Where the processing of your personal information is not subject to the Privacy Act or GDPR, different rules may apply under your applicable law.
Who is responsible for your personal information?
We, Willow Technology Corporation Limited of Level 21, Governor Philip Tower, 1 Farrer Place, Sydney NSW 2000 and Willow Technology Operations Pty Limited of Level 21, Governor Philip Tower, 1 Farrer Place, Sydney NSW 2000, or one of our affiliates, including Willow Digital Pty Ltd ABN 16 606 612 088, (Willow) which is identified in our communication with you will be the responsible controller for any personal information you provide to us in connection with our business relationship.
Which categories of personal information do we collect and process?
- We may collect and process the following categories of personal information depending on the nature of our business relationship with you or your organization: Private or work contact information, such as full name, address, telephone number, mobile phone number, fax number, gender, sex, location, images, driver’s licence and email address, mobile device unique identifier and the IP address of your computer or other online identifiers if you use our services online;
- Payment related information, such as information necessary for processing payments and fraud prevention; further business information necessarily processed in a business or other contractual relationship with Willow or voluntarily provided by you, such as feedback and any other information you may provide to us. We do not directly collect your credit card or other payment details necessary to process your payment for any goods and services you purchase through any app provided by us. Your credit card and other payment processors in accordance with their privacy policies and terms and conditions.
- Information about your interests and preferences and other information obtained by cookies or website analytics tools, in particular your activities when you use our websites or products or other services we offer to you online (such as downloadable content). This may include information about which content you download, click or view for how often and how long;
- Information from publicly available resources, integrity data bases and credit agencies;
- Information we are legally required to collect to comply with our legal or regulatory obligations, which may include information about relevant and significant litigation or other legal proceedings against you or a third party related to you and interaction with you which may be relevant for antitrust purposes; and
- Sensitive information. In certain circumstances, where required by law or where you have permitted us to do so, we may collect special categories of your personal information which are specifically protected under data protection law. In connection with the registration for and provision of access to an event or seminar, we may ask for information about your health for the purpose of identifying and being considerate of any disabilities or special dietary requirements you may have. Any use of such information is based on your consent. If you do not provide any such information about disabilities or special dietary requirements, we will not be able to take any respective precautions.
For which purposes do we process, collect, hold, use and disclose your personal information?
Depending on the nature of our business relation, we may process collect, hold, use and disclose your personal information for the following purposes (“Permitted Purposes“):
- Planning, entering into, performing, managing and administering the services we provide to prospective and current customers e.g. by maintaining our information technology systems, customer service and data storage;
- Maintaining and protecting the security of our products and services and of our IT systems, databases, websites or other digital infrastructure, preventing and detecting security threats, fraud or other criminal or malicious activities;
- Ensuring compliance with legal obligations and regulatory obligations. This may include sales and business record keeping obligations for tax or other purposes and sending required notices or other disclosures, compliance screening or recording obligations (e.g. under anti-money laundering (AML), know your customer (KYC), antitrust laws, export control laws, trade sanction and embargo laws or to prevent white-collar crimes). In this context we may be required to conduct automated checks of your contact data or other information about your identity against applicable anti-money laundering or sanctioned-party lists and to contact you to confirm your identity in case of a potential match, to record interaction with you which may be relevant for antitrust purposes and to report to or support investigations by competent supervisory, law enforcement or other public authorities;
- Informing you, where permitted by applicable law about Willow’s products or services which are similar to products and services purchased or used by our within that or otherwise related to our business relationship with you or your organisation; or
- Solving disputes, enforcing our contractual agreements and to establish, exercise or defend legal claims.
Where you have expressly given us your consent or where otherwise legally permitted, we may also process your personal information for the following purposes:
- Communicating with you through the channels you have approved to keep you up to date on the latest announcements, special offers and other information about Willow’s products, technologies and services (including marketing-related newsletters) as well as events and projects of Willow;
- Administrating and performing customer surveys, marketing campaigns, market analysis, sweepstakes, contests or other promotional activities or events; or
- Profiling and automated processing: Collecting information about your preferences on the basis of your activities when you use our websites and any products or services we offer to you online (such as downloadable content). On the basis of this information (e.g. which content is downloaded, clicked or viewed for how often and how long), we create a user profile to personalise and foster the quality of our communication and interaction with you (for example, by way of newsletter tracking or website analytics). The logic behind our profiling activities is to identify areas which may be useful or otherwise of interest for you and to inform you about such areas in a more effective and targeted way. The algorithms used apply this logic and automatically deliver the targeted content or information to you.
Please note: Under the European General Data Protection Regulation (Article 21 (2)) you have the right to object to the use of your personal information for direct marketing purposes, including the profiling described above. Please refer to “Your data protection rights” below for further explanation of your rights and how to exercise them.
Where your explicit permission is required for any marketing-related communication, we will only provide you with such information if you have opted in. You may opt out at any time if you do not want to receive any further marketing-related types of communication from us. We will not use your personal information for taking any automated decisions affecting you or creating profiles other than described above.
On which basis do we process your information?
We will process your personal information for the above Permitted Purposes only:
- where it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into such a contract;
- where it is necessary to process any order you make for third party products and services;
- where it is necessary for our or a third party’s legitimate interests, always provided that such interests are not overridden by your interests or fundamental rights and freedoms. Our “legitimate interests” may include our commercial interests in operating our business in a professional, sustainable manner, in accordance with all relevant legal and regulatory requirements;
- for our compliance with our legal obligations;
- where it is necessary to protect your or another person’s vital interests;
- where we have obtained your specific or, where necessary, explicit consent to do so. We will in each case inform you about the processing of your data and your related rights prior to obtaining your consent.
The legal bases for processing of your personal information are set forth in Article 6 GDPR.
How do we collect your personal information?
We will typically collect your personal information directly from you when you interact with us, e.g. when you visit our website, social media pages, communicate with us in relation to our products and services, request a product or service, register to our services, receive our newsletter or other specific marketing material or participate in our customer surveys. Where you have expressly given your consent, we may also obtain your personal information from third parties (including our contractors who supply services to us, our partner institutions or from a publicly maintained record) for communication and marketing purposes. In such cases, you will be informed about this in accordance with applicable law. Otherwise, we do not obtain personal information from third parties.
How do we hold and protect your personal information?
We may hold personal information electronically, or in paper files. We will maintain physical, electronic and procedural safeguards in accordance with the technical state of the art and legal data protection requirements to protect personal information against misuse, intrusion, interference, loss and unauthorised access, modification or disclosure. These safeguards include implementing specific technologies and procedures designed to protect your privacy, such as secure servers, firewalls and SSL encryption and depending on the information and the circumstances, this protection may in particular include:
- the use of confidential passwords for purposes of accessing such information on Willow’s internal systems;
- storing hard copies of documents containing personal or sensitive information in secure files created for this purpose;
- imposing confidentiality requirements on our employees;
- conducting reasonable due diligence on any third party service provider’s security measures, and compliance with privacy laws, especially if they are located offshore; and
- maintaining physical access controls over our premises.
Where Willow holds personal information that it no longer requires, Willow will take reasonable steps to destroy or de-identify such information, subject to any law or court order requiring retention.
Where do we process personal information?
Willow is a globally active enterprise. In the course of our business activities (including because we may use a cloud-based service to store and process personal information), we may transfer your personal information to entities located outside Australia, or where the GDPR applies, outside the European Economic Area including to the USA, Canada, Singapore, China, Hong Kong, Israel, Philippines and the United Kingdom (provided that the United Kingdom will cease from the EU) (third countries), in which applicable laws do not offer the same level of data protection as the laws of your home country. When doing so, we will comply with applicable data protection requirements and take appropriate safeguards to ensure the security and integrity of your personal information, in particular where the GDPR applies by entering into the EU Standard Contractual Clauses which are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. You may contact us anytime using the contact details below if you would like further information on such safeguards.
With whom do we share your personal information?
We may share your personal information as follows:
- We may also instruct service providers (so called data processors) within or outside of Willow, domestically or abroad, e.g. shared service centres or cloud providers, to process personal information for the Permitted Purposes on our behalf and in accordance with our instructions only. Willow will retain control over and will remain fully responsible for your personal information and will use appropriate safeguards as required by applicable law to ensure the integrity and security of your personal information when engaging such service providers.
- With courts, regulators, law enforcement or other competent authorities or attorneys if legally permitted and necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
- We may disclose your Personal Information to customer groups.
- We may also share your Personal Information with third parties if we sell or buy any business or assets, in which case we may disclose personal information to the prospective seller or buyer of such business or assets, along with its professional advisers. If Willow or substantially all of its assets are acquired by a third party, personal information held by us about customers and other contacts will be one of the transferred assets.
Otherwise, we will only disclose your personal information when you direct or give us permission, when we are required by applicable law or regulations or judicial or official request to do so, or when we suspect fraudulent or criminal activities.
How long do we store personal information?
We will hold your personal information as long as required to provide you with the products or services or information you have requested and to execute and administer your business relationship with us. If you have asked us not to communicate with you, we will hold this information as long as required to comply with your request. We are also required to keep certain of your personal information (e.g. relating to business or tax relevant transactions) for certain retention periods under applicable law. Your personal information will be promptly deleted when it is no longer required for these purposes.
To obtain access or seek correction of your personal information that we hold, please contact us using the contact details below.
Where we process your personal information under the GDPR, subject to certain legal conditions, you may request access to, rectification, erasure or restriction of processing of your personal information. You may also object to processing or request data portability. In particular you have the right to request a copy of the personal information that we hold about you. If you make this request repeatedly, we may make an adequate charge for this. Please refer to Articles 15-22 of the GDPR for details on your data protection rights.
If you have given us your consent for the processing of your personal information, you may withdraw your consent at any time with future effect, i.e. the withdrawal of the consent does not affect the lawfulness of processing based on the consent before its withdrawal. If you withdraw your consent, we will only continue processing your personal information where there is another legal ground or where we are legally required to do so.
For any of the above requests, please send a description of your personal information concerned and appropriate proof of identity (e.g. your name or customer number) as proof of identity to the contact details below. We may require additional proof of identity to protect your personal information against unauthorized access. We will carefully consider your request and may discuss with you how it can best be fulfilled.
If you have any concerns about how your personal information is handled by us or wish to raise a complaint on how we have handled your personal information, you can contact us at the contact details below to have the matter investigated. Where a complaint is received, the Privacy Officer will consider the complaint, and within a reasonable time, will decide whether the complaint warrants further investigation. The complainant will be advised by Willow of the outcome of its investigations within a reasonable time.
If you are not satisfied with our response or believe we are processing your personal information not in accordance with the law you may refer the matter to the Office of the Federal Privacy Commissioner at Website: http://www.oaic.gov.au Phone: 1300 363 992, or if your personal information is being processed within the scope of the GDPR, you can complain to the competent data protection supervisory authority in your country. For example, if you are from the UK, you may contact the Information Commissioners Office via their website (www.ico.gov.uk).
Are you required to provide personal information?
As a general principle, you will provide us with your personal information entirely voluntary; there are generally no detrimental effects on you if you choose not to consent or to provide personal information. However, there are circumstances in which Willow cannot take action without certain of your personal information, for example because this personal information is required to register your attendance at an event, provide you with a response to a communication or query, or to provide you with access to a web offering or newsletter or to carry out a legally required compliance screening. In some instances, we may be unable to provide you access to the services. In these cases, it will unfortunately not be possible for Willow to provide you with what you request without the relevant personal information.
Information collected by cookies and other technologies
Willow may gather information by cookies or other web-tracking or analytics technologies. A cookie is a small text file that is stored on your device for record-keeping purposes. You can remove cookies by following directions provided in your Internet browser’s “help” file or clearing out your browser’s cache. You may also decline our cookies if your browser permits, but doing so may interfere with your use of our website or the provision of our services.
How to get in touch with us
Cyber Security at Willow
Vulnerability Disclosure Policy
InSite Application Privacy Collection Statement