Catalyst Technologies Pty Ltd (ACN 622 816 559) of 383 George Street, NSW 2000 (“we”, “us” or “our”) and our operation of the website at iluminr.co (“Website”) is committed to respecting your privacy.
1. Openness and transparency
We are committed to protecting your privacy and upholding your rights under the Australian Privacy Principles (“APPs”) contained in the Privacy Act 1988 (Cth), the Data Protection Act 2018 (the “DPA”) and the General Data Protection Regulation (EU 2016/679) (the “GDPR”) (collectively, “Privacy Laws”). We are a data controller for the purposes of the GDPR. We ensure that we will take all necessary and reasonable steps to comply with the relevant Privacy Laws and to deal with enquiries or complaints from individuals about compliance with the relevant Privacy Laws.
2. Your Information
We will collect Personal Information only by lawful and fair means and not in an unreasonably intrusive way. Generally, we will collect Personal Information directly from you, and only to the extent necessary to provide our services requested by you and to carry out our administrative functions or as required by a relevant Privacy Law.
We may also collect Personal Information from you when you fill in an application form, communicate with us, visit our Website, access a Platform, provide us with feedback or complete online surveys. We may collect Personal Information about you that you have provided to our business partners or from third parties and in respect of which you have given the third-party permission to share with us.
If you use a pseudonym when dealing with us or you do not provide identifiable information to us, we may not be able to provide you with any or all of our services as requested. If you wish to remain anonymous when you use our Website, do not sign into it or provide any information that might identify you.
We require individuals to provide accurate, up to date and complete Personal Information at the time it is collected.
3. Information we may collect about you
Personal information is any information relating to an identified or identifiable natural person (“Personal Information”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Stripe is an online payment system that is used to process payments on the Website. Personal Information will be collected from you for the purpose of processing such payments.
4. What is our legal basis?
Under the GDPR, we must have a legal basis to process Personal Information collected from individuals residing in the European Union. We rely on several legal bases to process your Personal Information, including:
5. How your information is used
We use, process and disclose your Personal Information for the purposes for which the information is collected, or for a directly related purpose, including (but not limited to):
6. Disclosure of Personal Information
We may disclose your Personal Information to:
Where we provide your information to third parties, we will ensure that these third parties are only allowed to use your Personal Information to provide the relevant services to you or us. It is in our legitimate interests as a business to work with third parties since we may not have the capabilities to do so ourselves.
7. Direct marketing
We may use and process your Personal Information to send you information about products and services we believe are suited to you and your interests or we may invite you to attend special events.
At any time, you may opt-out of receiving direct marketing communications from us. Unless you opt-out, your consent to receive direct marketing communications from us and to the handling of your Personal Information as detailed above will continue.
You can opt-out by following the unsubscribe instructions included in the relevant marketing communication, or by contacting us in writing at firstname.lastname@example.org.
Cookies are small files that can be stored on and accessed from a user’s device when the user accesses a website. They enable authorised web servers to recognise you across different websites, services, devices and browsing sessions.
The data collected through Cookies will not be kept for longer than is necessary to fulfil the purposes mentioned above. We will handle any Personal Information collected by Cookies in the same way that we handle all other Personal Information.
You can delete and refuse to accept browser Cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of the Website or Platforms.
9. iluminr Website
When transmitting Personal Information from your computer to our Website or Platform, you must keep in mind that the transmission of information over the internet is not always completely secure or error-free. Other than liability that cannot lawfully be excluded, we will not be liable in any way in relation to any breach of security or any unintended loss or disclosure of that information.
10. Data Storage
We may hold your Personal Information in either electronic or hard copy. We take reasonable steps to protect your Personal Information from misuse, interference and loss, as well as unauthorised access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your Personal Information. For example we use security software including AWS Shield and AWS Web Application Firewall to protect your Personal Information. Your Personal Information is stored in the Platform and in Data Base servers which are SSL encrypted (128-bit SSL encryption), and may be stored outside of the European Economic Area (“EEA”), Australia and the United States.
Our technical team regularly analyses server logs, and blocks any potentially malicious IP’s at the firewall. Penetration testing is conducted by an external party at least every 12 months on both the Platform and the Data Base servers. Penetration tests conducted look for XSS, CSRF, SQL injection, and other vulnerabilities that an attacker may exploit. Server vulnerability audits are regularly performed.
However, we cannot guarantee the security of any Personal Information transmitted over the internet and therefore you disclose information and Personal Information to us at your own risk. We will not be liable for any unauthorized access, modification or disclosure, or misuse of your Personal Information.
11. Third-party Recipients
We may disclose your Personal Information to third-party recipients such as our payment processing providers Stripe and Chargebee and other third parties located outside of the EEA and Australia in order to provide our services to you.
12. Third Party Sites
13. Access to information
Under the GDPR, an individual residing in the European Union has enhanced privacy rights, including the right to:
Subject to some exceptions provided by the relevant Privacy Laws, you may request access to your Personal Information in our customer account database, or seek correction of it, by contacting us. See Section 14: Contact Information. Should we decline you access to your Personal Information, we will provide a written explanation setting out our reasons for doing so. We may charge a reasonable fee that is not excessive to cover the charges of retrieving your Personal Information from our customer account database. We will not charge you for making the request.
If you believe that we hold Personal Information about you that is not accurate, complete or up-to-date then you may request that your Personal Information be amended. We will respond to your request to correct your Personal Information within a reasonable timeframe and you will not be charged a fee for correcting your Personal Information.
14. Contact information
If we receive a formal written complaint about our privacy practises, we will contact the complainant regarding their concerns and attempt to resolve the complaint as soon as possible.
If you are dissatisfied with the outcome of our handling of your complaint, you can lodge a privacy complaint with the Office of the Australian Information Commissioner (“OIAC”) or the European Data Protection Supervisor (“EDPS”). For further information about the EDPS or OAIC’s privacy complaint handling process, please see: http://www.oaic.gov.au/privacy/making-a-privacy-complaint or https://edps.europa.eu/node/75_en.
15. Notices and Revisions
We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personally identifiable information that cannot be resolved between us and the individual.
Dated: 28 June 2022