Positive APAC Privacy policy

1. Positive Group Pty Ltd ACN 657 215 177, (Positive APAC, we, us or our), an Australian company of OPC, Level 1, 25 Burwood Road, Hawthorn VIC 3122, is a provider of employee mental health services for corporate employers.

2. We have offices in the UK and Australia and a global strategic network of partners and clients. Our parent company, Positive Health Strategies Ltd, is a UK-registered company headquartered in London (Positive UK).

3. We may deliver our services to you via our Positive NOW platform which is our mental wellbeing SAAS platform hosted by Positive UK.

4. This Positive APAC privacy policy (Privacy Policy) explains how we will collect, use, disclose, store, and protect personal information collected from "you" (being any of our customers, their stakeholders, staff and users, individuals we engage or interact with) and how we may use such information in providing goods and services to you. This Privacy Policy also describes the way in which you may access or correct your personal information that we hold, and how to contact us if you have any complaints in relation to your privacy.

5. We will handle your personal information in accordance with applicable privacy and health records laws, including the Privacy Act 1988 (Cth) (Privacy Act) and its Australian Privacy Principles (APPs).

6. We are committed to respecting and protecting your privacy.

7. ‘Personal information’ includes information or an opinion about an identified individual, or an individual who is reasonably identifiable. For example, personal information may include your name, age, gender, postcode and contact details.

8. Under Australian privacy law, 'sensitive information' is personal information that is subject to a higher level of privacy protection than other personal information. It includes information or an opinion about an individual's racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; or criminal record.

9. We may collect personal information from you so that we can supply our services to you or otherwise interact with you.

10. We may also collect person information from your employer, colleagues, associates, representatives and stakeholders that you work with or use our services (Users).

11. When you engage our services (including when you sign up, when you access or use our services), we collect the personal information you give us such as your name, address and email address and those details of Users.

12. You are not compelled to disclose your personal information to us. However, if you do not provide the information requested, you may not be able to receive the full benefit of our services.

13. Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). In such a case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

14. Where we process sensitive information about you we will always ask for your consent to such processing. You have the right to withdraw consent to the processing of this data at any time by contacting us.

15. We have set out below in Table 1 a description of all the ways we plan to use your personal information. Note that we may process your personal information for more than one lawful ground depending on the purpose for which we are using your information.

16. We may collect, use, store and transfer the following personal information from you:

(a) Identity Data includes first name, last name, username, gender, date of birth.

(b) Contact Data includes email address, phone number and correspondence address.

(c) Wellbeing Data includes data relating to your wellbeing and experiences, which may include sensitive information.

(d) Transaction Data includes details about payments made on our website and other details about the products and services you have purchased from us and named points of contacts on invoices.

(e) Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location.

(f) Profile Data includes your username and password, purchases or orders made by you, feedback and survey responses.

(g) Usage Data includes information about how you use our website, products and services.

(h) Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

17. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal information but is not considered personal information at law as this data does not directly or indirectly reveal your identity. If we combine or connect Aggregated Data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this Privacy Policy.

18. Positive NOW allows you to submit Wellbeing Data which, in some cases, may include sensitive information such as information concerning your health. Where we analyse Wellbeing Data, we only do so at an aggregate level. This data analysis is not automated and we do not build any personal profiles about you as an individual. We will only process sensitive information if we have your explicit consent to do so, unless we otherwise have a lawful basis for data processing.

19. We will collect your personal information in a lawful and fair way and in a manner that is not unreasonably intrusive. We will collect your personal information:

(a) where you have given it to us;

(b) where you have given it to a third party for the purpose of acquiring our services or otherwise engaging us;

(c) automated technologies or interactions;

(d) through third parties or publicly available sources

(e) where you have consented; or

(f) otherwise in accordance with the law.

20. Where we are required to gain consent, we will seek and acquire your consent at the time you give the information. Separately, by unilaterally or otherwise providing personal information to us, you consent to our collection, use and disclosure of your personal information in accordance with this Privacy Policy and any other arrangements that apply between us.

21. You may give us your Identity Data, Contact Data, Wellbeing Data and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise through engaging with us. If you are a customer or a User, we will collect your personal information directly from you through your interactions with us or with our platform. This may include when you:

(a) register to attend our event, or to access our products or services;

(b) participate in our accredited programmes;

(c) attend our live or virtual face to face sessions and events;

(d) create an account on Positive NOW;

(e) participate in discussion boards or forums hosted on Positive NOW;

(f) otherwise submit such data through use of any of our platforms or otherwise;

(g) subscribe to our service or publications;

(h) request marketing to be sent to you;

(i) complete a survey; or

(j) give us some feedback.

22. When you do any of these things, you consent to our collecting and using your personal information for the purpose so described or intended.

23. Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns including IP address and url path requested.

24. Third parties or publicly available sources. We may receive information about you from your employer if your school, university or employer has requested that you attend an event we are hosting, or wish to access our services. We may also receive personal information about you from various third parties and public sources, such as Technical Data from the following parties:

(a) Analytics providers;

(b) Search information providers.

25. Contact, Financial and Transaction Data. We may gather this type of data from providers of technical, payment and delivery services. For example, if a Payment is made on our website using PayPal, PayPal may use Financial and Transaction Data from providers of payment services.

26. When we collect your personal information, we will as soon as is practicable take reasonable steps to notify you of the details of the collection (including notifying you through this Privacy Policy), such as the purposes for which the information was collected, the organisations (if any) to which the information will be disclosed, and also notify you that this Privacy Policy contains details on how you may access or correct your information, and how you may raise any complaints.

27. If we ask for your personal information for a secondary purpose, such as marketing, we will either ask you directly for your consent, or provide you with an opportunity to say no.

28. We generally use your personal information for the following main purposes:

(a) Where we need to, to perform the contract we are about to enter into or have entered into with you (or a User you are associated with).

(b) Where it is necessary for our legitimate interests, and your interests and your fundamental rights do not override those interests.

(c) Where we are required to comply with a legal or regulatory obligation.

(d) Consent, where you choose to provide it (including for marketing).

(e) Aggregated data derived from personal information may be analysed for research and reporting purposes.

29. Further, at Table 1 below we set out a non-exhaustive description of the type of personal information we will use and the ways we plan to use it.

Table 1 – Purpose of using data we collect

30. The Positive NOW platform allows you to submit Wellbeing Data which, in some cases, may include sensitive information such as information concerning your health. Where we process your Wellbeing Data, which may include sensitive information about you, we will always ask for your consent to such processing. You have the right to withdraw consent to the processing of this sensitive information at any time by contacting us.

31. Where we analyse Wellbeing Data, we only do so at an aggregate level and it will be anonymised. This data analysis is not automated and we do not build any personal profiles about you as an individual. We will only process sensitive information if we have your explicit consent to do so, unless we have a lawful basis otherwise.

Marketing

32. We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We send direct marketing emails to users who have given consent for us to do so.

33. You have the right to withdraw consent to marketing at any time by contacting us or clicking unsubscribe from a marketing email. Please note that it may take us a few days to update our records to reflect your request.

34. If you ask us to remove you from our marketing list, we may keep a record of your name and email address to ensure that we do not send to you marketing information. Where you opt out of receiving marketing messages this will not apply to personal information provided to us as a result of a product or service purchase, product or service experience, or other transactions or engagements with us.

35. We may share your personal information with other parties as provided for in this Privacy Policy.

Third party software support partners.

36. The Positive NOW platform has integrations with third-party software and systems (third-party vendors and service providers) to enable:

(a) supply of services;

(b) supply of support; and

(c) payments for services.

37. Where we disclose your personal information to our partners (including contractors that work with us), we ensure that we have entered an agreement or arrangement where they are required to:

(a) respect the security of your personal information and to treat it in accordance with the law;

(b) only process the personal information in accordance with our terms of engagement or otherwise on our documented instructions;

(c) only provide access to staff and other persons who have a duty of confidentiality with regard to the shared personal information;

(d) comply with security obligations equivalent to those imposed on us under the GDPR;

(e) notify us of any breach in relation to the personal information we have shared with them; and

(f) only enlist a sub-processor with our prior permission.

38. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

39. Alternatively, we may seek to acquire other businesses or we may merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this privacy notice.

40. We will never sell your personal information as a separate or stand alone asset.

41. We may also transfer your personal information to your employer, university, school, industry group, sports body, or similar body or institution, if they have invited you to attend an event we are hosting or access our services.

42. We will never share your Wellbeing Data with a third party without your consent.

Third party services

43. In general, the third-party providers we use will only collect, use and disclose your information to the extent necessary to allow them to perform the services and integrated functions they provide to us. This occurs so that we can provide and services to you. As with many businesses, these include third party information technology and data service providers.

44. These third-party service providers, such as payment gateways and other payment transaction processors, who have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.

45. For these providers, we recommend that you read their privacy policies, so you can understand the manner in which your personal information will be handled by these providers.

46. We will not disclose your personal information to third parties for reasons other than as set out in this Privacy Policy unless you have consented, or we are otherwise permitted or required to do so by law. This may include disclosure of your personal information in the following circumstances:

(a) disclosure to comply with our legal obligations, including, but not limited to, where we are required to provide information under a subpoena or Court order or other mandatory reporting requirements under law;

(b) to communicate with the Office of the Australian Information Commissioner (OAIC) if you make a privacy complaint or the OAIC makes an inquiry of us; or

(c) where we are otherwise authorised or permitted to do so under law, including:

(i) where we disclose your information for purposes which are directly related to the main purpose for which we collected it, in circumstances where you would reasonably expect us to disclose your information for these purposes;

(ii) where we reasonably believe that disclosure of your information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent; or

(iii) where this is reasonably necessary for the establishment, exercise or defence of any legal claim.

47. If you are a job applicant, supplier, service provider or contractor, we may disclose your personal information to manage our relationship with you.

48. If our business is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.

49. Yes, we will transfer personal information (including sensitive information) overseas to our parent company Positive UK located in the United Kingdom, with data centres in the United Kingdom and Europe.

50. By uploading personal information, you expressly consent to us transferring that information (which may include sensitive information) to the Positive NOW hosted platform operated by Positive UK. Positive UK provides the same or similar services as Positive APAC to UK and European clients.

51. Where we disclose personal information overseas, we will comply with the requirements of the Privacy Act. We will only disclose your personal information overseas:

(a) to our suppliers and contractors for the purpose of providing our website, our platform and/or our services;

(b) as part of supplying our services to you;

(c) if you have provided your prior consent;

(d) if the receiving person or organisation is subject to a law, binding scheme or binding contract that provides substantially similar protection to the APPs which you can access and enforce; or

(e) if the disclosure is otherwise required or authorised by law.

52. We will, in all cases, take reasonable steps to ensure that any such recipient of your personal information does not breach the APPs.

53. When the personal information is transferred to Positive UK it will be hosted in London and other locations in the UK and Europe (subject to the UK General Data Protection Regulation and the EU General Data Protection Regulation). Positive UK handles and hosts personal information and sensitive information of Positive APAC clients, customers and Users, pursuant to its privacy policy (UK Privacy Policy) and subject to the UK General Data Protection Regulation.

54. We take reasonable steps to ensure that the personal information we collect, use and disclose is accurate, up-to-date, complete, relevant and not misleading. You can assist us in keeping your personal information accurate by informing us of any updates to your personal information using our contact details below.

55. You have a right to seek access to, and the correction of, the personal information we hold about you.

56. You may also request access to the personal information that we hold about you, using our contact details set out below. In certain circumstances, we may refuse to allow you access to your personal information where this is authorised by the law, such as where providing access would have an unreasonable impact on the privacy of other individuals, providing access would pose a serious threat to the life or health of any person or to public health or safety, or giving access would be unlawful.

57. If you believe that the personal information we hold about you requires correction (for example, because the information is inaccurate, out-of-date, incomplete, irrelevant or misleading), you may request that the information be corrected using our contact details set out below.

58. If we refuse your request for access or correction, we will provide you with reasons for the refusal in writing, and details about how you may complain about the decision.

59. We take reasonable steps to protect personal information we hold about you from misuse, interference and loss, and from unauthorised access, modification or disclosure.

60. We use physical and technological security measures to protect the personal information we hold.

61. We may hold your personal information in a number of ways including electronically and in physical format.

62. We use a secure third-party cloud storage provider with servers located in Australia and in UK and Europe (where we transfer to Positive UK).

63. We also use secure third-party messaging software and SMS messaging services, which are encrypted.

64. When your personal information is no longer required to be retained under law we will take steps to securely destroy the information or to ensure that the information is permanently de-identified.

65. We are committed to complying with the mandatory ‘notifiable data breach’ scheme (the NDB scheme) under the Privacy Act.

66. The NDB scheme applies when an ‘eligible data breach’ of personal information occurs. An ‘eligible data breach’ occurs when:

(a) there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation holds;

(b) this is likely to result in serious harm to one or more individuals; and

(c) we have not been able to prevent the likely risk of serious harm with remedial action.

67. Where we take remedial steps to prevent the likelihood of serious harm occurring for any affected individuals after a data breach has occurred, the data breach will not be an ‘eligible data breach’.

68. Where we have reasonable grounds to believe that we have experienced an eligible data breach (and remedial action cannot be used), we will notify affected individuals and the Office of the Australian Information Commissioner about the breach in accordance with the Privacy Act.

69. We may collect your personal information through your interactions with our website at https://www.positivegroup.org/ and via the Positive NOW platform.

70. Where you upload information via our website, including via our contact form, you consent to us keeping your personal information for the purposes of dealing with your inquiries and our potentially supplying services to you.

71. We will deal with any personal information collected via our website in accordance with this Privacy Policy and the law.

72. We also collect data through our use of cookies and other internet technologies.

73. Cookies are small data files which are stored on your device’s browser. Cookies are stored in order for your internet browser to navigate a website. Cookies will not identify you, but they do identify your internet service provider, browser type and browsing habits.

74. We will not use cookies to collect your identifying personal information. The cookies may collect statistical information about your visit to our website (such as the pages you visit on the website) in order to remember your preferences and allow you to navigate the website more easily.

75. The default setting of most internet browsers is to accept cookies automatically, but you can choose whether to allow cookies through your browser settings. Your settings may affect your ability to use our website including that your experience at our website may be diminished and some features may not work as intended.

76. We also collect your IP address to create an audit trail of events that take place on our website and to track and aggregate non-identifiable information, your referring website addresses, browser type and access times.

77. If we provide links through our website or the Positive NOW platform to third-party websites, add-ins, plug-ins and applications (Third Party Pages), those links are provided for convenience and may not remain current or be maintained.

78. Once you leave our store’s website or are redirected to a Third Party Page, you are no longer governed by this Privacy Policy.

79. We are not responsible for the privacy practices of, or any content on, those Third Party Pages, and have no control over or rights in them. The privacy policies that apply to Third Party Pages may differ substantially from our Privacy Policy, so we encourage individuals to read them before using them.

80. We respect your privacy and we take all feedback, input, complaints and concerns regarding privacy very seriously.

81. If you have any questions about privacy-related issues, you would like to request access to or correction of your personal information, you would like further information about this Privacy Policy, or you have a concern or complaint your privacy or the handling of your personal information by us, you may lodge your question, concern or complaint in writing to us at:

FAO Neil Thayer, Finsgate, 5-7 Cranwood Street, London, EC1V9EE. 0207 936 3454

82. Where you contact us, we will respond to you as soon as possible, but no later than 30 days from receipt of your question or complaint.

83. If you are not satisfied with your medical practitioner's (or the practice's) response, our response, or if you do not wish to raise a question or complaint with us directly, you may wish to contact the Office of the Australian Information Commissioner at www.oaic.gov.au.

84. We may update this Privacy Policy from time to time. We will notify you about any changes to this Privacy Policy through our website at https://www.positivegroup.org/, and we will make the most current version of the Privacy Policy available when you receive services from us, or on your request.

Effective: May 2022