Purpose, scope and users
Protecht is a supplier of enterprise risk management services including software as a service products. We recognize that to operate our business successfully, we must maintain high standards about how we collect, hold, use and disclose personal information. We value the trust of our customers and users and take our privacy obligations seriously.
This policy was last updated on 15 June 2023 with minor revisions including where personal information is located and addition of sub-processors.
- Protecht, Protecht Group, we, us or our means Protecht Group Holdings Pty Ltd (ACN 158 875 515) of Level 8, 299 Elizabeth Street, Sydney, New South Wales, Australia, and any of its related bodies corporate.
- Customer or company means, in relation to you, the person or entity that has contracted with Protecht Group to allow you to use Protecht's services. The customer or company will generally be your employer, or an identified subgroup (i.e., division, department, etc.) within your employer.
- User or customer user means the person who, as part of their job responsibilities and with a company's authorization, accesses one or more of our provided services.
- Personal information means any information about an identified or identifiable individual that can be used (directly or indirectly) to identify you. For example, your name, email address, phone number, online identifier, IP address, location information or photograph. This includes personal information that you provide to us about you or other users (where you are permitted to do so), or personal information collected electronically, about how you use our services or our websites, via cookies, or through your use of our services or websites. Information that has been anonymized, and from which no individual can be identified either directly or in combination with other data, is not personal information.
- Platform data means any content or data that you or third parties submit to Protecht using the services.
- Services means all products (including related mobile applications), services and websites offered by Protecht.
- Visitor means any person who visits our websites.
- CCPA refers to the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.
- You or your means either user or visitor, as applicable.
What information we collect
We collect information, including personal information relating to you and your use of our services, from a variety of sources. Some of this information is collected directly from you and some is collected from your interaction with our services, your company, or from third parties. How and what information we collect about you will depend on the way that you use our services, for example, whether you are a user of our services, or a visitor to our websites.
Information we generally collect
- Contact information: When you provide us with your contact information, whether through use of our services, creation of an account, or via interaction with our sales or customer support team, we collect your contact information. This may include personal information, such as your name and email address.
- Content you provide through our products: We collect and store content that you post. This content includes any information about you and the company that you may choose to include. Examples of content that we may collect and store include the risk descriptions of your company in risk registers and action plans used to manage those risks. Content also includes the files and links you upload when accessing our services.
- Device and browser data: We collect data from the device you use to access our services, such as your IP address, operating system, browser details and time of visit. This information may also tell us your location.
- Log data: We keep log files that record data each time a device accesses our servers. The log files contain data about the nature of each access, including the originating IP address. We may combine this automatically collected log information with other information we collect about you. We do this to maintain an audit trail of activity, to improve our services, to improve our marketing activities, for system analytics, or to monitor or improve functionality.
- Referral data: If as a visitor, you navigate to our websites from an external source (such as a link on another website or via an email), we record information about the source that referred you to us.
- Other data you submit: We may collect your personal information if you submit it to us in other contexts, for example by giving us a testimonial, attending an event we host or by entering a contest. We may also collect personal information at other points throughout our provision of services or at certain points within our website (where you will be notified that personal information is being collected). If you contact us via our support channels, we will also collect any information that you provide to us voluntarily, such as your operating system version, and other information required to enable us to respond to your request.
- Interacting with us on social media: We may collect personal information about you when you interact with us using social media, for example, if you post material to our Facebook page or "tweet" us on Twitter.
- Third parties: We may collect your personal information from third parties if you give permission to those third parties to share your personal information with us, or where you have made that information publicly available online.
- Mobile devices: If you connect to the services using a service provider that uniquely identifies your mobile device, we may receive this identification information, in order to provide the services to you.
The site and services are intended for users who are 18 years old or older. We do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently received personal information from a child under the age of 13, we will delete such information from our records.
Data controller and data processor
Data protection law in certain jurisdictions differentiates between the ‘controller’ and ‘processor’ of personal information. For our customers’ users, your company will be the controller of your personal information and Protecht will be the processor. For visitors, Protecht will generally be the controller of your personal information.
How we hold the information we collect
Security of personal information
However, please note that transmitting information over the Internet is never completely secure. Although we do our best to protect your personal information, we cannot guarantee that personal information submitted to, maintained by, or transmitted by our systems is secure in all situations.
Security is a collaborative effort and information transmitted over the internet is susceptible to possible loss, interception, and misuse, so we also recommend that you create a sophisticated password for logging in to our services, change that password regularly and ensure you keep it confidential.
If you suspect there has been any unauthorized access to or misuse of your personal information, immediately contact our Data Protection Officer at firstname.lastname@example.org.
Where is personal information located?
For Protecht ERM and Protecht ALM services, your site will be hosted in the AWS region selected upon signup. To confirm this region, please contact your Protecht customer success manager.
For other personal information, please see Protecht’s sub-processor list.
How we use the information we collect
We may, from time to time, use the personal information we collect from you or that you provide to us to:
- Contact you directly regarding our services
- Provide you with proper access to and use of our services
- Help you use our services
- Contact you to provide customer service support
- Research the effectiveness of our websites, marketing, advertising and sales efforts
- Keep you informed and up to date with our services
- Sell or market our services to you
Our use of your personal information is limited to these purposes. Unless permitted by law, no personal information about a user is collected without an appropriate entity first obtaining the consent of the data subject to the collection, use, dissemination, or processing of that information.
United Kingdom, European Union and North American Users
When you use our services as a user, we process your personal information either:
- With your consent
- To fulfil our contractual responsibility to deliver the services to the customer
- To pursue Protecht's legitimate interests of improving our services or developing new products and features
When you use our services as a visitor, we process your personal information either:
- With your consent
- To pursue Protecht's legitimate interests of improving our services or developing new products and features
Customers and customers’ users
When you use our Services as a customer or customer's user, we may use your personal information to:
- Create your account: We need to collect and use your personal information to allow you to create an account and log in to that account.
- Provide you with our services: This includes providing you with access to and use of our platform and customer support, which may require us to access your personal information so that we can assist you, for example, in the event of a technical issue.
- Manage our services: We use your personal information in order to provide you with our services and to improve our services. This may include:
- Monitoring, maintaining and improving our services and features
- Personalizing or customizing your experience when you use our services (including presenting the Protecht suite of services in the best format for you or the device you use to access the Protecht service)
- Creating new services or features
- Preventing potentially illegal, undesirable or abusive activities
- Investigating complaints made by you
- Communicating with you via telephone or SMS message from time to time, as part of secondary fraud protection
- To respond to requests for information required by law, such as subpoenas, warrants or other mandatory information requests
- Contact you about our services or your account: From time to time, we may need to contact you via email, mail, or telephone to tell you about changes to our services, terms or policies.
- Market our services: We may also send you news and information about our products or services that you either request from us or we believe may interest you. In most cases, we will contact you via email. As part of our marketing efforts, we may combine information about you from third party sources with information we hold about you to create a user profile, which will help us to make our sales and marketing efforts more relevant to you and to personalize and improve your experience.
- Respond to legal requests and prevent harm: If we receive a legal request or are informed of a situation that may cause harm, or potential harm to someone, we may need to use your personal information in order to respond appropriately to that request or threat.
When you use our Services as a Visitor, we may use your personal information to:
- Contact you for marketing purposes: We may send you news and information about our products or services that you either request from us, or we believe may interest you (unless prevented by law). In most cases, we will contact you via email.
- Manage our services: We may use your personal information to provide our services and improve those services. Some of these uses include:
- Personalizing or customizing your experience when you use our services (including presenting our websites in the best format for you or the device you use to access our websites)
- Creating new services or features
- Monitoring, maintaining and improving our services and features
- Enforcing our contracts and policies when we are made aware of potential breaches of the security of personal information
- Preventing potentially illegal, undesirable, or abusive activities
- Responding to requests for information required by law, such as subpoenas, warrants or other mandatory information requests.
- Profiling for marketing purposes: As part of our marketing efforts, we may combine information about you from third party sources with information we hold about you to create a user profile, which will help us to make our sales and marketing efforts more relevant to you and to personalize and improve your experience.
Anonymity and pseudonyms
In most cases, it will be very difficult for us to provide you with our services if you do not provide us with your real name and contact details (primarily the email address you use when creating your account). Situations where we might have difficulty interacting with you anonymously, or via a pseudonym, are when you use our services as a customer.
Who do we share personal information with?
In most cases, the personal information that we disclose to our staff or service providers will be directly necessary for us to provide our services to you. However, there may be other occasions where we need to disclose your personal information to our staff, service providers, professional advisors or other third parties, including to:
- Provide the services: In providing the services, we may need to disclose your personal information to people who work for us or to one of our service providers. Our agreements with third party service providers always include obligations to protect the security and confidentiality of your personal information. These disclosures may be related to activities such as filling orders, processing payments and mail-outs, storing and managing documents, research, providing professional advice, facilitating creation of accounts, sending you service emails, providing technical support, or providing other services to you.
- Prevent illegality or enforce our terms and policies: If you engage in or threaten any unlawful activity, we may reasonably believe that it is necessary to disclose your personal information to the police, a relevant authority or enforcement body, or your internet service provider, employer, supervisor, or network administrator.
- Protect our rights or the rights of our staff: There may be situations where disclosing your personal information is necessary to protect the property, health or safety of Protecht or its staff, our customers or others. For example, exchanging information with other organizations to protect against fraud.
- Keep other entities associated with us informed: In some cases, we may need to disclose your personal information to our agents, business affiliates, joint venture entities, partners, investors, or any applicable subsidiaries or holding companies. For example, the need to disclose your personal information to these entities may arise from a legal obligation we owe that entity or to assist our or their legitimate business interests.
- Run events, competitions, and promotions: We may need to disclose your personal information to sponsors and promoters when you register or attend an event that we conduct or promote.
- Comply with legal requests: In some situations, we may be compelled to disclose your personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose your personal information to third parties such as law enforcement officials or to comply with court orders, such as subpoenas or other legal processes.
When we disclose your personal information to third parties such as our service providers, we have robust confidentiality and data processing agreements in place with them to ensure they maintain the confidentiality of your personal information and have adequate privacy and security measures in place to protect your personal information.
We may share your personal information globally within the Protecht Group to carry out the activities specified in this policy. We may also subcontract processing to, or share your personal information with, third parties located in countries other than your country. Your personal information, therefore, may be subject to privacy laws that are different from those in your country.
Personal information collected within the European Union may, for example, be transferred to and processed by third parties located in a country outside of the European Union. In such instances, we will ensure that the transfer of your personal information is carried out in accordance with applicable privacy laws and, in particular, that appropriate contractual, technical, and organizational measures are in place, such as the standard contractual clauses approved by the EU Commission.
What are your rights in relation to your personal information?
You have certain rights relating to your personal information, subject to local data protection laws. These rights may include:
- Accessing your personal information held by us (right to access)
- Rectifying inaccurate personal information and, taking into account the purpose of processing the personal information, ensuring it is complete (right to rectification)
- Erasing/deleting your personal information, to the extent permitted by applicable data protection laws (right to erasure; right to be forgotten)
- Restricting our processing of your personal information to the extent permitted by law (right to restriction of processing)
- Receiving your personal information in a commonly used format and transferring your personal information to another controller, to the extent possible (right to data portability)
- Objecting to any processing of your personal information carried out on the basis of our legitimate interests (right to object). Where we process your personal information for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection
- Opting out of the “sale” of your personal information, as such term is defined under the CCPA
- Not being subject to a decision based solely on automated processing, including profiling, which produces legal effects
- Not being subject to discrimination based on your exercise of any of your rights; not being denied goods or services, not being charged a different price, or not being provided with a lesser quality of goods or services if you exercise any of your rights
- To the extent we base the collection, processing and sharing of your personal information on your consent, you may withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal
You have control over your personal information and how it is collected, used and shared. You can, at any time, exercise your rights by:
- Updating your account details: You may edit your registration and other account information on your account settings page or your profile page. This information will be updated immediately. To update any other information, please contact our Privacy Officer at email@example.com
- Requesting access, correction or deletion of your personal information: Upon request, we will provide you with information about whether we process, or provide to a third party to process on our behalf, any of your personal information. If you want to review, correct (if necessary) or delete the personal information that we have collected and hold about you, please contact our Privacy Officer at firstname.lastname@example.org. If you are a California resident, you can also request this information by calling us toll free at +1 (833) 3285471. You must provide us with your first name, last name, email address, and phone number. To verify your identity, we will match that information to the information we have on our systems. To the extent, if any, that we collect and process your personal information in our capacity as a data processor, we will pass on your request to the applicable data controller, who is responsible for processing such requests.
- Requesting an export of your personal information: If you request an export of the personal information that we hold about you, we will provide you with this information in a standard CSV file format. This data format may not be applicable or compatible with all systems. To request a data export, please contact our Privacy Officer at email@example.com.
- Limiting or stopping use or disclosure of your personal information: If you want to limit or stop our use of or disclosure of your personal information to third parties, please contact our Privacy Officer at firstname.lastname@example.org. However, please note that by limiting or stopping the use of your personal information by us, or its disclosure to third parties, you may also limit our ability to provide you with our services.
- Withdrawing your consent: Where we have relied on your consent to use your personal information, you have the right to withdraw that consent at any time by contacting our Privacy Officer at email@example.com.
- Unsubscribing to communications: If you subscribe to our newsletter(s) or other communications, you may choose to stop receiving those communications by using the unsubscribe instructions included in our emails, or by contacting our Privacy Officer at firstname.lastname@example.org.
- Lodging complaints: You also have the right to complain to a data protection authority about our processing of your personal information. For more information, please refer to "How do you make a complaint?" below.
- Other queries or requests: If you have any queries about our handling of your personal information or want to make a request that is not listed above, please contact our Privacy Officer at email@example.com.
To protect your privacy and security, we may take steps to verify your identity before complying with your request. Where the Services are administered for you by an administrator (see "Notice to End Users" below), you may need to contact your administrator to assist with your requests first.
How long do we retain personal information?
We retain your personal information for as long as we provide our Services to the customer (or until the customer requests we delete your personal information), or as long as is required to comply with our legal obligations, resolve disputes or enforce our legal rights. We may keep your personal information in our encrypted and archived backups for up to 90 days from the point of collection.
We will retain your personal information for as long as is necessary to provide our Services to you, or to comply with our legal obligations, resolve disputes, and enforce our legal rights.
How to make a complaint
Contacting our Privacy Officer
We will treat your complaint seriously, and will investigate any alleged breach, including how it occurred, and how best to prevent future breaches (if relevant). You can contact our Privacy Officer at firstname.lastname@example.org.
We will respond to your complaint as soon as possible.
United Kingdom and European Union complaints
Protecht takes the protection of personal data seriously and has appointed a Data Protection representative (DataRep) for the purposes of GDPR* in the EU/EEA and the Data Protection Act 2018 (as amended) in the UK. If Protecht has processed or is processing your personal data, you may be entitled to exercise your rights under GDPR in respect of that personal data. This is the preferred contact method. To contact DataRep please use either method below:
- sending an email to DataRep at email@example.com quoting <Protecht Group> in the subject line
- or contacting DataRep via online webform at www.datarep.com/data-request
Our Privacy Officer is our Data Protection Officer (DPO) for the purposes of European Union and UK data protection laws and will primarily deal with any communications with EU or UK data protection authorities.
If you live in Australia and have any complaints regarding our handling of your personal information, our response to your request or our compliance with the Privacy Act 1988 (Cth), please contact our Privacy Officer at firstname.lastname@example.org. However, if you are dissatisfied with our response, you may raise a complaint with the Office of the Australian Information Commissioner by contacting them at: https://www.oaic.gov.au/about-us/contact-us.
United States complaints
If you live in the United States, are a California resident, and have any complaints regarding our handling of your personal information, our response to your request, or our compliance with the CCPA, please contact our Privacy Officer at email@example.com.
Notice to end users
Our Services are intended for use by organizations. Where the Services are made available to you through an organization (e.g. your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control.
If this is the case, please direct your privacy questions to your administrator in the first instance, as your use of the Services is subject to that organization’s internal policies. We are not responsible for the privacy or security practices of an administrator's organization, which may differ from this policy.
Sensitive personal information
If you do not want your company to send us sensitive personal information about you, you must make such request directly to your company.
Cookies and tracking technologies
We and our marketing partners, affiliates, or analytics or service providers use technologies such as cookies, beacons, tags, and scripts to analyze trends, administer the website, track users' movements around the website, and gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual and aggregated basis.
We use local storage, such as HTML5, to store content information and preferences. Third parties with whom we partner to provide certain features on our websites or to display advertising based upon your web browsing activity also use HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5.
We partner with a third party to manage our advertising on other sites. Our third-party partner may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you advertising based upon your browsing activities and interests. If you prefer not to have this information used for the purpose of serving you interest-based ads, you may opt-out at any time. If you are located outside of the European Union, click here for more information. If you are located in the European Union, click here for more information. Please note this does not opt you out of all advertising. You will continue to receive generic ads.
Social media widgets
Links to other websites
We display customer or user testimonials and other endorsements on our websites. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial or any other endorsement, please contact us at firstname.lastname@example.org.
Blogs and forums
Our websites offer publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To remove your personal information from our blog or community forum, please contact us at email@example.com. In some cases, we may not be able to remove your personal information, and in such cases, we notify you and explain why we are unable to fulfill your request.
Protecht ERM mobile application
You can stop all collection of information by the Protecht ERM Mobile Application by uninstalling it. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
Protecht Group contact details
Protecht Group sub-processors
These are available in Protecht's online security profile. Access to the security profile can be requested through the service desk firstname.lastname@example.org or through the security team using email@example.com.