Privacy Policy

INLOGIK GROUP PTY LIMITED

SCOPE

This policy applies to Inlogik, which includes Inlogik Group Pty Limited and its subsidiary companies around the world.

It sets out how we treat privacy generally, and includes special rules for information contained in Customer Data which is defined below. Privacy in relation to our employees’ information is covered in a separate policy.

All Inlogik employees must understand and comply with this policy.

THE BASIC PRINCIPLES

In this policy ‘you’ is the individual whose personal information is involved.

Personal information about you will only be collected from you, unless it is unreasonable or impractical to obtain it from you. Where it is obtained from somewhere else, you should receive notice that we have obtained it. Inlogik employees must promptly consider whether unsolicited personal information could have been collected as above. If not, they should destroy or de-identify it as soon as practicable after receipt (unless it is illegal to do so or retention is approved by our Privacy Officer on the basis we are permitted to retain it).

Personal information is only used or disclosed for the purpose for which it is collected (or a secondary purpose related to that purpose for which you would reasonably expect it to be used or disclosed), or with your consent or as required by law (for example under a warrant or court order).

Inlogik is bound by the Privacy Requirements (which includes Australian Privacy Principles, data protection laws in the EEA, and other international privacy obligations). We have adopted internal policies and procedures to ensure that personal information we collect, store, use and disclose is dealt with in accordance with the Privacy Requirements. Our general intention is to meet a common standard everywhere which, as far as reasonably possible, meets the highest standard required in any jurisdiction where we operate. However special provisions for jurisdictions may be inserted to this policy or procedures as required.

We do not collect, store, use or disclose sensitive personal information. Sensitive personal information includes information or opinions about an individual’s racial or ethnic origin, political opinions or associations, religious beliefs or affiliations, philosophical beliefs, trade and professional memberships, sexual preferences or practices, criminal record or health, genetic or biometric information.

THE INLOGIK BUSINESS & CUSTOMER DATA

Inlogik provides expense and card management services for organisations (called Customers), including working with banks. These services are branded ProMaster, ExpenseMe and Inlogik or white-label under the name of a bank or issuers. We do not deal with individual or retail customers. Our head office is in Australia, but Inlogik has operations in the US and the UK and receives data from other jurisdictions. Data will not be hosted, processed or stored outside of agreed jurisdiction without consent from Customer/Data Controller.

Services are provided as hosted software. It is a system into which employees of organisations enter data. The system also receives data feeds relating to expenses transactions and cards from the relevant card schemes and banks and the HR structure of organisations from client organisations.

The information in the system is referred to in this policy as Customer Data which includes any personal information. Customer Data is owned by the Customer (or in some cases a bank) but is still subject to Privacy Requirements in respect of personal information.

The system records transactions related to Customer’s employees. The information is presented in a form for review by the employee or entered by the employee for approval and for the generation of reports from the system. Personal information is entered by or in relation to the employee relating to applications for cards and for verification relating to access to the system. Information is hosted on a managed secure third-party hosting facility in agreed jurisdiction (Australia, North America and India etc.), where the hosting facility employees have no access to any Customer Data including personal information.

Inlogik ensures that Customer Data is encrypted in transit and at rest, stored securely and handled in accordance with PCI DSS requirements [which includes encryption of card and bank account information and hashing (is one way – cannot be decrypted) of password information] and applicable legislation relating to data security. Inlogik is also ISO27001 and ISO27701 compliant which ensures that our information security management is managed and scrutinised under these standards. Privacy Requirements are closely related to data security, but must still be considered separately.

HOW CUSTOMER DATA IS TREATED

The kind of personal information we collect and hold is:

1. name, email address, date of birth, phone, business address, card limits, and reporting lines;
2. information entered by the user which may include details such as drivers licence and security questions (and answers);
3. transactions and approvals relating to Customer expenses and other expenses recorded in a card feed;
4. events and requests relating to cards in the system, including invoices or receipts; and
5. user file attachments – files may be attached by the user.

Inlogik collects some personal information from the Customer or bank when establishing a service or creating a file for you in the service. This will typically identify you and be used in identifying you to give you access to the system. You will then enter into the system and will be asked to provide other information. You or your employer may also provide information in seeking to resolve any support issue. By using the system you will be consenting to use of your personal information in accordance with this policy. If you do not consent you will not be able to use the functions of the system. Where applicable under Privacy Requirements more formal consent will be sought.

Inlogik holds or stores personal information collected in the following locations:

1. Imported files (or feeds of information) are loaded into a database set aside for the customer.
2. Imported files are stored encrypted on file storage.
3. All information (including files and database) is encrypted and stored in a separate datacentre for offsite backup.
4. All information (including files and database) is stored in separate disaster recovery datacentre.

Inlogik collects, holds, uses and discloses that information for the purpose of providing the functions of the service, including recording and authorising transactions, and preparing reports. This may include:

• solving any issues in relation to the operation of the service, including complaints handling;
• verifying entitlement to access the information on the service, and preventing unauthorised access or change;
• providing newsletters and updated information provided that you have elected to receive this (and have not unsubscribed);
• use of telephone numbers or emails to contact you through third parties, such as SMS notifications and alerts; and
• data analytics (in a form not disclosing personal information).
• Processing of personal data may include:

• 1. Importing of feeds of data from customers, banks and/or card service providers with details of expense and card transactions, your reporting lines, information in relation to your card (such as limits), and may include some personal information depending on the feed.
  2. Imported information is held in a database (set aside for the customer) and any necessary SQL Server database processing jobs may be run to keep database healthy.
  3. Entry of information directly by the you including potential personal information, including file attachments.
  4. File attachments may be emailed by you to Inlogik whereby an attachment manager will process and attach for you.
  5. Credit card management related functions (new cards, cancel card, limit increase, card replacement, etc.).
  6. Regular jobs/activities run to update totals, help with data presentation and perform performance related tasks. All jobs are related to proper and effective function of the systems.
  7. Business reporting including reporting directly for the data subject is available. Report output can be setup by the data subject to output in an email.
  8. Data exports (expense management systems) to feed information back into systems such as General Ledger as journals, Accounts Payable for payments, and other business related functions which are based on Customers requirements.
  9. All information is backed up to separate datacentre nightly (encrypted in transit and at rest).
  10. All information is synced with disaster recovery datacentre for business continuity purposes.

Note some customers have activated an Optical Character Recognition (OCR) module. Under this module the User can send images (which should not normally include PII) for reading. The image is transmitted to Taggun in Australia where it is rendered into text and returned to the Inlogik system. Taggun privacy policy can be seen at https://www.taggun.io/privacy.

You may access your personal information that is held by Inlogik and seek correction of such information by approaching our Privacy Officer (see below). Information will be provided unless we are not required to do so by the Privacy Requirements (for example because your request is vexatious, or we are prevented by law). We reserve the right to make a reasonable charge for providing the information where permitted by Privacy Requirements. You will be advised of that charge in advance.

Customer Data is generally retained in accordance with relevant law minimum requirements, and can be extended in contract with the Customer. Most contracts provide for retention for a maximum of 7 years unless otherwise agreed. Inlogik will make efforts to contact the Customer (on last known contact address) one month before destroying data. Data past its retention period is destroyed quarterly as per PCI DSS requirements.

Customer Data is shared with the Customer and the relevant bank. Personal information will not be provided except as permitted by this Policy. We do not otherwise sell or make Customer Data available to third parties outside Inlogik.

If you are an employee of a Customer, you may also want to approach a relevant Privacy Officer of your employer.

BUSINESS DATA

We also receive information which is not Customer Data or Employee Data, which is classified as Business Data. The following applies to Business Data:

• The kind of personal information which we collect is information to contact you (such as name and contact details), and relating to your position and role, including in some cases details of relevant experience to identify whether you might be interested in talking to us.
• Inlogik collects that information when you or your employer provides it to us. In some cases we may obtain it from public data, or a third party may also provide it to us recommending you as a person we might or should contact in the way of business.

Inlogik will hold that information in its CRM system or other systems and may also hold details in a physical file relating to your employer.

• Inlogik collects, holds, uses, processes and discloses that information only for the purposes of providing services to you or your employer, including responding to queries in a timely manner, supporting services, keeping you informed of opportunities, and any other use where you have consented to that use, or where it is a related use to that for which it was connected, which you would reasonably expect from us.
• You may access your personal information that is held by Inlogik and seek correction of such information by contacting our Privacy Officer (see below). Information will be provided unless we are not required to do so by the Privacy Requirements (for example because your request is vexatious or we are prevented by law). We reserve the right to make a reasonable charge for providing the information.

GIVING INLOGIK OTHER PEOPLE’S PERSONAL INFORMATION

Anybody giving personal information to Inlogik is asked to ensure, and confirm to us, that that person has consented to the information being given, and directed to this privacy policy.

Personal information should be given to Inlogik securely and will be stored securely.

DISCLOSURE GENERALLY

We may disclose information subject to Privacy Requirements to related bodies corporate (i.e. members of Inlogik).

We may send you information about various products and services if you elect to receive our e-letters. However at all times you will have the option to unsubscribe.

We will not sell, trade or rent your personal information to third parties independent from our business.

OVERSEAS

Inlogik’s aim is to support the system in the country where it has operations. UK and European data is handled by our UK office. Information stored/processed in all jurisdictions may be accessed by Australian employees if required in assisting, or providing support or technical assistance.

Customer Data is hosted, stored and processed in encrypted form in the agreed jurisdiction. Data will not be hosted, processed or stored outside of agreed jurisdiction without consent from Customer (or Data Controller).

Only UK and European personal information is accessible by our UK staff. Personal Information is not likely to be disclosed to overseas recipients. Limited data may be sent by Inlogik entities outside Australia to Australian experts in an encrypted form to assist in resolving any service issues.

Information might be accessed from overseas by a person with appropriate authorisation. For example authority may be given by your employer to a person overseas.

PRIVACY REQUIREMENTS

EUROPEAN UNION PRIVACY REQUIREMENT

European law includes certain rights summarised below:

• Right of Consent – the controller shall be able to demonstrate that you have consented to processing of his or her personal data.
• Right of Access – an obligation to confirm to you whether or not your personal data is being processed, where and for what purpose, and to provide a copy of that personal data, free of charge, in an electronic format.
• Right of Rectification – the right to obtain from the controller without undue delay the rectification of inaccurate personal data. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
• Right to be Forgotten/Data Erasure – an obligation on your request to erase your personal data, cease further dissemination of that data, and potentially have third parties halt processing of that data; but this is subject to legal requirements to retain your personal data.
• Data Portability – the obligation to give you personal data, which you have previously provided, in a common use and machine readable format.
• Right to Restriction of Processing – You can request from Inlogik that your personal data be restricted from any further processing for any of the following: (i) you state that the personal data Inlogik has about you is incorrect, (but only for a period enabling Inlogik to verify its accuracy), (ii) no controller needs your personal data for the purposes of processing, (iii) your personal data is no longer required but you require us to retain them in relation to legal claims or (iv) in case where you object to our processing of your personal data, pending verification of our right to do so.
• Right to Object – the right to object to processing of your personal data, but this is subject to conditions under those requirements to retain information.
• Right to lodge complaint – You can lodge a complaint with the data protection authority of the country where you live or with the data protection authority of the country or state where your controller collected your personal data is registered.

PRIVACY REQUIREMENTS GENERALLY

Different jurisdictions have requirements which vary slightly in detail from jurisdiction to jurisdiction) but generally cover data protection and security of processing. Mandatory Breach Notification is an example where different jurisdictions impose rules with slight differences as to timing, and requirements for notification. Data will not be hosted, processed or stored outside of agreed jurisdiction without consent from Customer/Data Controller.

WEBSITE

Inlogik may use cookies to enhance your experience of our website, to analyse the use of our website through Google Analytics software, and to authenticate and assist users authorised to modify the site.

The cookies our website uses do not collect any information such as your name, address, email address, or any other contact details.

Note some key client contacts are invited to use sites hosted by Hubspot. Before use they must consent to certain cookies. The website https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser sets out details of the cookies used (noting Inlogik only uses Necessary and Analytical cookies and not Functional cookies such as Webchat and Advertisement cookies).

To fully disable cookies on our website you will need to change the settings in your website browser.

CHANGES TO OUR POLICY

We may update this policy. Where we do so, we will publish the current policy on our website.

ANONYMOUS OR PSEUDONYM INTERACTIONS

We will consider anonymous, pseudonym or confidential requests. However Customer Data is not the property of Inlogik, and there will be practical limits to the information which can be provided in relation to an anonymous, pseudonymous or confidential request. In such a situation we believe it may be appropriate to refer that request, with the requester’s consent, to the relevant Customer.

ISSUE RESOLUTION AND COMPLAINTS

If you have a concern about how we handle your personal information, or suspect possible a breach of this Policy, the APPs, or any other Privacy Requirement, please contact our Privacy Officer to give us an opportunity to resolve the issue.

If you are not satisfied with the result, you may contact the relevant authority, and we will seek to work with that relevant authority. The relevant authority in Australia is The Office of the Australian Information Commissioner, telephone 1300 363 992, email enquiries@oaic.gov.au, and postal address GPO Box 5218, Sydney NSW 2001.

DEFINITIONS

In this Policy:

• APPs means the Australian Privacy Principles set out in the Privacy Act 1988.
• Inlogik, we, us and our refers to Inlogik Group Pty Limited and its subsidiaries.
• personal information refers to any information or an opinion whether true or not, and whether recorded in material form or not, about an identified individual, or an individual who is reasonably identifiable.
• PCI DSS refers to the latest version of an international standard used by the card industry in relation to the security of data, including requirements such as system security and monitoring.
• the Privacy Requirements means the APPs, data protection laws and by comparable laws and principles in other jurisdictions to which the operations of Inlogik relate including legal and any other binding requirements of the United States of America, the United Kingdom, the European Union and New Zealand. As an example of Privacy Requirements, the full text of the APPs can be seen at oaic.gov.au
• GDPR means the General Data Protection Regulation which is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
• You and your means the individual to whom the personal information relates. You are also known as the ‘data subject’ in GDPR and may be referred to as a ‘user’ of the system
• Privacy Officer is also known as the Data Protection Officer