1. PURPOSE OF OUR POLICY
(a) The Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy Act 1988 (Cth) (Privacy Act); and
(b) The regulations and principles set by the European Union’s General Data Protection Regulation 2016/679 (GDPR).
2. WHO AND WHAT THIS POLICY APPLIES TO
2.2 We handle Personal Information as a controller in our own right and also as a processor for and on behalf of our customers and other users.
2.5 If, at any time, an individual provides Personal Information or other information about someone other than himself or herself, the individual warrants that they have that person’s consent to provide such information for the purpose specified.
2.6 We consider the protection of privacy of children very important and we have special processes in place for the collection of Personal Information from or about children. These are set out at point 7 below.
3 THE INFORMATION WE COLLECT
3.1 In the course of providing our services and running our business we collect Personal Information. Without limitation, the type of information we may collect is:
(a) Account Information. We may collect personal details such as an individual’s name, geo-location, third-party usernames and contact information when setting up an account for our services;
(b) Contact Information. We may collect information such as an individual’s email address, telephone, residential, business and postal address and other information that allows us to contact the individual;
(c) Financial Information. We may collect financial information related to an individual such as any bank or credit card details used to transact with us and other information that allows us to transact with the individual and/or provide our services;
(d) Sensitive Information. We may collect sensitive information which has a higher level of protection under the Privacy Act and GDPR. For example, we may collect images in stored videos which make an individual’s ethnicity or religion reasonably identifiable;
(e) Statistical Information. We may collect information about an individual’s access and use of our services, including through the use of Internet cookies, their communications with our online services, the type of browser they are using, the type of operating system they are using and the domain name of their Internet service provider, their browser session, geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour for statistical purposes.
(f) Information sent to us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities, or any other Personal Information we request or receive; and
(g) Information from third parties. We may collect Personal Information from third parties, such as where a customer provides us with Personal Information about their users or where we need to access a customer’s content for support purposes and this contains Personal Information about others (for example, images of others).
3.3 We may also collect non-Personal Information about an individual, meaning information which does not make any individual reasonably identifiable, such as information regarding their computer, network and browser. Where non-Personal Information is collected the Australian Privacy Principles and the GDPR do not apply.
4 HOW INFORMATION IS COLLECTED
4.1 Most information will be collected in association with an individual’s use of our service, an enquiry about our service or generally dealing with us. However we may also receive Personal Information from sources such as advertising, an individual’s own promotions, mailing lists, contractors, staff, recruitment agencies and our business partners. In particular, information is likely to be collected as follows:
(a) Registrations/Subscriptions. When an individual registers or subscribes for a service, account, connection or other process whereby they enter Personal Information details in order to receive or access something, including a transaction;
(b) Supply. When an individual supplies us with goods or services;
(c) Contact. When an individual contacts us in any way;
(d) Access. When an individual accesses our premises physically we may require them to provide us with details for us to permit them such access. When an individual accesses our services through the internet we may collect information such as login details, and using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services. When an individual accesses our services they may opt to share Personal Information with us or opt out of sharing Personal Information with us. Videos on the services will be stored through our third party cloud storage facility and the individual may opt-out of this service. We have access to videos on cloud storage. An individual may also opt to share information with us for the purpose of us storing a copy of the video which we may access and examine for support purposes, including if the video export process encounters an error;
(e) Pixel Tags. Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has been opened; and
(f) Research. When we contact an individual for market research purposes and collect opinions and preferences.
4.2 As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of when their Personal Information is being collected.
4.3 Where we obtain unsolicited Personal Information (such as by accidental acquisition from a customer) we will either delete/destroy the information, or if we are legally permitted to retain such information, inform the individual that we hold such information.
5 HOW PERSONAL INFORMATION IS USED & DISCLOSED
5.1 In general, the primary principles for our use and disclosure of Personal Information, are that we:
(a) Will only use any Personal Information for the purpose for which it was collected, for secondary purposes related to the purpose for which it was collected, for other purposes with the individual’s permission, or as otherwise permitted or required by law. The purpose of collection is determined by the function or activity for which the information was collected and/or submitted.
(b) Only process Personal Information when we can identify a lawful basis to do so. It is always our responsibility to ensure that we can demonstrate which lawful basis applies to the particular processing purpose.
5.2 If it is necessary for us to disclose an individual’s Personal Information to third parties we will do so in a manner compliant with the Australian Privacy Principles and the GDPR.
5.3 We will not disclose or sell an individual’s Personal Information to unrelated third parties under any circumstances, unless the prior written consent of the individual is obtained.
5.4 How we use Personal Information: We may use Personal Information for the following purposes:
(a) The provision of goods and services between an individual and us;
(b) Verifying an individual’s identity, where reasonably necessary;
(c) Where an individual opts in, storing copies of their videos on the services for our examination where a support request is made, including where a video export error occurs;
(d) Communicating with an individual about:
i Their relationship with us;
ii Our goods and services;
iii Our own marketing and promotions to customers and prospects;
iv Competitions, surveys and questionnaires;
v Market research opportunities;
(e) Internal business purposes, such as accounting, administration and reporting;
(f) Improving our services and creating new services;
(g) Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or
(h) As required or permitted by any law (including the Privacy Act and GDPR).
5.5 How we disclose Personal Information: There are some circumstances in which we disclose an individual’s Personal Information, including as follows:
(a) Members of the public where you choose to share a link to a video on our services with them, or where they otherwise access a hosted video you have made public;
(b) Third party service providers for the purpose of enabling them to provide their services to us, including (without limitation) our stock asset providers (such as Storyblocks), cloud data storage providers, web-hosting and server providers, marketing or advertising tools, professional advisors (such as our accountants and lawyers), optional integrated services (such as YouTube and Giphy) and our payment systems operators;
(c) Our employees, contractors and/or related entities;
(d) Our existing or potential agents or business partners;
(e) Sponsors or promoters of any promotions or competition we run;
(f) Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a regulator or governmental authority should be made aware of;
(g) Third parties to collect and process analytical data, such as Facebook and Google Analytics or other relevant businesses;
(h) As required or permitted by law (including the GDPR and Privacy Act); and/or
(i) In order to sell our business (in that we may need to transfer Personal Information to a new owner or for due diligence purposes).
5.6 We may utilise third-party service providers to host our services, communicate with an individual, assist us process payments, to assist us with marketing and to store contact details about an individual. These service providers may be located outside of Australia or the European Economic Area. A list of our current third-party service providers is available here.
5.7 An individual who uses our online services will be sending information (including Personal Information) to the United States where our servers are located. That information may then be transferred within the United States or back out of the United States to other countries outside of the individual’s country of residence, depending on the type of information and how it is stored by us. These countries may not necessarily have data protection laws as comprehensive or protective as those in the individual’s country of residence, however our disclosures of Personal Information overseas will always be performed in accordance with the applicable requirements of the GDPR and Privacy Act.
6 Legal Bases For Processing
6.1 Legitimate interests: We will process Personal Information for our legitimate interest to allow individuals to access and use our website, to send marketing content we think may be of interest to customers and prospects, to contact customers about market research; to contact an individual if they leave their contact details with us or if they otherwise initiate contact with us, for our internal business processes, to improve the services and to create new services. Where we rely on legitimate interests the individual has a right to object to our processing of the Personal Information on this basis.
6.2 Performing a contract: We will rely on performing a contract to process Personal Information where we are preparing to enter into a contract with an individual or are carrying out our obligations under a contract with an individual. This includes, where we are setting up an account for an individual and where an individual is using our services.
6.3 Legal obligation: We will rely on a legal obligation to process Personal Information where we are subject to a legal obligation, including if we are reporting illegal activity or we have taxation obligations.
6.4 Consent: If we need to rely on consent, we will ask for affirmative consent to process the specific Personal Information for a specific purpose before we process the Personal Information for that purpose. For example, we will ask you to choose whether you would like to make your hosted videos public or private and we may ask you if you will consent to participate in market research.
7 Privacy & Children
7.1 In the European Union and Australia, if an individual is under 16 years of age, then they must not use or access the service or provide their Personal Information at any time or in any manner without their parent or legal guardian’s verifiable consent.
7.2 In the United States. If an individual is under 13 years of age, we require one of the following:
(a) The child is using the service as part of a school’s account strictly for educational purposes and the school has the child’s parent or legal guardian’s consent to the collection of the child’s Personal Information on behalf of the parent or legal guardian; or
7.3 Parents and legal guardians who have given consent on behalf of a child may request by contacting us via email to review the Personal Information we hold about the child and ask us to stop collecting, using or sharing the child’s Personal Information.
7.4 If we learn that Personal Information has been collected on the service from persons under the minimum age for that jurisdiction, without verifiable parental or legal guardian consent, then we will take the appropriate steps to delete or destroy such information.
8 Our commitment
8.1 Personal Information will:
(a) Be processed lawfully, fairly and in a transparent manner by us;
(b) Only be collected for the specific purposes we have and Personal Information will not be further processed in a manner that is incompatible with the purposes we have identified
(c) Be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
(d) Be kept up to date, where it is possible and within our control to do so;
(e) Be kept in a form which permits us to identify an individual, but only for so long as necessary for the purposes for which the Personal Information was collected; and
(f) Be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.
9 THE SAFETY & SECURITY OF PERSONAL INFORMATION
9.1 Where we no longer require Personal Information for the purpose it was originally collected and we have no other lawful basis for us to continue to hold that Personal Information we will delete or de-identify that Personal Information.
9.3 We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.
9.4 We use SSL encryption to store and transfer Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our reasonable control.
9.5 We are not responsible for the privacy or security practices of any third party the individual engages with separately from the services we provide. The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.
9.6 If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.
9.7 Where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information, then:
(a) We will immediately establish the likelihood and severity of the resulting risk to wider rights and freedoms of natural persons;
(b) If we determine we are legally required to notify the security breach, then we will (as applicable) notify:
i The relevant supervisory authority/ies and provide all relevant information on the particular breach; and
ii The affected individuals and provide all relevant information on the particular breach without undue delay.
9.8 We will document the facts relating to any security breach, its effects and the remedial action taken, and investigate the cause of the breach and how to prevent similar situations in the future.
10 Personal Information Rights
10.2 Unsubscribe: To object to processing for direct marketing/unsubscribe from our email database or opt-out of communications (including marketing communications), the individual can contact us using the details below or opt-out using the opt-out facilities provided in the communication.
10.3 Correction & rectification: If an individual believes that any Personal Information we hold about them is inaccurate, out of date, incomplete, irrelevant or misleading, they can contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, incomplete, misleading or out of date.
10.4 Objecting to processing: Individuals may have the right to object to processing of Personal Information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides the individual’s interests, rights and freedoms, in order to proceed with the processing of the Personal Information.
10.5 Restricting processing: The individual may have the right to request that we restrict the processing of their Personal Information if, they are concerned about the accuracy of the Personal Information; they believe their Personal Information has been unlawfully processed; they need us to maintain the Personal Information solely for the purpose of a legal claim; or we are in the process of considering their objection in relation to processing on the basis of legitimate interests.
10.6 Access, erasure and data portability: An individual may have the right to request details of the Personal Information we hold about them, or to request that we erase the Personal Information we hold about them, or that we transfer this information to a third party.
11 COMPLAINTS AND DISPUTES
11.1 If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the contact details below. We will promptly investigate the complaint and respond, in writing, setting out the outcome of our investigation and the steps we will take in response to the complaint. The individual also has the right to contact the relevant authority in the country in which they are based.
11.2 If we have a dispute regarding an individual’s Personal Information, we both should first attempt to resolve the issue directly between us.
12 Contacting INDIVIDUALS
12.1 From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies. Where such information is materially important to the individual’s interaction with us, they may not opt out of receiving these communications on the basis of a direct marketing opt out.
13 CONTACTING US
13.1 All correspondence with regards to privacy should be addressed to:
Data Protection Officer
Clipchamp Pty Ltd ABN 89 162 516 556
Level 1, 315 Brunswick St
Fortitude Valley QLD 4006
An individual may choose to contact the Data Protection Offer via email in the first instance.
14 ADDITIONS TO THIS POLICY
Last update: 30 July 2020