Values
Inlogik Privacy Policy
Protecting your privacy is very important to Inlogik. This policy sets out the types of Personal Information we collect, the purpose for the collection of the Personal Information, the other parties we may share the information with and measures that we take to protect the security of the data. This policy also informs you how to contact us and tells you about your rights and choices with respect to your Personal Information.
Our commitment to Privacy is the same in each country we operate, however our practices may vary across countries to reflect local practices, regulations and legal requirements.
Inlogik is bound by Privacy Requirements in all countries we operate in. These include Australian Privacy Act and Privacy Principles, NZ Privacy Act, EU GDPR, UK GDPR, Canadian Federal and provincial statutes, US state and federal Privacy laws and other international privacy obligations. We have adopted internal policies and procedures to ensure that personal information we collect, store, use and disclose is dealt with in accordance with the privacy requirements of each region and our general intention is to meet a common standard everywhere which, as far as reasonably possible, meets the highest standard required in any jurisdiction where we operate. Special provisions for jurisdictions may be inserted to this policy or procedures where required by local laws and regulations.
Who we are and what we do
Inlogik is an Australian headquartered, global specialist software provider. Inlogik has operations in Australia, New Zealand, United States, Canada and United Kingdom.
Inlogik provides services which are used for the secure processing of Personal Information belonging to third parties. We do this in two ways –
| Software as a Service | Provided to | Purpose |
|---|---|---|
| Card Management for Corporate Credit Card Software Services | Service provided to banks and card providers | Management of Corporate Cards issued by Banking Institutions / Card Providers to allow for identification, validation and issuance of Corporate Credit Cards |
| Corporate Card Expense Management | Service provided to Employers | Management of Corporate Card Expense programs for employers to allow users to approval/processing of transactions. |
Our Brands
Our brands are:-
i) ExpenseMe
ii) Inlogik
iii) Or your bank or card provider may provide you with a white label product provided by Inlogik. Your bank will notify you where they utilise Inlogik services for Corporate Card and/or Expense Management before you enter into a contract.
Privacy by Design
Inlogik adopts the principle of Privacy by Design and incorporates technical and organisational measures at the earliest stages of design of software and processing activities to safeguard privacy and data protection principles right from the start. A Privacy Risk Assessment is carried out prior to any changes to the storage, processing, handling or collection of Personal Information.
Our Privacy and Security Accreditations
We take the Privacy and Security of your information very seriously. We hold the following accreditations and constantly work to maintain, and often exceed, these requirements
· ISO 27001– Information Security Management Systems.
· ISO 27701 – Privacy Information Management System
· PCI: DSS – Payment Card Industry Data Security Standard
· SOC 2 Type 2 – Service Organisation Control Type 2 (A cyber security compliance framework developed by the American Institute of Certified Public Accountants (AICPA) to ensure third party providers store and process client data securely.
Type of Personal Information we collect and how we use it.
Inlogik processes/collects Information
Typically, we receive data:-
· in a data feed from Banking and Employer partners for processing in our software as a service.
· from you or your employers bank when establishing a service or creating a file for you in the service
· from lead generation partners.
· We may collect Personal Information using Cookies and similar tracking technology on our website or from our CRM if you are provided access. To find out more about which Cookies we use, why and how you can control them, please visit our Cookie Declaration at https://www.inlogik.com/cookie-declaration
You provide Information
You may provide information/data when:-
· obtaining Help Desk support,
· coding transactions, or
· general maintenance of data in a software system.
· Visiting our website or LinkedIn page
· Entering your data on our website, LinkedIn page, and/or at an event or conference.
By using an Inlogik system you will be consenting to use of your personal information in accordance with this policy. If you do not consent, you will not be able to use the functions of the system.
| Types of Personal Information | Examples of What this may include and why we collect it |
|---|---|
| Personal and contact details | Name, email address, phone, business address, card limits, reporting lines. This information is collected to provide the identification details for the provision of corporate credit card services via your employer’s bank or employer, for solving any issues in the operation of the service including complaints or to investigate incidents.Date of birth may be collected if required by your bank to verify ID or if your employer has requested DOB details are collected to utilise Corporate Card Expense Management |
| Photographs, videos and audio recordings | When you contact our call centres we may record the call. This may include screen recording or screen shots on a video call. |
| Sensitive Information | We do not collect information relating to your citizenship, residency status and biometric data to verify your identity and authorise transactions unless requested by your bank or required by your banking regulator in your country. |
| Transaction information | Transactions and approvals relating to Customer expenses and other expenses recorded in a card feed from your Banking institution, Events and Requests relating to cards in the systems, including invoices or receipts and user file attachments, including attachments uploaded by you. |
| Interaction and behavioural information | Pages viewed and browsing behaviour on our websites and applications, how you navigate through our websites and interact with our webpages – including any training videos watched, fields completed in forms, |
| Digital (or electronic information) | The date and time of your visits to our webpages, geographical information, and information about the device used to access our webpages and how you interacted with our pages. This information is used to improve the features and usability of our websites and to comply with sanctions regulations. |
| Imported Data Feeds | From your employer’s bank, customers, card service providers with details of transactions, your (Company structure) reporting lines for approvals/approvers, information in relation to your card (such as credit limits), transaction details including date, merchant identification and amount and may include personal information based on the feed from your Bank. |
| Exporting data Feeds | Data exports (expense management systems) to feed information back into systems such as General Ledger as journals, Accounts Payable for payments, and other business related functions which are based on Customers’ requirements. |
| Employer HR Information | Employee title, Employee ID, Approver, Reporting lines |
| Entry of Information by you directly in our website or via email | This may include attachments and any information completed to access Inlogik services via your Employer’s Bank, Employer or directly and/or for participating in marketing programmes, geolocation data and/or your address. |
| Credit card management related functions for your bank or employers bank | Credit limit increases, new cards, cancel card, limit increase. |
| Registration and Payment information | Corporate Bank account number and BSB, corporate name on account and bank name and personal bank account number and BSB for reimbursement. This information is collected as an identifier for transactions. |
| Job Applicants | Related information when you apply for a job. |
How we Share your Personal Information
We do not “sell” your Personal Information to third parties.
We may provide your Personal Information to a sub-contractor or third party that provides features that you use in relation to the product and services or with your consent. All third parties or sub-contractors have been reviewed under the Inlogik Supplier Management Policy.
| Sub-contractor / Third Party | Purpose | |
|---|---|---|
| Microsoft Azure | Cloud Data Hosting | All data is encrypted at rest. Data centre employees do not have access to Personal Information. |
| Macquarie Data Centre | Cloud and Premises Data Hosting | All data is encrypted at rest. Data centre employees do not have access to Personal Information. |
| Taggun Limited | Optical Character Reader provider (eg photos of receipts or invoices) | Does not record or store data. Supplier Due Diligence undertaken for Suppliers to provide similar level of security. |
| Software and Software Service Providers | Software and programs that help us to provide our service – Customer Relationship Management software, Microsoft Office Suite, Accounting and Financial Software, Security Software | Supplier Due Diligence undertaken for Suppliers to provide similar level of security. |
| Collection Agencies | If you fail to make a payment and recovery of monies due under your agreement with us. | Your contact details and balance owing may be shared. |
| Law enforcement, government agencies | We will share Personal Information where required or authorised by law, regulation, governmental request or legal process | We will only share necessary information to comply. |
Where and how is your data stored
All customer data held or stored by Inlogik is encrypted in the following locations:
| CMP | EMS | |
|---|---|---|
| Imported Files or data feeds | Database for individual bank customer | Database for individual employer customer |
| Encryption of Data | All data is encrypted in transit and at rest on file storage | All data is encrypted in transit and at rest on file storage |
| Separate offsite backup data centre (cloud or physical) | All encrypted data is backed up to a separate data centre – either cloud or physical environment | All encrypted data is backed up to a separate data centre – either cloud or physical environment |
| Disaster recovery | All files and databases have a separate disaster recovery datacentre from the day to day datacentre | All files and databases have a separate disaster recovery datacentre from the day to day datacentre |
| PCI:DSS requirements | All data is handled in accordance with PCI:DSS. (Payment Card Industry Data Security Standard) | All data is handled in accordance with PCI:DSS. (Payment Card Industry Data Security Standard) |
| Hashing of Password Information | Passwords are stored as a one way hash value that cannot be reversed | Passwords are stored as a one way hash value that cannot be reversed |
| Geographic location of data | Managed, secure, third party data hosting facility in country of customer operations, unless otherwise agreed by Data Controller or Customer | Managed, secure, third party data hosting facility in country of customer operations, unless otherwise agreed by Data Controller or Customer |
How we transfer Personal Data Internationally
Personal Information we collect or store about you will typically be stored in the jurisdiction it was collected. We may have reason to transfer data internationally but will always take steps to ensure your personal information has equivalent levels of protection and rights as required under the country it was collected.
| Reason for Transfer Internationally | Jurisdiction |
|---|---|
| Support | Support is typically provided in the country of customer, unless a Disclosure to Overseas Recipient request has been authorised. |
| Access/Support by Australian based employees | Australian based Inlogik employees may provide support or expertise to other jurisdictions to resolve any service or technical issues |
| Disclosure to Overseas recipients – Inlogik Request | Following customer consent, limited encrypted data may be sent to an Inlogik employee or Third Party to assist in resolving any issues. |
| Disclosure to overseas recipients – Customer Request | Following consent from Data Controller (e.g. your employer, bank) authority may be given to provide encrypted data to a person overseas. |
| UK/European /EEA Data | UK/European /EEA data is handled by our UK office. Only UK/ European/EEA data is accessible by our UK staff, unless a Disclosure to Overseas recipient request has been authorised. We will only transfer data to a third party where we have approved transfer mechanisms in place to protect your personal data, including entering into the European Commissions Standard Contractual Clauses (https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en . ) |
Your Rights and Choices
Inlogik is typically a Data Processor and is required to follow instructions of a Customer / Data Controller to comply with requests for Rights in relation to Personal Information. Inlogik shall comply with reasonable requests in accordance with the regulations in the country of origin of request.
Where there is no Data Controller, for example you provided your details on a website query, Inlogik will comply with all reasonable requests in accordance with the regulations in the country of origin of request.
Anonymous or pseudonym interactions
We will consider anonymous, pseudonym or confidential requests. However, Customer Data is not the property of Inlogik, and there will be practical limits to the information which can be provided in relation to an anonymous, pseudonymous or confidential request. In such a situation we believe it may be appropriate to refer that request, with the requester’s consent, to the relevant Customer.
| Privacy Right | Request Requirements |
|---|---|
| Access, Correction or Deletion | Upon request from your Data Controller, or from you where there is no Data Controller, Inlogik will comply with all reasonable requests for access, correction, updates or deletion of your Personal Data |
| Objection | Upon request from your Data Controller, or from you where there is no Data Controller, Inlogik will comply with all reasonable requests for restriction of processing of your Personal Information |
| Withdraw Consent | Upon request from your Data Controller, or from you where there is no Data Controller, Inlogik will comply with all reasonable requests for Withdrawal of Consent. Withdrawing consent will not affect the lawful processing conducted prior to your withdrawal. |
| Provide Consent | We collect and use your data only where we have your consent, for the purposes for which it was collected or a secondary purpose that you would reasonably expect or as required by law. Your consent will be required and requested for all other use of data. Anybody (e.g. your bank, your employer) giving personal information to Inlogik is asked to ensure, and confirm to us, that that person has consented to that the information being given, and directed to this privacy policy. |
| Right to Lodge a Complaint | You have the right to lodge a complaint directly with the relevant Supervisory authority about how we process your personal data. |
| Stop receiving marketing materials | You are able to Unsubscribe from non-essential materials and communications on any email sent to you. To ensure we are able to contact you for any Legal notices (including cyber breach notifications), the Unsubscribe option will maintain your contact details for essential communications. If you wish not to receive any essential communications, please contact our Privacy Officer |
| Control Device Location, Tracking or other Cookies | Please see the Cookie Policy https://www.inlogik.com/cookie-declaration |
| Data Portability | UK and European data is handled by our UK office. Only UK and European data is accessible by our UK staff, unless a Disclosure to Overseas recipient request has been authorised or access/support is required to be provided by Inlogik Australian staff. |
| Data Retention | Data is generally retained in accordance with relevant law minimum requirements (typically 7 years) 6 months after termination of your contract or as otherwise agreed. Data past its retention period will be destroyed quarterly in accordance with PCI:DSS requirements. Customers will be contacted one month before destroying on the last known contact address. |
| Right to Non-Discrimination | You will not receive any discriminatory treatment when you exercise one of your privacy rights. |
UK/European Union/ EEA residents
The UK Data Protection Act of 2018 (DPA 2018) and the EU General Data Protection Regulation (GDPR) provide certain rights regarding the processing of personal data of EU/EEA/UK data subjects. This Privacy Notice applies if you are in the United Kingdom or a country that is a Member of the European Union or EEA, and supplements the information in the Privacy Notice.
Californian Data Rights
You have certain rights regarding Personal Information we collect or store about you. This Privacy Notice applies to those rights.
Inlogik Employees
Employees should consult with and obtain direction from our Privacy Officer in relation to any uncertainty as to this Policy or the Privacy Requirements.
Who to Contact
If you have a concern about how we handle your personal information, or suspect a possible breach of this Policy or Privacy Regulations, please contact our Privacy Officer to give us an opportunity to resolve the issue.
If you are not satisfied with the result, you may contact the relevant authority, and we will seek to work with that relevant authority.
Contact Details – Privacy@Inlogik.com or Suite 2/10, 20 Hunter Street, Sydney, NSW, 2000, Australia.
Change to this Policy
We may update this policy. Where we do so, we will publish the current policy on our website.
Definitions
In this Policy:
- Data Controller – the person(s) who determine the purposes for which and the way any personal data are, or are to be, processed. (GDPR terminology)
- Data Processor – the person(s), public authority, agency or any other body which processes personal data on behalf of the Data Controller. (GDPR terminology)
- Inlogik, we, us and our refers to Inlogik Group Pty Limited its subsidiaries and Affiliates. The Inlogik companies are:
- Inlogik Pty Ltd, (ABN 35 058 997 121) Suite 10, 20 Hunter Street, Sydney, NSW
- Inlogik Ltd (VAT 839 4959 63), Abbey House, 282 Farnborough Rd, Farnborough, UK, GU14 7NA
- Inlogik Inc (EIN 37-1794092) 224W W 35st, Ste 500 PMB290, New York, NY, 10001, USA
- Inlogik New Zealand Limited (8811410) Level 4, 123 Victoria Street, Christchurch Central, 8013 New Zealand
· Personal Information refers to any information or an opinion whether true or not, and whether recorded in material form or not, about an identified individual, or an individual who is reasonably identifiable.
- PCI DSS refers to the latest version of an international standard used by the card industry in relation to the security of data, including requirements such as system security and monitoring.
- GDPR means the General Data Protection Regulation (EU) which is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
- You and your means the individual to whom the personal information relates. You are also known as the ‘data subject‘ in GDPR and may be referred to as a ‘user‘ of the system.
- Privacy Officer is also known as the Data Protection Officer.