[2] LAWS AND STANDARDS WE COMPLY WITH

We comply with:

1. the Australian Privacy Principles established by the Privacy Act 1988 (Cth); and
   
2. to the extent that the European Union's General Data Protection Regulation 2016/679 ('GDPR') applies to us and our use of your information, the GDPR.

[3] TYPES OF PERSONAL INFORMATION THAT WE COLLECT 

The personal information we collect, including through our contact form and newsletter subscription function, as well as our donation function, may include the following:

• Name;
• Mailing or street address;
• Email address;
• Social media information;
• Telephone number and other contact details;
• Age;
• Date of birth;
• Credit card or other payment information, including if you make a donation to us;
• Information about your business or personal circumstances;
• Information in connection with client surveys, questionnaires and promotions, including any comments you submit and your marketing preferences;
• Your device identity and type, operating system, internet service provider, I.P. address, geo-location information, page view statistics, advertising data and standard web log information; 
• Information about third parties; and
• Any other information provided by you to us via this website, a third party link or service, or otherwise through our online presence, or otherwise required by us or provided by you.

[4] HOW WE COLLECT PERSONAL INFORMATION

We endeavour to ensure that information we collect is complete, accurate, accessible and not subject to unauthorised access.

We may collect personal information either directly from you, or from third parties, including where you: 

• Contact us through our website;
• Communicate with us via email, telephone, SMS, social applications (such as LinkedIn, Facebook or Twitter) or otherwise;
• Use our automated referral system or manual referral service;
• Interact with our website, social applications, services, content and advertising; 
• Communicate with a third party service which provides information to us, such as our payment processor through which you may make a donation; and
• Invest in our business or enquire as to a potential purchase in our business.

When you use our Services, we collect information from you in a number of ways.  For instance, we ask you to provide your name and email address to register and manage your Account. We also maintain your marketing preferences and the emails and other communications that you send us or otherwise contribute, such as customer support inquiries or posts comments. You might also provide us with information in other ways, including by responding to surveys, submitting a form or participating in contests or similar promotions.

Sometimes we require you to provide us with information for contractual or legal reasons. For example, we may ask you to select your jurisdiction when you sign up to donate (“Donate”) to determine  information required and the consequences of failing to provide it. If you do not provide personal information when requested, you may not be able to use our Services if that information is necessary to provide you with the service or if we are legally required to collect it.

We may also collect personal information from you when you use or access our website or our social media pages. This may be done through use of web analytics tools, 'cookies' or other similar tracking technologies that allow us to track and analyse your website usage.

Please see our Cookie Statement for more information.

[5] USE OF YOUR PERSONAL INFORMATION

We collect and use personal information for the following purposes:

• To provide services or information to you, including customising services for you;
• For record keeping and administrative purposes;
• To provide information about you to our contractors, employees, consultants, agents or other third parties for the purpose of providing services to you;
• To improve and optimise our service offering and customer experience;
• To comply with our legal obligations, resolve disputes or enforce our agreements with third parties;
• To send you marketing and promotional messages and other information that may be of interest to you and for the purpose of direct marketing (in accordance with the Spam Act 2003 (Cth)). In this regard, we may use email, SMS, social media or mail to send you direct marketing communications. You can opt out of receiving marketing materials from us by using the opt-out facility provided (e.g. an unsubscribe link);
• To send you administrative messages, reminders, notices, updates, security alerts, and other information requested by you; and
• To consider an application of employment from you.

This clause applies to personal information, other than in the European Economic Area. We may disclose your personal information to cloud-providers, contractors and other third parties located inside or outside of Australia. If we do so, we will take reasonable steps to ensure that any overseas recipient deals with such personal information in a manner consistent with how we deal with it.

Where you are a resident of the European Union and the GDPR applies, please see below (clause 10).

We've endeavoured to ensure that our use and collection of your data is clear and as transparent as possible, but in the interests of keeping this policy concise it's not possible to list every circumstance in which we will use your data.

We may use third party service providers for disaster recovery services. To the extent necessary to receive those disaster recovery services, we will provide your data to that third party service provider.

We may also use third party service providers to audit the infrastructure and applications we use to store your data. To the extent necessary to receive those audit services, we will provide your data to that third party service provider.

[6] SHARING YOUR PERSONAL INFORMATION

 We may share your personal information in the following ways:

• Affiliates - We never share personal information with our affiliates unless when it is reasonably necessary or desirable, such as to help provide services to you or analyze and improve the services we or they provide;
• Business partners - We may share personal information with our business partners. For example, we may share your personal information when our Services are integrated with their services, but only when you have been informed or would otherwise expect such sharing;
• Service providers - We share personal information with our Service Provider (“Squarespace Services”) who in turn perform services on our behalf. For example, we may use third parties to help us provide customer support, marketing and other communications on our behalf or assist with data storage;
• Process payment - We transmit your personal information via an encrypted connection to our third party payment provider;
• Following the law or protecting rights and interests - We disclose your personal information if we determine that such disclosure is reasonably necessary to comply with the law, protect our or others’ rights, property or interests (such as enforcing our Terms of Service) or prevent fraud or abuse of Squarespace or our Users or End Users. In particular, we may disclose your personal information in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements.

[7] SECURITY

While no service is completely secure, our service provider, Squarespace, has a security team dedicated to keeping personal information safe. We LSO maintain administrative, technical and physical safeguards that are intended to appropriately protect against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse and any other unlawful form of processing, of the personal information in our possession.

We take reasonable steps to ensure your personal information is secure and protected from misuse or unauthorised access. Our information technology systems are password protected, and we use a range of administrative and technical measures to protect these systems. However, we cannot guarantee the security of your personal information.

[8] HOW WE RETAIN YOUR PERSONAL INFORMATION

We retain personal information regarding you or your use of the Services for as long as your Account is active or for as long as needed to provide you or our Users with the Services. Our service provider, Squarespace, also retains personal information for as long as necessary to achieve the purposes described in this Privacy Policy, for example, to comply with our legal obligations, to protect us in the event of disputes and to enforce our agreements and to protect our and others’ interests.

The precise periods for which we keep your personal information vary depending on the nature of the information and why we need it. Factors we consider in determining these periods include the minimum required retention period prescribed by law or recommended as best practice, the period during which a claim can be made with respect to an agreement or other matter, whether the personal information has been aggregated or pseudonymized, and other relevant criteria. For example, the period we keep your email address is connected to how long your Account is active, while the period for which we keep a support message is based on how long has passed since the last submission in the thread.

Please note that in the course of providing the Services, we collect and maintain aggregated, anonymized or de-personalized information which we may retain indefinitely.

[9] LINKS

Our website may contain links to other websites. Those links are provided for convenience and may not remain current or be maintained. We are not responsible for the privacy practices of those linked websites and we suggest you review the privacy policies of those websites before using them.

[10] REQUESTING ACCESS OR CORRECTING YOUR PERSONAL INFORMATION

If you wish to request access to the personal information we hold about you, please contact us using the contact details set out below including your name and contact details. We may need to verify your identity before providing you with your personal information. In some cases, we may be unable to provide you with access to all your personal information and where this occurs, we will explain why. We will deal with all requests for access to personal information within a reasonable timeframe.

Where you are a resident of the European Union and the GDPR applies to your personal information, you have the right to ask for 'subject access request' or 'SAR' being a copy of your personal data held by us. Where we do hold such data about you we will provide you with a copy of the data we hold about you. This will be in a commonly used machine-readable file where you request us to e-mail the information to you. We will also give you a description of the data, tell you why we are holding it and tell you who we could have disclosed it to.

If you think that any personal information we hold about you is inaccurate, please contact us using the contact details set out below and we will take reasonable steps to ensure that it is corrected. We will also stop processing data on your request and you may also request that we delete the data held about you.

If you would like a copy of the information which we hold about you or believe that any information we hold on you is inaccurate, out of date, incomplete, irrelevant or misleading, please email us using the contact details set out in the 'Contact Us' section below.

We reserve the right to refuse to provide you with information that we hold about you, in certain circumstances set out in the Privacy Act 1988 (Cth).

[11] CHANGE OF CONTROL

If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer to the extent permissible at law our user databases, together with any personal information and non-personal information contained in those databases. This information may be disclosed to a potential purchaser under an agreement to maintain confidentiality. We would seek to only disclose information in good faith and where required by any of the above circumstances.

[12] TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA (‘EEA’)

Your personal information may be transferred to countries that do not have the same data protection laws as the country in which you initially provided the information.

If you are an EU resident and the GDPR applies, we will wherever possible, ensure your data remains in the EEA.

Information that we collect in the EEA may from time to time be stored, processed in or transferred between parties located in countries outside of the EEA which may not have as stringent data protection laws as found in the EEA.

Some of our third party service providers may be also located outside the EEA. If we transfer your data outside the EEA in this way (where you are a resident of the European Union and the GDPR applies to your personal information) we will ensure that the third party provider we use is compliant with the GDPR and that your privacy continues to be protected as outlined in this privacy policy.

If Article 27 of the GDPR applies to us, we will appoint a representative within the European Union in accordance with the GDPR. Please contact us and we will let you know the representative's contact details.

[13] PRIVACY SHIELD

Our website host, Squarespace has certified its compliance to the Privacy Shield.

Squarespace is committed to treating personal information received from the European Economic Area, Switzerland and the United Kingdom pursuant to the Privacy Shield Frameworks in accordance with the applicable Principles. You can find Squarespace’s certification here and you can learn more about their Frameworks and Principles by visiting https://www.privacyshield.gov/.

Squarespace’s accountability is for all personal information we receive under the Privacy Shield and subsequently transfer to a third party which is described in the Privacy Shield Principles. In particular, Squarespace may use third parties to process data on our behalf as described in this Privacy Policy, and Squarespace remains liable if they do so in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.

If you have a question or complaint you believe to be within the scope of Squarespace’s Privacy Shield certification, please contact them at privacy@squarespace.com.

For any complaints that either privacy@squarespace.com, or the MFRC can’t resolve directly, then JAMS is the independent organization responsible for reviewing and resolving complaints about our Privacy Shield compliance. You can contact JAMS free of charge at https://www.jamsadr.com/eu-us-privacy-shield. JAMS is an alternative dispute resolution provider based in the U.S.

If your concern still isn't addressed by JAMS, you may be entitled to a binding arbitration under the Privacy Shield Principles. For purposes of enforcing compliance with the Privacy Shield, Squarespace, Inc. is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission.

[14] COMPLAINTS

If you wish to complain about how we handle your personal information or information held by us, please contact us using the details set out below including your name and contact details. We will investigate your complaint promptly and respond to you within a reasonable time.

For data which is subject to the GDPR, you have the right to lodge a complaint with the local regulator in your jurisdiction in Europe if you do not feel we have adequately upheld your rights under GDPR.

[15] CONTACT US

For further information about our privacy policy or practices, or to access or correct your personal information, or make a complaint, please contact us using the details set out below:

Email: contact@martuwarrafitzroyriver.org

By providing personal information to us, you consent to our storage, maintenance, use and disclosing of personal information in accordance with this privacy policy.

We may change this privacy policy from time to time by posting an updated copy on our website and we encourage you to check our website regularly to ensure that you are aware of our most current privacy policy. The most recent date of this privacy policy is the Effective Date at the start of this privacy policy.

The Martuwarra Fitzroy River Council website ‘Privacy Policy’ has been prepared by SprintLaw Australia.