PhishNet

Privacy Policy

Version 1.0 – 5 March 2021


  • About this Privacy Policy
      1. This Privacy Policy describes how we manage personal information about our customers (you), your end users, our suppliers, agents and contractors, who we interact with or engage for the purposes of supplying products and services to you.
      2. We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) and the EU General Data Protection Regulation 2016/679 (GDPR). 
      3. This Privacy Policy applies to all of our entities, affiliated entities and subsidiaries. 
      4. If we decide to change this Privacy Policy, we will post the updated version on this webpage so that you will always know what personal information we gather, how we might use that information, where we store it and whether we will disclose it to anyone. Our policy is to be open and transparent about our privacy practices.  
  • Our provision of the managed information technology products and services
      1. We provide a range of information technology products and services such as managed hardware and software resale services, equipment hosting services and technical support services (collectively, the services).
      2. We only enter into a contract with you for your subscription, license or use of one or more of our services. We do not enter into contracts with any of your end users.
      3. The functionality, technical specifications and products that we provide to you depend on the particular requirements set out in the contract that we have with you.
      4. Some of our services provide functionality that can be used by you to collect, process and disclose personal information about your end users.
  • Your responsibility for end user privacy
      1. You are required to comply with all applicable privacy laws.
      2. We rely on you to obtain all relevant privacy consents and authorisations from your end users required by law, in order for the personal information that is entered and/or transmitted via our services to be collected, disclosed and otherwise processed by us. We also rely on you to ensure that all of your end users’ personal information held by us is accurate, up to date, complete, relevant and not misleading.
      3. We encourage you to ensure that your end users are familiar with your privacy policy, so that your end users understand how you collect, use and otherwise process personal information about them, via the services. 
  • The types of personal information we collect and hold 
      1. We collect the following types of personal information:
        1. Content entered into and/or transmitted via our services about end users: All information, including personal information, that is entered into and/or transmitted via our services (either by end users or otherwise) is stored in systems owned by third party vendors which is managed by us on your behalf. The types of personal information collected may include names, contact details as well as any other personal information entered into and/or transmitted via the services by, about or on behalf of an end user. In the course of providing our services we may host your databases or content. These databases and content may include personal information of your end users.
        2. Information about your personnel: We collect contact details of your personnel, such as names, contact information and billing information, including credit card details. Credit card details are not held by us, but are held by payment gateway providers that we use. Other than the last 4 digits of a credit card, all such credit card information is not accessible by us. For your personnel who are end users, we also collect the information about them referred to in paragraph (a). 
        3. Information about our suppliers and contractors: We collect personal information about our suppliers and contractors in the course of engaging their services. The types of personal information we collect about them include names, contact details, addresses, medical information, occupation as well as any other information provided to us.
        4. Information required for the support, maintenance and security of our services: In order to support and maintain the services that we provide to you, we collect and process end user information including IP addresses, email addresses, user access logs, usernames, passwords and any personal information included in technical support tickets and error messages.
        5. Managed services technical data: When providing our services, we may monitor or access your or your end users’ computers, networks and other equipment remotely or on site. In the course of doing so, we will collect and process information about that equipment and any software and data processed by that equipment. This information includes IP addresses, server names and addresses, database names, network names, serial numbers, WiFi passwords, computer names, application names, browser history, user access logs, usernames, passwords, technical support log tickets, bandwidth capabilities, error messages, social media handles, FTP server addresses, hostnames, subnet masks, router names, hosting account usernames and passwords and software subscription details.
        6. Computer and network usage data of our employees and contractors: As part of our recruitment and management of personnel and contractors,  we collect and process all of the following personal information: names, phone numbers, ABN details, business and company names, residential addresses, professional references, information included on resumes, academic transcripts, employment history, skills and qualifications, national police checks and criminal history records, bank account details, tax file numbers, superannuation details and relevant identification documents (such as driver’s licence and passports for visa and working permits). We also collect employee medical information, emergency contact details, dates of birth and next of kin details. Subject to applicable laws, we may carry out electronic surveillance of our personnel when they use our computer equipment, smartphone devices and networks (such as IP addresses, usage patterns, access logs and usernames, computer names, traffic firewalls and websites visited).
        7. Telecommunications Data: As an internet service provider, we are required to retain data about communications under Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). This information is retained for 2 years from the date that we create it. We are also required under the TIA Act to retain subscriber information for 2 years from the date the relevant account is closed. The data that we retain in accordance with our obligations under the TIA Act may be disclosed to law enforcement agencies. For further information about the specific types of personal information that we may be required to collect and retain under the TIA Act, please contact us.
  • How we collect personal information
      1. Our policy is to be completely transparent about how and why we collect personal information and not to collect personal information by means that are unfair or unreasonably intrusive. We only collect personal information that is necessary to provide the services and to otherwise operate our business.
      2. We collect personal information about your personnel in one or more of the following ways: 
        1. when they contact us with enquiries about our services, whether by email, via our website or via telephone; 
        2. during the preparation, negotiation and finalisation of the contract for the provision of services and for billing purposes; or
        3. when it is voluntarily disclosed to us (including, but not limited to via telephone, e-mail and online forms).
      3. We will collect personal information about your end users in one or more of the following ways: 
        1. when end users enter personal information into or via our services; 
        2. when you provide personal information to us about your end users;
        3. in the course of providing our services; or 
        4. when it is voluntarily disclosed to us (including, but not limited to via telephone, e-mail and online forms).
      4. We will collect personal information about our employees, suppliers and contractors in one or more of the following ways: 
        1. when we carry out background checks during the recruitment process or otherwise;
        2. when they respond to employment or contractor opportunities that we make available, enquire about available positions within our company, and when we conduct reference checks;
        3. when we trade business details with our suppliers and contractors; 
        4. for workplace health and safety reasons;
        5. during the preparation, negotiation and finalisation of a contract that we enter into and for billing purposes thereafter; or
        6. when it is otherwise voluntarily provided to us.
  • How we use personal information 
    1. We use personal information about you, your end users and our suppliers and contractors to enforce our legal rights, comply with our legal obligations and as otherwise set out in the following table:

Category: Personal information about your personnel

How we use and process that personal information:

  • To provide the services.
  • To set up, configure, host or procure the hosting of the Service for you and for your end users to use the services.
  • To communicate with you about your current and prospective use of our services, including with respect to your end users’ current and anticipated usage of the services, and to discuss and implement your software, security and hardware development requirements.
  • To provide data migration and implementation services in respect of databases that require integration into our services.
  • To provide you with technical support and maintenance services including by responding to help desk tickets, scheduling upgrades and enhancing our services.
  • To provide you with professional services (including training, consulting and other services).
  • To send out billing information and notices and process payments.
  • To discuss our security requirements and to understand your security requirements in respect of the services.
  • When conducting research and development of our products and services.
  • To provide you with information about promotional offers and new products and solutions that we make available and to process orders for new or additional managed services.
  • In order to identify you when you contact us for technical support questions.
  • To administer our contractual relationships with you (and to enforce our contractual rights).
  • To streamline and personalise our customer experience and processes.
  • To configure new services for you or to make changes to existing services, as requested.
  • To handle complaints.

Our reason for collecting the personal information:

  • Necessary for our legitimate interests (in order to operate, administer and grow our businesses including to operate our services, IT systems and networks, manage our hosting environments and ensure the successful delivery of our services).
  • Performance and enforcement of our contracts with you.
  • Compliance with our legal obligations.

Category: Personal information about end users

How we use and process that personal information:

  • As required to provide and support the services supplied to you and to process the personal information of end users on your behalf.
  • For data migration purposes.
  • In order to store end user personal information in databases and systems in our hosting environments at third party data centres.
  • To provide technical support services to you and your end users that require us to view and/or update end user data held in our services.
  • When conducting research and development of our products and services.
  • To configure new services or to make changes to existing services, as requested.
  • Backing up and restoring data that includes end user personal information.
  • To carry out security audits, investigate security incidents and implement security processes and procedures that require access to end user personal information.
  • To handle complaints.

Our reason for collecting the personal information:

  • Performance of our contracts with you.
  • Necessary for our legitimate interests (in order to administer and our businesses including to allow you to operate our services, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our services).
  • To comply with our legal and statutory obligations.

Category: Personal information about our employees, suppliers and contractors

How we use and process that personal information:

  • To provide you with the required services.
  • To manage and govern their employment or engagement with us as required to operate our businesses.
  • To send out billing information and notices to suppliers and contractors and processing payments.
  • For workplace health and safety reasons (i.e. ensuring our contractors are adequately trained and safe).
  • When conducting research and development of our products and services.
  • To procure new services from our suppliers and contractors.
  • When escalating technical support requests, procuring subscriptions on your behalf and managing your licenses.
  • To handle complaints.

Our reason for collecting the personal information:

  • Performance of our contracts with you.
  • Performance of our contracts with our employees, suppliers and contractors.
  • Necessary for our legitimate interests (in order to administer and our businesses including to allow you to operate our services, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our services).
  • To comply with our legal and statutory obligations.


  • Analytics data
      1. We also collect information about your end users known as analytics data, such as user location, information about devices accessing our services, the amount of time an end user spends in our services and in which parts of them, and the path navigated through them. However, all such information is de-identified data and not collected in a form that could reasonably be expected to identify an individual. In any event, we only use analytics data for the following internal business purposes:
        1. to help us review, enhance and improve our services; and
        2. to develop case studies and marketing material without identifying any end user.
  • How we hold and secure personal information
      1. We hold and store personal information that we collect in our offices, computer systems and third party owned and operated hosting facilities. In particular:
        1. we use hosting facilities operated by reputable hosting providers (currently Zettagrid);
        2. personal information that is provided to us via email is held on our servers or those of our cloud-based email providers which have restricted access security protocols;
        3. we use third party owned cloud-based customer relationship management (CRM) and marketing platform providers to hold personal information about current and prospective customers;
        4. personal information is held on computers and other electronic devices in our offices and at the premises of our personnel; and
        5. we hold personal information that is provided to us in hard copy in files and folders in secure locations.
      2. We take reasonable steps to protect personal information that we hold using such security safeguards as are reasonable in the circumstances to take against loss, unauthorised access, modification and disclosure and other misuse and to implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed by us.
      3. For example, we:
        1. perform security testing and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management and firewalls;
        2. carry out security audits of our systems which seek to find and eliminate potential security risks in our electronic and physical infrastructure as soon as possible;
        3. maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms to ensure the security of information systems (electronic or otherwise);
        4. require all of our employees, agents and contractors to comply with privacy and confidentiality provisions in their employment contracts and subcontractor agreements that we enter into with them;
        5. continuously monitor, analyse logs of, and audit our devices, storage and channels. This may be performed by our suppliers and contractors;
        6. have data backup archiving, data breach response plans and disaster recovery processes in place;
        7. implement passwords and access control procedures into our computer systems; and
        8. with respect to personal information that we no longer require or where we are otherwise required to destroy it under applicable law, we ensure that such personal information is securely de-identified (where permitted by law) or destroyed.
  • Disclosure of personal information
      1. We only disclose personal information that we collect to third parties as follows:
        1. in order to provide the services to you;
        2. when performing contracts, we may outsource certain obligations to third party contractors in accordance with our contractual rights (such as hosting, consulting and other professional services). Professional services carried out by them may require access to an individual’s personal information. We ensure that all staff and contractors are aware of their information security responsibilities, are appropriately trained to meet those responsibilities and have entered into agreements which require them to comply with privacy and confidentiality obligations that apply to personal information that we provide to them;
        3. when we engage third parties to make marketing calls, to provide customer satisfaction surveys or send marketing emails. All individuals will be given the opportunity to ‘opt out’ of any direct marketing calls or emails;
        4. when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we request their representation in relation to a legal dispute;
        5. where a person provides written consent to the disclosure of their personal information;
        6. where it is brought to our attention that specific personal information needs to be disclosed to protect the safety or vital interests of any person;
        7. for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation);
        8. when we de-identify personal information and then use it for our or third party research purposes;
        9. where required in connection with a merger, sale or corporate reorganisation;
        10. in the event of a merger, dissolution, reorganisation or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal information, would be transferred to the surviving entity in a merger or the acquiring entity, and in such case all such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal information as set out in this Privacy Policy;
        11. when required to disclose personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements, or to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas; or
        12. where required by law.

  • Third party websites 
      1. Our website may include links to third party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third party website operator complies with applicable data protection laws. You and your end users should consider the privacy policies of any relevant third party website prior to sending personal information to them.
  • Interacting with us without disclosing personal information
      1. If a person does not provide us with their personal information, they can only have limited interaction with us. For example, a person can browse our public facing websites without providing us with personal information such as the pages that generally describe the services that we make available. However, when a person submits a form on our websites or an organisation enters into a contract with us, we need to collect personal information for identification purposes, so that we can provide our services, and for the other purposes described in this Privacy Policy.
      2. Any person has the option of not identifying themselves or using a pseudonym when contacting us to enquire about our services.
  • Offshore disclosure
      1. As a supplier of information technology services, including cloud services, we retain personal information on servers that may be located in a number of overseas countries. We may disclose personal information to our offshore service providers and personnel who assist us with providing our services and to assist us with the operation of our businesses generally. We will take reasonable steps to ensure that such overseas recipients do not breach the Australian Privacy Principles in relation to personal information.
  • How to access and correct personal information held by us
      1. Subject to verification of your identity, you can contact us directly to access and correct personal information that we hold about you. 
      2. End users who have access to the services can amend personal information contained in their accounts, or delete their accounts, at any time, by logging into their accounts but only where such functionality is available or by contacting you, in the first instance. Once an account is deleted, we may still be required to retain the data in accordance with our contractual obligations or where required by law. End users who wish to make enquiries about the personal information held by them should contact you in the first instance.
      3. We will handle all requests for access to personal information in accordance with our statutory obligations. We may require payment of a reasonable fee by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law.  
  • Retention and de-identification of personal information
      1. For the purposes of the Privacy Act 1988 (Cth), we may take such steps as are reasonable in the circumstances to de-identify the personal information that we hold about an individual where we no longer need it for any purpose for which it was collected and/or used, if the information is not contained in a Commonwealth record and we are not required by Australian law (or a court or tribunal order) to retain it.
  • Opt-out for direct marketing 
      1. You may opt out at any time from the use of your personal information for direct marketing purposes by emailing the instructions to [email protected] or by clicking on the “Unsubscribe” link located on the bottom of any of our marketing emails. Please allow us a reasonable time to process your request. You cannot opt out of receiving transactional e-mails related to the services. 
  • Contact details
    1. Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or to make a privacy complaint, may contact us using the following details:

Privacy Representative and Data Protection Officer 

Level 1, 1 Chandos Street St Leonards NSW 2065

+61 2 8338 3444

    2. We will use our best endeavours to resolve any privacy complaint with the complainant within a reasonable time frame given the circumstances. This may include working with the complainant on a collaborative basis or otherwise resolving the complaint.
    3. If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the Australian Privacy Principles, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:

Office of the Australian Information Commissioner

Telephone: 1300 363 992

Email: [email protected]

Address: GPO Box 5218, Sydney NSW 2001

 

GDPR 

  • Personal Data
      1. This section of our Privacy Policy applies to personal data of customers and end users that may be collected by us that is governed by the EU General Data Protection Regulation 2016/679 (GDPR). Article 4(1) of the GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person. 
  • Collection of personal data
      1. You are responsible for the collection of personal data of your end users and for obtaining all relevant consents and authorisations necessary for us to process end user personal data in accordance with this Privacy Policy. Paragraph 5 above sets out how we collect personal data about you, your personnel,  your end users and suppliers and contractors. 
  • Purpose of processing personal data and our legal basis for doing so
      1. The table in paragraph 6.1 above sets out the legal basis under which we process personal data for the purposes of Article 6(1) of the GDPR.  
  • Who will receive personal data
      1. Detailed information about who we disclose personal information to is set out in paragraph 9 above. This applies equally to personal data governed by the GDPR.
  • International transfers
      1. We only transfer personal data internationally as set out in paragraph 12 above in compliance with the GDPR. We have legally binding agreements in place that govern the receipt and processing of personal data transferred offshore. Information about other appropriate or suitable safeguards is available, on request.
  • Retention of personal data
      1. It is our policy to retain personal data in a form which permits identification of any person only as long as is necessary for the purposes for which the personal data was collected for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal data (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect any other person’s vital interests or where we de-identify it on the basis set out in this Privacy Policy). 
      2. Where you require personal data to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable thereafter, unless applicable law requires us to retain the personal data in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.
  • Requirement to provide personal data to us
      1. Please see paragraph 11 above for information about the requirement to provide personal information to us and the limitations that apply where personal information is not provided.  Those requirements and limitations apply equivalently to personal data governed by the GDPR.
  • Further processing activities by us
      1. We will not carry out any further processing activities on personal data, other than as set out in this Privacy Policy. 
  • Rights under the GDPR
      1. Under the GDPR, data subjects have a number of rights, including:
        • The right to be informed
        • The right of access
        • The right to rectification
        • The right to erasure
        • The right to restrict processing
        • The right to data portability
        • The right to object to processing
      2. You and your end users also have the right to lodge a complaint with the relevant supervisory authority.
      3. End users are encouraged to contact you in the first instance, if they wish to exercise any of their applicable rights under the GDPR.