TAHUA - PRIVACY POLICY

INTRODUCTION

This privacy policy (Privacy Policy) was created to inform customers you of how we will collect, use, disclose and protect your Personal Information. By accessing and using our Website and/or the Services, you are agreeing to the terms of this Privacy Policy. This Privacy Policy does not limit or exclude any of your rights under any Data Protection Laws.

PART A: PRIVACY POLICY

Definitions

Capitalised terms defined in Tahua’s Terms of Use (Terms) have the same meaning in this Privacy Policy. In addition, the following capitalised terms have the following meanings:

Data Protection Laws means the data protection and privacy laws applicable to the processing on Personal Data that we are committed to comply with, including:
- the Privacy Act 2020 (New Zealand);
- the Privacy Act 1988 (Cth, Australia); and
- where we are dealing with persons based in the European Union (EU), the European Union General Data Protection Regulation (GDPR).
Grant Application Form means the digital form created by a Grant Organisation that a Grant Applicant uses in order to apply for a grant.

Changes to this Privacy Policy

We may change this Privacy Policy by uploading a revised policy onto the Website. The change will apply from the date that we upload the revised policy.

Collection of Personal Information

Personal Data and Information Collected From You

We collect Personal Information about you when you provide (or make available) that Personal Information to us, including

via the Website, WebApp and Services;
through any registration or subscription process with us;
through any form submission process on our WebApp or Subscription Service;
through any contact with us, whether face-to-face, telephone call, email or otherwise;
when you sign up to our email marketing lists, or when you enter into a transaction with us.

If possible, we will collect Personal Information from you directly.

The Personal Information we may collect includes, but not limited to, your name, physical address, email address, login for the Services, feedback and suggestions for the Services, IP address, phone number, billing information (if applicable), occupation, employer, and job title.

Personal Information Collected Automatically

We may automatically collect information about your usage and web browsing when you use any of our Services or Website. We may collect the Personal Information as log files, or through cookies or other tracking technologies (see the “Cookies and Tracking” below for more information), store it against the associated User ID, and link it to the other Personal Information we hold about an End User or User ID.

The Personal Information we may collect includes, but is not limited to, your IP address, your operating system, your browser ID, time, date, your browsing activity, your interaction with the Services (including any Content, comments, and location).

Personal Information Uploaded and Transferred to the Subscription Service By Another End User

We collect Personal Information about persons indirectly when you or other End Users use our Services, such as when:

An End User invites a person to become and Authorised User or a Grant Assessor.
- Personal Information of End Users may include, but not limited to, first name, last name, phone number, and email address.
A Grant Applicant invites a person to collaborate on a Grant Transaction.
- Personal Information of End Users may include, but not limited to, first name, last name, and email address.
A Grant Applicant completes a Grant Application Form which may request Personal Information about additional persons. Grant Application Forms are created by the Grant Organisation and they determine what Personal Information about additional persons is required for the grant.
- As an example, some Grant Organisations require Grant Applicants to name “Key Personnel” in the Grant Application Form. In this example, Personal Information that may be collected are first name, last name, email address, and role.

If you provide Personal Information of another person to us (directly or as a consequence of your use of the Services), then you must ensure that you are authorised to disclose that personal information to us in accordance with applicable Data Protection Laws and shall comply with your obligations specified in Part B of this Privacy Policy.

Third-parties

We may collect Personal Information about you from third parties where you have consented to such collection or the information is publicly available.

Statistical Information

We may collect statistical (non-personal) information about your use of our Services and Website to improve the features and overall user experience. This may include statistical information such as, but not limited to, pages accessed on our Services and Website, search terms, links that are clicked on, browsers and operating systems, IP address, and cookies.

Cookies and Tracking

We may use various technologies to collect and store information when you use our Service, and this may include using cookies and similar tracking technologies, such as pixels and web beacons. You may control the use of cookies at the individual browser level, however your use of our Services and Website may be affected.
Personal Information may be collected as log files, or through cookies or other tracking technologies, stored against associated User IDs, and linked to the other Personal Information we hold about associated End Users or User IDs.
The Services, WebApps and Website do not currently recognize Do Not Track (DNT) signals sent by our End Users’ web browsers.
In addition, third parties that have content embedded on the Services, WebApps or Website, such as videos or social media buttons, may set cookies on an End User’s browser and/or obtain information about the fact that a web browser visited the Services, WebApps or Website from a certain IP address.
We may use cookies from third-party partners such as Google to help us distinguish between different End Users and understand how often a particular End User may visit our Services and Website, how the End User got to our Services, and the End User’s activity on our Services and Website. Google developed two resources – How Google Uses Information from Sites or Apps that Use Our Services and Google Analytics Opt-out Browser Add-on – to help provide website visitors more information and choice on how their data is collected when websites use Google services.

Disclosure of Personal Information

We may disclose your Personal Information to:

another company within our group for the purpose of providing Services and otherwise complying with the Terms;
any business that supports our Services and Website, including any person that hosts or maintains any Underlying System that we use to provide our Services and Website;
a credit reference agency for the purpose of credit checking you;
a third-party who acquires Tahua or substantially all of Tahua’s assets, Personal Information we hold may be one of the transferred assets (subject to the same constraints and disclosure under this policy);
other third parties, for anonymised statistical information;
a person who can legally require us to supply your Personal Information (e.g. a regulatory authority);
any other person authorised by the Data Protection Laws or another law (e.g. a law enforcement agency); and
any other person authorised by you.

We have no direct relationship with any person other than you, and for that reason, you (as the End User) are responsible for making sure you have the appropriate consents for us to disclose any Content (which may contain Personal Information) in the manner you direct through our Services. You must ensure compliance with your obligations in part B of this Privacy Policy in respect of any such disclosures.

Use of Personal Information

We will not process your Personal Information, other than as outlined in this Privacy Policy, without having a lawful basis to do so.

We process Personal Information:

perform the Services and otherwise carry out our obligations under the Terms;
to provide, tailor and improve the Website, WebApp and Services;
to respond to communications from you, including a complaint;
to identify you when you sign-in to your account and verify that your account is not being used by others;
to combat and prevent breaches of our Terms and our other policies;
to enforce compliance with our Terms, protect and/or enforce our legal rights and interests and comply with laws;
to bill you and to collect money that you owe us, including authorising and processing credit card transactions; and
to undertake credit checks (if necessary),

and such processing is necessary for the performance of the contract between you and us.

We also process Personal Information:

to comply with our obligations to our third-party suppliers and service providers;
to analyse usage of the Website, WebApp and Services, or carry out research and analysis, so we can improve the Website, WebApp and/or Services;
to market our Services to you, including contacting you electronically;
to ensure the security of our Services, WebApp and Website; and
to personalise the WebApp and Services for you and your Authorised Users,

and such processing is necessary for the purposes of a legitimate interest pursued by us, and we have assessed that our interests are not overridden by the interests or fundamental rights and freedoms of the person to whom the Personal Information relates.

We may also use Personal Information collected for such other purposes that are compatible with the original purposes described above, or that you otherwise consented to from time to time.

We also process Personal Information to communicate with you in relation to the WebApp or the Services from time to time, including to respond to your contact request and any related communication. You can unsubscribe from any communications from us by contacting us as directed in any such communications.

We may also use and disclose de-identified information (non-Personal Information) as set out in this Privacy Policy and as we otherwise determine, provided that there is only a low risk that any person could be re-identified from the information.

If you are based in the EU at the time we are processing your Personal Information, you have the right to object to the way we process your Personal Information where the processing is based on legitimate interests.

Trans-border Personal Data and Information Flows

Tahua’s head office is located in New Zealand, so some limited Personal Information is transferred and/or stored there. The vast majority of Personal Information we handle is stored and hosted in Australia.

Some limited Personal Information may be provided to companies located overseas who offer software as a service products that process content for inclusion on the Subscription Service (for example, conversion of images and videos to make them suitable for viewing online/ through a web browser). Those third parties located overseas are not permitted to (and are contractually obligated to not) access or use the Personal Information except for those limited purposes. We only choose reputable service providers and have agreements with such third parties that prevent them from using or disclosing to others the Personal Information we share with them, other than as is necessary to assist us.

In respect of the transfer of Personal Information to Australia, the USA and other countries, we will use reasonable efforts to obtain assurances from any third parties that they will safeguard Personal Information consistent with this Privacy Policy.

While the information resides outside of the territory where you reside, it may be accessible to the local courts, law enforcement and national security authorities in a foreign jurisdiction.

Subprocessors

To support the delivery of our services, we engage a number of trusted third-party service providers (“subprocessors”). These subprocessors may process the personal information you provide to us, including storing or transmitting data on our behalf.

Below is a current list of our subprocessors, the services they provide, and their country of operation:

Subprocessor	Service Provided	Country
Accredo	Cloud-based Finance System	New Zealand
Amazon Web Services	Cloud Infrastructure Provider	United States
Better Proposals	Cloud Proposal Management	United Kingdom
Datadog	Cloud Monitoring Service	United States
HubSpot	Sales and Service Management	Ireland
QuickBooks Online	Cloud-based Finance System (Intuit Inc)	United States
New Relic	Cloud Monitoring Service	United States
Rollbar	Error Tracking	United States
Xero	Cloud-based Finance System	New Zealand

We take appropriate steps to ensure that our subprocessors handle personal data in a manner consistent with this Privacy Policy and relevant data protection laws. We may update this list from time to time, and such changes will be reflected in this Privacy Policy.

Retention of Personal Information

We will delete your Personal Information once:

the purpose for collection of that information is no longer relevant; and
we are no longer required to comply with any legal obligation that necessitates the retention of that information.

However, despite this, we may retain a copy of Personal Information (in a static form, not accessible online) for archival purposes only.

Protecting your Personal Information

We will take reasonable steps to keep your Personal Data and Information safe from loss, unauthorised activity, or other misuse.

Accessing and correcting your Personal Information

Subject to certain grounds for refusal set out in the Data Protection Laws, you have the right to access your readily retrievable Personal Information that we hold and to request a correction to your Personal Information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the Personal Information relates.

In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the Personal Information, we will make the correction.

If you are an EU-based person you have the right (under the GDPR) to:

access and correct your Personal Information;
in certain circumstances, have your Personal Information erased;
restrict the processing of your Personal Information;
move, copy or transfer your Personal Information easily for your own purposes across different services in a safe and secure way;
object to processing where we relying on legitimate interests as the basis for processing and at any time to processing of Personal Information for direct marketing purposes; and
withdraw your consent to our processing of your Personal Information if your consent is being relied on by us.

Please note that in certain circumstances we may refuse to respond to a GDPR rights request where we have the right to do so under the GDPR, for example, where a request is manifestly unfounded or excessive.

If you want to exercise either of the above rights, contact us using our Inquiries form. Your email should provide evidence of who you are and set out the details of your request (e.g. the Personal Information, or the correction, that you are requesting).

We may charge you our reasonable costs of providing to you copies of your Personal Information or correcting that information.

Internet Use

While we take reasonable steps to maintain secure internet connections, if you provide us with Personal Information over the internet, the provision of that information is at your own risk.

If you follow a link on our Website to another website, the owner of that website will have its own privacy policy relating to your Personal Information. We suggest you review that website’s privacy policy before you provide access to your Personal Information.

PART B: YOUR OBLIGATIONS

By accessing and using our Website, WebApp and Services to upload and transfer other people’s Personal Information, you agree that you:

will comply with your obligations under all Data Protection Laws;
have obtained (or shall obtain) all consents necessary under the Data Protection Laws, for us to process the Personal Information through our Services as you direct, and that such consent is obtained from the correct person; we may, but shall not be required to, offer through the functionality of the Services a pop-up or embedded form to allow End Users to give their consent, retrospectively, to the processing of their Personal Information through our Services. However, you shall not rely on any such functionality, and it is your responsibility to ensure that you obtain consent from the appropriate person(s).
must notify us without undue delay if any person withdraws their consent, or any part of their consent, or objects to any processing of Personal information through our Services;
will make sure that you are frequently updating any Personal Information stored within your account or Subscription Service that relates to another person when requested to do so by that person;
upon becoming aware of a security incident, or any other breach, or suspected breach, of your security safeguards, must notify us without undue delay and shall provide timely information relating to the security incident as it becomes known or as is reasonably requested by us;
will not upload or transfer “sensitive data” (as that term is defined in the Data Protection Laws) to the Subscription Service;
are responsible for your secure use of our Services, including securing your User ID, protecting the security of Personal Information when in transit to and from the Subscription Service and taking any appropriate steps to securely encrypt or backup any Personal Information uploaded to the Subscription Service;
are responsible for reviewing the information made available by Tahua relating to data security and making an independent determination as to whether the Services meet your requirements and legal obligations under the Data Protection Laws.
acknowledge that our Services are subject to technical progress and development and that we may update or modify the Terms (including this Privacy Policy) from time to time, and you agree to review the latest version of the Terms (including the Privacy Policy) from time to time.