Table of Contents
LinkTexting Pty Ltd
- using our services, including widgets, Smart App Badges, Smart Links or Smart Prompts on your website or use of our APIs to build your own widget (Services);
- accessing, requesting information on, enquiring about, using, receiving or providing feedback in relation to, LinkTexting's operations or Services (online, in writing, by telephone or in person); or
- otherwise providing, or consenting to the collection of, Personal Information by LinkTexting, its officers, agents or employees,
after this Policy has been brought to your attention, you acknowledge and consent to the use, collection, storage or disclosure of your Personal Information by us in accordance with this Policy and the Privacy Act.
If you do not agree to us handling your Personal Information in the manner set out in this Policy we will not be able to provide our Services to you and you should not provide us with any personal information.
Our Data Breach Policy forms part of this Policy and sets out our approach to any data breach.
1. What is Personal Information?
We follow the definition of Personal Information given in the Privacy Act:
Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
2. What kinds of Personal Information might we collect and hold?
The Personal Information we may collect, hold and process about you depends upon how you interact with us. This information may vary depending on the specific needs of LinkTexting, however, it may include your:
- name, address, email address and telephone number and contact information;
- the manner in which you deal with our clients, or request services from our clients;
- your requests and information you input into our website, systems, widgets, Smart Links, Smart App Badges or Smart Prompts
- demographic information such as age or date of birth, location and activities;
- business relationship and history with us;
- business or associated companies or entities;
- messages, emails, voicemail and other correspondence and frequency of enquiries;
- comments and feedback and responses to surveys;
- interaction with websites, including our website;
- information about how you use our website and apps;
- what computer configurations and software you use;
- your IP address and/or other device identifying data;
- general preferences and interests;
- billing and credit card information;
- other information required to provide a service or information you have requested from us; and
- any additional information relating to you that you provide to us directly.
3. How do we collect Personal Information?
We collect Personal Information:
- directly from you (when you provide that information to us, we contact you, when you contact us, when you use our services, when you engage with us or when we engage with you);
- through our widgets, Smart App Badges, Smart Links or Smart Prompts;
- when conducting and/or providing our Services;
- when you participate in our marketing activities;
- from third parties who you have authorised to provide us with information; and
- from publicly available sources such as the internet and social media.
4. How do we hold and secure your Personal Information?
We store your Personal Information digitally, onsite and at various third party storage providers. All digital material is secured using password protected computers or cloud storage services. Any digital transfer of Personal Information is secured using SSL/TLS 1.2 or later. Any passwords are encrypted with a one way hash which means even we do not see the original password.
LinkTexting uses data storage providers located inside Australia and overseas such as in the United States of America. Where appropriate, LinkTexting has agreements with its storage providers to keep all Personal Information they store secure, using reasonable and appropriate security methods.
We conduct regular audits of our compliance with this Policy and the Act to ensure that our privacy framework is in line with industry best-practice.
5. Why do we collect, hold, use and disclose Personal Information?
LinkTexting may collect Personal Information for a number of reasons, including:
- verifying your identity;
- providing you or a third party with Services;
- providing you with information about our Services and products;
- sending communications you request or contacting you and responding to your enquiries;
- providing third parties, including our clients, with information about you and your activities
- communicating with you and providing you with information about your account with us and the Services;
- ensuring consistency of service across our business and other internal business purposes;
- developing or refining our Services;
- notifying you about changes to our website or products or Services we offer or provide via our website;
- internal business purposes;
- providing you with marketing material;
- contacting you in relation to our business activities;
- tailoring our Services;
- publishing testimonials you provide us; and
- corporate governance, auditing and record keeping.
Our use of Personal Information may extend beyond these uses, but will be restricted to purposes that we consider to be related to our functions and activities.
6. What do we do with your Personal Information?
If we collect Personal Information, we may:
- use that information for the purposes stated in this Policy;
- store that information in accordance with this Policy;
- pass that information amongst entities we work with;
- pass that information to third parties who provide products or services to us (including our accountants, auditors, lawyers, IT contractors, and other service providers);
- provide that information to third parties as required or allowed by law.
7. Do you use my information for Direct Marketing?
We may use your Personal Information to communicate directly with you to promote our Services. We use direct marketing to provide you with information about our Services that we believe you may be interested in. If you receive direct marketing material from us, and do not wish to continue receiving it, please contact us by any of the methods stated in this Policy, asking to be removed from all future direct marketing programs. Once we have received your opt-out request, we will remove you from our direct marketing programs as soon as reasonably practicable.
8. What about Cookies, pixels and analytics?
When you access our website, widgets, Smart App Badges, Smart Links or Smart Prompts, we may receive information about you via automated methods, including (but not limited to) use of a ‘cookie’, a ‘pixel’ or from analytics software.
These are tools that our web server may direct your traffic to, send to your computer, or embed on a website, when you visit our website. These tools help us provide Services to you and our clients, and to recognise when you re-visit the website, serve you customised content and to optimize your experience. We generally don’t collect Personal Information through the use of these tools, though we may be able to access your IP address and information about what your computer technology is when using analytical software.
You may be able to change the settings of your browser so that Cookies are not accepted generally or that you are provided with options to accept or reject them as they are sent to your browser.
9. Do we ever send your information overseas?
Based in Australia, LinkTexting is a global company. Our data is stored in the cloud in the United States of America. Our telecommunications partner who provides SMS services is based in the United Kingdom.
We may upload images and/or footage to our social media accounts from time to time. The social media accounts may be hosted on an overseas server.
Where applicable, in the event that your information is sent overseas, we will use our best endeavours to ensure that any overseas supplier will keep all Personal Information secure.
10. Can you access your Personal Information or request it be corrected?
- You may request access to the Personal Information that we hold about you by contacting us.
- Upon receiving an access request we may request further details from you to verify your identity. We reserve the right not to provide you with access to Personal Information if we cannot verify your identity to our reasonable satisfaction.
- An administrative fee may be charged to cover our costs in providing you with access to your Personal Information. This fee will be explained to you before it has been incurred.
- We will respond to your access request within a reasonable period of time by:
- providing you with access to your Personal Information (including in a structured electronic format if you are a resident of the European Union);
- rejecting your access request, and providing you reasons for this rejection.
- Access requests may be denied where:
- we believe your request is frivolous or vexatious;
- we are entitled to reject a request by law;
- we are unable to verify your identity; or
- you have not paid the administrative fee (if any).
- If you believe that the Personal Information that we hold is inaccurate or otherwise requires correction, you may send us a correction request by contacting us. We will review your Personal Information and respond to the request within a reasonable period of time.
11. What happens if you want to deal with us anonymously or using a pseudonym?
When contacting us, you can do so either anonymously or by using a pseudonym. If you do so, we may not be able to provide you with accurate or useful information, and you may not be able to access a full range of our operations and services. Further, we may not be able to investigate incidents or complaints you have made.
12. Does this policy ever change?
13. What about the General Data Protection Regulation (GDPR)?
The GDPR is the European Union (EU) data protection law. Australian-based organisations that offer goods or services to persons in the EU or target or monitor the behaviour of persons in the EU may be required to comply with the GDPR regulatory regime.
We are an Australian based organisation providing products and services within Australia. From time to time, we may capture or collect Personal Information that passes through the EU. This might occur, for example, if a person in the EU accesses our website and we collect analytical data about them, if a person in the EU signs up for a newsletter, enquiries about our services from the EU, or if one of our customers gives us information about a person in the EU. If this occurs, we will treat the Personal Information received in accordance with this Policy.
Where data is processed or monitored in the EU, you may have additional rights, such as:
- The right to request that we delete your Personal Information (unless we require that information to comply with a legal obligation, or need it to bring or defend a legal claim); and
- The right to restrict our processing of your Personal Information (where it is inaccurate, would be unlawful to process, or where it has not been deleted due to us needing it to meet a legal obligation).
14. What happens if you have a question or complaint about how we have handled your Personal Information?
If you have a question or complaint, you can raise it with us by:
Emailing: firstname.lastname@example.org; or
Sending a letter to: Level 3, 97 Pirie Street, Adelaide, SA 5000, Australia
We take all complaints seriously and will respond to you within a reasonable period of time, unless we consider your complaint to be frivolous or vexatious or if we are unable to verify your identity. If you aren’t satisfied with the way we have handled your complaint, you can make a complaint to the Office of the Australian Information Commissioner at http://oaic.gov.au.
Table of Contents
LinkTexting Pty Ltd
Data Processing Agreement
1. Basis of Agreement
- Where you, or the organisation you represent (Data Controller) instruct LinkTexting Pty Ltd (Data Processor) to process Personal Data, the provisions of this Data Processing Agreement will apply.
- By instructing the Data Processor to process Personal Data, you agree that you will be bound by the terms of this Data Processing Agreement.
- If you do not agree with the terms of this Data Processing Agreement, you must immediately cease to instruct the Data Processor to process Personal Data.
- Where there is inconsistency between the provisions of this Data Processing Agreement and:
- the Terms of Service, the Terms of Service shall prevail; or
In this Data Processing Agreement:
- GDPR means EU General Data Protection Regulation 2016/679;
- Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, including Australia;
- Services means the data processing services offered by the Data Processor as part of its business operations;
- Terms of Service means the terms and conditions of service governing the provision of services by the Data Processor to the Data Controller, as amended from time to time, and available on the Data Processor’s website;
- the terms, Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as in the GDPR.
3. Processing of Personal Data
- The Data Controller may request the Data Processor process Personal Data by:
(each a Request).
- using, or making available to its customers, the Data Processor’s Services, including the Data Processor’s widgets, Smart App Badges, Smart Links, Smart Prompts or other software that interfaces with the Data Processor’s API; or
- making a written request to the Data Processor to process certain Personal Data.
- If the Data Processor agrees to a Request, the Data Processor shall process Personal Data in accordance with:
- the Data Controller’s instructions;
- relevant privacy laws applying to the processing of that Personal Data;
- the provisions of the Terms of Service; and
- This Data Processing Agreement shall continue until such time as the Data Processor ceases to provide Services to the Data Controller.
- The Data Processor shall take reasonable steps to ensure that, in processing Personal Data, it restricts access to the Personal Data to only those individuals who need to access the Personal Data to enable the Data Processor to provide the Services, and to comply with any applicable laws.
- Where Personal Data is confidential (in that it is not freely available in the public domain other than by breach of this Data Processing Agreement), it shall ensure that the Personal Data is kept confidential (unless disclosure is required by law) other than disclosure to:
- the Data Controller;
- the employees, agents and sub-contractors of the Data Processor; and
- the Data Processor’s professional advisors and legal representatives.
5. Security measures
- The Data Processor shall take reasonable steps to ensure the security of its systems and the servers on which Personal Data is processed and stored.
- The Data Processor may process, communicate or store Personal Data on servers located in Australia and the United States of America.
6. Use of sub-processors
- From time to time, the Data Processor may contract with third parties (Sub-Processors) to assist in the processing of Personal Data. Where this occurs, the Data Processor will ensure that each Sub-Processor complies with relevant privacy laws, and the rights of the Data Controller as articulated in this Data Processing Agreement.
- Where the Data Processor engages a Sub-Processor, it shall notify the Data Controller of the identity of the Sub-Processor, and update the list of Sub-Processors maintained on the Data Processor's web site.
7. Data Subject rights
- The Data Processor shall take reasonable steps to assist the Data Controller to implement appropriate measures to allow Data Subjects to exercise their rights in relation to their Personal Data that is processed by the Data Processor.
- The Data Processor shall promptly notify the Data Controller of any queries it receives from Data Subjects relating to the Data Controller.
- The Data Controller shall notify the Data Processor of any query it receives from a Data Subject regarding the processing of Personal Data by the Data Processor.
- The parties will take reasonable steps to work cooperatively in dealing with any query, complaint or request from a Data Subject relating to the Data Processor’s processing of Personal Data.
8. Data Breaches
- The Data Processor will notify the Data Controller as soon as reasonably practicable if it becomes aware of a Personal Data Breach affecting Personal Data provided by the Data Controller.
- The Data Processor will provide relevant information to the Data Controller to assist it in meeting any legal obligation to inform Data Subjects of the Personal Data Breach.
- The Data Processor shall co-operate with the Data Controller and take reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Data Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
10. Return of Data
- Where a Data Subject has a right under the GDPR or other Data Protection Law to access, modify or request deletion of their Personal Data, the Data Processor shall promptly comply with that request to the extent required by law.
- The Data Processor will notify the Data Controller of any such action within a reasonable period of time.
11. Provision of Reasonable Assistance
The Data Processor will provide the Data Controller with reasonable assistance to comply with any auditing, reporting or other legal requirements arising from the engagement of the Data Processor to process Personal Data by the Data Controller.
12. Governing Law and Jurisdiction
- This Agreement is governed by the laws of South Australia.
- Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of South Australia.
Date last modified: This Data Processing Agreement was last modified on April 25, 2019.
Table of Contents
LinkTexting Pty Ltd
Following is a list of Sub-Processors that assist LinkTexting Pty Ltd in the processing of Personal Data.
Date last modified: This Sub-Processor List was last modified on April 25, 2019.
Table of Contents
LinkTexting Pty Ltd
Data Breach Policy
LinkTexting Pty Ltd and its associated entities (together LinkTexting, we, us, or our) is committed to protecting the personal information we collected.
We are required to protect personal information we collect from loss, unauthorised access and unauthorised disclosure (data breach).
Security of data
We are obliged under the Australian Privacy Principles to take such steps as are reasonable to protect personal information:
- from misuse, interference and loss
- from unauthorised access, modification or disclosure
We are also obliged to ensure the security of credit eligibility information.
Should we suspect or believe that a data breach has occurred we will undertake the following 5 steps:
We will maintain systems and procedures to ensure that any suspected or actual data breach can be identified, reported and escalated to management responsible for the implementation of the Data Breach Response Plan. Any staff member of LinkTexting who suspects a data breach has occurred must ensure that a Data Breach Report Form is completed and sent promptly to the Managing Director.
Once identified, we will take all reasonable steps that can be taken to contain that breach. We make a preliminary assessment of any remedial action we should take and provide that assessment to all relevant staff members within 24 hours.
Remedial action is anything we can reasonably do to stop the breach, prevent further similar breaches or prevent harm occurring to the individual whose data has been accessed or lost.
Examples of remedial action include:
- retrieving the personal data
- shutting down our system
- finding the lost device or file
The Data Breach Response Plan and the Data Breach Report Form provide for the proper assessment of the breach including:
- the type of information involved
- whether the breach can be remedied and the information recovered
- the identity and number of individuals affected or likely to be affected
- the possible financial, economic, social and emotional impact on any individual;
- the nature of the breach (i.e. was it loss, access or disclosure of electronic or paper-based data and was it accidental or deliberate)
- the perpetrator of the breach (i.e. internal staff, contractors, third parties whether local or overseas)
- the risk of further breaches if remedial action not taken (i.e. is systemic problem or one-off)
- whether criminality evident (i.e. theft or hacking)
- whether the information was encrypted, de-identified or difficult to access
If we believe (not just suspect) on reasonable grounds that a data breach is likely to result in serious harm to any of the individuals concerned we will:
- Prepare the statement required by the Privacy Act 1988 including the following information:
- our identity and contact details;
- a description of the breach we believe has occurred;
- the kind of information involved in the breach;
- recommendation about the steps the individuals should take in response and
- if the data breach was caused by a third party service provider we engage, we will include their name and contact details.
- Provide a copy of the statement to the Office of the Australian Information Commissioner
- Provide a copy of the statement to each affected individual affected by means determined to communicate effectively and include additional information such as:
- our response to contain the data breach and prevent its recurrence
- any assistance we can offer to the individuals
- that we have reported the breach to the Office of the Australian Information Commissioner and, if relevant, any law enforcement agency/ies
- how individuals can make a complaint to the Office of the Australian Information Commissioner
To prevent future breaches of the same kind, the Data Breach Response Plan must include a requirement for us to conduct a review of our policies, systems and procedures which may include the following:
- a post-investigation audit of physical and technical security controls
- a review of policies and procedures
- additional training of staff members including scenario practices
- identify external resources that may assist in to prevent future breaches, i.e. auditing firms, public relations firms, legal advisers
- review authority levels for access to and transfer of electronic data
- whether the Data Breach Response Plan was adequate.
Date last modified: This Data Breach Policy was last modified on March 11, 2019.