DISCO

Security and Privacy

Last updated 23 May 2018 to include a section for European Privacy Law - GDPR

At S-Wave Pty. Ltd. (“DISCO”) we think privacy is important. We are committed to ensuring the privacy and protection of our customers’ personal information, and that of our customers’ business clients.

This Policy reflects both Australian privacy law and DISCO's policies in relation to the use and protection of personal information (which is information that could reasonably be used to identify you). Information relating to your rights under Australian privacy law can be found on the Australian Privacy Commissioner's website at www.privacy.gov.au. This policy now includes a section on how we deal with privacy, and your rights, under the European General Data Protection Regulation (GDPR).

This Policy will be available for free access on our website at all times. Let us know if you would like a hard-copy of this Policy sent to you.

1. How is Information collected and what is collected?

DISCO collects personal information from you when completing transactions, when you register to use any of DISCO’s services or through your use of DISCO’s services.

DISCO only holds your personal information for so long as is reasonably necessary and relevant to providing DISCO’s services. This personal information may include:

  • General information about you - name, title, address, contact details, image and answer to a security question, your business name and business type and your business logo;
  • contact details - such as phone number, address, email address, and social media handle; contact lists which are lists of contacts stored in customer accounts. These are the collected addresses of recipients so that you can share assets on the platform, or so that users can add contacts manually.
  • Payment details - such as credit/debit card number and expiry date and transaction details relating to your use of DISCO’s services;
  • Our interactions with you - the DISCO services you use, feedback, complaints, compliments, claims you have made, responses to market research, records of any correspondence and interactions and any interactions with us via social media;
  • Your interaction with DISCO’s services – the files you upload using DISCO’s services and comments, metadata and other information that you add to those files, playlists you create and tags/comments you may add to them, who you share your files and playlists with, IP addresses, reports you create, access logs, messages you may send when sharing files and playlists using DISCO’s services, details relating to whether you work as part of a team and information set out above in relation to your team members;
  • Website and mobile apps - if you use our website or mobile applications, your geo-location, IP address, mobile telephone number or ID, and details of how you use the website or app, access logs and any third party sites that you have accessed; and
  • If you are a shareholder, certain details about you for registration purposes.

If you provide us with information about other individuals, you must tell those individuals and let them know where they can find a copy of this Privacy Statement.

DISCO will take reasonable steps to ensure that the personal information we hold about you is accurate, up to date and complete.

From time to time, DISCO may receive information relating to you that we have not requested and which is not otherwise described above (“Unsolicited Information”). If DISCO does receive Unsolicited Information, we will check whether it is reasonably necessary for us to keep it. If it is, we will treat the Unsolicited Information in the same way as the other information described above. If DISCO determines that it is not reasonably necessary for us to keep it, we will, as soon as practicable, destroy or de-identify the relevant Unsolicited Information.

2. How do we hold your personal information?

DISCO may hold your personal information in electronic or hard copy form. We will take reasonable steps to destroy or de-identify your personal information once it is no longer needed, unless we are required by Australian law, or a court or tribunal order, to retain it.

3. How do we use and disclose your personal information?

The personal information collected by DISCO is used to enable us to provide DISCO’s services to you and to provide you with information about DISCO’s products and services from time to time. Without limiting the foregoing, we will use personal information as follows:

  • to facilitate your use of the DISCO service and App (including by way of uploading your business logo to the public facing pages of the DISCO App and setting up your accounts using your email details);
  • to provide you with information about the DISCO service and App (including updates on features, support, trial expiry notices, payment issues and requests);
  • to provide you with support services;
  • to run DISCO’s internal analytics (including tracking your use of the DISCO App), improve the DISCO websites and services, including by means of product development and market and behavioural research;
  • To ensure website content is relevant, including ensuring that content from our websites is presented in the most effective manner for you and for your device, which may include passing your data to business partners, suppliers and/or service providers;
  • we may also combine the information that we collect and hold about you for the purposes of creating insights about you and customer segmentation; and
  • For legal and administrative purposes.
  • DISCO may collect, use, disclose and share your personal information so that DISCO and other third parties can generate consumer insights about you and for DISCO to offer you its services. DISCO and other third parties may also disclose your personal information to parties who assist DISCO to promote its products and services.

DISCO may need to disclose some personal information about you in certain circumstances to third parties. For example, to service providers we engage to enable us to provide DISCO’s services. We will require these organisations to agree to comply with this Policy and with strict conditions governing how personal information is to be handled.

DISCO will not sell, rent or trade personal information about you to or with third parties without your express permission or as set out in this Policy.

DISCO will only disclose personal information in accordance with this Policy, if required to by law or as permitted under the Privacy Act or the GDPR (see GDPR Section). For example, if we are legally required to do so (such as pursuant to a court or tribunal order or under taxation laws), if there is a serious threat to an individual’s health or safety, there is reasonable suspicion of unlawful activity, for the conducting of surveillance and intelligence gathering by an enforcement body, or to assist in locating a missing person.

4. Access to and Changing your Information

You have the right to seek access to information that DISCO holds about you. You also have the right to ask us to correct information about you, which is inaccurate, incomplete or out of date. You may access the information that DISCO may have collected about you by placing your request in writing and sending it to us using the contact details below. Please include your phone number and enclose a copy of a form of identification such as a current driver's license or passport with your request.

DISCO’s policy is to consider any requests for access or correction within 28 days of receipt. If we are unable to correct your information, we will provide to you within a reasonable period a written notice setting out the reason, and the complaint mechanisms available to you.

If you are in the EEA you may have further rights which are set out in our GDPR Section.

DISCO’s Privacy Officer
2/45 Victoria Avenue, Albert Park, Victoria, 3206
privacy@disco.ac

5. Making a complaint

If you are not satisfied with how we have handled your personal information, please contact DISCO’s Privacy Officer via the details listed above.

You can also lodge a complaint with the Australian Information Commissioner. For more details on how to do this, please visit www.oaic.gov.au.

6. Marketing

DISCO may wish to send you marketing communications about offers that we believe may be of interest to you. We may send these to you via email, telephone, SMS or other electronic means. We may also send you marketing communications in the post.

We will ensure that all electronic marketing communications contain a clearly marked ‘opt-out’ or ‘unsubscribe’ for you to click on.

7. Information Security

DISCO will ensure that it takes reasonable commercial steps to keep secure any information that we hold about you. DISCO has security measures, proprietary data protection algorithms, in place to protect against the loss, misuse and alteration of the information under our control.

From time to time, we may also need to transfer your information overseas. For example, we may store your personal information in a cloud, or other type of networking electronic storage which is based in a jurisdiction outside Australia. If we do this, DISCO will ensure reasonable steps are taken so that the overseas recipient does not breach the Privacy Act 1988 (Cth), or the Australian Privacy Principles in relation to that information, or adheres to laws substantially similar to Australian privacy laws. DISCO will also take reasonable steps to prevent unauthorised access and reduce the risk of disclosure to unknown entities.

8. Online Privacy Considerations

Other matters specific to DISCO’s collection and use of personal information online are set out below.

i. Cookies. For each visitor to our website, our server automatically collects information about your session, such as your login details, to keep you signed in and to deliver you personalised content. Most web browsers are set by default to accept cookies. However, if you do not wish to receive any cookies you may set your browser to either prompt or refuse cookies. Note that if you disable cookies, you may not be able to fully enjoy DISCO’s services.

ii. Social Media. DISCO’s services may contain links to online forums such as Facebook and Twitter. Think carefully before you post or publish any personal information in these forums as it may be publicly available.

iii. Secure Online Transactions. If you engage in a financial transaction through use of DISCO’s services, we will process your credit card details securely over the Internet using an accredited internet payment security system. With the combination of SSL encryption on our payment provider’s website and a secure browser at your end, we take all reasonable measures to ensure that your credit card and personal information are protected when you purchase online. We also recommend that you take appropriate security precautions when accessing the Internet via public Wi-Fi networks or shared computers.

iv. Links to other websites. Sometimes DISCO’s services will contain links to third party websites or services. We recommend that you review the privacy policies of each third party website or service you visit because DISCO is not responsible for the privacy practices of that site.

GDPR Section

European grounds for processing personal data

This section applies if you are based in the European Economic Area (EEA) during your interactions with us and sets out the additional information that we are required to provide to you under the GDPR.

Under European data protection law, use of personal information must be based on one of a number of legal grounds and we are required to set out the grounds in respect of each use. We can only process personal data when the processing is permitted by the specific legal ground set out in the law.

In the table below, we have set out the relevant grounds that apply to each purpose of data processing that is mentioned in this Privacy Statement. You can find an explanation of each of the legal grounds for use of personal information below.

| Purposes of the data processing | Use bases |
| --- | --- |
| To provide DISCO’s services to you and to provide you with information about DISCO’s products and services from time to time. | contract performance, legitimate interests (to allow us to perform our obligations and provide services to you) |
| To facilitate your use of the DISCO service and App | contract performance, legitimate interests (to allow us to perform our obligations and provide services to you) |
| To provide you with information about the DISCO service and App | contract performance, legitimate interests (to allow us to perform our obligations and provide services to you) |
| To run DISCO’s internal analytics, improve the DISCO websites and services, including by means of product development and market and behavioural research | contract performance, legitimate interests (to allow us to maintain and improve the quality of our services and products) |
| To provide support services | contract performance, legal obligation, legitimate interests (to allow us to correspond with you in connection with our services) |
| To ensure website content is relevant, including ensuring that content from our websites is presented in the most effective manner for you and for your device. | contract performance, legitimate interests (to allow us to provide and improve our services) |
| For marketing purposes for the purposes of running DISCO’s internal data analytics | consent (which can be withdrawn at any time) |
| We may also combine the information that we collect and hold about you for the purposes of creating insights about you and customer segmentation. | contract performance, legitimate interests (to allow us to perform our obligations and provide services to you) |
| For legal and administrative purposes | contract performance, legal obligation, legal claims, legitimate interest (to allow us to guard against fraud and other unlawful activity) |

Other rights available under European Law

If you are based in the EEA during your interactions with us, in addition to the rights outlined above, under certain conditions, you may have the right under the GDPR to ask us to:

  • provide you with further details on how we use and process your personal information;
  • delete personal information we no longer have grounds to process; and
  • restrict how we process your personal information whilst we consider an inquiry you have raised.

In addition, under certain conditions, you have the right to:

  • where processing is based on consent, withdraw the consent;
  • lodge a complaint with a supervisory authority;
  • object to any processing of personal information that we process on the “legitimate interests” or “public interests” grounds, unless our reasons for the underlying processing outweigh your interests, rights and freedoms; and
  • object to direct marketing (including any profiling for such purposes) at any time.

You can exercise these rights by contacting us.
These rights are subject to certain exemptions to safeguard the public interest and our interests. We will respond to most requests within 30 days.

Retention period under GDPR

Our retention periods for personal data are based on business needs and legal requirements. We retain personal data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. When personal data is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the data.

Disclosure of information outside the EEA

Where we transfer personal information from inside the EEA to outside the EEA, we may be required by law to take specific measures to safeguard the relevant personal information. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal information to these jurisdictions. In countries which have not had these approvals, we will use appropriate safeguards to protect any personal information being transferred, such as EU Commission-approved model contractual clauses or binding corporate rules permitted by applicable legal requirements.

GDPR - Legal grounds for use of personal information

Use of personal information under the GDPR must be justified under one of a number of legal bases or grounds and we set those out here. The principal legal grounds that justify our use of your personal information are as follows:

  • Consent: where you have consented to our use of your information (you will have been presented with a consent form in relation to any such use [and may withdraw your consent by contacting us at privacy@disco.ac]).
  • Contract performance: where we are required to collect and handle your personal information in order to provide you with the services that we have contractually agreed to provide to you.
  • Legal obligation: where we need to use your personal information to comply with our legal obligations.
  • Vital interests: where we need to process your personal information in order to protect the vital interests of you or another natural person, e.g. where you require urgent assistance.
  • Public interest: where we need to process your personal information in order to carry out a task that is in the public interest.
  • Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
  • Public interest in area of public health: where we need to process your personal information for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, set out in EU law or the laws of the member state in which you are based.