control, and cannot facilitate the removal of personal information which may already have been disclosed under this policy.
3.We cannot provide any membership services once your information has been deleted. Please refer to our Terms and Conditions regarding the balance of your reward/INCNT upon cancellation of membership.
ADDITIONAL RIGHTS FOR INDIVIDUALS LOCATED IN THE EU
If you are an individual in the EU, you have the following additional rights:
- Erasure of your personal information: You may request erasure of your personal information in certain circumstances. For example, if you believe your personal information is no longer necessary for the purpose which we collected it or if you have withdrawn your consent for us to process your personal information.
- Restriction or objection to processing personal information: You may request us to restrict or stop the processing of your personal data in certain circumstances. For example, if you believe the personal information we hold is not accurate, if you believe that the data has been unlawfully processed or if we are using your personal information for direct marketing activities.
- Data portability: You may request us to provide you with a copy of your personal information in a format that you can easily move or provide to another service provider. Your right to data portability applies to some, but not all, of your personal information.
Requests should be made in writing and addressed to the Privacy Officer, using the contact details below. We may refuse your request, for example if we still have a legitimate business interest in keeping and continuing to process that personal information, if processing of your personal information is necessary to comply with a legal obligation, or if the request is manifestly unfounded or excessive (as applicable). If we deny your request, we will provide our reasons in writing.
CONTACT US AND COMPLAINTS
1. If you have any questions, or would like further information about our privacy and information handling practices, please email us on email@example.com.
2.We offer a free internal complaint resolution scheme to all of our customers. Should you have a privacy complaint, please contact us to discuss your concerns using the following details on the subject line:
Privacy Officer: firstname.lastname@example.org
3.To assist us in helping you, we ask you to follow a simple three-step process:
- Gather all supporting documents relating to the complaint.
- Contact the Privacy Officer using the contact details set out above and we will review your situation and if possible resolve your complaint immediately.
- If the matter is not resolved to your satisfaction, please contact our Complaints Officer: email@example.com
4. If you are still not satisfied, you can contact the Office of the Australian Information Commissioner using any of the following details:
GPO Box 5218 Sydney NSW 2001
Phone: 1300 363 992
Effective: Nov 2019