Personal Data Protection Notice
CA Enterprise — Connect Auz Pty Ltd (ACN 52 616 631 577)
Last updated: 12 May 2022
1 Introduction
In order to conduct our business, Connect Auz Pty Ltd (collectively referred to as "CA Enterprise", "we", "our" or "us") needs to process personal data of individuals who interact with us and our products and services.
We process personal data when we perform any operation on it — including collecting, recording, storing, altering, retrieving, using, disclosing, or destroying such data, whether by automated means or otherwise.
We consider the protection of your personal data a paramount corporate responsibility and will always process personal data lawfully, fairly, and transparently. This Personal Data Protection Notice ("Notice") sets out the personal data we collect, why we collect it, how it is used and shared, and your choices and rights regarding that data.
2 Scope
This Notice describes how we process personal data of:
- Our suppliers, customers, business partners and their representatives
- Users of CA Enterprise's websites, web applications, mobile applications, and desktop applications ("Products and/or Services")
- CA Enterprise's shareholders and their representatives
This Notice does not cover the processing of personal data belonging to CA Enterprise's employees, contractors, or job applicants. If you are one of these individuals, please refer to our separate internal Privacy Notice.
3 What is personal data?
Personal data is any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if they can be identified — directly or indirectly — by reference to an identifier such as a name, identification number, location data, an online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
4 How we collect your personal data
We collect personal data primarily directly or indirectly from your interactions with us and our Products and/or Services. In some cases we may also collect data about you from third parties who provide services to us, such as credit information agencies.
Our Products and/or Services may use cookies — small data files stored on your browser — for site administration, analytics, and tailored content delivery. You may configure your browser to reject cookies, although this may disable or limit certain features of our Products and/or Services.
5 What types of personal data we collect
We collect and process different types of personal data depending on who you are and how you interact with us:
| Type | Examples |
|---|---|
| Identification data | Name, gender, job title, photograph, date of birth |
| Contact details | Home and business address, email address, telephone number |
| Financial information | Transaction history, credit card details, billing information; bank account details where employee onboarding is used |
| Employment information | Employer details, employment period, remuneration, job function; shift times and dates worked or scheduled |
| Sales-related information | Business name, industry, business size, and billing information required to process payment for our Products and/or Services |
| Usage information | Login data, IP addresses, device type, browser type, operating system, access times, network/connection type, location |
| Geolocation data | Location collected when clocking in or out on a mobile device |
| Device information | Connection type, operating system, browser type, IP address, time zone, unique device identifiers, diagnostic data, cookies |
| Your content | Information submitted via forms, messages, or the Newsfeed service; feedback and survey responses |
| Shareholder information | Contact details, share quantities, share numbers, and proxy nominee details |
| Support information | Information provided to our support teams, including contact details, written summaries, documents, images, and recordings |
Sensitive personal data: Our policy is not to collect Special Category Data or Criminal Offence Data. If we ever need to process such data, we will do so only with your explicit consent and will provide full details at the point of collection.
6 How we process your data — lawful basis and purpose
We only process your personal data when the law allows us to. Unless otherwise stated, we process personal data on the basis of our Legitimate Interests — to conduct our business operations smoothly and efficiently, and to continue to provide and develop our Products and/or Services. We may also process your data to perform a contract with you, to comply with a legal obligation, or where you have provided consent.
Specific processing purposes
- Managing our relationship with you — providing information about our Products and/or Services, improving them, and communicating with you
- Business-related purposes — negotiating, managing and fulfilling contracts, managing accounts and records, resource planning, internal investigations, and debt administration
- Service-related purposes — account setup and integration, delivering purchased services, notifying you of new features, troubleshooting, processing payments, and providing administration and technical services
- Marketing and public relations — analysing website visitors, preparing business intelligence analytics, personalising your website experience, and managing newsletters
- Safety and security — monitoring access to our premises and IT environment, including electronic communications
- Internal operations — troubleshooting, data analysis, testing, research, and statistical purposes
- Shareholder management — maintaining the shareholder register and complying with applicable legal requirements
We may also collect and process your personal data for secondary purposes — such as satisfaction surveys or targeted marketing — upon obtaining your express permission.
7 Why our processing is necessary
We only process personal data when this is necessary for our Legitimate Interests or another lawful basis. Our ability to perform contracts with you and to comply with our legal obligations may be adversely affected if we are unable to process your personal data as described in this Notice.
8 Consent
Except where specifically stated in this Notice, we do not rely on Consent as the primary lawful basis for processing your personal data. Where we do require your consent — for example, for secondary purposes such as targeted marketing — we will request it explicitly and you may withdraw it at any time.
9 Automated decision-making
Automated decision-making occurs when an electronic system uses personal data to make a decision without human intervention. We will only subject your personal data to automated decision-making where:
- We have notified you of the decision and given you 21 days to request a reconsideration
- It is necessary to perform the contract with you and appropriate safeguards are in place to protect your rights
- You have given explicit written consent, with appropriate safeguards in place
10 Sharing your personal data
We may disclose your personal data to related bodies corporate and third parties involved in the running of our business where it is necessary to administer our working relationship with you, or where we have another legitimate interest in doing so. We may also be required to disclose data to a third party:
- To respond to a legal process such as a court order or subpoena, or to comply with applicable law
- To protect the safety of any person
- To address fraud, security, or technical issues
Related bodies corporate
Where necessary for the internal and/or external operations of the CA Enterprise group, we may share your personal data between our related offices across the world. This may result in your data being transferred to countries with different privacy laws. All CA Enterprise entities are subject to the same corporate policies and procedures, including this Notice, and we will only transfer data in accordance with Section 11.
Third parties
Third parties may include technology and media partners, professional advisors (lawyers and accountants), social media platforms, our related companies, law enforcement authorities and government agencies, and any party your employer directs us to share your data with.
11 International transfers
Where disclosure results in data being transferred to another country, we will only do so where we have a lawful basis and where the disclosure complies with all applicable laws. This may include entering into Standard Contractual Clauses (SCCs) with the recipient or relying on adequacy decisions by the European Commission or UK Secretary of State.
CA Enterprise operates in multiple countries and regions including Australia, New Zealand, USA, Canada, the United Kingdom, and the EU. Data may be transferred to and processed in these countries.
You may request a copy of the safeguards we have in place for international data transfers by contacting our Data Protection Officer using the details in Section 20.
12 How we keep your data safe
We have a range of technical and organisational security measures in place to protect your personal data from unauthorised access, accidental disclosure, loss, destruction, or alteration. These measures are regularly reviewed and updated.
CA Enterprise is regularly audited against ISO 27001:2013 standards by independent third-party auditors. In the unlikely event of a data breach, we will notify the relevant data protection authority as required by applicable law and will take immediate steps to investigate and mitigate the effects.
For more information about our security measures, please contact us using the details in Section 20.
13 How long we keep your data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, unless the law requires a longer retention period — for example, where required by legislation or to defend legal proceedings.
When your personal data reaches the end of its retention period, it will be securely destroyed or anonymised in accordance with our retention policy.
14 Third-party links and forums
Our Products and/or Services may contain links to other websites. We are not responsible for the privacy practices or content of those websites. Please read the privacy notice of any external website you visit before submitting personal information.
Any personal data you choose to post on our social media pages or other public forums may be read, collected, or used by others who visit those forums. We are not responsible for personal data you choose to submit in such forums.
15 Your rights
Subject to applicable law and the country where you are based, you may have the right to:
- Request access to and obtain copies of any personal data we hold about you
- Request that your personal data be provided in a portable, machine-readable format
- Correct inaccurate or incomplete personal data
- Request erasure of your personal data ("right to be forgotten") where it is no longer necessary for the purpose for which it was collected
- Request restriction of our processing of your personal data
- Object to processing where it is based on our Legitimate Interests or those of a third party
- Withdraw consent at any time where processing is based on consent
- Request transfer of your personal data to a third party
To exercise any of these rights, please contact our Data Protection Officer using the details in Section 20. We may verify your identity before fulfilling your request and will respond within applicable legal timeframes.
16 EU and UK residents
Lawful basis for processing
Where we act as a controller, we process your personal information on one or more of the following lawful bases:
- Contract — to perform our obligations under a contract entered into with you
- Legitimate interests — to operate and improve our Services, ensure security, and communicate with you, where these interests are not overridden by your rights
- Consent — where you have opted in to specific activities such as marketing or third-party integrations
- Legal obligation — where we are required to process your data under applicable law or regulation
International transfers
For transfers of personal data outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission or UK Secretary of State to ensure your data remains protected.
EU representative
Pursuant to Article 27 of the GDPR, CA Enterprise has appointed European Data Protection Office (EDPO) as its EU representative. You may contact EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium, or via EDPO's online request form.
Our UK representative is CA Workforce EMEA Limited, Herschel House, 58 Herschel Street, Slough, Berkshire, SL1 1PG, United Kingdom.
17 California residents
In the past 12 months, we have collected and disclosed (but not sold) personal information in the following CCPA categories: identifiers; customer records; protected classification characteristics; commercial information; biometric information; internet or electronic network activity; geolocation data; audio, electronic, visual, or similar information; professional or employment-related information; education information; and inferences drawn to create a profile.
You have the right not to be discriminated against for exercising your privacy rights under the CCPA.
California residents may contact us at privacy@connectauz.com.au or call 1-888-532-4785.
The entity responsible for this policy is Deputec Pty Ltd ACN 133 632 327, 4/1-3 Smail St, Ultimo, NSW 2007, Australia.
18 Complaints
We take your privacy concerns seriously. If you have a complaint regarding our handling of your personal data, please contact us using the details in Section 20. We will confirm receipt, open an investigation where appropriate, and respond as soon as practicable.
If we are unable to resolve your complaint to your satisfaction, you may lodge a complaint with your local data protection authority:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- United Kingdom: Information Commissioner's Office — ico.org.uk
- EU: Your national data protection authority — edpb.europa.eu
- United States: Your state Attorney General's office (privacy is regulated at state level)
19 Changes to this notice
We may amend this Notice from time to time to maintain ongoing compliance with applicable privacy regulations. Where changes are material, we will notify you by email or via an in-app notification. The latest version will always be available on the CA Enterprise website at connectauz.com.au/terms.
20 Contact us
For any questions, requests, or complaints relating to this Notice or the use of your personal data, please contact our Data Protection Officer:
Data Protection Officer
ConnectAuz Software Limited
600 Sneydes Road, Werribee
VIC 3030, Australia
600 Sneydes Road, Werribee VIC 3030, Australia
Governed by the laws of Victoria, Australia