1. This Policy
We at InDebted Australia Pty Ltd ACN 613 132 951 our subsidiaries, our ultimate holding company and all of its subsidiaries (“InDebted Group”, “we“, “us” and “our“) respect your privacy and want you to understand how we collect, hold, use, and share personal information about you.
The Privacy Act 1988 (Cth) (‘Privacy Act‘), the Australian Privacy Principles, Privacy Regulation 2013 (‘Regulations‘) and registered privacy codes govern the way in which we must manage your personal information (‘Privacy Laws‘).
InDebted has an intergroup agreement and Privacy Framework that documents how we share personal information within our InDebted Group.
2.1 Collection of Personal Information
The Privacy Act defines personal information as any information or opinion about an individual that can be identified from that information.
As part of providing any of our Services we may collect, hold, process and share your personal information which can include: your name, date of birth, age, mailing/residential address, contact details, occupation, place of work, government identifiers such as a tax file number, driver’s license, Medicare, passport number, signature, photograph, video or audio recording.
We may also collect, hold, and share financial and credit related information that includes your personal finances, bank account, credit card details, transaction information, credit history, financial solvency and other financial related information such as your credit applications, credit agreements and financial difficulty and hardship applications.
We will not collect and use any of your sensitive personal information unless it is necessary for us to provide our Services to you and with your prior consent or where a permitted general situation exists. Sensitive personal information includes information relating to your health, sexual orientation, biometric data, criminal history, racial or ethnic origin as well as membership of any trade or professional associations.
2.2 How Information is Collected
(a) Most information will be collected from you personally, this can be taken by us:
- If you call or email us.
- When we provide our Services to you.
- When we manage our customer relationships and service provider relationships.
- If you provide us with feedback or make a complaint.
- If we provide you with our Services.
- If you apply for an account with us.
- When CCTV footage is recorded at our offices or premises.
- Your information that is in the public domain.
- Other information that may be collected include details provided on a resume sent to us relating to an employment opportunity.
(b) We may obtain your credit related personal information when negotiating with a credit provider on your behalf.
(c) We may also receive your personal information from third parties that we deal with on your behalf and from our service providers.
(d) We may also receive your personal information from another party by any other means. If we do, we will apply the Privacy Laws in deciding whether it is lawful to keep the information received.
Any information we receive that we are not lawfully required to hold will be deleted or destroyed.
2.3 How We Keep Your Personal Information
We will keep your personal information securely in either physical or electronic form. The security of your personal information is important to us. We will take appropriate technical and organisational precautions to secure your personal information and to prevent the loss, misuse, unauthorized access, disclosure or alteration of your personal information.
We will store all your personal information on secure servers, personal computers and mobile devices, and in secure manual record-keeping systems.
Much of the information we hold about you will be stored electronically. We store some of your information in secure data centres that are located in Australia. We also store information in data centres of our contracted service providers (including cloud storage providers), and some of these data centres may be located outside of Australia.
We use a range of physical, electronic and other security measures to protect the security, confidentiality and integrity of the personal information we hold both in Australia and overseas. For example:
- access to our information systems is controlled through identity and access management controls;
- employees and our contracted service providers are bound by internal information security policies and are required to keep the information secure;
- all employees are required to complete training about privacy and information security; and
- we regularly monitor and review our security measures and compliance with internal policies and industry best practice.
You acknowledge that the transmission of unencrypted (or inadequately encrypted) data over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet and you do so at your own risk.
Also, our website may have links to external websites and we take no responsibility for the privacy practices or the content of those other sites.
2.4 Use and Disclosure of Information
We will use or disclose personal information held about you as permitted by law and for the business purposes for which it is collected (e.g. provision of our Services, including administration of our Services, notifications about changes to our Services, record-keeping purposes, technical maintenance, obtaining or maintaining insurance coverage, managing risks or obtaining professional advice) – that is, to carry on our business activities and provide our Services to you. We may use your personal information to comply with legislative or regulatory requirements in any jurisdiction, for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure, to prevent fraud, crime or other activity that may cause harm in relation to our Services and help us run our business and maintain integrity.
We may also use your personal information to tell you about our Services we think may interest you or for a purpose related to the primary purpose of collection or where you would reasonably expect that we would use the information in such a way, subject to legal restrictions on using your personal information for marketing purposes.
2.5 Our Services to You
Collecting your personal information will assist us in providing our Services to you and this includes but is not limited to:
- processing applications for the provision of our Services including debt management services;
- managing our Services to you which also includes managing our customer and client relationships;
- responding to enquiries relating to your accounts and other Services provided to you;
- detecting and preventing fraud and other risks to you and other individuals;
- understanding your needs, developing and offering our Services to you as well as researching and developing new services;
- ensuring workplace health and safety of our employees;
- dealing with any complaints made by you;
- complying with our legal and regulatory compliance requirements; or
- enforcing our rights, making legal enquiries, or taking legal action.
2.6 Providing Your Personal Information to Others
We may disclose your personal information to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
We may disclose personal information to our suppliers or subcontractors insofar as reasonably necessary to provide the relevant Services to you.
In addition to the specific disclosures of personal information set out here, we may disclose your personal information where such disclosure is necessary for compliance with a legal or regulatory obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
We may also disclose your personal information when you have obtained your consent.
2.7 Overseas Recipients
Prior to disclosing your personal information to an overseas recipient, unless a permitted general situation applies, we will take all reasonable steps to ensure that:
- where it is an entity within the InDebted Group we will follow the terms of our intergroup agreement and Privacy Framework that documents how we share personal information within our InDebted Group;
- the overseas recipient does not breach the Privacy Laws; or
- the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way the Privacy Laws; or
- you have consented to us making the disclosure.
Acceptance of any of our Services via an application in writing, orally or electronic means will be deemed as giving consent to the disclosures detailed herein.
Currently we are handling, storing, and processing your data in the following locations where InDebted provides services Australia, New Zealand, United States of America, Canada, Singapore, Malaysia, Philippines and the United Kingdom. The locations where we handle, store and process your data may change as our business needs change and we appoint other service providers from time to time.
2.8 Direct Marketing
We will not use your personal information for direct marketing. We will not sell your personal information to other companies or organisations.
2.9 Wish to Stay Anonymous?
You can withhold your personal information when speaking with us if you are making a general enquiry. However, if you wish for us to provide you with our Services, we will need to identify you.
2.10 Retaining and Deleting Personal Information
We will retain your personal information for as long as legally required and when we no longer are legally required or have a legitimate purpose to retain it, we will either delete, destroy, desensitize or anonymize it.
We may retain your personal information where such retention is necessary for compliance with a legal or regulatory obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
2.11 Your Privacy Rights
We have summarised the rights that you have under the Privacy Laws. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
The summary of your principal rights under Privacy Laws are:
- to request, at any time, for us to inform you of the personal information we hold about you;
- the right to access your personal information and we will respond to you within 30 days of making a request;
- the right to rectification of your personal information;
- the right to erasure (where we have no legitimate right or business requirements to retain your personal information);
- the right to restrict or object to processing (where we have no legitimate right or business requirements to process your personal information);
- the right to complain to a supervisory authority; and
- the right to withdraw your consent (where we have no legitimate right or business requirements to retain or process your personal information).
We may refuse to give you access to personal information we hold about you if we reasonably believe that giving access would pose a serious threat to the life, health or safety of an individual, or to the public health or safety, where giving access would be unlawful, where giving access would have an unreasonable impact on the privacy of other individuals, if there are legal proceedings, or if we consider the request to be frivolous or vexatious.
If we refuse to give you access to or to correct your personal information, we will give you a notice explaining our reasons except where it would be unreasonable to do so.
2.12 Third Party Websites
Our website may include hyperlinks to, and details of, third party websites. We have no control over, and are not responsible for, the privacy policies and practices of third parties.
3. About Cookies & Pop-Ups
Cookies may be either “persistent” cookies or “session” cookies:
- a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date;
- a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from the cookies.
For more detailed information, please read our Cookies Policy.
We also use a pop-up notice which only stores your session information, device details and geo-location. The purpose of the pop-up is for users that choose to subscribe, there will be a content drip workflow that periodically provides the user with articles and information related to our services. The article/information page links will appear in the user’s browser while they are browsing at other sites.
4. Credit Reporting
Credit Reporting Bodies (CRB) are authorised by law to handle your credit related information. As permitted by law, we may collect, hold, use or disclose credit related information held about you for the purposes of:
- to assist you with our debt management services;
- to provide you with our Services;
- to deal with complaints and meet legal and regulatory requirements; and
- to assist other credit providers to do the same.
If you have been or have a reasonable belief that you are likely to be a victim of fraud, you can contact the CRB and request for a “ban-period“. The CRB will not be permitted to use your personal or credit related information during this time.
5. Notifiable Data Breaches
The Privacy Act includes a new Notifiable Data Breaches scheme (NDB) which requires us to notify you and the Office of the Australian Information Commissioner (OAIC) of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change).
The NDB scheme requires us to notify about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required. For example, where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.
If we believe there has been a data breach that impacts your personal information and creates a likely risk of serious harm, we will notify you and the OAIC as soon as possible and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy.
If you believe that any personal information, we hold about you has been impacted by a data breach, you can contact us using the contact details below.
6. Complaints Handling
6.1 Contact Us
You may exercise any of your rights in relation to your personal information by contacting us. If you have a question or complaint about how your personal information is being handled by the InDebted Group, our affiliates or contracted service providers, please contact us first on the following email: firstname.lastname@example.org
We will try to have your complaint resolved within 5 business days, but it may take longer depending on the complaint. If this is the case, we will aim to resolve your complaint within 30 days.
6.2 The Office of the Australian Information Commissioner
Under the Privacy Laws you may also complain to the Office of the Australian Information Commissioner (OAIC) about the way we handle your personal information. Please note the OAIC requires that any complaint be first made to the respondent organisation. The law also allows 30 days for the respondent organisation to deal with the complaint before a person may make a complaint to the OAIC.
The Commissioner can be contacted at:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001