INLOGIK GROUP PTY LIMITED
This policy applies to Inlogik, which includes Inlogik Group Pty Limited and its subsidiary companies around the world.
It sets out how we treat privacy generally, and includes special rules for information contained in Customer Data which is defined below. Privacy in relation to our employees’ information is covered in a separate policy.
All Inlogik employees must understand and comply with this policy.
THE BASIC PRINCIPLES
In this policy ‘you’ is the individual whose personal information is involved.
Personal information about you will only be collected from you, unless it is unreasonable or impractical to obtain it from you. Where it is obtained from somewhere else, you should receive notice that we have obtained it. Inlogik employees must promptly consider whether unsolicited personal information could have been collected as above. If not, they should destroy or de-identify it as soon as practicable after receipt (unless it is illegal to do so or retention is approved by our Privacy Officer).
Personal information is only used or disclosed for the purpose for which it is collected (or a secondary purpose related to that purpose for which you would reasonably expect it to be used or disclosed), or with your consent or as required by law (for example under a warrant or court order).
Inlogik is bound by the Privacy Requirements (which includes Australian Privacy Principles and other international privacy obligations). We have adopted internal policies and procedures to ensure that personal information we collect, store, use and disclose is dealt with in accordance with the Privacy Requirements. Our general intention is to meet a common standard everywhere which, as far as reasonably possible, meets the highest standard required in any jurisdiction where we operate. However, special provisions for jurisdictions may be inserted into this policy or procedures as required.
We do not collect, store, use or disclose sensitive information. This is personal information which includes information or opinions about an individual’s racial or ethnic origin, political opinions or associations, religious beliefs or affiliations, philosophical beliefs, trade and professional memberships, sexual preferences or practices, criminal record or health, genetic or biometric information.
THE INLOGIK BUSINESS & CUSTOMER DATA
Inlogik provides expense and card management services for organizations (called Customers), including working with banks. These services are branded ProMaster and Inlogik. We do not deal with individual or retail customers. Our head office is in Australia, but Inlogik has operations in the US and the UK, and receives data from other jurisdictions.
Services are provided as hosted software. It is a system into which employees of organisations enter data. The system also receives data feeds relating to expenses transactions and cards from the relevant card schemes and banks and the HR structure of organisations from client organisations.
The system records transactions related to Customer’s employees. The information is presented in a form for review by the employee, or entered by the employee for approval and for the generation of reports from the system. Personal information is entered by or in relation to the employee relating to applications for cards, and for verification relating to access to the system. Information is hosted on a managed secure third party hosting facility in Australia, where the hosting facility does not have access to the encrypted data.
The information in the system is referred to in this policy as Customer Data. It is owned by the Customer (or in some cases a bank), but is still subject to Privacy Requirements in respect of personal information.
Inlogik ensures that Customer Data is encrypted in transmission, kept securely and handled in accordance with PCI DSS requirements (which includes encryption of card, bank account and password information) and applicable legislation relating to data security. Privacy Requirements are closely related to data security, but must still be considered separately.
Inlogik also provides some services to organisations related to insurance and travel. These operations are similar to our Inlogik business in that they involve hosted software services in which clients enter information. Those operations also comply with applicable Privacy Requirements and data security legislation, but are not subject to PCI DSS.
HOW CUSTOMER DATA IS TREATED
1. The kind of personal information we collect and hold is:
- name, email address, date of birth, business address, card limits, and reporting lines;
- information entered by the user which may include details such as drivers licence and security questions (and answers);
- transactions and approvals relating to Customer expenses and other expenses recorded in a card feed; and
- events and requests relating to cards in the system, including invoices or receipts.
2. Inlogik collects some personal information from the Customer or bank when establishing a service or creating a file for you in the service. This will typically identify you and be used in identifying you to give you access to the system. You will then enter into the system and will be asked to provide other information. You or your employer may also provide information in seeking to resolve any support issue. By using the system you will be consenting to use of your personal information in accordance with this policy. If you do not consent you will not be able to use the functions of the system.
Feeds of data will also provide details of expense and card transactions, your reporting lines, and information in relation to your card (such as limits).
Inlogik holds that information in a database set aside for the Customer including backups as part of our Business Continuity Plan.
3. Inlogik collects, holds, uses and discloses that information for the purpose of:
- providing the functions of the service, including recording and authorising transactions, and preparing reports. This may include solving any issues in relation to the operation of the service, including complaints handling;
- verifying entitlement to access the information on the service, and preventing unauthorised access or change;
- providing newsletters and updated information provided that you have elected to receive this (and have not unsubscribed); and
- data analytics (in a form not disclosing personal information).
Customer Data is shared with the Customer and the relevant bank. Personal information will not be provided except as permitted by this Policy. We do not otherwise sell or make Customer Data available to third parties outside Inlogik.
4. You may access your personal information that is held by Inlogik and seek correction of such information by approaching our Privacy Officer (see below). Information will be provided unless we are not required to do so by the Privacy Requirements (for example because your request is vexatious or we are prevented by law). We reserve the right to make a reasonable charge for providing the information.
If you are an employee of a Customer, you may also want to approach a relevant Privacy Officer of your employer.
5. If you have entered photographs of any receipt or invoice into our system for optical reading, that information may be transmitted outside Australia for machine or manual reading. Our current service provider is situated in the US. By entering the photo for optical reading, you are consenting to that transfer.
6. Customer Data is generally retained in accordance with the contract with the Customer. Most contracts provide for retention for 7 years. Inlogik will make efforts to contact the Customer (on last known contact address) before destroying data.
We also receive information which is not Customer Data or Employee Data, which is classified as Business Data. The following applies to Business Data:
- The kind of personal information which we collect is information to contact you (such as name and contact details), and relating to your position and role, including in some cases details of relevant experience to identify whether you might be interested in talking to us.
- Inlogik collects that information when you or your employer provides it to us. In some cases we may obtain it from public data, or a third party may also provide it to us recommending you as a person we might or should contact in the way of business.
- Inlogik will hold that information in its CRM system or other systems and may also hold details in a physical file relating to your employer.
- Inlogik collects, holds, uses and discloses that information only for the purposes of providing services to you or your employer, including responding to queries, supporting services, keeping you informed of opportunities, and any other use where you have consented to that use, or where it is a related use to that for which it was connected, which you would reasonably expect from us.
- You may access your personal information that is held by Inlogik and seek correction of such information by contacting our Privacy Officer (see below). Information will be provided unless we are not required to do so by the Privacy Requirements (for example because your request is vexatious or we are prevented by law). We reserve the right to make a reasonable charge for providing the information.
GIVING INLOGIK OTHER PEOPLE’S PERSONAL INFORMATION
We may disclose information subject to Privacy Requirements to related bodies corporate (i.e. members of Inlogik).
We may send you information about various products and services if you elect to receive our e-letters. However at all times you will have the option to unsubscribe.
We will not sell, trade or rent your personal information to third parties independent from our business.
Inlogik's aim is to support the system in the country where it has operations. UK and European data is handled by our UK office. Information may be accessed by Australian employees if required in assisting, or providing technical assistance, to the UK employees.
Information is hosted in encrypted form in Australia.
Only UK and European personal information is accessible by our UK staff. Personal Information is not likely to be disclosed to overseas recipients. Limited data may be sent by Inlogik entities outside Australia to Australian experts in an encrypted form to assist in resolving any service issues.
Photos for optical reading will be transmitted to a subcontractor in the United States for processing.
Information might be accessed from overseas by a person with appropriate authorisation. For example authority may be given by your employer to a person overseas.
The cookies our website uses do not collect any information such as your name, address, email address, or any other contact details.
To fully disable cookies on our website you will need to change the settings in your website browser.
CHANGES TO OUR POLICY
We may update this policy. Where we do so, we will publish the current policy on our website.
ANONYMOUS OR PSEUDONYM INTERACTIONS
We will consider anonymous, pseudonym or confidential requests. However Customer Data is not the property of Inlogik, and there will be practical limits to the information which can be provided in relation to an anonymous, pseudonymous or confidential request. In such a situation we believe it may be appropriate to refer that request, with the requester’s consent, to the relevant Customer.
ISSUE RESOLUTION AND COMPLAINTS
If you have a concern about how we handle your personal information, or suspect a possible breach of this Policy, the APPs, or any other Privacy Requirement, please contact our Privacy Officer to give us an opportunity to resolve the issue.
If you are not satisfied with the result you may contact the relevant authority, and we will seek to work with that relevant authority. The relevant authority in Australia is The Office of the Australian Information Commissioner, telephone 1300 363 992, email firstname.lastname@example.org, and postal address GPO Box 5218, Sydney NSW 2001.
In this Policy:
- APPs means the Australian Privacy Principles set out in the Privacy Act 1988.
- Inlogik, we, us and our refers to Inlogik Group Pty Limited and its subsidiaries.
- personal information refers to any information or an opinion whether true or not, and whether recorded in material form or not, about an identified individual, or an individual who is reasonably identifiable.
- PCI DSS refers to the latest version of an international standard used by the card industry in relation to the security of data, including requirements such as system security and monitoring.
- the Privacy Requirements means the APPs and comparable laws and principles in other jurisdictions to which the operations of Inlogik relate, including legal and any other binding requirements of the United States of America, the United Kingdom, the European Union and New Zealand. The full text of the APPs can be seen at www.oaic.gov.au.
- You and your means the individual to whom the personal information relates.
CONTACT INFORMATION - PRIVACY OFFICER
If you wish to access any personal information that we hold about you, or have a query about this policy, or wish to put forward any concerns or suggestions, please contact our Privacy Officer.
Our Privacy Officer is: The Executive Director, PO Box R202, Royal Exchange, NSW 1225, Australia, or Level 13, 20 Hunter Street, Sydney NSW 2000, Australia. Telephone +61 2 9225 1000 or email email@example.com.
Employees should consult with and obtain direction from our Privacy Officer in relation to any uncertainty as to this Policy or the Privacy Requirements.