Effective date: 1 July 2018
- The information outlines how we, Incent Loyalty Pty Ltd, ACN 617 123 636 (“Incent Loyalty”,”us”, “our” or “we”), an Australian incorporated company, comply with the requirements of:
- the Privacy Act 1988 (Cth); and
- the Australian Privacy Principles, in protecting and maintaining the personal information we hold about you.
- Personal information is any information or opinion about you from which you could reasonably be identified. For example, this may include your name, email address, residential address and contact details. Personal information includes sensitive information such as:
- your racial or ethnic origin;
- political opinions or membership of political associations;
- religious or philosophical beliefs;
- membership of a professional or trade association or trade union;
- sexual orientation or criminal record; and
- health, biometric information, and genetic information.
Sensitive information is subject to stricter requirements under the Privacy Act 1988.
We will work to protect your personal and sensitive information in accordance with the Australian Privacy Principles
and the Privacy Act 1988.
By providing your personal information to us, you consent to us collecting, using and disclosing your personal
Purposes of collecting personal information
- We collect, hold, use and disclose personal and/or sensitive information for the following purposes:
- to provide you with/administer the products and services you request;
- unless you tell us otherwise, to provide information on products and services offered by us, and external product and service providers for whom we act as agent (if you have provided us with your email or mobile phone details, we may provide information to you electronically with respect to those products and services);
monitoring and evaluating products and service;
- gathering and aggregating information for statistical, actuarial and research purposes;
- assisting you with queries;
- taking measures to detect and prevent fraud;
- for compliance and risk management purposes;
- to help prevent and detect illegal activity;
- to comply with our regulatory obligations, including customer verification under Anti-money laundering laws;
- for any purpose related to the above.
- We may de-identify the information in your Account and your Rewards Profile and share it with third parties on an aggregate basis. For the purposes of this provision, ‘Aggregate basis’ means the information of many members is combined to form one measurement or quantity that cannot be used to identify any person. For example, a client may be told that their advertising campaign is going to be received by 1,000 members between 18 and 25 years of age, and received by 500 members between 25 and 45 years of age.
- If you do not provide us with the personal information we request, you will not be able to become a verified member of
the Service and/or we may not be able to provide you with the services you have requested. In this case the service may be restricted and/or account may be closed. Any INCNT accumulated may be forfeited /lost permanently, and Incent Loyalty will not be held responsible should this occur.
- We may ask you to review and update your personal information on a regular basis e.g. new ID number, new expiry date, new address/phone number etc. If you do not update the personal information we request, we may suspend or cancel your membership. Any INCNT accumulated may be forfeited/lost permanently, and Incent Loyalty will not be held responsible should this occur.
Direct marketing and communication
- We may use or disclose personal information we hold about you for the purpose of direct marketing. Direct marketing means that we can use your personal information to provide you with information on our products and services that may interest you. This may take the form of emails, SMS, mail or other forms of communication, in accordance with the Spam Act and the Privacy Act.
- You will receive direct marketing emails from us whether as a direct result of data profiling, or general blanket direct marketing. If you wish to opt-out of receiving marketing information or any communication from us altogether, you can email us on [email protected] or by selecting the appropriate option on our website. Your op-out of receiving direct marketing material will not affect other membership features, but you may miss out on promotions or other opportunities.
Information we may collect
- The personal and sensitive information we collect generally consists of name, physical address, date of birth, gender, social media accounts, occupation, education, contact details (including telephone, and e-mail), the actual image of the identification document (e.g. passport, driver’s license, utility bills etc) internet use, shopping preferences/ habits, financial information, banking transactional information, Identification Information such as License/passport number, expiry date etc. We will also collect and maintain your specific purchase transactions completed in third party platform(s) for INCNT allocation and verification purposes.
- We also collect information about your internet use. This information includes the URL of any website you visit, and how long you spend on any website, if you make purchases online, other online behaviour. We will only collect the root URL of any website you visit, and will not collect information of any subpages of any website.
- We are required to identify you if you wish to become a verified member and receive INCNT. Anti-money laundering laws may require us to sight and/or record details of certain documents (i.e. photographic and non-photographic documents such as drivers’ licence, passport, birth certificate) in order to meet the standards set under those laws.
How we collect information
- We will only collect personal information about you directly from you (rather than someone else), unless it is unreasonable or impracticable to do so. For example, in order to verify your identity, we will need to collect information from a third party such as a digital identity service provider and other sources we deem fit and necessary.
- We may collect information when you:
- download/Install/have not objected to the “use” of our Applications/toolbars/plug-in/Add on/Cookies on all your devices (e.g. personal computers, laptop computers, tablets, smartphones etc). The definition of “use” may include passive “use” such as allowing the toolbar/cookies running in the background;
- communicate with us through phone calls, correspondence, email, update your personal information online or when you share information with us from other social applications, services or websites; or
- fill out a membership application form with us, complete a survey (including electronically) or provide further information to support your membership application or as otherwise requested by us e.g. sharing of social network/media (e.g. Facebook, Linkedin, Twitter etc).
- make purchase(s) through our dedicated URL from the relevant merchant.
- authorise Incent Loyalty to obtain your bank/financial transaction details (directly or through an independent third party) to verify the eligible transaction or for other data analytical (in aggregate) purpose.
- authorise Incent Loyalty under this policy to perform ID verification Independent identification verification service. The verification service provider may have access to various government or non- government registers to which Incent Loyalty does not have direct access.
Disclosure of personal information
- The entities we may exchange your personal information with include but are not limited to:
- affiliated product and service providers and external product and service providers for whom we act as agent;
- external product or service providers that help us to provide our services, including supporting systems or
- auditors/consultants we appoint to ensure the integrity of our operations;
- any person acting on your behalf, including your solicitor, settlement agent, accountant, executor, administrator,
trustee, guardian or attorney;
- other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required,
authorised or permitted by law;
- other organisations who in conjunction with us provide products and services (so that they may provide their products
and services to you);
- service providers with whose applications we have integrated; and
- Independent Identification verification provider(s) to verify the information you have provided is true, accurate and up to date.
- We may disclose personal information if we outsource certain functions, including bulk mailing, market research, direct marketing, statement production, and information technology support. We also seek expert help from time to time to help us improve our systems, products and services.
- In all circumstances where personal information may become known to our contractors, agents and outsourced service providers, there are confidentiality arrangements in place. Contractors, agents and outsourced service providers are not able to use or disclose personal information for any purposes other than our own.
Disclosing personal information to cross-border recipients
- We may disclose personal information outside of Australia to various service providers (e.g. email service provider(s)) or suppliers that we may engage. The service providers may or may not be located in Australia and it may not be possible for us to inform you of any cross border changes in a timely manner.
- We will take reasonable steps to ensure that any overseas recipient will deal with such personal information in a way that is consistent with the Australian Privacy Principles.
- Please refer to the appendix of this policy (below) to the countries to which we may disclose your personal information, if any. The list may be changed without, or under very short, notice.
Security of personal information
- We may hold your personal information in either electronic or hard copy form. We are committed to ensure that we protect any personal information we hold from misuse, interference, loss, unauthorised access, modification and disclosure.
- Accordingly, we have a range of practices and policies in place to provide a robust security environment. We ensure the adequacy of these measures by regularly reviewing them on an ongoing basis.
- If you are being directed to an external site for various reasons, included but not limited to: making eligible purchases (e.g. on merchant sites); and ID verification (e.g. Australia Digital ID/Trulioo), the responsibility of personal information security resides with that independent third party. Incent Loyalty does not have control over, and therefore will not be held responsible for another entity’s information security.
- Our security measures include, but are not limited to:
-educating our staff as to their obligations with regard to your personal information;
passwords when accessing our systems;
- encrypting data sent from your computer to our systems during Internet transactions and customer access codes transmitted across networks;
- employing firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses from entering our systems;
- destroying and de-identifying data when it is no longer required, or the mandatory record keeping time frame (typically 7 years) has elapsed;
- using dedicated secure networks or encryption if we transmit electronic data for purposes of outsourcing; and
- providing secure storage for physical records.
However, we cannot guarantee the security of your information.
Adoption, use, or disclosure of government identifiers
- We will not adopt a government related identifier of an individual as our own identifier unless required or authorised to do so by or under an Australian law, regulation or court/tribunal order.
- Before using or disclosing a government related identifier of an individual, we will ensure that such use or disclosure is reasonably necessary for us to verify your identity for the purposes of our activities or functions or required or authorised by law.
Access to, control and correction of, personal information
- You can request us to provide you with access to the personal information we hold about you. If we deny you access to your personal information, we will let you know why.
- Requests for access to limited amounts of personal information, such as checking to see what address or telephone number we have recorded, can generally be handled over via the online platform or the telephone. Online access of your personal information will generally be free of charge.
- If you would like to request access to more substantial amounts of personal information such as details of what is recorded in your account file, we will require you to complete and sign a “Request for Access to Personal Information” form.
- Following receipt of your request, we will provide you with an estimate of the charge for processing your request and confirm that you want to proceed. We will not charge you for making the request for access. Any processing charge will reflect the costs we incur in giving you access to the requested personal information.
- We will respond to your request as soon as possible and in the manner requested by you. We will endeavour to comply with your request within 14 calendar days of its receipt but, if that deadline cannot be met owing to exceptional circumstances, your request will be dealt with within 30 calendar days. It will help us provide access if you can tell us what you are looking for.
- You may be required to provide officially certified documents such as marriage certificate, change of name certificate etc. should you require any name change. There may be a fee involved, as change of name may require re-verification of identity with an external identity provider.
- Data Portability is the ability to obtain your information in a format you can move from one service provider to another (e.g. when you transfer your telephone mobile (‘cell’) account to another carrier). We will provide you with an electronic file of your basic account information upon your written request in a format that is mutually convenient and/or technically possible.
- Your identity will be confirmed before access to the information held about you, and any data portability can be provided.
Refusal to give access, and other means of access
- In particular circumstances we are permitted by law to deny your request for access, or limit the access we provide. We will let you know why your request is denied or limited if this is the case. For example, we may give an explanation of a commercially sensitive decision rather than direct access to evaluative information connected with it.
- If we refuse to give access to the personal information or to give access in the manner requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.
- Additionally, we will endeavour to give access in a way that meets both yours and our needs.
Correction of personal information
- We will correct all personal information that we believe to be inaccurate, out of date, incomplete, irrelevant or misleading given the purpose for which that information is held or if you request us to correct the information.
- Please contact us if any of the details you have provided to us change, or if you believe that the information we have about you is not accurate or up to date.
- If we correct your personal information that we previously disclosed to another APP entity you can request us to notify the other APP entity of the correction. Following such a request, we will give that notification unless it is impracticable or unlawful to do so.
Refusal to correct information
- If we refuse to correct the personal information as requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant information.
- If we refuse to correct the personal information as requested by you, you can request us to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading. We will then associate the statement in such a way that will make the statement apparent to users of the information.
Sometimes you may be directed to a third party’s web site where an advertiser or market research company asks you to provide your personal information. It is your choice whether to provide your personal information to that third party. We cannot be held responsible for the privacy practices or actions of any third party.
Deletion of personal information
- You may require your information to be deleted permanently. Incent Loyalty may remove your Personal Information from the production database upon your express written request. However, the information may still be archived for regulatoryrecord-keeping purposes for the required time frame (generally 7 years), at the sole discretion of our AML Officer.
- Incent Loyalty may only remove the Personal Information we control, and cannot facilitate the removal of personal information which may already have been disclosed under this policy.
- We cannot provide any membership services once your information has been deleted. Please refer to our Terms and Conditions regarding the balance of your INCNT upon cancellation of membership.
Contact us and complaints
- If you have any questions, or would like further information about our privacy and information handling practices, please email us on [email protected]
- We offer a free internal complaint resolution scheme to all of our customers. Should you have a privacy complaint, please contact us to discuss your concerns using the following details:
Privacy Officer [email protected]
To assist us in helping you, we ask you to follow a simple three-step process:
- Gather all supporting documents relating to the complaint.
- Contact the Privacy Officer using the contact details set out above and we will review your situation and if possible
resolve your complaint immediately.
- If the matter is not resolved to your satisfaction, please contact our Complaints Officer on [email protected]
If you are still not satisfied, you can contact the Office of the Australian Information Commissioner using any of the
GPO Box 5218 Sydney NSW 2001
Phone: 1300 363 992 www.oaic.gov.au