Privacy Policy

INLOGIK GROUP PTY LIMITED

SCOPE

This policy applies to Inlogik, which includes Inlogik Group Pty Limited and its subsidiary companies around the world.

It sets out how we treat privacy generally, and includes special rules for information contained in Customer Data which is defined below. Privacy in relation to our employees’ information is covered in a separate policy.

All Inlogik employees must understand and comply with this policy.

THE BASIC PRINCIPLES

In this policy ‘you’ is the individual whose personal information is involved.

Personal information about you will only be collected from you, unless it is unreasonable or impractical to obtain it from you. Where it is obtained from somewhere else, you should receive notice that we have obtained it. Inlogik employees must promptly consider whether unsolicited personal information could have been collected as above. If not, they should destroy or de-identify it as soon as practicable after receipt (unless it is illegal to do so or retention is approved by our Privacy Officer).

Personal information is only used or disclosed for the purpose for which it is collected (or a secondary purpose related to that purpose for which you would reasonably expect it to be used or disclosed), or with your consent or as required by law (for example under a warrant or court order).

Inlogik is bound by the Privacy Requirements (which includes Australian Privacy Principles and other international privacy obligations). We have adopted internal policies and procedures to ensure that personal information we collect, store, use and disclose is dealt with in accordance with the Privacy Requirements. Our general intention is to meet a common standard everywhere which, as far as reasonably possible, meets the highest standard required in any jurisdiction where we operate. However special provisions for jurisdictions may be inserted to this policy or procedures as required.

We do not collect, store, use or disclose sensitive personal information. Sensitive personal information includes information or opinions about an individual’s racial or ethnic origin, political opinions or associations, religious beliefs or affiliations, philosophical beliefs, trade and professional memberships, sexual preferences or practices, criminal record or health, genetic or biometric information.

DATA PROTECTION OFFICER (DPO) and Privacy Officer

Inlogik's Head of Risk is the Data Protection Officer (aka Privacy Officer) who may be contacted at dg-head-of-risk@inlogik.com; or you may contact our group Privacy Team at any time at privacy@inlogik.com

THE INLOGIK BUSINESS & CUSTOMER DATA

Inlogik provides expense and card management services for organisations (called Customers), including working with banks. These services are branded ProMaster and Inlogik or whitelabel under the name of a bank or issuers. We do not deal with individual or retail customers. Our head office is in Australia, but Inlogik has operations in the US and the UK, and receives data from other jurisdictions.

Services are provided as hosted software. It is a system into which employees of organisations enter data. The system also receives data feeds relating to expenses transactions and cards from the relevant card schemes and banks and the HR structure of organisations from client organisations.

The information in the system is referred to in this policy as Customer Data. It is owned by the Customer (or in some cases a bank), but is still subject to Privacy Requirements in respect of personal information.

The system records transactions related to Customer’s employees. The information is presented in a form for review by the employee, or entered by the employee for approval and for the generation of reports from the system. Personal information is entered by or in relation to the employee relating to applications for cards, and for verification relating to access to the system. Information is hosted on a managed secure third-party hosting facility in Australia, where the hosting facility employees do not have access to any personal information.

Inlogik ensures that Customer Data is encrypted in transit and at rest, stored securely and handled in accordance with PCI DSS requirements [which includes encryption of card and bank account information and hashing (that is not decryptable) of password information] and applicable legislation relating to data security. Privacy Requirements are closely related to data security, but must still be considered separately.

Inlogik also provides some services to organisations related to insurance and travel. These operations are similar to our Inlogik business in that they involve hosted software services in which clients enter information. Those operations also comply with applicable Privacy Requirements and data security legislation, but are not subject to PCI DSS.

HOW CUSTOMER DATA IS TREATED

The kind of personal information we collect and hold is:

  • name, email address, date of birth, phone, business address, card limits, and reporting lines;
  • information entered by the user which may include details such as drivers licence and security questions (and answers);
  • transactions and approvals relating to Customer expenses and other expenses recorded in a card feed; and
  • events and requests relating to cards in the system, including invoices or receipts.

Inlogik collects some personal information from the Customer or bank when establishing a service or creating a file for you in the service. This will typically identify you and be used in identifying you to give you access to the system. You will then enter into the system and will be asked to provide other information. You or your employer may also provide information in seeking to resolve any support issue. By using the system you will be consenting to use of your personal information in accordance with this policy. If you do not consent you will not be able to use the functions of the system. Where applicable under Privacy Requirements, more formal consent will be sought.

Feeds of data will also provide details of expense and card transactions, your reporting lines, and information in relation to your card (such as limits).

Inlogik holds that information in a database set aside for the Customer including backups as part of our Business Continuity Plan.

Inlogik collects, holds, uses and discloses that information for the purpose of providing the functions of the service, including recording and authorising transactions, and preparing reports. This may include solving any issues in relation to the operation of the service, including complaints handling;

  • verifying entitlement to access the information on the service, and preventing unauthorised access or change;
  • providing newsletters and updated information provided that you have elected to receive this (and have not unsubscribed); and
  • data analytics (in a form not disclosing personal information).

Customer Data is shared with the Customer and the relevant bank. Personal information will not be provided except as permitted by this Policy. We do not otherwise sell or make Customer Data available to third parties outside Inlogik.

You may access your personal information that is held by Inlogik and seek correction of such information by approaching our Privacy Officer (see below). Information will be provided unless we are not required to do so by the Privacy Requirements (for example because your request is vexatious or we are prevented by law). We reserve the right to make a reasonable charge for providing the information.

If you are an employee of a Customer, you may also want to approach a relevant Privacy Officer of your employer.

Customer Data is generally retained in accordance with relevant law minimum requirements, and can be extended in contract with the Customer. Most contracts provide for retention for 7 years unless otherwise agreed. Inlogik will make efforts to contact the Customer (on last known contact address) before destroying data. Data past its retention period is destroyed quarterly as perPCI DSS requirements.

BUSINESS DATA

We also receive information which is not Customer Data or Employee Data, which is classified as Business Data. The following applies to Business Data:

  • The kind of personal information which we collect is information to contact you (such as name and contact details), and relating to your position and role, including in some cases details of relevant experience to identify whether you might be interested in talking to us.
  • Inlogik collects that information when you or your employer provides it to us. In some cases we may obtain it from public data, or a third party may also provide it to us recommending you as a person we might or should contact in the way of business.

Inlogik will hold that information in its CRM system or other systems and may also hold details in a physical file relating to your employer.

  • Inlogik collects, holds, uses and discloses that information only for the purposes of providing services to you or your employer, including responding to queries, supporting services, keeping you informed of opportunities, and any other use where you have consented to that use, or where it is a related use to that for which it was connected, which you would reasonably expect from us.
  • You may access your personal information that is held by Inlogik and seek correction of such information by contacting our Privacy Officer (see below). Information will be provided unless we are not required to do so by the Privacy Requirements (for example because your request is vexatious or we are prevented by law). We reserve the right to make a reasonable charge for providing the information.

GIVING INLOGIK OTHER PEOPLE’S PERSONAL INFORMATION

Anybody giving personal information to Inlogik is asked to ensure, and confirm to us, that that person has consented to that the information being given, and directed to this privacy policy.

Personal information should be given to Inlogik securely and will be stored securely.

DISCLOSURE GENERALLY

We may disclose information subject to Privacy Requirements to related bodies corporate (i.e. members of Inlogik).

We may send you information about various products and services if you elect to receive our e-letters. However at all times you will have the option to unsubscribe.

We will not sell, trade or rent your personal information to third parties independent from our business.

OVERSEAS

Inlogik's aim is to support the system in the country where it has operations. UK and European data is handled by our UK office. Information may be accessed by Australian employees if required in assisting or providing technical assistance to the UK employees.

Information is hosted in encrypted form in Australia.

Only UK and European personal information is accessible by our UK staff. Personal Information is not likely to be disclosed to overseas recipients. Limited data may be sent by Inlogik entities outside Australia to Australian experts in an encrypted form to assist in resolving any service issues.

Photos for optical reading will be transmitted to a subcontractor in the United States for processing.

Information might be accessed from overseas by a person with appropriate authorisation. For example authority may be given by your employer to a person overseas.

PRIVACY REQUIREMENTS

EUROPEAN UNION PRIVACY REQUIREMENT

European law includes certain rights summarized below:

  • Right of Consent - the controller shall be able to demonstrate that you have consented to processing of his or her personal data;
  • Right of Access – an obligation to confirm to you whether or not your personal data is being processed, where and for what purpose, and to provide a copy of that personal data, free of charge, in an electronic format;
  • Right of Rectification – the right to obtain from the controller without undue delay the rectification of inaccurate personal data. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement;
  • Right to be Forgotten/Data Erasure – an obligation on your request to erase your personal data, cease further dissemination of that data, and potentially have third parties halt processing of that data; but this is subject to legal requirements to retain your personal data;
  • Data Portability – the obligation to give you personal data, which you have previously provided, in a common use and machine readable format.
  • Right to Restriction of Processing – You can request from Inlogik that your personal data be restricted from any further processing for any of the following: (i) you state that the personal data Inlogik has about you is incorrect, (but only for a period enabling Inlogik to verify its accuracy), (ii) no controller needs your personal data for the purposes of processing, (iii) your personal data is no longer required but you require us to retain them in relation to legal claims or (iv) in case where you object to our processing of your personal data, pending verification of our right to do so.
  • Right to Object - the right to object to processing of your personal data, but this is subject to limitations (such as overriding legitimate grounds).
  • Right to lodge complaint - You can lodge a complaint with the data protection authority of the country where you live or with the data protection authority of the country or state where your controller collected your personal data is registered.

Inlogik shall comply with these requirements subject to conditions under those requirements. In particular it is noted that the data held is not owned by Inlogik, so that in the case of the Right to be Forgotten/Data Erasure Inlogik will consult with the data owner to ascertain whether the right applies to that data.

PRIVACY REQUIREMENTS GENERALLY

Different jurisdictions have requirements which vary slightly in detail from jurisdiction to jurisdiction but generally cover data protection and security of processing. Mandatory Breach Notification is an example where different jurisdictions impose rules with slight differences as to timing, and requirements for notification.

WEBSITE

Inlogik may use cookies to enhance your experience of our website, to analyse the use of our website through Google Analytics software, and to authenticate and assist users authorised to modify the site.

The cookies our website uses do not collect any information such as your name, address, email address, or any other contact details.

To fully disable cookies on our website you will need to change the settings in your website browser.

CHANGES TO OUR POLICY

We may update this policy. Where we do so, we will publish the current policy on our website.

ANONYMOUS OR PSEUDONYM INTERACTIONS

We will consider anonymous, pseudonym or confidential requests. However Customer Data is not the property of Inlogik, and there will be practical limits to the information which can be provided in relation to an anonymous, pseudonymous or confidential request. In such a situation we believe it may be appropriate to refer that request, with the requester’s consent, to the relevant Customer.

ISSUE RESOLUTION AND COMPLAINTS

If you have a concern about how we handle your personal information, or suspect possible a breach of this Policy, the APPs, or any other Privacy Requirement, please contact our Privacy Officer to give us an opportunity to resolve the issue.

If you are not satisfied with the result, you may contact the relevant authority, and we will seek to work with that relevant authority. The relevant authority in Australia is The Office of the Australian Information Commissioner, telephone 1300 363 992, email enquiries@oaic.gov.au, and postal address GPO Box 5218, Sydney NSW 2001.

DEFINITIONS

In this Policy:

  • APPs means the Australian Privacy Principles set out in the Privacy Act 1988.
  • Inlogik, we, us and our refers to Inlogik Group Pty Limited and its subsidiaries.
  • personal information refers to any information or an opinion whether true or not, and whether recorded in material form or not, about an identified individual, or an individual who is reasonably identifiable.
  • PCI DSS refers to the latest version of an international standard used by the card industry in relation to the security of data, including requirements such as system security and monitoring.
  • the Privacy Requirements means the Australian APPs, data protection laws with and principles in other jurisdictions to which the operations of Inlogik relate including legal and any other binding requirements of the United States of America, the United Kingdom, the European Union and New Zealand. The full text of the APPs can be seen at www.oaic.gov.au.
  • You and your means the individual to whom the personal information relates.

CONTACT INFORMATION - PRIVACY OFFICER

If you wish to access any personal information that we hold about you, or have a query about this policy, or wish to put forward any concerns or suggestions, please contact our Privacy Officer.

Our Privacy Officer is: The Head of Risk, PO Box R202, Royal Exchange, NSW 1225, Australia, or Level 13, 20 Hunter Street, Sydney NSW 2000, Australia. Telephone +61 2 9225 1000 or email privacy@inlogik.com.

Employees should consult with and obtain direction from our Privacy Officer in relation to any uncertainty as to this Policy or the Privacy Requirements.

Richard Eskell

CEO

2018