V3.0 - last updated 6 October 2021
We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (“Privacy Act”), the United Kingdom Data Protection Act 2018 and the European Union General Data Protection Regulation 2016/679 (GDPR) (each of which is deemed an applicable law for the purpose of this policy).
2. Summary of Key Points
Our identity and contact details
Personal data that we process
- Subscription/registration, payment and e-commerce transaction data;
- Data entered into and/or uploaded into StoreConnect by our StoreConnect Subscribers when accessing StoreConnect and/or by their eCommerce customers when accessing a StoreConnect Subscriber’s eCommerce store set up on StoreConnect;
- Data relating to communications between us and our StoreConnect Subscribers;
- Analytics data;
- Cookies data;
- User information including IP addresses, email addresses, network information, user access logs, usernames, passwords, statistical data and information included by our customers in technical support tickets, telephone calls to our support team and error messages.
The purposes for the processing
Who we disclose personal data to
We only disclose personal data to hosting providers who perform hosting services on our behalf to the extent necessary for them to perform those services. We will not sell personal data to third parties (other than if we decide to sell or merge StoreConnect or the shares in our company). We also disclose personal data to Salesforce as part of providing StoreConnect Services.
Transfer of data to other countries
We may transfer your personal data to our hosting providers located in Australia, the United States of America or the European Union unless you are a StoreConnect customer and you and we agree otherwise. Such transfer shall be carried out in order for them to host StoreConnect and data stored in StoreConnect. We comply with applicable law when we transfer personal data overseas. We require any overseas hosting provider that we transfer personal data to, to contractually agree to comply with applicable law in processing that data.
How long we store personal data for
In relation to personal data that we collect through StoreConnect, we only retain this personal data 30 days after the relevant StoreConnect Subscriber’s subscription expires or terminates or earlier upon request by the StoreConnect Subscriber. We will destroy (or de-identify the personal data where we are entitled to do so) or return it to the relevant data subject.
3. Personal data
The Privacy Act defines “personal information” as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- a. whether the information or opinion is true or not; and
- b. whether the information or opinion is recorded in a material form or not.
4. Principles relating to the collection of personal data
We rely on our subscribers to obtain all relevant privacy consents and authorisations from eCommerce customers required by law, in order for the personal information that is entered into our platforms to be collected, disclosed and otherwise processed by us. We also rely on our subscribers to ensure that all personal information of their eCommerce customers held by us is accurate, up to date, complete, relevant and not misleading.
Our policy is to minimise the amount of personal data we collect. Accordingly, we only collect personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
We collect personal data that you give us, whether by email, telephone, in person, via application forms or otherwise. In addition, we may obtain personal data from public sources, where available. However, if it is reasonable and practicable to do so, we will collect personal data about an individual only from that individual.
We encourage StoreConnect Subscribers to ensure that their data subjects are familiar with their privacy policies so that their eCommerce customers understand how they will collect, use and otherwise process personal information about them, via their eCommerce store.
We will not collect personal data unless the information is reasonably necessary for one or more of our entity’s functions or activities.
StoreConnect Subscribers are responsible for the collection of explicit consents from their eCommerce customers, where required by applicable law. With respect to any such consents where required by applicable law, StoreConnect Subscribers must ensure that all eCommerce customers have the capacity to consent and that any consents obtained from any individual under the age of 16 are authorised by a parent or guardian. With respect to any such consents required by applicable law, StoreConnect Subscribers must notify us if StoreConnect has collected personal information from an eCommerce customer who is unable to provide us with explicit consent for the purposes of applicable law or if an eCommerce customer withdraws their consent.
We do not wish to process any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or any genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. StoreConnect is not designed to capture those types of personal data. Please do not enter any such personal data into StoreConnect.
5. Personal data that we collect and how we use it
Our policy is to minimise the amount of personal data we collect. Accordingly, we only collect personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
The personal data that we collect and how we use it is as follows:
- a. Payment Data and other data entered into and/or uploaded into StoreConnect by StoreConnect Subscribers when accessing StoreConnect: If you are a StoreConnect Subscriber who has registered or subscribed to StoreConnect, we will collect and otherwise process the following categories of personal data about your staff: names, telephone numbers, mobile numbers, email addresses, credit card details, bank account details, postal addresses, residential addresses, business addresses and social media accounts. We will process this personal data in order to administer our StoreConnect Subscriber subscriptions, registrations and accounts on StoreConnect, for the purposes of providing you, as a StoreConnect Subscriber, with access to and use of StoreConnect, to enforce your obligations to pay Service Charges to us and to otherwise enforce compliance with our Terms & Conditions and the contractual obligations that you, as a StoreConnect Subscriber, owe to us. We will also process this personal data in order to provide you with information and assistance about StoreConnect, and to communicate with you in connection with any maintenance notices (that we may issue when StoreConnect is unavailable), renewal notices and service status updates for the purposes of keeping you informed and up to date about the service status of StoreConnect.
- b. Data entered into and/or uploaded into StoreConnect by StoreConnect Subscriber eCommerce customers: We collect and process any personal data that eCommerce customers upload or enter into eCommerce stores set up by StoreConnect Subscribers using StoreConnect. This data is contact, payment and store transaction data and any other fields set out in the StoreConnect documentation. We will process this personal data on behalf of our StoreConnect Subscribers and eCommerce customers in order to provide our StoreConnect Subscribers with the functionality provided by StoreConnect. We will also process this personal data to monitor compliance with our Terms & Conditions, to maintain backups of our databases and to detect unauthorised use and faults with StoreConnect (such as by examining log files and error messages). The personal data will also be used to provide our StoreConnect Subscribers with technical support and training with respect to StoreConnect if and where we agree to do so.
- c. Data relating to communications: When our StoreConnect Subscribers contact us, we will collect and process personal data which is the name of the StoreConnect Subscriber, the IP address of the StoreConnect Subscriber and any other personal data that the StoreConnect Subscriber provides to us during the communications. For example, a StoreConnect Subscriber may contact us to ask questions about StoreConnect, seek technical support or advice and to express their interest in upgrading or modifying their accounts on StoreConnect. We will process this personal data in order to provide our StoreConnect Subscribers with information and assistance about StoreConnect, and to communicate with them in connection with any breach, expiry, termination or suspension of StoreConnect.
6. Who we share personal data with
We only disclose personal data to third parties who perform services for us or where required to provide StoreConnect Services in accordance with applicable law. We will not sell personal data to third parties (other than if we decide to sell or merge StoreConnect or the shares in our company) and we only disclose the minimum amount of personal data required. We will also disclose and/or transfer your personal information to our personnel, contractors, professional advisors and insurer and as otherwise required by law. We may disclose personal data that we collect to third parties for all or any of the following purposes:
- To procure hosting of StoreConnect – in which case we disclose your personal data to our upstream hosting suppliers who host StoreConnect (Heroku and Salesforce) and the personal data that you enter into and/or upload into StoreConnect. Our hosting suppliers host that personal data on their computer servers;
- As required to provide StoreConnect Services – which may require us to disclose personal data, such as when we disclose transaction data to Salesforce that the StoreConnect Services are designed to disclose in order to maintain database records in Salesforce concerning StoreConnect eCommerce store transactions;
- Handling claims and complaints – in which case we may disclose your personal data to our lawyers and insurers;
- Sending out newsletters and other relevant marketing material to StoreConnect Subscribers (if you have expressed an interest in our products) – in which case we may disclose your personal data to our email, marketing and newsletter service providers for such purposes;
- In order to record billing details – in which case we provide your bank account and credit card details to our bank and merchant facility providers;
- For professional advice – when providing information to our legal, accounting or financial advisors/representatives or debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
- If we sell the whole or part of our business of StoreConnect or the shares in our company or merge with another entity – in which case we will provide to the purchaser or other entity the personal data that is the subject of the sale or merger;
- Where required by law.
We may also provide your personal data to our lawyers, insurers and professional advisors and any court or administrative body, for one or more of the following purposes:
- For the purposes of obtaining professional advice;
- To obtain or maintain insurance;
- The prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
- To protect or enforce our rights or defend claims;
- Enforcement of our claims against you or third parties;
- The enforcement of laws relating to the confiscation of the proceeds of crime;
- The protection of the public revenue;
- The prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
- The preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of the court or tribunal;
- Where disclosure is required to protect the safety or vital interests of employees, eCommerce customers or property.
7. Third party platforms
StoreConnect may include links to, or interface with third party websites and platforms. Our linking to those websites and platforms does not mean that we endorse or recommend them. We do not warrant or represent that any third party website or platform operator complies with applicable data protection laws. You should consider the privacy policies of any relevant third party websites and platforms prior to sending your personal data to them.
You may interact with social media platforms via social media widgets and tools such as the Facebook Like button and the Facebook pixel that may be installed on StoreConnect. These widgets and tools may collect your IP address and other personal data. Your interaction with such widgets and tools, and any single sign-on services such as Open ID is governed by the privacy policies of the relevant social media operators and single sign-on service providers – please read them so that you are aware of how they process your personal data.
We take our privacy obligations very seriously. Accordingly, we only process personal data in a manner that ensures appropriate security of the personal data, including by protecting the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
The technical and organisational measures that we have implemented are as follows:
- We maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms;
- We have data backup processes in place;
- We have anti-virus and security controls for email and other applicable computer software and systems in place;
- We maintain electronic (e-security) measures for the purposes of securing personal information, such as passwords and anti-virus management;
- We implement https encryption protocols, passwords and access control procedures into our computer systems; and
- We and/or our hosting providers have processes in place to ensure integrity and resilience of systems, servers and personal data.
9. If you refuse to provide us with personal data
10. Spam email
We do not send “junk” or unsolicited e-mail in contravention of the Spam Act 2003 (Cth). We will, however, use e-mail in some cases to respond to inquiries, confirm purchases, or contact StoreConnect Subscribers. These transaction-based e-mails are automatically generated. Any time a StoreConnect Subscriber receives e-mail it does not want from us, they can request that we not send further e-mail by contacting us via e-mail. Upon receipt of any such request, we will remove the person from our database to ensure that they cease to receive automated e-mails from us.
11. Contractors and offshore providers
Subject to the provisions of Australian Privacy Principle 8 (Cross-border disclosure of personal information), we may transfer your personal data to our hosting providers who host StoreConnect and the data stored in it. Our hosting providers are located in Australia, the United States and the European Union, and we will only transfer personal data processed by the StoreConnect platform to those hosting providers except where specifically agreed in writing by us and a customer that personal data must be hosted from a specific location.
12. How to access and correct personal data held by us
13. Notifiable data breaches
Since 22 February 2018, data breaches that are likely to result in serious harm must be reported to affected individuals and the Office of the Australian Information Commissioner, except where limited exceptions apply. We will notify you of any data breach that may affect you where we are required to do so in accordance with our legal obligations.
Our contact details
StoreConnect is owned and operated by StoreConnect Pty Ltd [ACN 647 990 725]. If you wish to contact us for any reason regarding our privacy practices or the personal data that we hold about you, please contact us at the following address:
StoreConnect Pty Ltd
Level 25, 100 Mount Street, North Sydney NSW 2060 Australia
We will use our best endeavours to resolve any privacy complaint within 10 business days following receipt of your complaint. This may include working with you on a collaborative basis to resolve the complaint or us proposing options for resolution.
If you are not satisfied with the outcome of a complaint, you may refer the complaint to the OAIC, who can be contacted using the following details:
Call: 1300 363 992
Address: GPO Box 5218, Sydney NSW 2001