Privacy Policy

ENCOMPAAS PRIVACY POLICY

Effective as of 1 February 2024

This policy (Privacy Policy) explains how EncompaaS protects the Personal Information of Individuals. EncompaaS is committed to protecting the safety and security of the Personal Information of Individuals whose information EncompaaS has access to, including the customers and employees of prospective and current EncompaaS clients, and other persons with whom EncompaaS interacts (each an Individual or you).

 

In this Privacy Policy:

EncompaaS or us means the EncompaaS group of entities, which includes EncompaaS Software Ltd (ACN 628 933 371), Informotion Pty Ltd (ACN 161 716 007), EncompaaS Pty Ltd (ACN 618 071 328), EncompaaS Solutions EMEA Ltd (CN 11626507) and EncompaaS LLC (FN 62866052).

Personal Information means information or an option about an identified individual, or an individual who is reasonably identifiable, whether the information or option is true or not and whether the information or opinion is recorded in a material form or not.

The Privacy Policy has been developed in accordance with data protection laws of Australia, the European Union, the United Kingdom and the United States.

Please read this Privacy Policy carefully in order to understand how your Personal Information is collected, held, used, or otherwise processed by us.

EncompaaS reserves the right to make changes or updates to this Privacy Policy from time to time. If this happens we will update this Privacy Policy and notify you of any changes, most likely via email. However, you should also periodically check this Privacy Policy for any updates.

1. ABOUT ENCOMPAAS

EncompaaS is a developer and provider of cloud-based, enterprise level services for data compliance and information governance across regulated industries (Services).

EncompaaS provides its Services through developing and licencing information governance and compliance Software as a Service (SaaS) offerings, through cloud-based platforms (together, EncompaaS Platforms).

In making the EncompaaS Platforms available, we are sensitive to Individuals’ concerns about the safety of their Personal Information.

In essence, EncompaaS will typically only:

• collect, use or share your Personal Information with your consent (unless it is not reasonable in the circumstances to obtain your consent and it is legally permissible for us to do so) or when required by a legal obligation; and
• interact with your Personal Information in order to: (a) provide the EncompaaS Platforms and operate our business generally, and (b) help us improve and develop the EncompaaS Platforms.

We have developed our privacy framework to assist Individuals, and to comply with privacy legislation and regulations applicable to us and our management of your Personal Information.

2. HOW ENCOMPAAS COLLECTS YOUR PERSONAL INFORMATION

EncompaaS collects Personal Information in one of three main ways:

(a) Directly from Individuals, when they interact with EncompaaS or the EncompaaS Platforms (e.g. enquire about the EncompaaS Platforms);

(b) Passively from Individuals, when they interact with the EncompaaS Platforms (e.g. through recording technical data generated while Individuals use EncompaaS Platforms); and

(c) From third-parties in certain, specific circumstances (e.g. if Personal Information about an individual is provided to EncompaaS in the process of developing a platform for one of our clients).

The specifics of Personal Information collected in each situation is discussed further below.

3. WHEN ENCOMPAAS COLLECTS INFORMATION FROM INDIVIDUALS AND WHAT WE COLLECT

(a) Personal Information collected directly

When an Individual makes an enquiry or sends us an expression of interest on our website or other elements of the EncompaaS Platforms following types of Personal Information directly and consensually:

• Basic contact information, including your name, email, phone number, organisation and role;
• Individuals’ identity information, including your residential address, date of birth, government identification number (drivers licence or passport number), photographs and signature;
• Enquiry information, such as the details of indications of interest in having an EncompaaS Platform developed or licenced, or other information provided by in an enquiry; and
• Your social media handle, social media account information and any content that you post and submit to EncompaaS Platforms and our social media pages, which includes any content from third-party platforms.

If an Individual is appointed as their organisation’s point of contact with EncompaaS, we may collect basic contact information (including an Individual’s name, email, phone number and role).

If you access EncompaaS Platforms on behalf of a corporate entity, or through a third-party service or platform (e.g. LinkedIn), we will collect information that is made available to EncompaaS by those services or platforms. You can generally control the information we receive from these sources by using the privacy settings on the third-party services or platforms.

When Individuals order Services (e.g. in respect of a EncompaaS Platform that has been commissioned), we may directly and consensually collect the Personal Information outlined in the relevant correspondence or form. Ordinarily this will include basic contact information required for our record keeping purposes.

When Individuals respond to a survey we may directly and consensually collect the Personal Information disclaimed and explained on the survey form.

When Individuals use the EncompaaS Platform, EncompaaS may directly and consensually collect the Personal Information made available by Individuals through their normal use of the EncompaaS Platform.

When Individuals provide EncompaaS with unsolicited feedback or otherwise interact with EncompaaS on their own accord we may collect any contact information provided (including Personal Information), as well as any feedback.

When Individuals make an application for employment at EncompaaS, we may collect any Personal Information provided within that application, such as the contents of a personal statement made in support of an application.

(b) Personal Information collected passively

As Individuals come into contact with, or otherwise interact with EncompaaS Platforms or EncompaaS’ advertisements, we may collect the following types of Personal Information about their experience:

• Content that is posted and submitted, including posts on our social media accounts or in discussion threads, as well as similar content that is posted about Individuals by others;
• If an Individual’s organisation has requested specific user accounts to be generated for their employees over an EncompaaS Platform, we may collect background account information about those individuals (e.g. notification and other account settings).
• The following types of browser, system and device information regarding EncompaaS’ and other devices Individuals use to access EncompaaS Platforms:
  • Locational information, such as in the form of the IP address from which EncompaaS Platforms are accessed, particularly when accessing the internal;
  • Web data tracking information, such as data from cookies stored on Individuals’ devices, including cookie IDs and settings, as well as logs of your usage of EncompaaS Platforms;
  • Device information provided by devices Individuals link to EncompaaS Platforms (e.g. device information from a smartphone) which at times might result in us collecting other secondary information about Individuals; and
  • System usage information, including logs of an Individuals’ access and use of the EncompaaS Platform.

(c) Personal Information collected from third parties

In certain specific situations, EncompaaS will collect Personal Information about Individuals from third parties. The types of Personal Information collected include:

• Publicly available basic contact and biographical information (e.g. details available on LinkedIn, or any other biographical, display picture or other information);
• Third-party account information made available to us if Individuals link their EncompaaS Platform account or usage to third-party services or platforms; and
• Web data tracking information that fit certain parameters of who we think could become EncompaaS clients (e.g. heat maps developed through Google Analytics which track patterns of individual interactions with our web pages).

EncompaaS may also collect Personal Information through pseudo-anonymised data sets acquired from clients or other third parties. These data sets might contain Personal Information that is not immediately attributable to identifiable individuals, but might come to constitute Personal Information when combined with other information available to EncompaaS.

4. WHY ENCOMPAAS COLLECTS YOUR PERSONAL INFORMATION AND WHAT WE USE IT FOR

Although EncompaaS collects Personal Information from Individuals in a number of circumstances, EncompaaS will only collect this information in order to provide and develop the EncompaaS Platforms and Services. Here are the main ways we use Personal Information to achieve these objectives:

(a) Communicating with Individuals

EncompaaS will use basic contact, enquiry and feedback in order to communicate with Individuals about their enquiries or feedback, interest in EncompaaS Platforms or Services, and for other administrative purposes related to the specific reason for which the Personal Information was collected.

If Individuals have consented, EncompaaS will also use these types of Personal Information to share relevant news and updates about EncompaaS and the EncompaaS Platforms.

(b) Administration and delivery of EncompaaS Platforms

EncompaaS will use Personal Information it collects in order to administer and deliver the EncompaaS Platforms to Individuals For example, EncompaaS may use Personal Information:

• in the normal course of Individuals’ use of the EncompaaS Platform to enable Individuals to effectively use the EncompaaS Platform.
• when Individuals complete an opt-in form to request a Webinar or Demo of the EncompaaS Platform, or download content such as a WhitePaper, in order to commence a marketing relationship or engage in a sales activity with the Individual.
• for administrative purposes (e.g. resetting account information or permissions as applicable).

(c) Ensuring User safety

EncompaaS will use any type of information collected to prevent and address risks to all Individuals (e.g. EncompaaS will use information to investigate suspicious or threatening).

(d) Research and development

EncompaaS will use the following types of information to develop, test and improve the EncompaaS Platforms and Services:

• Survey and feedback information, as well as any content that is submitted;
• Basic account preferences;
• Background account, browser, system and device information; and
• Third-party account or web tracking information.

Together these types of Personal Information are used to provide us with an overview of how the EncompaaS Platforms are being used, any shortcomings the EncompaaS Platforms or Services may have, and subsequently to highlight what will be the best means of improving experiences for all Individuals. For example, EncompaaS may use browser, system and device information to build up profiles of website visitors and improve its web design and content.

EncompaaS’ preference is to de-identify these types information first, and then use it for this purpose in conjunction with de-identified browser and device information.

(e) Marketing

Where Individuals have consented, or subject to law, EncompaaS will use basic contact, enquiry and organisational information to provide Individuals with relevant marketing materials and offers in accordance with applicable laws. To unsubscribe from EncompaaS’ e-mail database or opt-out of communications, please use the opt-out facilities provided in the communication or contact EncompaaS using the details below.

Further, EncompaaS may use Personal Information:

• collected from social media platforms to target contacts for sales and marketing activities.

in sales campaigns or marketing events in order to raise interest in the EncompaaS Platforms.

5. ENCOMPAAS’ DISCLOSURE OF PERSONAL INFORMATION

Generally, EncompaaS does not disclose Personal Information to any third parties except:

• Service providers EncompaaS engages to help us provide and develop the EncompaaS Platforms (e.g. cloud service providers);
• In some specific circumstances, Individuals’ employers (e.g. the organisation of an Individual); and
• Law enforcement agencies, or another party that has a legitimate legal right to access the information.

The above disclosures will only be made in circumstances where the recipient has provided an undertaking that they will maintain the confidentiality of the information and that they recognise the appropriate limitations placed on the use of the information. Disclosures will also always be in accordance with this Privacy Policy. In the case of Individuals’ organisations, EncompaaS will seek the explicit consent of the Individual before disclosing their information.

International Disclosure

EncompaaS may disclose Personal Information to third parties located internationally. This is particularly the case for our cloud service providers which have servers in the United States and the United Kingdom that EncompaaS currently uses.

Sometimes, subject to relevant law, we may also disclose Individuals’ Personal Information to agents of Individuals, or their organisations, that are located internationally.

As with disclosures to third party service providers, international disclosures are always made once EncompaaS has taken all reasonable steps to determine the information will be treated as at least as favourably as the relevant privacy laws applicable to the Privacy Policy.

6. ENCOMPAAS’ TREATMENT AND STORAGE OF INFORMATION

(a) EncompaaS’ general approach

EncompaaS will keep your Personal Information confidential and not sell or knowingly divulge Individual information to any external third-parties, unless:

• We believe, in good faith, that we are required to share the Personal Information with a third-party in order to comply with legitimate legal obligations;
• The disclosure is to a third-party processor of Personal Information that acts on our behalf and/or under our instruction in order to enable us to deliver the EncompaaS Platforms (e.g. a cloud service provider);
• Other entities which may acquire ownership or operation of EncompaaS or the EncompaaS Platforms; and/or
• To protect the safety of Individuals, and the security of our EncompaaS Platforms.

EncompaaS seeks the informed and voluntary consent of Individuals whenever it collects their information, or as soon as possible after.

Individuals can always refuse or revoke this consent, but sometimes this will affect EncompaaS’ ability to provide them with the EncompaaS Platforms. EncompaaS will advise Individuals if this is the case.

(b) De-identification

De-identified information refers to information that cannot reasonably be used to identify a particular Individual.

De-identified information that will never be able to personally identify particular Individuals is referred to as anonymised information (e.g. statistics that show 90% of Users were happy with an EncompaaS Platform). Additionally, de-identified information that can identify individuals only if it is combined with another, separate piece of information is referred to as pseudonymised information (e.g. account ID numbers for a particular EncompaaS Platform).

Where possible EncompaaS will aim to collect, store and use anonymised information as a first preference, and if not, then pseudonymised information.

However, sometimes it will be impractical for Individuals’ information to be de-identified or treated in this way, and in this case, EncompaaS will continue to use and hold the information in a personally identifiable state. For example, if EncompaaS needs to reply to an Individual’s enquiry we will have to use the contact information provided.

(c) Security

EncompaaS is committed to information security. We will use all reasonable endeavours to keep the Personal Information we collect, hold and use in a secure environment. To this end we have implemented technical, organisational and physical security measures that are designed to protect Personal Information, and to respond appropriately if it is ever breached. For example, access to all systems used by EncompaaS requires a valid company username and password with multi-factor authentication. Access to the EncompaaS Platform is controlled by authorised personnel, and every access to any record in the EncompaaS Platform is audited and retained indefinitely.

When information collected or used by EncompaaS is stored on third-party service providers (e.g. Azure or Hewlett Packard cloud servers), EncompaaS takes reasonable steps to ensure these third parties use industry standard security measures that meet the level of information security EncompaaS owes Individuals.

As part of our privacy framework we endeavour to routinely review these security procedures and consider the appropriateness of new technologies and methods.

(d) Data Breaches

In the circumstances where EncompaaS suffers a data breach that contains Personal Information, we will execute our Data Breach Response Plan.

If an individual believes that their privacy has been breached, please contact EncompaaS using the contact information below and provide details of the incident so that it can be investigated. EncompaaS requests that complaints about breaches of privacy be made in writing, so that we can be sure about the details of the complaint. EncompaaS will attempt to confirm as appropriate and necessary with you your understanding of the conduct relevant to the complaint and what you expect as an outcome. We will inform you whether we will conduct an investigation, the name, title and contact details of the investigating officer and the estimated completion date for the investigation process. After EncompaaS completed its enquiries, we will contact you, usually in writing, to advise the outcome and invite a response to our conclusions about the complaint. If we receive a response from you, we will assess it and advise if we have changed our view.

7. RETENTION AND MANAGEMENT OF INFORMATION

(a) Retention and Deletion of Personal Information

EncompaaS retains Personal Information until it is no longer needed to provide or develop the EncompaaS Platforms, or until the individual who the Personal Information concerns asks us to delete it, whichever comes first. You can request EncompaaS to permanently delete your Personal Information by emailing EncompaaS using the contact details available below. It may take up to 30 days to delete Personal Information from our systems following a valid request for deletion.

However, EncompaaS will retain:

• Personal Information in circumstances where we have legal and regulatory obligations to do so (e.g. for law enforcement purposes, employment law, corporate or tax record keeping, and where the information is relevant to legitimate legal proceedings, or in keeping with its’ requirements under other Australian record keeping legislation); and
• anonymised information for analytic and service development purposes.
  

The information we retain will be handled in accordance with this Privacy Policy.

(b) Accessing and ensuring the accuracy of Personal Information

EncompaaS takes reasonable steps to ensure that the Personal Information we collect and hold is accurate, up to date and complete.

Individuals have a right to access and request the correction of any of Personal Information we hold about them at any time. Any such requests should be made by directly contacting us at the details set out below. EncompaaS will grant access to the extent required or authorised by applicable laws, and will take all reasonable steps to correct the relevant Personal Information where appropriate.

There may be circumstances in which EncompaaS cannot provide Individuals with access to information. We will advise you of these reasons if this is the case.

8. SPECIFIC RIGHTS OF AUSTRALIAN RESIDENTS

Individuals who are located in Australia have additional rights in respect of their Personal Information. These rights are primarily governed by the Privacy Act 1988 (Cth) (AU PA).

(a) Data Breaches

In the circumstances where EncompaaS suffers a data breach that contains Personal Information of individuals residing in Australia, we will endeavour to take all necessary steps to comply with the Notifiable Data Breach Scheme outlined under the AU PA. This means we will immediately make an objective assessment of whether a breach of Personal Information is likely to result in serious harm to Individuals, and if this is the case, endeavour to notify the affected Individual(s) and the Australian Information Commissioner.

9. SPECIFIC RIGHTS OF EUROPEAN AND UK RESIDENTS

Individuals who are habitually located in the European Union (EU Residents) and in the United Kingdom (UK Residents) have specific rights under their local laws in respect of their Personal Data. These rights are primarily governed by: (1) with respect to EU Residents, the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR), (2) with respect to UK Residents, (a)   the Retained Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of s 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (UK GDPR), and (b) the UK Data Protection Act 2018.

Personal Data is defined in the EU GDPR and UK GDPR as: “Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. This should be considered fundamentally interchangeable with the term “Personal Information” for the purposes of this Privacy Policy.

Under the EU GDPR and UK GDPR important distinctions are drawn between a “Controller” or “Processor” of Personal Data, where:

• “Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; and
• “Processer” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

To the extent that EncompaaS is primarily a “controller” or “processor” of Personal Data as part of its EU GDPR and UK GDPR compliance, EncompaaS provides the EncompaaS Platforms in a way that ensures:

• Personal Data is:
  • processed fairly, lawfully and in a transparent manner; and
  • collected and processed only for specified and lawful purposes.

• Personal Data that is ‘processed’ (i.e. used, held, disclosed or transferred by EncompaaS) is:
  • adequate, relevant and not excessive;
  • accurate and, where necessary, kept up to date;
  • kept secure, and not longer than necessary;
  • not transferred to countries outside the European Economic Area (EEA) or the United Kingdom without adequate protection; and
  • treated in accordance with Individuals’ legal rights.

Whilst EncompaaS strives to provide all Individuals with appropriate access and control over their data, individuals covered by the EU GDPR and UK GDPR are also able to:

• Prescriptively restrict, limit or otherwise provide instructions to EncompaaS regarding how we can use their Personal Data. This includes being able to object to how and why their Personal Data is used (e.g. by the removal of their consent for particular functions);
• Verbally request the erasure (i.e. deletion) of their information; and
• Request EncompaaS provides all Personal Data held about them in a portable format, meaning in a way that is structured, commonly used and machine-readable. Individuals who exercise this right to data portability are also able to direct EncompaaS to transmit this data to other entities who they intend to allow to process their Personal Data.

EncompaaS will allow and assist Individuals who are EU or UK Residents to exercise these rights, unless we have compelling and legitimate legal grounds not to (e.g. Personal Data has been fully anonymised).

10. SPECIFIC RIGHTS OF US RESIDENTS

Individuals who are habitually located in the United States (US Residents) may be entitled to certain rights with respect to their Personal Information depending on which state the Individual lives in (including California, Colorado, Connecticut, Utah, and Virginia). These are described below.

• Right to Know: Individuals may have the right to know what Personal Information EncompaaS has collected about them, including the categories of personal information, the categories of sources from which it is collected, the business or commercial purposes for collecting, selling, or sharing it, and the categories of third parties to whom we disclose it.
• Targeted Advertising: EncompaaS does not sell Individuals’ Personal Information for monetary or valuable consideration. Individuals may have the right to opt-out of having their Personal Information shared for purposes of targeted advertising.
• Access and Data Portability: Subject to certain exceptions, Individuals may have the right to request a copy of the Personal Information that EncompaaS has collected about you during the 12 months before your request.
• Deletion: Individuals may have the right to request that we delete Personal Information that EncompaaS collected from you and retained, subject to certain exceptions.
• Personal Information: Companies who collect, use, and disclose Individuals’ Personal Information for purposes other than to provide Individuals with the services are required to provide Individuals with the right to limit the use and disclosure of their Personal Information by providing a “Limit the Use and Disclosure of My Sensitive Personal Information” link. EncompaaS only collects, uses, and discloses Individuals’ Personal Information to provide services to Individuals, therefore EncompaaS is not required to provide this link.
• Correct Inaccurate Information: Individuals may have the right to request that EncompaaS corrects inaccuracies in the Personal Information we maintain about you.
• Opt-Out Preference Signals: EncompaaS will honour any opt-out preference signals as required by law.
• Appeals: You may appeal EncompaaS’ decision with respect to a request you have submitted by contacting us as described in the ‘Contacting EncompaaS’ section below.
• Categories of Personal Information Notice: Individuals who are California residents can request a notice disclosing the categories of Personal Information EncompaaS has shared with third parties for the third parties’ direct marketing purposes. To request a notice, please contact us as described in the ‘Contacting EncompaaS’ section below.
• Children under 13: EncompaaS must obtain parental consent before collecting, using or disclosing any Personal Information of children under the age of 13.

EncompaaS will allow and assist US Residents to exercise these rights, unless we have compelling and legitimate legal grounds not to (e.g. Personal Information has been fully anonymised).

11. CONTACTING ENCOMPAAS

EncompaaS has appointed privacy officers in the territories listed in the table below to be the first point of contact for all privacy related matters and to assist in ensuring our compliance with our privacy obligations.

If you have any queries or wish to make a complaint about a breach of this policy or applicable laws, you can contact or lodge a complaint to one of our privacy officers using the contact details above. You will need to provide sufficient details regarding your complaint as well as any supporting evidence and/or information.

The relevant privacy offer will respond to your query or complaint as quickly as possible. EncompaaS will contact you if we require any additional information from you and will notify you in writing (which includes electronic communication via email) of the relevant determination. If you are not satisfied with the determination, you can contact us to discuss your concerns or discuss your concerns or complain to a regulator in the applicable territory below.

This Privacy Policy was last updated on 1 February 2024.