Privacy Policy

Effective from 01/01/2020

Overview

Shift8 ABN 11 147 329 548 (“Shift8”, “we”, “us”, “our”) is committed to protecting your privacy. We have prepared this Privacy Policy to describe to you our practices regarding Personal Data (as defined below) we collect from users of our services including our POS application and all related software, platforms, services, products and websites (together the “Services”).

The processing of Personal Data shall always be in line with the Australian Privacy Principles (“APPs”) contained in the Privacy Act 1998 (“Privacy Act”), the General Data Protection Regulation (“GDPR”), and in accordance with country-specific data protection regulations applicable to Shift8.

We have implemented a number of technical and organisational measures to ensure the most complete protection of Personal Data processed through the Services.

For the purpose of the GDPR:

in respect of the Personal Data of the Services, that is provided to us by clients that subscribe to our Services (Subscribers) the Data Controller is Shift8;
in respect of Personal Data that is provided to us by end-customers of our Subscribers (being those persons that interact with our POS applications to make payments for goods and/or services of our Subscribers), Shift8 may also process Personal Data on behalf of its Subscribers as a data processor or act as a joint data controller (as appropriate).

When working as a data processor Shift8 will be acting on the instructions of its Subscribers and will work hard to ensure that the Subscriber is fully GDPR compliant. You will need to review the privacy policy of that Subscriber as in this instance they will be the data controller, and we will only process Personal Data on behalf of our Subscribers in accordance with their instructions and not for our own purposes. Similarly, where we act as a data processor Shift8 has no direct control over the data collected by its Subscribers. This means that you should contact the Subscriber with any data controller requests. Where we act a joint data controller then we will share responsibilities with the Subscriber.

Definitions

Capitalised terms not defined in this Privacy Policy have the meanings given in our Application Terms and Conditions, unless otherwise inconsistent with the context. In addition, the following capitalised terms have the following meanings:

“Anonymous Data” means data that is not associated with or linked to your Personal Data; Anonymous Data does not, by itself, permit the identification of individual persons. We collect Anonymous Data and Personal Data, as described below.
“Personal Data” means any information that allows someone to identify you, including, for example, your name, address, telephone number, e-mail address, as well as any other non-public information about you that is associated with or linked to any of the foregoing data.
“Sensitive Data” means Personal Data relating to a person’s physical or mental health, race or religion.

User Consent

Where we rely on your consent as the lawful basis to process your data we will always ask for you to positively affirm your acceptance. By clicking “I accept the Privacy Policy” or similar, or if we indicate that by clicking a button you are accepting this Privacy Policy you acknowledge and agree to be bound by this Privacy Policy.

We note that certain contact or other data forms where consent is required to be given by you include no pre-checked checkboxes so that you are able to freely and affirmatively opt-in. In cases where we do not consider it practical to include a checkbox, we will indicate that by clicking a certain button you have agreed to the terms of this Privacy Policy. We will also provide you with notice on the Services specifically detailing what it is that you are consenting to in clear and plain language as well ensuring that each matter that requires consent is clearly distinguishable.

For all areas of the Services where consent is given it is just as easily able to be withdrawn through the appropriate account settings on the Services.

If you believe that consent has not been given freely or in breach of the terms of this Privacy Policy please contact us.

Children

Our Services are not offered to persons who cannot form legally binding contracts under applicable laws (except where parental/guardian consent is given). You must also be old enough to consent to the processing of your Personal Data in your country (in some countries we may allow your parent or guardian to consent on your behalf).

If you are under the age of 18 (or such other age as required in your country to give consent) we require parental/guardian consent, and by agreeing to these terms, you represent and warrant that prior to accepting a parent/ legal guardian has also agreed to these terms on your behalf.

Any information that is in breach of this provision will be deleted.

Types of Data We Collect

INFORMATION YOU PROVIDE TO US

Account Data

You do not need to create an account to browse the website and view our service offerings. If you wish to use our POS applications, you will however, need to register for or have an account.

When you register for an account on the Services we collect your name, phone number, mailing or street address, telephone number, business entity details (as applicable), email address and other contact information.

At registration we will clearly label which information is required and which is optional to be provided at your discretion. We may also request you provide us with additional information after registration.

The legal basis for this processing is based on:

your consent through your voluntary submission of the form and agreeing to these terms;
the Personal Data being necessary for the performance of a contract to which you are a party;
for carrying out pre-contractual measures; and/or
any other legitimate interests as detailed below.

The registration of the account and voluntary provision of Personal Data is intended to enable us to offer you services that may only be available to registered users.

Data from your use of the Services

We collect content that you provide while using the Services. The information we collect includes information about your activity while using the Services. This includes when you use the Services to view and interact with content, and any other activity or actions that you take.

When you use our Point of Sale application, we will also collect the details of each sale that occurs to facilitate the service request. A local copy will be collected of each sale transacted through the Point of Sale application (on the device) which is sent to our servers for processing.

We use such information to assist in providing our services to you (including the provision of the Services) as well as for data analytics and reports that are shown in our Services.

The legal basis for this processing is based on:

your consent through your voluntary use of the Services and agreeing to these terms;
the Personal Data being necessary for the performance of a contract to which you are a party;
for carrying out pre-contractual measures; and/or
any other legitimate interests as detailed below.

This Personal Data is needed to enable us to provide the Services to you and to enable it to operate and otherwise to ensure your compliance with our terms.

Content you share

When you create content, or upload content to our Services we will also collect this Personal Data.

This includes as above noted, information you may have inputted into our Point of Sale application (whether as a Subscriber or as an end-customer.

We also collect information that you provide to us while participating in the Services and otherwise using the Services to communicate with other Authorised Users.

The legal basis for this processing is based on:

your consent through your voluntary submission of the form and agreeing to these terms;
the Personal Data being necessary for the performance of a contract to which you are a party;
for carrying out pre-contractual measures; and/or
any other legitimate interests as detailed below.

This Personal Data is needed to enable us to provide the Services to you and to enable it to operate. Certain functionality of the Services requires your personal information to function properly, for example in order for us to display the names of products or purchases we need to be able to collect this Personal Data.

Please note that the Services facilitates the interaction between users. As such we expressly request you carefully consider any communications that you receive in connection with the Services.

Payment Data

If you make a payment for the Services (such as a subscription fee for our applications), we (or our third party service provider) will collect all information necessary to complete the transaction, including your payment card information, bank account information and/or other billing information. We use this information to send to our third party payment gateways when you make payment for the Services.

Where you use our Point of Sale application, we collect details of your sales data for relevant transactions to facilitate the Services (including providing reports and monitoring), we do not however collect details of your payment card or bank account information (as we do not process such payments).

The Personal Data we collect will be the data that you provide us when making payment.

The legal basis for this processing is based on:

your consent through your voluntary submission of the form and agreeing to these terms;
the Personal Data being necessary for the performance of a contract to which you are a party including the payment of goods or services; and/or
any other legitimate interests as detailed below.

This Personal Data is needed to enable us to process your payment for your subscription to the Services. We retain information on your behalf, such as domain names, URLs, time zone preferences, service invoices, transactional history, messages and any other information that you store using your account.

Additional Data

If you provide us feedback or contact us via e-mail, or other means including by face-to-face meeting, by phone call, post, through social media or other communication or by contracting with us, we will collect your name and e-mail address, as well as any other content included in the e-mail or conversation, in order to send you a reply or otherwise process your request. We will store and process your communications and information as needed. When you participate in one of our surveys, we may collect additional profile information.

The legal basis for this processing is based on:

either through your consent through your voluntary submission of the form and agreeing to these terms or by your voluntary submission of data to us in other means;
the Personal Data being necessary for the performance of a contract to which you are a party;
for carrying out pre-contractual measures; and/or
any other legitimate interests as detailed below.

By submitting the form or making contact with us such Personal Data is transmitted on a voluntary basis and you consent to its collection.

List Data

On the Services you may have the ability to subscribe to various newsletters and email notifications. We may collect the data when you input your details for subscription purposes which may include your name, email address and email preferences.

The Personal Data is processed for the purpose of informing you regularly by means of a newsletter or other offer form (depending on your selections). The Personal Data collected during the subscription will only be used for marketing materials or for reasons made known on the form.

The legal basis for this processing is based on:

your consent through your voluntary submission of the form and agreeing to these terms; and/or
any other legitimate interests as detailed below.

By submitting the form and voluntarily providing us with your data, you are providing consent to the use of such data by us. For the purpose of revocation of consent there is a corresponding unsubscribe link found in each subscription email. Please note that some features of the Services may involve us providing, through the functionality within the Services, recommendations or suggestions for goods, services or benefits that we offer.

We may also collect Personal Data at other points on the Services that state that Personal Data is being collected. In some circumstances, Personal Data is provided to us by third parties such as our related entities, service providers or other organisations conducting activities on your behalf. With your expressed consent, your Personal Data may be used and disclosed to us this way. The purposes as outlined above may include the processing of such Personal Data to the extent necessary for us to comply with a law, regulation or legal request or to protect the safety of any person or to prevent fraud.

INFORMATION we collect FROM OTHERS ABOUT YOU

Content other people share

We also collect information, communications and information other people provide when they use the Services. For example, if a Subscriber has inputted data about a purchase by an end-customer into our POS application.

The legal basis for this processing is based on:

your consent through your voluntary submission of the form and agreeing to these terms;
the Personal Data being necessary for the performance of a contract to which you are a party including the payment of goods or services; and/or
any other legitimate interests as detailed below.

This Personal Data is needed to enable us to provide the Services to you in a functional manner.

INFORMATION we collect as you use our services

Log Data

To make our Services more useful to you, our servers (which may be hosted by a third party service provider) collect information from you, including your browser type, operating system, Internet Protocol (IP) address (a number that is automatically assigned to your computer when you use the Internet, which may vary from session to session), domain name, geo-location information, and/or a date/time stamp for your visit.

This data may be processed for the purposes of operating our website, providing our services, improving our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you.

The legal basis for this processing is based on:

the Personal Data being necessary for the performance of a contract to which you are a party;
for carrying out pre-contractual measures; and/or
the legitimate interests of carrying out our business, providing personalised service to you and any other legitimate interests as detailed below.

Google Analytics

We currently use Google Analytics as well as Google Analytics for Display Advertising. Google Analytics collects information anonymously and reports website trends without identifying individual visitors. Google Analytics uses its own cookie to track visitor interactions. Site owners can view a variety of reports about how visitors interact with their website so they can improve their website and how people find it. Please see the following links for more information about Google Analytics: http://www.google.com/analytics/, http://www.google.com/privacy.html and http://www.google.com/analytics/tos.html.

You can opt-out of Google Analytics for Display Advertising by going to the Google Ads Preferences Manager.

To opt out of these remarketing pixels and technologies please visit the Network Advertising Initiative opt out page.

Facebook pixels

We currently use Facebook pixels for conversion tracking and custom audiences, in accordance with Facebook’s terms which can be viewed here https://www.facebook.com/customaudiences/app/tos/.

To opt out of these remarketing pixels and technologies please visit the Network Advertising Initiative opt out page.

Third party services

If you:

use one of the integrated third party services and login with your credentials from such third party service (“Third Party Services”); or
associate your account with your account at a Third Party Services, we may receive information about you from such Third Party Services, in accordance with such Third Party Services terms of use and privacy policy (“TPS Terms”). We may add this information to the information we have already collected from you via the Services. If you elect to share your information with these Third Party Services, we will share information with them in accordance with your election. The TPS Terms will apply to the information we disclose to them.

Submission data

To make our Services more useful to you, we may collect Personal Data about your input on the Services by extracting this information from your account.

This data may be processed for the purposes of monitoring your use of the Services and compliance with our terms. We may then use that data in aggregate (i.e. anonymised) in order to determine metrics associated with our Services, and otherwise to improve our Services.

The legal basis for this processing is based on the legitimate interests of carrying out our business, providing personalised services to you and any other legitimate interests as detailed below.

INFORMATION we collect as A DATA PROCESSOR

Subscriber Data

If you are an Authorised User subscribed under a licence of one of our Subscribers, or an end-customer of one of our Subscribers (as above noted) we may collect information about you from that Subscriber.

Our Subscribers may also have integrated our POS application and other Services into their systems. This means we may collect Personal Data that our Subscribers may send to us either manually or automatically (or permit us to access) through the integration of our application.

As a data processer we follow the instructions of our Subscribers in connection with the processing of all of such information. Our Subscribers generally permit us to process such data in connection with the provision of services to them and otherwise on the terms set out in this Privacy Policy.

The legal basis for this processing is based on:

your consent through your voluntary submission of the form and agreeing to these terms;
the Personal Data being necessary for the performance of a contract to which you are a party including the payment of goods or services; and/or
any other legitimate interests as detailed below.

This Personal Data is needed to enable us to provide the Services to you in a functional manner.

Use of Your Personal Data

In general, Personal Data you submit to us is used either to respond to requests that you make, or to aid us in providing the Services in a personalised, safe and efficient manner. We collect, use, store and share your Personal Data in the following ways:

to conduct our business;
to facilitate the Services and to enable the features of the Services to be utilised and enjoyed, subject always to our other Terms and Conditions;
to operate the Services and provide services or information to you including to:
- allow your account to be set up;
- assist in streaming and personalising information for you;
- enable us to process your orders for the Services;
- create statistical reports and data available to our Subscribers;
- enable us to process your personal data;
- manage our relationship with you, including information about similar products or terms and conditions or send you an email reminder that a task you have performed on our Services remains uncompleted such an incomplete form;
- enable you to communicate with us regarding your use of the Services;
- confirm your identity;
- notify you about activity on and updated to your account;
- provide information about you to our contractors, employees, consultants, agents or other third parties for the purpose of providing the services to you;
- communicate with you about your account, or any transaction;
- allow you to input data into the Services;
- allow your use to be restricted and limited as required;
administer contracts including to negotiate, execute and or manage a contract with you;
on an aggregated non-identifiable basis, to:
- help Shift8 understand its market position;
- assist with marketing our Services to others, including in respect of any online advertising; and
- deliver a statistical result to help with general Shift8 announcements;
for any marketing purposes;
to facilitate the creation of and security of your account;
identify you as a user in our system;
research, develop and improve our Services;
customise content to match your preferences;
prevent suspended users from re-registering;
send you a welcome e-mail to verify ownership of the e-mail address provided when your account was created (or other registration process in place);
provide you with access to protected areas of the site and to authenticate your account;
send you administrative e-mail notifications, such as security or support and maintenance advisories;
respond to your inquiries and requests;
to make telephone calls to you, from time to time, as a part of secondary fraud protection or to solicit your feedback;
to send newsletters, surveys, offers, and other promotional materials related to our Services and for other marketing purposes of Shift8;
detect, investigate and prevent potentially unlawful acts or omissions or acts or omissions with the potential to breach our Terms and Conditions, this Privacy Policy or any other policy;
enforce our Terms and Conditions, this Privacy Policy or any other policy;
verify information for accuracy or completeness (including by way of verification with third parties);
comply with our legal obligations, a request by a governmental agency or regulatory authority or legally binding court order;
combine or aggregate your Personal Data with information we collect from third parties and use it for the purposes set out this Privacy Policy;
aggregate and/or make anonymous your Personal Data, so that it cannot be used, whether in combination with other information or otherwise, to identify you;
resolve disputes and to identify, test and resolve problems;
notify you about the Services and updates to the Services from time to time;
supply you with generalised, targeted or personalised marketing, advertising and promotional notices, offers and communications, and measure and improve our marketing, advertising and promotions based on your ad customisation preferences; or
protect a person’s rights, property or safety.

If you access the Services from a shared device or a device of a third party (such as in an internet café), your Personal Data may also be available to other persons who access that device.

CREATION OF ANONYMOUS DATA

We may create Anonymous Data records from Personal Data by excluding information (such as your name) that make the data personally identifiable to you. We use this Anonymous Data to analyse request and usage patterns so that we may enhance the content of the Services and improve Services navigation. Shift8 reserves the right to use Anonymous Data for any purpose and disclose Anonymous Data to third parties in its sole discretion.

USE OF your INFormation as A DATA PROCESSOR

As a data processer Shift8 follows the instructions of use provided by its Subscribers in connection with the processing of all of such information. If you have information regarding such use you should contact the Data Controller of such information.

Disclosure of Your Personal Data

We may disclose your Personal Data to third parties for the purposes contained in this Privacy Policy, including without limitation to:

Service Providers

We may share your Personal Data with service providers and licensors of software services utilised by us in the provision of the Services to:

develop and improve our Services;
provide you with the Services;
to conduct quality assurance testing;
to facilitate creation of accounts;
to provide technical support;
and/or to provide other services to Shift8.

The service providers (and if necessary data processors) include:

information technology service providers such as web host providers and analytical providers;
accounting and financial service providers;
mailing houses;
content delivery services;
organisations who carry out credit, fraud and other security checks;
payment processors;
hosting services;
IT support providers;
email/marketing businesses engaged by us to disseminate materials to which recipients have consented; and
specialist consultants.

We limit the information we provide to third parties to the information they need to help us provide or facilitate the provision of goods and services and associated purposes. We deal with third parties that are required to meet the privacy standards required by law in handling your Personal Data, and use your Personal Data only for the purposes that we give it to them.

Affiliates and Acquisitions

We may share some or all of your Personal Data with our parent company, subsidiaries, joint ventures, or other companies under a common control (“Affiliates”), in which case we will require our Affiliates to honour this Privacy Policy. In the event we are involved in a merger, acquisition or sale of assets we may disclose Personal Data collected by us to such entities that we propose to merge with or be acquired by, and will assume the rights and obligations regarding your Personal Data as described in this Privacy Policy.

Subscribers (account holders)

We may also share some or all of your Personal Data with the relevant Subscriber to which you had used services with.

Subscribers must make sure they have the appropriate permission for us to disclose any content (which may contain Personal Data) in the manner directed through the Services.

Third parties with your consent

We may disclose your Personal Data to third parties to whom you expressly ask to us to send the Personal Data to or to third parties you consent to us sending your Personal Data to.

Any information that you share or otherwise disclose to the Services, will be available to the relevant Subscriber (and other Authorised Users depending on the privacy settings of the Subscriber). For example, if you input data into the Services, the relevant Subscriber may be able to see that you added such data.

We may also, with your consent or at your direction, disclose your Personal Data to your authorised representatives.

Other disclosures

Regardless of any choices you make regarding your Personal Data (as described below),Shift8 may disclose Personal Data if it believes in good faith that such disclosure is necessary: (a) in connection with any legal investigation; (b) to comply with relevant laws, regulations, enforceable governmental requests or to respond to subpoenas or warrants served on Shift8; (c) to protect or defend the rights or property of Shift8 or users of the Services; (d) to investigate or assist in preventing any violation or potential violation of the law, this Privacy Policy, or Terms and Conditions; (e) to protect the safety of any person or to protect the safety or integrity of our platform including for security reasons; and (f) detect, prevent or otherwise address fraud, security or technical issues.

We may share your Personal Data with such third parties subject to obligations consistent with this Privacy Policy and any other appropriate confidentiality and security measures, and on the condition that the third parties use your Personal Data only on our behalf and pursuant to our instructions.

We will take reasonable steps to ensure that anyone to whom we disclose your Personal Data respects the confidentiality of the information and abides by the APPs the GDPR or equivalent privacy laws.

We will never sell or rent your Personal Data or otherwise set up ways to sell this Personal Data.

DISclosure OF your INFormation as A DATA PROCESSOR

Where we act as a data processor the relevant Subscriber may also provide us with instructions with regards to disclosure.

If we can’t collect your data

If you do not provide us with the Personal Data described above, some or all of the following may happen:

we may not be able to provide the Services to you, either to the same standard or at all;
we may not be able to run the competitions and promotions in a way that benefits you;
we may not be able to provide you with information about products and services that you may want; or
we may be unable to tailor the content of the Services to your preferences and your experience of the Services may not be as enjoyable or useful.

Cancelling your account

Users may delete their account following the prompts in the application or the website.

If your account terminates (for whatever reason), the Personal Data associated with it may no longer be accessible to you. There may continue to be residual copies of such content due to ongoing data back-up and archiving.

If a Subscriber account is deleted, then the data will be removed in accordance with our existing policies.

Cookies Policy

Please see our Cookies Policy published [here].

Third Party Sites

When you click on a link to any other website or location, you will leave the Services and go to another site and another entity may collect Personal Data or Anonymous Data from you. We have no control over, do not review, and cannot be responsible for, these outside websites or their content and we are not responsible for the privacy practices of those third parties. Please be aware that the terms of this Privacy Policy do not apply to these outside websites or content, or to any collection of data after you click on links to such outside websites. The privacy policies and other terms that apply to those outside websites or their content may differ substantially from our Privacy Policy, so we encourage individuals to read them before using those outside websites.

Managing Your Personal Data

Subject to the Privacy Act and the GDPR you may request to access the Personal Data we hold about you by contacting us. All requests for access will be processed within a reasonable time.

Accessing or Rectifying your Personal Data

If required by law and if reasonably practicable, we may provide you with tools and account settings to access, correct, delete, or modify the Personal Data you provided to us. You can download and access certain information you provide to us by emailing us. In the event that you are unable to access your account to access or rectify your Personal Data, you may submit a request to us to correct, delete or modify your Personal Data and download the data for you.

Sometimes, we may not be able to provide you with access to all of your Personal Data and, where this is the case, we will tell you why. We reserve the right to charge a reasonable fee for searching for, and providing access to, your information on a per-request basis. We may also need to verify your identity when you request your Personal Data.

Deletion

We keep data for as long as it is needed for our operations. If you deactivate and delete your account your data will no longer be visible on your account.

If you wish to have us delete your data please contact us.

Object, Restrict, or Withdraw Consent

If you have an account on the website you will be able to view and manage your privacy settings. Alternatively, if you do not have an account, you may manually submit a request to us if you object to any Personal Data being stored, or if you wish to restrict or withdraw any consent given for the collection of your Personal Data.

You may withdraw your consent to the processing of all your Personal Data at any time. If you wish to exercise this right you may do so by contacting us.

You may withdraw your consent or manage your opt-ins by either viewing your account on the Services or clicking the unsubscribe link at the bottom of any marketing materials we send you.

Portability

We may provide you with the means to download the information you have shared through our services. If you require such information, please email us.

We may retain your information for fraud prevention or similar purposes. In certain instances we may not be required or able to provide you with access to your Personal Data. If this occurs we will give you reasons for our decision not to provide you with such access to your Personal Data in accordance with the Privacy Act and the GDPR.

There is no application fee for making a request to access your Personal Data. However, we may charge an administrative fee for the provision of information in certain circumstances such as if you make repeated requests for information or where the information is held by a third party provider.

Storage & Security of Your Personal Data

The Shift8 Services are hosted through Microsoft Azure.

Shift8 is committed to protecting the security of your Personal Data. We take all reasonable steps to protect Personal Data, including through internal and external security, restricting access to Personal Data to those who have a need to know, maintaining technological products to prevent unauthorised computer access and regularly reviewing our technology to maintain security. We choose technology partners based on their security and privacy policies and practices.

Personal Data stored in our system is protected by electronic and procedural safeguards. We take reasonable precautions to protect Personal Data (and other content) from accidental loss and theft by storing it in secure data centres with off-site backups. Communication between account holders and our servers is encrypted via industry-standard secure sockets layer (SSL).

The Services are protected by a secure and encrypted password that each account holder must choose themselves (or as given by an administrator). Account holders should never share their passwords. Shift8 is not responsible for any loss of data or breach of privacy if an account holder shares their password with someone else. We do not store your password on our servers.

Please do not disclose your account password to unauthorised people. No method of transmission over the Internet, or method of electronic storage, is 100% secure, therefore, while Shift8 uses reasonable efforts to protect your Personal Data, Shift8 cannot guarantee its absolute security.

International Transfer and Disclosure of Personal Data

Where we transfer Personal Data outside of the European Union or EFTA States, we ensure an adequate level of protection for the rights of data subjects based on the adequacy of the receiving country’s data protection laws.

We may disclose Personal Data to our related bodies corporate and third party suppliers and service providers located overseas for some of the purposes listed above. We take reasonable steps to ensure that the overseas recipients of your Personal Data do not breach the privacy obligations relating to your Personal Data.

Third parties located overseas are not permitted to (and are contractually obligated to not) access or use the Personal Data provided except for those limited purposes. We only choose reputable service providers and have agreements with such third parties that prevent them from using or disclosing to others the Personal Data we share with them, other than as is necessary to assist us. We may disclose your Personal Data to entities who may store or process your data overseas.

Notifiable Data Breaches

We take data breaches very seriously. Depending on where you reside our policy is:

If you reside in Australia:

In the event that there is a data breach and we are required to comply with the notification of eligible data breaches provisions in Part IIIC of the Privacy Act 1988 (Cth) or any other subsequent sections or legislation which supersede this Part IIIC, we will take all reasonable steps to contain the suspected or known breach where possible and follow our notifiable data breach policies.

If you reside in the European Union of EFTA States:

We will endeavour to meet the 72 hour deadline as imposed by the GDPR, to report any data breach to the supervisory authority where a data breach occurs that will likely be a risk to you.

Further, where there is likely to be a high risk to your rights we will endeavour to contact you without undue delay.

We will review every incident and take action to prevent future breaches.

Automated individual decision-making, including profiling

If you reside in the European Union or EFTA States, you shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you, as long as the decision is not necessary for entering into, or the performance of, a contract between us, or is not authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or is not based on your explicit consent. If you wish to exercise your rights please contact us.

Retention of Data

We keep Personal Data from active accounts as long as it is reasonably needed for our operations and to fulfill the purposes set out herein.

We take steps to regularly destroy Personal Data, however we may:

in some cases, retain a copy of your Personal Data to comply with our legal obligations, resolve disputes, enforce our agreements and to comply with our trust and safety obligations. Personal Data retained for these purposes will be archived and stored in a secure manner after your account has been closed, and will not be accessed unless required for any of these reasons; and
retain Personal Data in an aggregated, de-identified or otherwise anonymous form, such that there is no reliable way of identifying you from the information.

Your California privacy rights

As a California resident, you have the rights listed below. However, these rights are not absolute, and we may decline your request as permitted by the CCPA.

Information

You can request the following information about how we have collected and used your Personal Information during the past 12 months:

o The categories of Personal Information that we have collected.

o The categories of sources from which we collected Personal Information.

o The business or commercial purpose for collecting and/or selling Personal Information.

o The categories of third parties with whom we share Personal Information.

o Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of recipient.

o Whether we’ve sold your Personal Information; and, if so, the categories of Personal Information received by each category of recipient.

Access – You can request a copy of the Personal Information that we maintain about you.

Deletion – You can ask us to delete the Personal Information that we maintain about you.

Nondiscrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as by denying you goods or services, increasing the price/rate of goods or services, decreasing the service quality, or suggesting that we may penalize you as described above for exercising your rights. However, the CCPA allows us to charge you a different price or provide a different service quality if that difference is reasonably related to the value of the Personal Information we are unable to use.

How to exercise your rights

You may exercise your California privacy rights as follows:

Right to information, access and deletion

You can request to exercise your information, access and deletion rights in the following ways:

Call 1-300-744-388

Identity verification. The CCPA requires us to verify the identity of the individual submitting the request before providing a substantive response to the request. A request must be provided with sufficient detail to allow us to understand, evaluate and respond. The requester must provide sufficient information to allow us to reasonably verify that the individual is the person about whom we collected information. A request may also be made on behalf of your child under 13.

•Authorized agents. California residents can empower an “authorized agent” to submit requests on their behalf. We may require the authorized agent to have a written authorization confirming that authority.

Sale of personal information. We do not sell, as defined under CCPA, your Personal Information to third parties. In the preceding twelve (12) months, we have not sold any personal information.

Personal information that we collect, use and share

The chart below summarizes our collection, use and sharing of Personal Information during the last 12 months before the effective date of this Privacy Policy. We describe the sources through which we collect your Personal Information in section above titled The Personal Data We Collect, and describe the purposes for which we collect, use, sell and share this information in section above titled How We Use Your Personal Data and The Parties With Whom We Share Your Personal Data.

Category (see the glossary below for definitions)

Category (see the glossary below for definitions)	Do we collect this information?	information for business purposes?
Identifiers	No	No
Online Identifiers	No	No
Protected Classification Characteristics	No	No
Commercial Information	No	No
Biometric Information	No	No
Internet or Network Information	No	No
Geolocation Data	No	No
Sensory Information	No	No
Professional or Employment Information	No	No
Education Information	No	No
Inferences	No	No
Financial Information	No	No

Medical Information No No

Glossary

Category	Definition
Categories of Personal Information	Date Elements within the Category
Biometric Information	An individual’s physiological, biological or behavioral characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish an individual’s identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a face print, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
Transaction History	Products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Financial Information	Bank account number, debit or credit card numbers, insurance policy number, and other financial information.
Geolocation Data	Precise location, e.g., derived from GPS coordinates or telemetry data.
Identifiers	Real name, alias, postal address, unique personal identifier, customer number, email address, account name other similar identifiers.
Governmentissued ID	Social security number, driver’s license, passport, or other government-issued ID, including an ID number or image.
Medical Information	Personal information about an individual’s health or healthcare, including health insurance information.
Internet or Network Information	Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.

Category	Definition
Online Identifiers	An online identifier or other persistent identifier that can be used to recognize a person, family or device, over time and across different services, including but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers (i.e., the identification of a person or a device to a degree of certainty of more probable than not) that can be used to identify a particular person or device.
Physical Description	An individual’s physical characteristics or description (e.g., hair color, eye color, height, weight).
Professional or Employment Information	Information relating to a person’s current, past or prospective employment or professional experience (e.g., job history, performance evaluations), and educational background.
Protected Classification Characteristics	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
Sensory Information	Audio, electronic, visual, thermal, olfactory, or similar information.

Contact Information

Shift8 welcomes your comments or questions regarding this Privacy Policy.

If you have a question regarding this Privacy Policy or you would like to make a complaint, please contact us by email by using our contact details on the Services or below.

If you reside in Australia:

You can confidentially contact our Privacy Officer at:

The Privacy Officer

Shift8

Contact: Please use the forum and email based support available on the website.

If we do not resolve your enquiry, concern or complaint to your satisfaction or you require further information in relation to any privacy matters, please contact the Office of the Australian Information Commission at:

Telephone: 1300 363 992

Email: enquiries@oaic.gov.au

Office Address: Level 3, 175 Pitt Street, Sydney NSW 2000

Postal Address: GPO Box 5218, Sydney NSW 2001

Site: www.oaic.gov.au

If you reside in the European Union or EFTA States:

The data controller that is responsible for your Personal Data is:

Shift8

Email: Please use the forum and email based support available on the website

You can confidentially contact our Data Protection Officer on the same details as noticed for our Privacy Officer above.

If you wish to raise a concern about our use of your information you have the right to do so with your local supervisory authority. Please see https://edpb.europa.eu/about-edpb/board/members_en for a list of local supervisory authorities.

Changes to This Privacy Policy

This Privacy Policy is subject to occasional revision and Shift8 reserves the right, at its sole discretion, to modify or replace any part of this Privacy Policy. It is your responsibility to check this Privacy Policy periodically for changes. Continued use of the Services shall indicate your acknowledgement of that it is your responsibility to review the Privacy Policy periodically and become aware of any modifications.