1. About this Policy
- InDebted respects your privacy and wants you to understand how we collect, hold, use, and share your personal information about you.
- InDebted USA, Inc. (EIN number 27-0504127);
- InDebted Australia Pty Ltd (ACN 613 132 951);
- InDebted New Zealand Ltd (Company Number 7686518);
- InDebted Canada Ltd (Corporation Number 1180527-4);
- InDebted Platform Co UK Limited (Company Number 12253462); and
- any other company which is at any time a related entity or a wholly owned subsidiary of any of the above companies.
- The California Consumer Privacy Act (CCPA), sets out the framework for data protection law in California, and this act will be amended by the California Privacy Rights and Enforcement Act of 2020 (CPRA) and in effect from 1 January 2023. The CCPA and CPRA sets out the key principles, rights of individuals whose personal information is collected, used and handled and the obligations for organisations that collect, use and handle. The CPRA includes rights and obligations with respect to the personal information of employees as well. The CCPA and CPRA and any guidance issued by the California’s Attorney General and the California Privacy Protection Agency (once established) governs the way in which we must manage your personal information (Privacy Laws).
- Given the established privacy legislation in California by the CCPA and CPRA once in force, InDebted will handle your personal information in accordance with the obligations under the CCPA and CPRA regardless of whether your personal information is collected, used or handled in other States of the United States of America (USA) and outside of the State of California.
- The CPRA creates a new category of “sensitive personal information, such as race, ethnicity, religion, genetic information, sexual orientation, precise geolocation, and financial information, and give consumers the right to restrict businesses’ use of that information” (sensitive personal information).
- Our collection, use, disclosure and processing of your personal information is regulated by the Privacy Laws if:
- you interact with InDebted USA, Inc. (EIN number 27-0504127);
- we provide our Services to you whilst you are located in the USA; or
- we monitor your behavior whilst you are located in the USA.
2. Collection of personal information
- As part of providing any of our Services to you, InDebted Group will, from time to time, collect, hold, process and share your personal information provided to us directly by you or other organisations that you have client relationships with or given to us in other forms.
- We will not collect and use any of your sensitive personal information unless it is necessary for us to provide our Services to you and with your prior consent or where a permitted general situation exists.
- You may provide basic information such as your name, phone number, address and email address, social media profile name to enable us to communicate with you when we provide our Services to you, when you contact us and when we provide you with updates.
- We may collect additional information at other times, including but not limited to, when you provide feedback, make a complaint, when you provide information about your personal or business affairs, change your content or email preference, provide financial or credit card information, communicate with our customer support teams or interact with us through our website, Services applications or digital communication channels.
- Additionally, we may also collect any other information you provide while interacting with us and when we manage our customer, client and service provider relationships and whilst employed by us.
- We may also collect personal information about you from third parties or organisations including our related companies, publicly available sources of information (i.e. such as public registers), your approved representatives, other organisations, who jointly with us, provide products or services to you, third party websites, applications or platforms containing interactive InDebted content or that interface with our own websites and applications, social media platforms (if you publicly comment or send us a private message) and digital tracking tools such as cookies.
- When you visit our offices, CCTV footage may be recorded and other information that may be collected include details provided on a resume sent to us relating to an employment opportunity.
- We may also receive your personal information from third parties that we deal with on your behalf and from our clients and service providers.
- Any information we receive that we are not lawfully required to hold will be deleted or destroyed.
3. On what basis we use your personal information
- Under the Privacy Laws we are allowed to use your personal information in the following circumstances:
- to provide our Services to you and to fulfil a contract that we have with our clients and you;
- when you provide your consent to our clients or to us;
- to comply with our legal and regulatory obligations as well as effectively manage our business risks; and/or
- when it is in our legitimate interest.
- When we use your personal information for our legitimate interest it means that:
- processing your personal information is necessary and we cannot achieve the same outcome in any other way; and
- we have undertaken a balancing exercise and ensuring that our interests are not outweighed by your interests, rights and freedoms.
4. Use and disclosure of your personal information
- We will use or disclose your personal information held about you as permitted by law and for the business purposes for which it is collected. We may use your personal information on the following basis:
- where such processing is necessary for the performance of our contracts and compliance with our contractual arrangements with our clients including where we have contracts with our clients who place your accounts with us for collection;
- to provide and manage our Services to you;
- the proper management of our client and customer relationships;
- to verify your identity and to authenticate you when you contact us;
- when we communicate with you by sending you mail, email, telephone, SMS, mobile applications and social media platforms,
- for legitimate business purposes;
- using your personal information helps us to operate and improve our business, website, systems and minimize any disruption to the services that we may offer to you;
- where we are processing information based on your consent;
- to comply with our legal and regulatory obligations;
- for the establishment, exercise or defence of legal claims, proceedings or in an administrative or out-of-court procedure;
- for the purposes of obtaining or maintaining insurance coverage, managing risks and operations or obtaining professional advice;
- for the purpose of fraud, crime prevention, suppression, or detection and help us run our business and maintain integrity;
- ensuring workplace health and safety of our employees or enforcing our rights, making legal enquiries, or taking legal action; or
- record-keeping purposes.
- When you are a client of our Services, we may also use your personal information to tell you about our Services we think may be of interest to you.
- We do not knowingly collect or process the personal information of anyone under the age of 18 years old.
- We may create statistical and anonymized reports, analysis and predictive models, rules and insights using information about you and other customers. Aggregated reports may also be shared with other businesses for business development and to provide insights into collection performance, identify customer demographics or behavioral insights and the information in these reports is not personal and cannot be used to identify you.
- We will not process your personal information for direct marketing purposes, and we will not sell your personal information to other companies or organisations.
5. Automated decisions using your personal information
To provide an efficient and helpful customer experience we use automated decisioning in how we communicate with you. For e.g., if you communicate with us via email or SMS our system will automatically tailor communications with you based on your preferred digital method of communication, without any involvement of human intervention. We may also use automated decisions to detect and prevent fraud, detect and prevent money laundering and determining the most efficient and helpful way to provide our Services to you.
6. How we keep secure your personal information
- We will keep your personal information securely in either physical or electronic form. The security of your personal information is important to us. We will take appropriate technical and organisational precautions to secure your personal information and to prevent the loss, misuse, unauthorized access, disclosure or alteration of your personal information.
- We will store all your personal information on secure servers, personal computers and mobile devices, and in secure manual record-keeping systems.
- Much of the information we hold about you will be stored electronically. We store your information in secure data centers via our cloud data storage service provider Amazon Web Services.
- We use a range of physical, electronic and other security measures to protect the security, confidentiality and integrity of the personal information we hold and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. For example:
- access to our information systems is controlled through identity and access management controls;
- all of our employees are required to comply with our privacy framework and information security policies;
- all of our employees complete training about privacy and information security;
- we regularly monitor and review our security measures and compliance with internal policies and industry best practice; and
- our contracted service providers are contractually bound to comply with the Privacy Laws and have appropriate information security measures and are obligated to keep the information secure.
- You acknowledge that the transmission of unencrypted (or inadequately encrypted) data over the internet is inherently insecure, and we cannot guarantee the security of data sent to us by you over the internet and you do so at your own risk.
- Also, our website may have links to external websites, and we take no responsibility for the privacy practices or the content of those other sites.
7. InDebted Employees
- Access to your information is restricted to authorized employees who have a legitimate business purpose for using it.
- Unauthorized use and or disclosure of client and customer information by an employee of InDebted is strictly prohibited. All employees are required to maintain the confidentiality of client and customer information at all times and failing to do so will result in appropriate disciplinary measures, which may include dismissal.
8. Do you have to provide your personal information?
You can withhold your personal information when speaking with us if you are making a general enquiry. However, if you withhold your personal information, it may not be possible for us to provide you with our products and services or for you to fully access our website.
9. Providing your personal information to others
- We may disclose your personal information to any member of the InDebted Group of companies (this means our subsidiaries, our ultimate holding company and all of its subsidiaries) insofar as reasonably necessary for the purposes of providing our services and managing our business and on the legal bases allowed under the Privacy Laws.
- We may disclose your personal information to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
- We may disclose personal information to our suppliers or subcontractors insofar as reasonably necessary for providing our services and managing our business.
- In addition to the specific disclosures of personal information set out in this section 9, we may disclose your personal information where such disclosure is necessary for compliance with a legal or regulatory obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
- We may also disclose your personal information when we have obtained your consent.
10. Outside Service Suppliers
- We may use service providers to perform specialized services on our behalf. Our service providers may at times be responsible for processing or handling personal information. They are provided only the information necessary to perform the services.
- In addition, we require them to protect the information in a manner that is consistent with our privacy policies and security practices.
11. Your rights
- You have certain rights as to how your personal information is obtained and used and InDebted complies with your rights under the Privacy Laws as to how your personal information is collected, used and handled.
- Except as otherwise provided in the Privacy Laws, you generally have the following rights:
- if we rely on your consent to process your personal information, to withdraw your consent where we will stop processing the activities relevant to your consent;
- to be informed how we received your personal information and how it is being used;
- access your personal information (we will provide you with a free copy of it);
- to object to us using your personal information, where we are relying on our legitimate interest to do so and we can challenge your objection and communicate with you in accordance with our legal obligations;
- to correct your personal information if it is inaccurate or incomplete;
- to restrict processing of your personal information including opt-out of the sale or sharing of your personal information (i.e., we will not sell your personal information); and
- to not be subject to any retaliation for exercising your privacy rights.
- We may ask you to verify your identity and provide us with additional information before acting on any of your requests.
- We will respond to you as soon as possible but within 30 days from the date of your request.
12. Countries to Which We Transfer Your Information
- Your personal information may be transmitted through, stored or processed in countries other than your home country, in which case the information is bound by the laws of these countries.
- InDebted and its Group companies operate in:
- United States of America;
- New Zealand;
- Philippines; and
- United Kingdom.
- We made an “adequacy decision” with respect to the Privacy Laws of each of these countries. Transfers to each of these countries will be protected by appropriate safeguards, namely:
- with respect of any of our service providers:
- the recipient does not breach the Privacy Laws; or
- the recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the protection under the Privacy Laws; and
- any disclosure will be done pursuant to agreements setting out the requirements for use, safeguarding, retention and disposal of such information, or as required by law; or
- you have consented to us making the disclosure.
13. Access to your personal information
- You may request details of personal information that we hold about you in accordance with the provisions of the Privacy Laws. If you would like a copy of the information which we hold about you or believe that any information we hold on you is inaccurate, out of date, incomplete, irrelevant or misleading, please email us at firstname.lastname@example.org.
- We reserve the right to refuse to provide you with information that we hold about you, in certain circumstances set out in the Privacy Laws or any other applicable law.
14. Retention of your personal information
- We will keep your personal information for as long as required by InDebted in compliance with its Privacy Laws and its legal and regulatory obligations. We also generally retain your personal information for at least seven (7) years after we have stopped interacting with you to comply with our legal obligations and so that we can respond to any questions or complaints regarding our interactions with you.
- We may also need to keep your personal information for a longer period, where required for legal or regulatory reasons.
- We will keep your data safe and secure for as long as we hold it.
15. Complaints about privacy
- If you have any complaints about our privacy practices, please feel free to send in details of your complaints to email@example.com. We take complaints very seriously and will respond shortly after receiving written notice of your complaint. We will let you know if we need any additional information from you.
- If you are displeased with the way we are or have handled your personal information, you can contact the Office of the Attorney General in California for Californian data privacy matters or your local consumer regulator in the other States of the USA.