1. Introduction

VeriSaaS Pty Ltd (VeriSaaS, We, Us, Our), is a privately held held entity which provides the Verinote software, information security and cloud infrastructure services for government and regulated industries (“VeriSaaS Services”). VeriSaaS provides Services and solutions internationally.

VeriSaaS is committed to protecting the privacy of all users of VeriSaaS Services, Website and WebApp. As such, this Privacy Policy has been written in line with the Australian Privacy Act (Cth) 1988 (Privacy Act). Where VeriSaaS provides Services and solutions internationally, We must also comply with privacy-related laws in other countries.

This Privacy Policy has been written in order to allow you to understand Our policy regarding your privacy, as well as how your personal information will be handled when using the Services, Website and WebApp. This Privacy Policy will also provide you with information so that you are able to consent to the processing of your personal data in an explicit and informed manner, where appropriate.

In general, any information and data which you provide to VeriSaaS, or which is otherwise gathered by VeriSaaS, in the context of the use of Verinote Services will be processed by VeriSaaS in a lawful, fair and transparent manner. To this end, and as further described below, VeriSaaS takes into consideration internationally recognised principles governing the processing of personal data, such as purpose limitation, storage limitation, data minimisation, data quality and confidentiality.

2. Privacy, Personal Information, Personal Data and Employee Records 

This Privacy Policy and Collection Statement (Policy) concerns information or an opinion about an identified individual or an individual that is reasonably identifiable (You). For the purpose of this Policy ‘privacy’, ‘personal information’ and ‘personal data’ (PI) have the same meaning. The PI either identifies, or it has the potential to identify an individual.

VeriSaaS processes identifying PI and also special categories of PI (Sensitive PI).

We make no distinction between employee records and other sources of PI. Neither do we discriminate between different formats of PI (electronic records, paper records, voice files etc.), nor whether the information or opinions are true or not. All PI that We process and hold (where We have possession or control of a record), or use and disclose (where the information is outside of Our possession or control) is treated with the same respect, security and high standards.

3. Other definitions

“Cookie” means piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests.

“Customer” means a corporate entity in the private of public sector, such as a law enforcement agency, or business enterprise, which has entered into an agreement with VeriSaaS, for VeriSaaS to provide the VeriSaaS Services to the Customer.

“Personnel” means any person who is employed by or contracted to the Customer, or a subcontractor appointed by the Customer in accordance with the Agreement, and who is involved in accessing, using or facilitating the VeriSaaS Services and/or will be have access to Customer Data, Customer Systems, Customer facilities and any Confidential Information of the Customer.

“Diagnostic Data” means data collected or obtained by VeriSaaS from software that is locally installed by a VeriSaaS Customer (and its Personnel) in connection with the VeriSaaS Services. Diagnostic Data may also be referred to as ‘telemetry’.

“Profiling” means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an actual person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour (including possible criminal behaviour), location or movements

“Services” means the web and mobile application, Verinote, which is facilitated online via the verinote.app website and/or subdomains of same or via the Verinote mobile applications available for download on the Apple App Store and/or Google Play Store, and information security and cloud infrastructure services.

“Services Data” means all data developed, produced or created as a result of providing the VeriSaaS Services whether or not developed, produced or created by VeriSaaS, a VeriSaaS Customer, it’s Personnel or other third party.

“Usage Data” is data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

4. Purpose

The purpose of this Policy is to inform You about the personal information that We ‘process’ (hold, collect, record, organise, structure, store, adapt, alter, retrieve, consult, use, disclose, transmit, disseminate or make available, align, combine, restrict, erase and destroy) about You, how We handle it, and inform You about Your choices.

5. Scope and Applicability

The scope of this Policy extends to all personal information that We process in the course of providing the Services, in complying with law and managing risk.

In providing the service, this Policy extends to Our business activities which include our Customer relationships, internal operations (management, employees, temporary staff, contractors) and external operations (third parties such as business partners and service providers).

The scope of this Policy extends to our external Customer-facing activities such as Our online presence at Https://www.verisaas.com and to the personal information that is collected through Our Website and WebApp and the use of email for general communications and marketing purposes.

This Policy does not extend to third party websites or to social media accessed via links on Our Website, WebApp or email communications.  Use of third party links and social media will be governed by the privacy policies and terms of use of the relevant service providers.

This Policy does not extend to VeriSaaS Customer environments, or to VeriSaaS Customer privacy practices. 

If You are Personnel of a VeriSaaS Customer, You will be asked to agree to the VeriSaaS End User Licence Agreement (EULA), this Privacy Policy and any other relevant VeriSaaS legal notices only at the time when You log in as in individual to use the VeriSaaS Services. You will be asked to consent in Your own right because Our Customer cannot give consent for the processing of Your personal information on your behalf.

6. About this Privacy Policy

This Policy is written in simple language so that it is easy to understand. If something is not clear, We invite You to contact Us so that We can provide assistance. Our contact details are provided in clause 16 below. They will also be provided every time that We make contact with You as an individual user of the VeriSaaS Services.

This Policy outlines the current personal information handling practices of VeriSaaS. We will update this Policy when Our information handling practices change and We will publish updates on Our Website, WebApps, and through Our email distribution lists.

While We publish Our Privacy Policy on Our Website so that it is easily accessible, We also make copies available on request in paper format. In most circumstances We do not charge a fee for providing a copy of the Policy. If however, a request is made for a copy in some other format (foreign language requirements or those linked to disabilities such as sight or hearing impairment), special arrangements may need to be made and a charge may apply.

7. Consent

In all cases where consent is required, whether it be express consent (verbal, in writing, click-wrap tick box) or implied consent (browse-wrap without a tick-box and other behaviour which indicates consent through continued use), it must be voluntary, current, specific and based upon adequate information about the circumstances and choices available to You as an individual. Naturally, You must have the capacity to understand, to give (for example be 16 years or older) and to communicate consent.  Individuals who are not sure about giving consent are encouraged to contact Us. See clause 16 for contact details.

In some circumstances, such as if are Personnel of a VeriSaaS customer who is accessing, using or facilitating the VeriSaaS Services on behalf of the VeriSaaS Customer, then Your Choices may be determined or limited by the VeriSaaS Customer. Only when You, as an individual, engage directly with VeriSaaS to use the VeriSaaS Services do We become responsible for obtaining your consent and for processing your personal information is accordance with law and Your choices.

8. Privacy Principles Governing the Handling of Personal Information

VeriSaaS is committed to making every reasonable effort to manage personal information in an open and transparent way. 

8.1 Open and Transparent Management of Personal Information

To support this commitment, We have implemented practices, procedures and systems to align Our handling of personal information with principles that have been derived from Australian privacy law, relevant international law, international standards and best practice.

These practices, procedures and systems are intended to regulate Our internal and external business operations through the use of administrative, technical and physical controls. This policy and the legal notices published on Our Website are examples of Our administrative controls. Technical and physical controls are generally not made publicly available for security reasons (security through obscurity).

This Policy, together with Our Website and WebApp Terms of Use and Email Disclaimer, set out how We provide for open and transparent management of personal information, to give You the ability to make informed choices about VeriSaaS Services and to communications with Us.

8.2 Anonymity and Pseudonymity

As an individual, You can choose to remain anonymous (You cannot be identified and We do not collect Your personal information), or You can choose to use a pseudonym (You can use a name, term or description that is different from Your own) when dealing with Us.

Circumstances where We give individuals the option to remain anonymous or to use a pseudonym include, for example, where individuals prefer not to be identified, to be left alone, to avoid direct marketing, to keep their whereabouts and choices from others, and to express views in the public arena without being identified.

Examples of circumstances where We Will need to know the identity of the person that We are dealing with relate to the provision of the Verinote Services, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction and where cost becomes excessive or impractical without knowing the identity of an individual We are dealing with.

8.3 Collection of Solicited Personal information

We are committed to collecting personal information by lawful and fair means and wherever possible only collecting it directly from the individual concerned.

We collect personal information from individuals where the information is reasonably necessary for one or more of the VeriSaaS functions, activities and legal obligations relating to the Services that We provide.

In providing VeriSaaS Services to individuals We may collect “Sensitive PI. This Sensitive PI is provided by the individual themselves, or, by an organisation, partner or other stakeholder. Where We collect Sensitive PI, We always ask for prior consent in “writing”, where writing includes electronic forms of writing such as email.

Broadly, we collect and process PI and Sensitive PI such as name, age, email address, sex, and language details, for example English as an additional language or dialect. We do not use Your PI for Profiling.

Information collected and processed can vary depending upon the country where the Services are offered.

For internal human resourcing, We also collect sensitive personal information, such as religious beliefs, trade union memberships and health information when it is required for employment reasons, or by law. We may solicit or request personal information from a third party such as an employment agency or referees in the context of employment.

In most instances, even for non-sensitive PI where We collect personal information, We only do so after a direct request to, and with the consent of the individual to whom the information relates.

In exceptional circumstance and for human resourcing, or when authorised or required by law, We may collect personal information from some source other than the individual themselves.

Where We provide VeriSaaS Services to a Customer, We do not solicit personal information about an individual employed by, or contracted to the Customer, nor do we solicit the personal information of any individual third-party authorised by the Customer to use the VeriSaaS Services. Rather, We require Our Customers to enter into legal agreements with Us that impose obligations on them to secure the confidentiality and privacy of Personnel that use the VeriSaaS Services.

8.4 Dealing with Unsolicited Personal information

Personal information is sometimes provided to Us in circumstances where We have not requested it. In these circumstances, where the information is unsolicited, We will examine whether it could have been collected in circumstances under clause 8.3 above. We will then apply Our minds and decide whether this unsolicited information should be retained, de-identified or destroyed. Having made that decision, We will implement the decision within a reasonable time.

We do not actively seek to collect unsolicited information.

8.5 Notification of the Collection of Personal Information

This Policy, other legal notices published on Our website and Our internal practices, procedures and systems (administrative controls) are Our way to ensure that individuals know about the personal information that VeriSaaS collects.

We are committed to making all reasonable efforts to inform individuals about the personal information We collect before We collect it, for example by making this Policy and Our other legal notices publicly available. We will also inform individuals about collection at the time We collect personal information, for example through website activity (Our Website Terms and Conditions of Use) and other forms of communication such as email.

In exceptional circumstances where this does not happen, for example, when We receive unsolicited personal information from a third party which We decide to retain, We will inform individuals as soon as reasonably possible after the collection of personal information.

Through this Policy and other legal notices published on Our Website and email, We seek to ensure that individuals are informed about the reasons for the collection, and that they know how to contact the accountable office bearers at VeriSaaS. See clause 16 below for details.

8.6 Use or Disclosure of Personal Information

Where We hold personal information about an individual that was collected for a particular purpose (the primary purpose) We will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented, or the individual would reasonably expect Us to use or disclose it for a related purpose. 

In some circumstances, for example, where We believe that the Verinote Services may be improved through new technologies such as data science (analytics), or where We see a benefit to individuals, We may use personal information that has been provided to Us by the individual themselves or received from third parties for a purpose that is different form the purpose for which it was given to Us in the first place. Where We do this, We will use and/or disclose the personal information in a de-identified format.

Broadly speaking, We use (process, handle and manage) personal information internally for 2 reasons:

1. To provide VeriSaaS Services:
   • Examples include: Name, address (physical, postal, email and Internet Protocol address), telephone numbers Cookies; and Diagnostic Data, Services Data and Usage Data.
2. For internal human resourcing:
   • Examples include: Name, address (physical, postal, email and Internet Protocol), health information, medical service provider details, next-of-kin, spouse or partner, banking details, tax, photo identity, trade union membership, religious beliefs, gender, cultural and ethnic identity, qualifications, training and the like.

We do not collect biometric forms of personal information such as fingerprints.

We also use and retain personal information records which are required to be retained for legal, business and evidential reasons. Sometimes these come from external sources and third parties.

Broadly speaking We disclose personal information (release it outside of Our possession or control) for the same primary reasons listed above, providing the service, for human resourcing and where there is a legal obligation to do so. 

8.7 Direct Marketing

When We provide a Service, We ask for consent to communicate directly with the individuals concerned in order to provide information and to promote Our service.

Whenever We do, We allow individuals to opt-out of receiving direct communications and direct marketing notifications. You will always be provided with an easy means of withdrawing your consent to VeriSaaS processing your PI. When You request Us to stop communicating with You, We will comply with that request.

If an individual requests information about how We came to have their personal information, We will respond, and provide the source of an individual’s personal information wherever possible. We will respond to these requests within a reasonable time (thirty (30) business days).

We do not disclose, sell or share personal information to third parties for direct marketing purposes.

8.8 Cross-border Disclosure of Personal Information

VeriSaaS operates from offices in Queensland, Australia.  These operations include all aspects of internal business operations, practices, processes and procedures that support the VeriSaaS Service as well as the provision of ‘live’ Services (where personal information travels over telecommunications lines). Static personal information is stored in data warehouses and on information systems located in Australia when a VeriSaaS Customer requests this. Static personal information may flow to other jurisdictions (see below).

VeriSaaS Customers are currently located in Australia. Over time we will extend the Services to other jurisdictions with the result that personal information will flow (be exported and imported) between Australia and other countries.

VeriSaaS relies on various independent third-party service providers such as telecommunications providers, and internet service providers which are based in Australia.

However, because information systems enable Our Services, personal information may be located or disclosed in transit and in a static format in countries outside Australia.  Wherever reasonably possible, we meet international best practice standards and employ recognised mechanisms such as contractual clauses and other agreements to manage the processing of personal information by Our service provider.

We employ ‘Cloud’ technology Services, and these too meet international best practice standards and employ recognised mechanisms such as contractual clauses. However, individuals are cautioned to consider how their personal information moves and is stored on global information systems and to make appropriate choices.

Our operations include all aspects of internal and external business that support Our Services such as (where personal information travels over telecommunications lines) and the storage of static personal information in data warehouses and on information systems.

8.9 Adoption, Use or Disclosure of Government Identifiers

We do not adopt, use or disclose government identifiers of an individual as Our own identifiers.

We do use and disclose government identifiers such as Australian Tax File Numbers, for example, for human resource purposes and where required or authorised by law.

8.10 Quality of Personal Information

We are committed to taking such steps as are reasonable in the circumstances to ensure that the personal information We collect, hold, use and disclose (process) is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

To do this, We ask individuals to assist Us. We provide various technical means, including email notifications and user registration access where individuals can access, verify and update personal information records that We hold. We ask individuals to participate by ensuring their information is accurate, up-to-date, complete and relevant. See clause 9.4 and 9.5 below.

8.11 Security of Personal Information

We are committed to taking reasonable steps to protect personal information that We hold from misuse, (wrong or improper use) interference (access even where the content is not necessarily modified) and loss (accidental, inadvertent, misplaced personal information).

We are also committed to securing personal information from unauthorised access (by someone that is not permitted access the information), modification (alteration by someone that is not permitted to do so, or who acts beyond the scope of their authority to modify personal information) and unauthorised disclosure (where personal information is released from Our effective control without authority).

To comply with law and manage risk, Our practices, procedures and systems aim to protect the confidentiality, integrity and availability of Our information systems and information, especially the personal information that We collect, hold, use and disclose.

Where there is no legal obligation to retain records and evidence, and in circumstances where We no longer need personal information to provide VeriSaaS Services or for any purpose for which the information may be used or disclosed under Australian law, We take reasonable steps to destroy the information or to ensure that the information is de-identified.

Our information security and privacy practices include circumstances where Our data handling practices are outsourced to third parties. Because of this We endeavour wherever possible to bind third party service providers through appropriate legal agreements. We also endeavour to monitor their privacy and security practices where possible.

9. Breach

9.1 Eligible Data Breach

Under the Notifiable Data Breach Scheme, VeriSaaS must notify the Australian Privacy Commissioner and affected individuals of an Eligible Data Breach in relation to PI, credit reporting information, credit eligibility information or tax file number information if, and when:

1. There is unauthorised access or unauthorised disclosure of the information and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; or
2. The information is lost, and the loss will lead to unauthorised access or unauthorised disclosure and consequently to serious harm to individuals.

9.2 Actual Eligible Data Breach

If, and when, VeriSaaS becomes aware of a breach of its network or information systems resulting in the circumstances outlined in 9.1a and 9.1b above, VeriSaaS will:

1. Take remedial action; 
2. Where remedial action fails to adequately limit the risk, notify the individuals concerned, and notify the Office of the Australian Information Commissioner (Commissioner): and
3. Work with the individuals concerned and the Commissioner to protect everyone and everything concerned.

9.3 Suspected Eligible Data Breach

If, and when, VeriSaaS suspects a breach of its network or information systems resulting in the circumstances outlined in 9.1a and 9.1 b above, VeriSaaS will:

1. Undertake an assessment of the situation with a view to establishing the facts; and do so within a reasonable time (thirty (30) business days); and
2. When a suspected breach is found to be an actual breach, VeriSaaS will follow the steps in 9.2 above.

If You suspects or becomes aware of a breach or an impending breach, please contact our privacy officer (contact details in clause 16 below) as a matter of urgency.

9.4 Access to Personal Information

Where We hold, or have the right and power to deal with personal information (for example, where it is stored by one of Our third party service providers), We will, on request by an individual, normally give that individual access to their information.

We do this so that individuals know what information We hold on them and because it assists Us to ensure that the personal information that We hold is up-to-date, complete and relevant.

In considering a request for access to personal information by an individual, We will require identification. We reserve the right not necessarily to give access to an individual to their personal information in circumstances, for example, where provided for in law, in instances of commercial sensitivity and where a third party may be negatively affected.

We will respond to an individual’s request for access to their information within a reasonable time (thirty (30) business days), and We will consider reasonable requests for access to be given in a particular format, for example, by email, telephone and postal Services. As a matter of courtesy, We will provide reasons for the refusal if access is refused.

No charge will apply when an access to information request is received. We do however reserve Our rights to charge a fee where We incur costs, for example, for photocopying, postage and costs associated with using an intermediary if one is required.

9.5 Correction of Personal Information

Where We hold personal information, We will take reasonable steps to correct it to ensure that, having regard to the purpose for which We hold it, it is accurate, up-to-date, complete, relevant and not misleading.

You, as an individual may request that We correct personal information that We hold about You in circumstances where You believe that the information is inaccurate, out of date, incomplete, irrelevant or misleading.

In considering a request for the correction of personal information that We hold, We will require identification of the requesting individual. We reserve the right not necessarily to effect the changes sought, but undertake to consider reasonable requests and to associate a statement to the record reflecting Our refusal to correct the failed request for correction if We consider refusal the appropriate action.

We will respond to a request to change information within a reasonable time (sixty (60) business days) although changes sought may take longer, for example, because We may need to contact and notify other organisations and individuals about the request.

No charge applies for making a request, correcting personal information or associating a statement for refusal to change a record.

As a matter of courtesy, We will provide reasons for the refusal if correction is refused, and also a reminder of the complaint process available to individuals that feel aggrieved by the refusal.

10. Complaints, Enquiries and Access to Information Requests

In most circumstances, the Australian Information Commissioner will not investigate a complaint if an individual has not first raised the matter with Us. For this reason, We ask individuals to agree to submit all complaints relating to this Policy to Us first, so that We have an opportunity to resolve complaints before they proceed to any relevant authority. Individuals are asked to direct all complaints and enquiries to Us at Legal@verisaas.com and to see clauses 11 and 12 below for further details.

11. How to make a Complaint, Enquiries and Access to Information Requests

Individuals wanting to lodge a complaint can make general enquiries, request access to their information and complain to Us in writing. This includes email communications, but excludes text and social media.

We will respond to complaints within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed, for example, because We may need to contact and notify other organisations and individuals affected by the complaint. In this case We will endeavour to respond within sixty (60) business days.

12. Complaints and Enquiries

You agree to submit all complaints relating to this Policy to Us first, so that We have an opportunity to resolve Your complaint before You proceed to any relevant authority. Please direct all complaints and enquiries to Us at Legal@verisaas.com.

13. Skill, Diligence, Care

VeriSaaS will exercise reasonable skill, diligence and care as may reasonably be expected from a similar service provider.

14. Governing Law

The principles outlined in this Privacy Policy and Collection Statement are governed by Australian law, and international best practice.

15. General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU (citizens and residents, even when not physically located in the EU). It also addresses the export of such PI outside the EU.

VeriSaaS does not actively provide or seek to provide Services to individuals afforded data privacy protection under GDPR.  Nevertheless, we acknowledge that it is possible that the PI of such individuals may be processed as a result of unexpected circumstances, for example, if received through a third-party relationship. If this happens, we will make special arrangement to accommodate you in the exercise of your specific rights. Please ensure that you make us aware of your status if, and when, you become aware that your PI may be processed by us.

VeriSaaS will use all reasonable efforts to monitor and classify foreign PI and handle it accordingly.

VeriSaaS also requires its Customers to enter into legal agreements that impose obligations on them in relation to compliance with GDPR.

16. Company Information