(ACN 099 084 143)
Unless otherwise specified, capitalised terms used in this Policy have the same meaning as in the Terms and Conditions.
In this Policy:
Claim means any claim in law or equity, or under statute, for a remedy of any nature whatsoever, whether contingent, prospective, actual or otherwise and including any and all claims, actions, sums of money, arbitrations, suits, counterclaims, demands, causes of action, debts due, verdicts, judgments, Losses, User Account reckonings, proceedings and charges;
Law means any law or legal requirement, including at common law, in equity, under any statute, regulation or by-law and any decision, directive, guidance, order, decree, guideline or requirements of any authority;
Loss means any damage, loss, expense and cost whatsoever including any cost or expense regarding any Claim and any legal costs and expenses of any nature; and
User, you or your means any person who accesses and uses Spenda’s Platform.
This Policy forms part of and is incorporated into the Terms and Conditions.
This Policy has been prepared in accordance with:
applicable Australian privacy and data protection laws, including the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles contained therein; and
the General Data Protection Regulation (EU) 2016/679 (GDPR), as applicable.
This Policy applies to Spenda’s collection and disclosure of your Personal Information (as defined in clause 2.2) when you use the Platform or register a User Account.
This Policy is intended to describe what information Spenda collects and/or processes; how Spenda uses it; and under what circumstances, if any, Spenda discloses any Personal Information. Please read this Policy before using the Platform or before submitting any Personal Information to Spenda. By using the Platform or otherwise providing or submitting any Personal Information to Spenda, you are agreeing to, accepting the practices described, in this Policy.
Spenda may in its absolute discretion elect to amend or replace this Policy by uploading a revised Policy on the Platform from time to time. A copy of the most up to date version of this Policy will be made available to view on the Platform. Any changes made to this Policy will apply immediately from the date Spenda uploads the revised Policy onto the Platform. In addition, Spenda may, but is not obliged to, notify you by email of any updates to this Policy. Spenda strongly encourages you to refer to this Policy on an ongoing basis to understand your rights under this Policy. Unless otherwise stated, the most current version of the Policy will apply to all information Spenda has about you. If you do not agree with the practices outlined in this Policy, you must immediately stop accessing or using the Platform and take steps to cancel your User Account.
Types of Information Collected
When you register for a User Account or use the Platform, Spenda may collect Personal Information, Sensitive Information and Statistical Information which relate to you. Those terms are defined in clauses 2.2, 2.3 and 2.4 below, respectively.
Personal Information includes information which identifies a natural person, or by which the person’s identity may be reasonably determined. It may include a person’s full name, mailing or residential address, date of birth, bank account details, signature, credit card details, phone number and email address, credit information, employee record information, tax file number information as well as “personal data” (for the purposes of the GDPR) or Sensitive Information. For the purpose of this Policy, the term Personal Information also includes:
information we collect through your interactions with Spenda or other interactions with Content and/or User Generated Content on the Platform; and
personal information obtained from a third party which, under and in accordance with the Privacy Act, may lawfully be exchanged.
Sensitive Information includes information (or an opinion) about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record, as well as information about an individual’s health, genetic information or biometric information.
Statistical Information includes the internet protocol (IP) address of your device used to connect to the Platform created by Spenda, time zone setting, language preferences, location data, information about your browser, phone, hardware and software (including your hardware model, operating system version, device memory, advertising or unique application or device identifiers and (potentially) information about your applications installed, battery level,) as well as other information which does not identify you personally, but which tracks your usage of the Platform.
Personal Information about third parties
If at any time you supply Spenda with Personal Information or Sensitive Information about another person, you must ensure that you have written consent from that person to do so, and you must agree to inform that person about Spenda, this Policy and the fact that Spenda may use and disclose their Personal Information in accordance with and for the purposes outlined in this Policy.
How Spenda collects Personal Information
Spenda will not ordinarily collect any Personal Information about you except where you provide it to Spenda (either directly, or through posting or interacting with Content and/or User Generated Content on the Platform), or where it is provided to Spenda with your authority.
Spenda collects Personal Information when you:
take steps to register a User Account, enquire about or sign up for and use the Platform;
interact with Content and/or User Generated Content on the Platform;
provide Spenda with feedback, make an enquiry or request of Spenda or make a complaint; and/or
do business with Spenda or other Users via the Platform.
In the event Spenda receives unsolicited Personal Information about you (ie. where Spenda has taken no active steps to collect the Personal Information), it will only be collected where:
such collection is reasonably necessary for one or more of Spenda’s functions or activities or that of the Platform; and
obtains your consent; or
is authorised or required to do so by Law.
Where clause 4.3 does not apply, Spenda will (as soon as practicable) destroy or de-identify any unsolicited Personal Information that Spenda receives.
Where clause 4.3 applies, Spenda will treat the Personal Information in accordance with the Privacy Act and this Policy.
How Spenda uses Personal Information
Spenda may use Personal Information for the purposes set out in clauses 5.2 to 5.4. Spenda will make every reasonable effort to advise you of the specific purposes for which Spenda is required to collect your Personal Information before that Personal Information is to be collected.
To provide, develop and improve the Services
You authorise Spenda to use your Personal Information to:
contact you in relation to your use of the Platform or your interaction with Spenda, including (without limitation) to notify you of any modifications to Spenda’s Terms and Conditions or this Policy;
provide the Services, including (without limitation) to facilitate payments for transactions effected between Users via the Platform and to create corresponding records of these transactions between Users;
notify you about promotions or other communications related to other Users whose User Generated Content you have consented to receive;
make improvements to the Platform. For example, Spenda may track any troubleshooting issues and compatibility issues with various operating platforms and devices to ensure Users have proper and stable access to the Platform, and to implement updates where necessary; and
measure the performance of Spenda’s Services and to understand how the Services are used. For example, Spenda may analyse Users’ interactions with the Platform so Spenda can optimise the experience of its Users.
To ensure compliance
Additionally, the purposes for which Spenda will generally collect and use your Personal Information (to which you authorise Spenda to do so) will include:
to comply with all Laws (including but not limited to, where considered necessary by Spenda, verifying your identity to prevent fraud or other unauthorised or illegal activity);
to co-operate with authorities in relation to any investigation into any User of the Platform;
to perform Spenda’s administrative operations, including accounting, risk management, payment processing, record keeping, archiving, and development and testing; and
to manage Spenda’s rights and obligations under the Terms or Conditions or this Policy.
Marketing and other Communications
Spenda may send you email marketing and SMS notification and other communications to (variably):
provide you with information about the Platform, products or Services;
invite you to participate in promotions or ask you for feedback;
provide you with User Generated Content that you have consented to receive from other Users; and/or
communicate with you for other marketing purposes.
Spenda will always provide you with the option to unsubscribe from Spenda’s marketing communications. If you do not want to receive marketing communications from Spenda, please contact Spenda through the Platform or by email.
Disclosure of Personal Information
By accessing the Platform, you consent to the disclosure of your Personal Information in accordance with this Policy. You acknowledge that in using the Platform you are consenting to the disclosure of Personal Information, which you provide in the course of using and interacting with the Platform, to other Users with whom you transact or do business from time to time via the Platform.
Spenda takes the protection of your Personal Information very seriously. Spenda will only disclose your Personal Information to its employees, officers, insurers, professional advisers, agents or contractors (including potentially where these parties are based overseas) insofar as such disclosure is necessary to enable Spenda to perform its obligations and to act in accordance with this Policy. Such Personal Information will not be disclosed or used other than as specified in this Policy without your express consent, which will be stored in Spenda’s records.
Spenda will not use or disclose your Personal Information for any purpose other than as disclosed in this Policy unless:
Spenda has obtained your consent to its use or disclosure; or
the purpose is related to the purposes disclosed in this Policy and an individual would reasonably expect Spenda to use or disclose that Personal Information in that manner.
Spenda may also disclose your Personal Information to other third parties from time to time. Subject to what is permitted by Law, the types of third parties to whom Spenda may disclose your Personal Information may include:
Spenda’s agents, contractors and external advisors (such as legal and financial advisors) whom Spenda engages from time to time to carry out, or advise on, Spenda’s functions and activities;
business partners; and/or regulatory bodies, government agencies, law enforcement agencies and courts.
Unless otherwise specified in this Policy or as required by Law, you authorise Spenda to disclose your Personal Information and Statistical Information to third parties:
where Spenda assigns, transfers, sells or otherwise licenses its rights under the Terms and Conditions to a third party. Where this occurs, Spenda will notify you using the Personal Information linked to your User Account;
where Spenda reasonably believes (acting in good faith) that such disclosure is necessary in order to investigate, prevent or take action regarding illegal activities (including without limitation actual or suspected fraud), situations involving potential threats to the physical safety of any person, violations of the Terms and Conditions or this Policy, or as otherwise required by Law;
in a business transaction including (but not limited to) a merger with or acquisition by another company, or the sale of all or a substantial portion of Spenda’s assets, of which your Personal Information and Statistical Information may be among the assets transferred. Where this occurs, Spenda will (if possible) notify you using the Personal Information linked to your User Account; and
where such disclosure is required by Law, or where Spenda reasonably believes in good faith that such disclosure is necessary to protect Spenda’s rights.
You consent to Spenda disclosing Statistical Information to third parties including, without limitation, to analytics companies and Spenda’s business partners, to help Spenda understand usage patterns, to assist in the Platform and product development and for advertising purposes (subject to what is permitted by Law).
Spenda may from time to time disclose your Personal Information to overseas entities who may not be bound by Australian Law. Where Spenda discloses your Personal Information to overseas recipients, Spenda will make every reasonable effort in the circumstances to ensure that the overseas recipients comply with this Policy and any applicable Australian Law concerning the protection of Personal Information, unless:
Spenda reasonably believes, or no less onerous than, that the overseas recipient is bound by privacy Laws that are substantially similar to the Privacy Act which can be enforced against the overseas recipient; or
you give Spenda an informed consent to the disclosure of your Personal Information to an overseas recipient who may not be bound by Australian Law; or
the disclosure to an overseas recipient is authorised or required by Australian Law (including the Privacy Act).
If you register a User Account or continue to access the Platform, you agree to Spenda’s use of tracking technologies, referred to as cookies, to track and record your usage. Cookies are text files placed on your computer or Compatible Device to collect standard internet log information and visitor behaviour information.
Statistical Information; and
information about your interaction with the Platform, activity on third party websites which are linked to the Platform, and views and interactions with Content and/or User Generated Content.
You may control the technical information Spenda collects, including through your browser or device settings. In doing so, you:
acknowledge some of the Services may not function properly if you choose to disable cookies; and
release Spenda and any of its related bodies corporate from any and all Claims, liability and Losses which may arise out of, result from, or relate in any way to your decision to disable cookies (including any limitation on your ability to use the Services).
Spenda will comply with the principles of data protection (including as set out in the GDPR) for the purpose of fairness, transparency and lawful data collection and use.
Spenda will process Personal Information as a processor and/or, to the extent relevant, as a controller (as those terms are defined in the GDPR).
Spenda must have a legal basis to process Personal Information which it collects. Spenda relies on several legal bases to process Personal Information in accordance with this Policy, including:
where the person has consented to the processing of Personal Information by Spenda (which consent may be withdrawn at any time);
for Spenda’s legitimate interests to operate, provide or improve the Platform or its products and Services;
where necessary to provide access to, and use of, the Platform; and/or
where Spenda is authorised or required by Law to do so.
Spenda will only process any Personal Information that is considered Sensitive Information if the person expressly consents to it being provided to Spenda.
Where a person has (directly or indirectly) provided consent to Spenda processing their Personal Information, the consent may be withdrawn at any time with future effect – i.e. the withdrawal of consent does not affect the lawfulness of processing based on the consent before its withdrawal. If consent is withdrawn, Spenda will only continue processing the person’s Personal Information where Spenda is permitted or obliged to do so by Law (including under the GDPR).
Your Rights Under this Policy
This clause 9 sets out the rights you have in relation to how your Personal Information is obtained and used.
Except as otherwise provided by Law, you have the following rights in connection with your Personal Information we have collected:
the right to be informed how your Personal Information is being used;
the right to access your Personal Information (and Spenda will provide you with a free copy of it);
the right to correct your Personal Information if it is inaccurate or incomplete;
the right to delete your Personal Information (which is also known as “the right to be forgotten”);
the right to restrict processing of your Personal Information;
the right to retain and reuse your Personal Information for your own purposes;
the right to object to your Personal Information being used; and
the right to object against automated decision making and profiling.
You are encouraged to contact Spenda at any time if you wish to exercise your rights in relation to this Policy. Spenda reserves the right to request you verify your identity before Spenda acts on any request made by you.
Storage of Personal Information
Spenda implements a variety of security measures to maintain the safety of your Personal Information. Your Personal Information is held on our company servers located in Australia (as determined by Spenda from time to time) in a controlled, secure environment where it is protected from unauthorised access, use or disclosure.
Spenda‘s servers may at times in future be located overseas in countries which are not bound by the Privacy Act, including, without limitation, the United States of America, and you hereby expressly consent to the disclosure of your Personal Information to overseas recipients. In doing so, you agree that Spenda is not obliged to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information.
Security of Personal Information
Spenda will use all reasonable efforts to keep secure your Personal Information, Statistical Information and all other information that you transmit to Spenda through your use of the Platform, your interaction with Spenda or otherwise. Spenda will take all reasonable care to protect and prevent unauthorised access to, or modification and disclosure of, your Personal Information.
Notwithstanding clause 11.1 above, you acknowledge the internet is inherently insecure and no data transmission online can be guaranteed as fully secure. Accordingly, Spenda cannot guarantee or warrant the security of any information (including Personal Information) you provide through your use of the Platform. You understand that any Personal Information you send online or otherwise provide to us is done so at your own risk.
If Spenda becomes aware of a breach of security in relation to your Personal Information, Spenda will immediately use all reasonable endeavours to take action to remedy the security breach, in order to limit the risk caused by unauthorised access to, or unauthorised disclosure of, your Personal Information before any serious harm is suffered as a result of the breach.
If Spenda becomes aware of a breach of security, and a third party has, without authorisation:
accessed your Personal Information; or
disclosed your Personal Information to another third party,
and a reasonable person would conclude that such unauthorised access or disclosure is likely to result in serious harm to you, then Spenda will (as required by Law) notify you and the Office of the Australian Information Commissioner (OAIC) with details of the Data Breach, including details of how Spenda believes the Data Breach has occurred and to what Personal Information such Data Breach relates, and the steps that you can take in response to the Data Breach.
If Spenda becomes aware of a Data Breach in which your Personal Information is lost, and Spenda has reasonable grounds to believe that:
unauthorised access to, or unauthorised disclosure of, your Personal Information is likely to occur; and
if unauthorised access to, or unauthorised disclosure of, your Personal Information occurs, a reasonable person would conclude that such unauthorised access or disclosure is likely to result in serious harm to you,
then Spenda will notify you and the OAIC with the details of the Data Breach, including details of how Spenda believes the Data Breach has occurred and to what Personal Information such Data Breach relates, and the steps that you can take in response to the Data Breach.
You acknowledge and understand that if you access the Platform from outside Australia, other entities including, potentially, foreign governments, may collect, use and disclose your Personal Information in ways which differ from this Policy and the Laws of Australia, and that Spenda will in such circumstances have no control over such collection, use and disclosure of your Personal Information (and is not liable in relation to such collection).
How long your Personal Information is stored
You consent to Spenda retaining your Personal Information for as long as necessary to fulfil the purposes for which Spenda has collected it, including in order to satisfy any Law.
To determine the appropriate retention period for Personal Information, Spenda will consider the amount, nature and sensitivity of the Personal Information collected from you, the potential risk of unauthorised use or disclosure of your Personal Information, the purposes for which Spenda processes the Personal Information and whether Spenda can achieve those purposes through other means. Spenda will also at all times have regard to the applicable legal requirements under the GDPR and/or the Privacy Act (as applicable).
Where Spenda provides your Personal Information to third parties in accordance with this Policy, you acknowledge and agree that:
the use of your Personal Information by third parties is not in Spenda’s reasonable control;
third party websites may place their own cookies or other files on your computer or telephone, solicit Personal Information from you and may or may not use your Personal Information in accordance with their own privacy policies which may differ from this Policy; and
If Spenda discloses Personal Information to a third party, Spenda will always act to protect it in accordance with this Policy. However, you agree that Spenda will not be liable for any Loss or liability which may be incurred as a result of, or in connection with, or in relation to any use of your Personal Information by a third party to whom Spenda validly disclosed the Personal Information (and you agree to make no claim against Spenda in that regard).
How to Contact Spenda
If you believe that the privacy of your Personal Information has been compromised or that your Personal Information has not been used in accordance with this Policy, you should contact Spenda as soon as possible using the means on the Platform or at:
Telephone: 1300 682 521; or
Mail: Attention: Privacy Compliance Officer [Justyn Stedwell]
Spenda Limited, Suite 103
Level 1, 2 Queen Street
Melbourne, VIC, 3000
Your complaint will be taken seriously and addressed in accordance with clause 16 of the Terms and Conditions in relation to Dispute Resolution.
How to Contact the Office of the Australian Information Commissioner
If you do not receive a satisfactory response from Spenda, or you believe that Spenda has not handled your complaint satisfactorily, you may wish to refer your complaint to the Office of the Australian Information Commissioner at:
Address: GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992