Privacy Policy

Last reviewed: May 2026
Xemplo Pty Ltd (ABN 17 618 727 290), which operates the Xemplo website and software (Xemplo, we, us), maintains a policy of strict confidence concerning your (you, your) personal information (Privacy Policy).

We value your privacy and treat any Personal Information (as defined in the Privacy Act 1988 (Cth)) that you give to us with the utmost care and respect. We handle personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles and recognised information security standards, including ISO/IEC 27001 principles for managing information security and personal information.

Where you are in the European Union, United Kingdom or another jurisdiction with equivalent protections, we also seek to give you the protections available to you under the General Data Protection Regulation 2016/679 (GDPR) and comparable laws.

This Privacy Policy applies to the collection, storage, use and disclosure by us of your personal information. By accessing our websites or mobile applications (Site) and using our services, you accept the terms of this Privacy Policy. This Privacy Policy applies to information provided to us whether via this Site or any other means and explains how we manage personal information in an open and transparent way, as required by the Australian Privacy Principles.

If you have any further questions or if you wish to receive more information on our information practices and Privacy Policy, please contact our Privacy Officer (details below).

Collecting personal information

The types of personal information we collect will depend on your relationship with us and may include:
  • Employees of our clients and other workforce participants: personal information such as the individual’s name, address, e-mail address, user ID, date of birth, payroll details, salary details, superannuation contributions, Tax File Number, relevant awards and PAYG withholding tax, and other employment-related information necessary to provide our services.
  • Contact information: contact information from or about clients or prospective clients, including individuals working for clients or prospective clients, and records of interactions with them, such as name, username, mailing address, telephone numbers, email address or other contact details.
  • Transaction and usage information: information about how users interact with us and our services, including purchases, inquiries, customer account information, and information about the use of our websites, applications and platform (for example, feature usage, access logs and configuration changes).
  • Job applicants: contact details, employment history, qualifications and other background information from job applicants as required and as permitted by law.
  • Immigration Services: information required to provide immigration-related services, which may include visa history, financial information, family information, health declarations and biometric information to the extent requested or permitted by law.
We will not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of our functions or activities. We apply data minimisation principles so that we only collect the personal information we need for these purposes.

Where we collect or handle Tax File Numbers, we do so only where permitted or required by law and in accordance with the Privacy Act, the Australian Privacy Principles and applicable Tax File Number rules. We use and disclose Tax File Numbers only for lawful tax, payroll, superannuation and employment-related purposes.

If we are unable to collect personal information we reasonably require, we may not be able to do business with you or the organisation with which you are connected. If it is reasonable and practical to do so, we will collect personal information directly from you. In many cases, we collect personal information about employees and payment recipients directly from our client that employs or engages the relevant individual. This will include contact details and other information relevant to providing services to you.

This may take place in a number of ways, such as:
  • when you use our services;
  • when you contact us, use our Sites or applications, sign up to receive our newsletters, attend our events or make a purchase from us;
  • where your employer or another organisation is a client of ours, from that organisation – we ask our clients to obtain any consents required and to notify individuals about the collection and use of their personal information in accordance with this Privacy Policy;
  • from third party data suppliers and service providers who enhance our services and help us better understand our customers, where permitted by law; and
  • from job applicants directly or from publicly available information and, with the consent of the applicant where required, from referees and background-check providers.
We may collect additional information about job applicants, such as reference, background and criminal record checks, where permitted or required by law.

If someone other than you provides us with personal information about you that we did not ask for and we determine that we could have collected this information from you had we asked for it, we will, as soon as practicable, take reasonable steps to notify you, unless doing so would be in breach of an obligation of confidence or the law. If we could not have collected this personal information directly, we will lawfully de-identify or destroy that personal information.

We will not collect sensitive information about you revealing your race, ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, criminal record, sexual orientation or details of health or disability, unless:
  • you have given express consent to us to do so and the information is reasonably necessary for us to carry out our functions or activities (for example, membership of a trade union where we pay trade union membership fees on behalf of an employee, or health information required for visa or employment compliance);
  • the collection or use of this information is required or authorised under Australian law or a court or tribunal order; or
  • the information is necessary for the establishment, exercise or defence of a legal claim.
Where we collect sensitive information, we apply enhanced technical and organisational controls to protect it, such as stricter access control, role-based permissions and additional logging.

Cookies and similar technologies

We collect certain information by automated means, using technologies such as cookies, session cookies, pixel tags, browser analysis tools, server logs, web beacons and similar technologies. We treat this information as personal information when it is associated with the individual’s contact information.

In many cases, this information is not linked to any personal information you may provide and cannot be used to identify you (for example, aggregated website traffic patterns).
Cookies
When you visit our Sites the server may attach a “cookie” to your computer’s memory or device. A cookie assists us to:
  • store information on how visitors to the Site use it and the pages that may be of interest;
  • provide a customised experience; and
  • detect certain kinds of fraud and security issues.
This information (such as operating system, browser type, domain, language, country and IP address) may also be used to provide users of your computer or device with information that we think may be of interest.

If you prefer, you can configure your browser settings to disable cookies or not accept them. Some features of our Sites may not function properly without cookies.

We may also use similar technologies (such as HTML5 local storage). We do not use these technologies for behavioural or interest-based advertising on our own Sites.
Analytics, pixel tags and web beacons
We may use analytics services and pixel tags or web beacons (tiny graphic images placed on website pages or in emails) to:
  • understand usage of our Sites and services;
  • determine whether a recipient has performed a specific action (for example, opened an email); and
  • measure the effectiveness of our communications and promotions.
These tools help us improve our Sites, our user experience and our communications.

Where we use specific analytics or session recording tools (such as Hotjar or similar services), they generally collect usage and device data such as IP address (in anonymised form), device screen size, device type, browser information, geographic location (country only) and preferred language. They use cookies and similar technologies to create pseudonymised user profiles to help us understand how users interact with our Sites. We do not use these tools to directly identify individual users, and we do not attempt to combine this information with other data to identify you.

Use and disclosure of information

We may use personal information about you for the primary purpose of providing you with our services, and for other purposes which you authorise or would reasonably expect us to use that information for.

All personal information that we or our related bodies corporate collect is reasonably necessary for the purposes relating to providing our services to you or for another purpose permitted by law. Those purposes include:
  • to operate, enhance and support our Sites, software and services;
  • to provide our products or services and related activities such as customer service, account management, support and training;
  • to perform payroll, HR and compliance-related services for clients;
  • to conduct research and product development, including through aggregated or de-identified information;
  • to maintain and improve the security of our systems, including fraud prevention, monitoring and logging;
  • to comply with legal, regulatory, tax, employment and other obligations;
  • to keep you informed of our activities, industry news and upcoming events, products and services that we think may be of interest to you, including marketing communications (where permitted by law and subject to your marketing preferences); and
  • where an individual has applied for employment with us, to consider their application and, if appropriate, manage the employment relationship and related human resources activities.
We will not disclose information that personally identifies you to any third party other than as set out in this Privacy Policy or otherwise permitted or required by Privacy Laws.

In the event of a security incident involving unauthorised access, use or disclosure of personal information where a third party with whom we share personal information is involved, we will seek to work cooperatively with them to protect the personal information we have shared with them and to assess whether notification is required.

Direct marketing

We may use personal information about you for the primary purpose of providing you with our services, and for other purposes for which you would reasonably expect us to use that information. This includes sending you information about new developments, products, services and special offers by post, telephone or any form of electronic communication, in accordance with applicable marketing and spam laws.

Subject to applicable law, you authorise us to use any email address or other contact information you provide to us at any time for this purpose, unless you opt out.

You can, at any time, opt out of receiving marketing material by contacting us using the details below or by using the unsubscribe facility in our communications. You agree and acknowledge that even if you opt out of receiving marketing material, we will still send you essential information that we are legally required to send you relating to the services we provide.

Once you opt out of receiving marketing material from us, you agree and acknowledge that removal from our distribution lists may take several business days after the date of your request.

Accuracy of your information

We take reasonable steps to ensure that your personal information held by us is accurate, up-to-date, complete, relevant and not misleading, consistent with our obligations under the Privacy Act.

If you believe that any of your personal information is not accurate, up-to-date, complete, relevant or not misleading, please contact us and we will take all reasonable steps to correct it within a reasonable time. We may require substantiation of any request to correct personal information.

If you have an online account with us, you may also log into your account at any time to access and update certain information you have provided to us. If you are an individual whose employer uses our services, we encourage you to contact your employer in the first instance to correct your information and we will work with them as appropriate.

Individuals may request not to receive marketing communications from us. We aim to ensure such requests are complied with within five business days.

Third parties and your information

We will only collect, store, use or disclose personal information as set out in this Privacy Policy unless we are required or authorised by law to do so, to protect our rights or property (or those of any third party), or to avoid injury to any person.

In order to deliver the services that we provide to you, we may disclose your personal information to other organisations, only in relation to providing our services to you. For example:
  • government agencies as required by law;
  • banks and financial institutions;
  • superannuation funds and health funds;
  • outsourced payroll, IT, hosting and support providers; and
  • other contracted service providers and business partners who assist in providing our services.
We may share personal information with business partners, but only to the extent required to provide our services (for example, where you authorise the disclosure, or you purchase or request a third-party product or service via our platform or vice versa, we may provide certain personal information to validate the referral).

We take reasonable steps to ensure that these organisations are bound by confidentiality, security and privacy obligations in relation to the protection of your personal information, including through contracts and vendor management controls where appropriate.

We may also provide certain information about you, including your personal information, to our related bodies corporate. We may disclose personal information in connection with a sale or transfer of business assets, to enforce our rights, protect our property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions.

We may disclose personal information when required or authorised to do so by law.

Linked sites

Although our Sites may link directly to websites operated by third parties (Linked Sites), you acknowledge that Linked Sites are not operated by us. We encourage you to always read the applicable privacy policy of any Linked Site on entering the Linked Site. We are not responsible for the content or practices of the Linked Sites nor their privacy policies regarding the collection, storage, use and disclosure of your personal information.

Where we use third-party advertising or analytics partners, they may place cookies or similar technologies on your device when you visit our Sites in order to provide their services. We do not provide your identifiable personal information to these partners for their own marketing purposes without your consent.

Disclosure of information overseas

We may transfer your personal information to recipients in foreign countries to fulfil the purposes set out in this Privacy Policy. In many cases the transfer will be necessary for the performance of our contract with you, for the implementation of measures taken in response to a request by you, or for the performance of a contract with a third party which is concluded in your interests.

The countries to which such disclosures are made, and the types of personal information disclosed, depend on the specific circumstances of the services being provided by us. For information about where we are located, see our website. We may also store, process or back-up personal information on servers that are located overseas (including through third-party service providers).

In some circumstances, we use third-party service providers to carry out our functions and provide services. These service providers are typically located in countries such as (but not limited to) China, India, Japan, Malaysia and Singapore.

We take reasonable steps to ensure these overseas recipients implement appropriate privacy and security measures. However, you acknowledge that some overseas recipients may not be subject to the Privacy Act and may not be accountable under it, and you consent to the transfer of your information on this basis.

If you are located in the EU or UK, additional restrictions on overseas transfers may apply, and we will seek to ensure that appropriate safeguards are in place in accordance with GDPR (for example, standard contractual clauses or equivalent safeguards).

Your consent

By your use of our Sites and/or services you consent to the collection, storage, use and disclosure of your personal information in accordance with this Privacy Policy and as otherwise permitted under Privacy Laws.

Where required by law (for example, for certain marketing or overseas transfers), we will seek your consent or rely on another lawful basis for processing.

Storage, security and destruction

We take the security of your personal information seriously and use reasonable endeavours to protect your personal information in a secure environment, including, among other things, the use of industry-standard techniques such as:
  • access controls and authentication;
  • firewalls, encryption and secure network configuration;
  • intrusion detection, logging and monitoring;
  • vulnerability management and regular review of security controls; and
  • staff training and confidentiality obligations.
We also limit and restrict internal access to personal information to those personnel who need access to the information in order to perform their role, in accordance with the principle of least privilege. These personnel are limited in number and are committed to maintaining confidentiality.

If we no longer need your personal information, unless we are required by law or a court or tribunal order to retain it, we will take reasonable steps to destroy or de-identify your personal information, in accordance with our documented data retention and information lifecycle policies.

Notwithstanding the reasonable steps taken to keep information secure, breaches may occur. We maintain a documented data breach response plan aligned with our information security management system. In the event of a security incident, we will promptly investigate the incident and determine if there has been a data breach involving personal information, and if so, assess whether it is a breach that would require notification.

If it is an eligible data breach under applicable Privacy Laws, we will notify affected parties and regulators in accordance with legal requirements.

Variation and consent to variation

We may vary the terms of this Privacy Policy at any time. You should check this Privacy Policy regularly so that you are aware of any variations made to this Privacy Policy. You will be deemed to have consented to such variations by your continued use of the Site following such changes being made.

GDPR

In addition to the rights outlined in this Privacy Policy, if you are in the EU, UK or certain other jurisdictions, you may have additional rights under GDPR or equivalent laws. When we process personal information relating to individuals in these jurisdictions, we will identify our role (for example, controller or processor) and handle personal information accordingly.

These additional rights may include:
  • Right of access, rectification and erasure;
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object to processing (including for direct marketing); and
  • Right to withdraw consent where processing is based on consent.
Right to restriction on data processing

In certain circumstances, you may also request a restriction on the processing of your personal data. You can make such a request in the following situations:
  • where you believe that the information held is inaccurate;
  • where the processing is unlawful;
  • where we are storing the information for legal claims, however do not require it for processing purposes; or
  • you have legitimate grounds to object to data processing.
If at any time you wish to exercise these rights or withdraw your consent, please contact our Privacy Officer or Data Protection Officer (where appointed). We will respond in accordance with applicable law.

In the unlikely event that we experience a personal data breach that is likely to result in a high risk to individuals in the EU or UK, we will notify those affected individuals without undue delay where required by law.

Access and Complaints

If you request access to the personal information we hold about you, we will respond to your request within a reasonable period of time and, where reasonable and practicable, give access to the information in the manner you request. This will be subject to any exemptions allowed under the Privacy Laws. We may charge a reasonable fee for providing that information.

You may request information or make a complaint by writing to:

Privacy Officer
Contact: Privacy Officer
By email: privacy@xemplo.com

Data Protection Officer
Contact: Data Protection Officer
Email: dpo@xemplo.com

EU Representative
Contact: EU Representative
Email: gdprrep@xemplo.com

If you are not satisfied with our response to your complaint or believe that we have breached Privacy Laws in the handling of your personal information, you can contact the relevant regulator:

Australia: Office of the Australian Information Commissioner
1300 363 992
enquiries@oaic.gov.au

Europe: Please contact your local Data Protection Authority

When contacting us you have the option to either not identify yourself or to use a pseudonym. However, this will not apply if it is impracticable for us to communicate with you that way or we are required or authorised under law (or a court or tribunal order) to only deal with individuals who have identified themselves.