● Data Protection Laws means the data protection and privacy laws applicable to the processing of Personal Data that we are committed to complying with, including:
○ the Privacy Act 1993 (New Zealand);
○ the Privacy Act 1988 (Cth, Australia); and
○ where we are dealing with persons based in the European Union (EU), the European Union General Data Protection Regulation (GDPR).
● Grant Application Form means the digital form created by a Grant Organisation that a Grant Applicant uses in order to apply for a grant.
Collection of Personal Information
Personal Data and Information Collected From You
We collect Personal Information about you when you provide (or make available) that Personal Information to us, including:
● via the Website, WebApp and Services;
● through any registration or subscription process with us;
● through any form submission process on our WebApp or Subscription Service;
● through any contact with us, whether face-to-face, telephone call, email or otherwise;
● when you sign up to our email marketing lists, or when you enter into a transaction with us.
If possible, we will collect Personal Information from you directly.
The Personal Information we may collect includes, but is not limited to, your name, physical address, email address, login for the Services, feedback and suggestions for the Services, IP address, phone number, billing information (if applicable), occupation, employer, and job title.
Personal Information Collected Automatically
We may automatically collect information about your usage and web browsing when you use any of our Services or Website. We may collect the Personal Information as log files, or through cookies or other tracking technologies (see “Cookies and Tracking” below for more information), store it against the associated User ID, and link it to the other Personal Information we hold about an End User or User ID.
The Personal Information we may collect includes, but is not limited to, your IP address, your operating system, your browser ID, time, date, your browsing activity, your interaction with the Services (including any Content, comments, and location).
Personal Information Uploaded and Transferred to the Subscription Service By Another End User
We collect Personal Information about persons indirectly when you or other End Users use our Services, such as when:
● An End User invites a person to become an Authorised User or a Grant Assessor.
○ Personal Information of End Users may include, but is not limited to, first name, last name, phone number, and email address.
● A Grant Applicant invites a person to collaborate on a Grant Transaction.
○ Personal Information of End Users may include, but is not limited to, first name, last name, and email address.
● A Grant Applicant completes a Grant Application Form which may request Personal Information about additional persons. Grant Application Forms are created by the Grant Organisation and they determine what Personal Information about additional persons is required for the grant.
○ As an example, some Grant Organisations require Grant Applicants to name “Key Personnel” in the Grant Application Form. In this example, the Personal Information that may be collected is first name, last name, email address, and role.
We may collect Personal Information about you from third parties where you have consented to such collection or the information is publicly available.
We may collect statistical (non-personal) information about your use of our Services and Website to improve the features and overall user experience. This may include statistical information such as, but not limited to, pages accessed on our Services and Website, search terms, links that are clicked on, browsers and operating systems, IP address, and cookies.
Cookies and Tracking
● Personal Information may be collected as log files, or through cookies or other tracking technologies, stored against associated User IDs, and linked to the other Personal Information we hold about associated End Users or User IDs.
● The Services, WebApps and Website do not currently recognize Do Not Track (DNT) signals sent by our End Users’ web browsers.
● In addition, third parties that have content embedded on the Services, WebApps or Website, such as videos or social media buttons, may set cookies on an End User’s browser and/or obtain information about the fact that a web browser visited the Services, WebApps or Website from a certain IP address.
Disclosure of Personal Information
We may disclose your Personal Information to:
● another company within our group for the purpose of providing Services and otherwise complying with the Terms;
● any business that supports our Services and Website, including any person that hosts or maintains any Underlying System that we use to provide our Services and Website;
● a credit reference agency for the purpose of credit checking you;
● a third party who acquires Tahua or substantially all of Tahua’s assets, in which case Personal Information we hold may be one of the transferred assets (subject to the same constraints and disclosure under this policy);
● other third parties, for anonymised statistical information;
● a person who can legally require us to supply your Personal Information (e.g. a regulatory authority);
● any other person authorised by the Data Protection Laws or another law (e.g. a law enforcement agency); and
● any other person authorised by you.
Use of Personal Information
We process Personal Information:
● to perform the Services and otherwise carry out our obligations under the Terms;
● to provide, tailor and improve the Website, WebApp and Services;
● to respond to communications from you, including a complaint;
● to identify you when you sign-in to your account and verify that your account is not being used by others;
● to combat and prevent breaches of our Terms and our other policies;
● to enforce compliance with our Terms, protect and/or enforce our legal rights and interests and comply with laws;
● to bill you and to collect money that you owe us, including authorising and processing credit card transactions; and
● to undertake credit checks (if necessary),
and such processing is necessary for the performance of the contract between you and us.
We also process Personal Information:
● to comply with our obligations to our third-party suppliers and service providers;
● to analyse usage of the Website, WebApp and Services, or carry out research and analysis, so we can improve the Website, WebApp and/or Services;
● to market our Services to you, including contacting you electronically;
● to ensure the security of our Services, WebApp and Website; and
● to personalise the WebApp and Services for you and your Authorised Users,
and such processing is necessary for the purposes of a legitimate interest pursued by us, and we have assessed that our interests are not overridden by the interests or fundamental rights and freedoms of the person to whom the Personal Information relates.
We may also use Personal Information collected for such other purposes that are compatible with the original purposes described above, or that you otherwise consented to from time to time.
We also process Personal Information to communicate with you in relation to the WebApp or the Services from time to time, including to respond to your contact request and any related communication. You can unsubscribe from any communications from us by contacting us as directed in any such communications.
If you are based in the EU at the time we are processing your Personal Information, you have the right to object to the way we process your Personal Information where the processing is based on legitimate interests.
Trans-border Personal Data and Information Flows
Tahua’s head office is located in New Zealand, so some limited Personal Information is transferred and/or stored there. The vast majority of Personal Information we handle is stored and hosted in Australia.
Some limited Personal Information may be provided to companies located overseas who offer software-as-a-service products that process content for inclusion on the Subscription Service (for example, conversion of images and videos to make them suitable for viewing online/through a web browser). Those third parties located overseas are not permitted to (and are contractually obligated to not) access or use the Personal Information except for those limited purposes. We only choose reputable service providers and have agreements with such third parties that prevent them from using or disclosing to others the Personal Information we share with them, other than as is necessary to assist us.
While the information resides outside of the territory where you reside, it may be accessible to the local courts, law enforcement and national security authorities in a foreign jurisdiction.
Retention of Personal Information
We will delete your Personal Information once:
▪ the purpose for collection of that information is no longer relevant; and
▪ we are no longer required to comply with any legal obligation that necessitates the retention of that information.
However, despite this, we may retain a copy of Personal Information (in a static form, not accessible online) for archival purposes only.
Protecting your Personal Information
We will take reasonable steps to keep your Personal Data and Information safe from loss, unauthorised activity, or other misuse.
Accessing and correcting your Personal Information
Subject to certain grounds for refusal set out in the Data Protection Laws, you have the right to access your readily retrievable Personal Information that we hold and to request a correction to your Personal Information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the Personal Information relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the Personal Information, we will make the correction.
If you are an EU-based person you have the right (under the GDPR) to:
● access and correct your Personal Information;
● in certain circumstances, have your Personal Information erased;
● restrict the processing of your Personal Information;
● move, copy or transfer your Personal Information easily for your own purposes across different services in a safe and secure way;
● object to processing where we are relying on legitimate interests as the basis for processing and at any time to processing of Personal Information for direct marketing purposes; and
● withdraw your consent to our processing of your Personal Information if your consent is being relied on by us.
Please note that in certain circumstances we may refuse to respond to a GDPR rights request where we have the right to do so under the GDPR, for example, where a request is manifestly unfounded or excessive.
If you want to exercise either of the above rights, contact us using our Inquiries form. Your email should provide evidence of who you are and set out the details of your request (e.g. the Personal Information, or the correction, that you are requesting).
We may charge you our reasonable costs of providing to you copies of your Personal Information or correcting that information.
While we take reasonable steps to maintain secure internet connections, if you provide us with Personal Information over the internet, the provision of that information is at your own risk.
PART B: YOUR OBLIGATIONS
By accessing and using our Website, WebApp and Services to upload and transfer other people’s Personal Information, you agree that you:
● will comply with your obligations under all Data Protection Laws;
● have obtained (or shall obtain) all consents necessary under the Data Protection Laws, for us to process the Personal Information through our Services as you direct, and that such consent is obtained from the correct person; we may, but shall not be required to, offer through the functionality of the Services a pop-up or embedded form to allow End Users to give their consent, retrospectively, to the processing of their Personal Information through our Services. However, you shall not rely on any such functionality, and it is your responsibility to ensure that you obtain consent from the appropriate person(s).
● must notify us without undue delay if any person withdraws their consent, or any part of their consent, or objects to any processing of Personal Information through our Services;
● will make sure that you are frequently updating any Personal Information stored within your account or Subscription Service that relates to another person when requested to do so by that person;
● upon becoming aware of a security incident, or any other breach, or suspected breach, of your security safeguards, must notify us without undue delay and shall provide timely information relating to the security incident as it becomes known or as is reasonably requested by us;
● will not upload or transfer “sensitive data” (as that term is defined in the Data Protection Laws) to the Subscription Service;
● are responsible for your secure use of our Services, including securing your User ID, protecting the security of Personal Information when in transit to and from the Subscription Service and taking any appropriate steps to securely encrypt or backup any Personal Information uploaded to the Subscription Service;
● are responsible for reviewing the information made available by Tahua relating to data security and making an independent determination as to whether the Services meet your requirements and legal obligations under the Data Protection Laws.