This Privacy Policy explains how we collect, hold, use and disclose personal information in connection with our business operations and the supply of our business-to-business software-as-a-service products and related services, including implementation, support, maintenance and customer success services.

We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles, and other applicable privacy and data protection laws. Where we process personal data subject to the EU General Data Protection Regulation 2016/679 (GDPR) or UK GDPR, we will also handle that personal data in accordance with those laws to the extent they apply.

In many cases, we act as a service provider or processor on behalf of our business customers, who determine how personal information contained in customer data is collected and used. In other cases, such as where we manage our customer relationships, website enquiries, supplier relationships and recruitment processes, we act as a controller of that personal information.

If we decide to change this Privacy Policy, we will post the updated version on this webpage so that you will always know what personal information we gather, how we might use that information, where we store it and whether we will disclose it to anyone. Our policy is to be open and transparent about our privacy practices.

We provide cloud-based software products and related professional services to business customers, including software subscriptions, onboarding, implementation, integration, configuration, training, support and maintenance (collectively, the Services).

We only enter into a contract with you for your subscription, license or use of one or more of our services. We do not enter into contracts with any of your end users.

The functionality, technical specifications and products that we provide to you depend on the particular requirements set out in the contract that we have with you.

Some of our services provide functionality that can be used by you to collect, process and disclose personal information about your end users.

You are required to comply with all applicable privacy laws.

Where we process personal information on your behalf through the Services, you are responsible for ensuring you have an appropriate legal basis to collect, use and disclose that personal information and to instruct us to process it. You are also responsible for the accuracy, quality and legality of the customer data you provide to the Services.

We encourage you to ensure that your end users are familiar with your privacy policy, so that your end users understand how you collect, use and otherwise process personal information about them, via the services.

We collect the following types of personal information:

1. Customer data and end user information processed through our Services: We process information that our customers, their authorised users, or their end users submit to, store in, send through, or otherwise make available via our Services. Depending on how our customers use the Services, this may include names, business contact details, job titles, user identifiers, transactional data, documents, communications metadata and other personal information chosen by the customer.
2. Information about customer personnel and prospective customers: We collect business contact and account information about customer and prospective customer personnel, such as names, work email addresses, telephone numbers, job titles, company details, billing information and records of commercial, contractual and support interactions.
3. Information about suppliers, contractors and applicants: We collect personal information reasonably necessary to engage and manage suppliers, contractors and job applicants, such as names, business contact details, role information, payment details, qualifications and information relevant to onboarding, due diligence and administration.
4. Service, security and diagnostic data: We collect technical information necessary to operate, secure and support the Services, such as IP addresses, device and browser information, timestamps, user IDs, audit logs, authentication events, diagnostic logs, support ticket content and incident-related records.
5. Telecommunications Data: As an internet service provider, we are required to retain data about communications under Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). This information is retained for 2 years from the date that we create it. We are also required under the TIA Act to retain subscriber information for 2 years from the date the relevant account is closed. The data that we retain in accordance with our obligations under the TIA Act may be disclosed to law enforcement agencies. For further information about the specific types of personal information that we may be required to collect and retain under the TIA Act, please contact us.

Our policy is to be completely transparent about how and why we collect personal information and not to collect personal information by means that are unfair or unreasonably intrusive. We only collect personal information that is necessary to provide the services and to otherwise operate our business.

We collect personal information about your personnel in one or more of the following ways:

1. when they contact us with enquiries about our services, whether by email, via our website or via telephone;
2. during the preparation, negotiation and finalisation of the contract for the provision of services and for billing purposes; or
3. when it is voluntarily disclosed to us (including, but not limited to via telephone, e-mail and online forms).

We will collect personal information about your end users in one or more of the following ways:

1. when end users enter personal information into or via our services;
2. when you provide personal information to us about your end users;
3. in the course of providing our services; or
4. when it is voluntarily disclosed to us (including, but not limited to via telephone, e-mail and online forms).

We will collect personal information about our employees, suppliers and contractors in one or more of the following ways:

1. when we carry out background checks during the recruitment process or otherwise;
2. when they respond to employment or contractor opportunities that we make available, enquire about available positions within our company, and when we conduct reference checks;
3. when we trade business details with our suppliers and contractors;
4. for workplace health and safety reasons;
5. during the preparation, negotiation and finalisation of a contract that we enter into and for billing purposes thereafter; or
6. when it is otherwise voluntarily provided to us;

We use personal information about you, your end users and our suppliers and contractors to enforce our legal rights, comply with our legal obligations and as otherwise set out in the following table:

We also collect information about your end users known as analytics data, such as user location, information about devices accessing our services, the amount of time an end user spends and in which parts of it, and the path navigated through it. However, all such information is de-identified data and not collected in a form that could reasonably be expected to identify an individual. In any event, we only use analytics data for the following internal business purposes:

1. to help us review, enhance and improve our services; and
2. to develop case studies and marketing material without identifying any end user.

We hold and store personal information that we collect in our offices, computer systems and third party owned and operated hosting facilities. In particular:

1. customer data hosted as part of our Services is primarily stored in Microsoft Azure data centre regions located in Australia, including Australia East (New South Wales) and Australia Southeast (Victoria), subject to the configuration of the relevant Service and any disaster recovery or resilience settings selected by us or our customer;
2. personal information that is provided to us via email is held on our servers or those of our cloud-based email providers which have restricted access security protocols;
3. we use third party owned cloud-based customer relationship management (CRM) and marketing platform providers to hold personal information about current and prospective customers;
4. personal information is held on computers and other electronic devices in our offices and at the premises of our personnel; and
5. we hold personal information that is provided to us in hard copy in files and folders in secure locations.

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure. Our information security program is designed to support our obligations under applicable privacy laws and includes administrative, technical and physical safeguards appropriate to the nature of the information and the risks involved.

We maintain an independently audited SOC 2 Type II compliance program for relevant in-scope systems and controls. While no environment can be guaranteed to be completely secure, this program supports our ongoing management of security, availability, confidentiality and related control objectives.

For example, we:

1. perform security testing and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management and firewalls;
2. carry out security audits of our systems which seek to find and eliminate potential security risks in our electronic and physical infrastructure as soon as possible;
3. maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms to ensure the security of information systems (electronic or otherwise);
4. require all of our employees, agents and contractors to comply with privacy and confidentiality provisions in their employment contracts and subcontractor agreements that we enter into with them;
5. continuously monitor, log analysis, and audit our devices, storage and channels. This may be performed by our suppliers and contractors;
6. have data backup archiving, data breach response plans and disaster recovery processes in place;
7. implement passwords and access control procedures into our computer systems; and
8. with respect to personal information that we no longer require or where we are otherwise required to destroy it under applicable law, we ensure that such personal information is securely de-identified (where permitted by law) or destroyed.

We only disclose personal information that we collect to third parties as follows:

1. in order to provide the services to you;
2. when performing contracts, we may outsource certain obligations to third party contractors in accordance with our contractual rights (such as hosting, consulting and other professional services). Professional services carried out by them may require access to an individual’s personal information. We ensure that all staff and contractors are aware of their information security responsibilities, are appropriately trained to meet those responsibilities and have entered into agreements which require them to comply with privacy and confidentiality obligations that apply to personal information that we provide to them;
3. when we engage third parties to make marketing calls, to provide customer satisfaction surveys or send marketing emails. All individuals will be given the opportunity to ‘opt out’ of any direct marketing calls or emails;
4. when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we request their representation in relation to a legal dispute;
5. where a person provides written consent to the disclosure of their personal information;
6. where it is brought to our attention that specific personal information needs to be disclosed to protect the safety or vital interests of any person;
7. for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation);
8. when we de-identify personal information and then use it for our or third party research purposes;
9. where required in connection with a merger, sale or corporate reorganisation;
10. in the event of a merger, dissolution, reorganisation or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal information, would be transferred to the surviving entity in a merger or the acquiring entity, and in such case all such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal information as set out in this Privacy Policy;
11. when required to disclose personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements, or to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas; or
12. where required by law.

Our website may include links to third party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third party website operator complies with applicable data protection laws. You and your end users should consider the privacy policies of any relevant third party website prior to sending personal information to them.

If a person does not provide us with their personal information, they can only have limited interaction with us. For example, a person can browse our public facing websites without providing us with personal information such as the pages that generally describe the services that we make available. However, when a person submits a form on our websites or an organisation enters into a contract with us, we need to collect personal information for identification purposes, so that we can provide our services, and for the other purposes described in this Privacy Policy.

Any person has the option of not identifying themselves or using a pseudonym when contacting us to enquire about our services.

Although our Services are designed to be hosted in Australian Azure regions, we may disclose personal information to service providers, contractors and affiliates located outside Australia where reasonably necessary for support, operations, security monitoring, product improvement or other business functions. Where we disclose personal information to overseas recipients, we will take reasonable steps required by applicable law, including under APP 8, to ensure those recipients handle the information in a manner consistent with applicable privacy obligations.

Subject to verification of your identity, you can contact us directly to access and correct personal information that we hold about you.

End users who have access to the services can amend personal information contained in their accounts, or delete their accounts, at any time, by logging into their accounts but only where such functionality is available or by contacting you, in the first instance. Once an account is deleted, we may still be required to retain the data in accordance with our contractual obligations or where required by law. End users who wish to make enquiries about the personal information held by them, should contact you in the first instance.

We will handle all requests for access to personal information in accordance with our statutory obligations. We may require payment of a reasonable fee by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law.

For the purposes of the Privacy Act 1988 (Cth), we may take such steps as are reasonable in the circumstances to de-identify the personal information that we hold about an individual where we no longer need it for any purpose for which it was collected and/or used, if the information is not contained in a Commonwealth record and we are not required by Australian law (or a court or tribunal order) to retain it.

You may opt out at any time from the use of your personal information for direct marketing purposes by emailing the instructions to info@axient.com.au or by clicking on the “Unsubscribe” link located on the bottom of any of our marketing emails. Please allow us a reasonable time to process your request. You cannot opt out of receiving transactional e-mails related to the services.

Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or to make a privacy complaint, may contact us using the following details:

We will acknowledge and investigate privacy complaints within a reasonable time and seek to resolve them in accordance with applicable law and our internal complaint-handling procedures.

If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the Australian Privacy Principles, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:

Personal Data. This section of our Privacy Policy applies to personal data of customers and end users that may be collected by us that is governed by the EU General Data Protection Regulation 2016/679 (GDPR). Article 4(1) of the GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person.

Collection of personal data. You are responsible for the collection of personal data of your end users and for obtaining all relevant consents and authorisations necessary for us to process end user personal data in accordance with this Privacy Policy. Paragraph 5 above sets out how we collect personal data about you, your personnel, your end users and suppliers and contractors.

Purpose of processing personal data and our legal basis for doing so. The table in paragraph 6.1 above sets out the legal basis under which we process personal data for the purposes of Article 6(1) of the GDPR.

Who will receive personal data. Detailed information about who we disclose personal information to is set out in paragraph 9 above. This applies equally to personal data governed by the GDPR.

International transfers. We only transfer personal data internationally as set out in paragraph 12 above in compliance with the GDPR. We have legally binding agreements in place that govern the receipt and processing of personal data transferred offshore. Information about other appropriate or suitable safeguards is available, on request.

Retention of personal data. We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with our contractual and legal obligations, resolve disputes, enforce agreements and maintain appropriate business and security records. Retention periods may vary depending on the type of data, the Service configuration and applicable law.

Where you require personal data to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable thereafter, unless applicable law requires us to retain the personal data in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.

Requirement to provide personal data to us. Please see paragraph 11 above for information about the requirement to provide personal information to us and the limitations that apply where personal information is not provided. Those requirements and limitations apply equivalently to personal data governed by the GDPR.

Further processing activities by us. We will not carry out any further processing activities on personal data, other than as set out in this Privacy Policy.

Rights under the GDPR. Under the GDPR, data subjects have a number of rights, including:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object to processing

You and your end users also have the right to lodge a complaint with the relevant supervisory authority.

End Users are encouraged to contact you in the first instance, if they wish to exercise any of their applicable rights under the GDPR.