Date of last update: 15 June 2020
This Privacy Notice applies to Finnigan Investments (Australia) Pty Ltd, OneAffiniti Ltd and OneAffiniti LLC (collectively “OneAffiniti“, “we” or “our“) and describes how each of these companies uses your personal data.
OneAffiniti runs digital marketing campaigns and data analytics for its clients. As part of our services, we create webpages and produce communications, marketing materials and social media posts (“Marketing Materials“). We also provide lead qualification and profiling services and offer other marketing-related services through our websites (which are owned and operated by OneAffiniti), including www.oneaffiniti.com (“Sites“).
This Privacy Notice applies to (i) individuals who use or visit OneAffiniti’s Sites or Marketing Materials, and (ii) individuals whose personal data OneAffiniti processes on behalf of clients in connection with the provision of services (in each case “you” or “your“).
OneAffiniti operates in several jurisdictions, therefore our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements. Where applicable we will call out any differences in local privacy notices given to you when your data is collected.
- Who controls your personal data
- Personal data we collect
- How we obtain your personal data
- Purposes for which we process your personal data
- Direct marketing
- Who we share your personal data with and why
- Legal basis for processing your data
- Data retention
- International transfers
- Keeping your data secure
- Your privacy rights
- Links to third party sites, content and services
- Contact Us
- Changes to this Privacy Notice
1. Who controls your personal data
- OneAffiniti – except as set out in paragraph 1(b) below, OneAffiniti, comprising Finnigan Investments (Australia) Pty Ltd, OneAffiniti Ltd and OneAffiniti LLC, are controllers of your personal data. This means that each company determines the purpose for which and the manner in which your personal data is collected, used, disclosed and otherwise processed*. These companies are responsible for complying with privacy laws and for making sure your personal data is processed fairly and lawfully.
* The word “processing” (and its derivatives) covers anything that can be done with your personal data, such as collecting, storing, using, deleting, transferring, sharing and disclosing.
- Our clients – When OneAffiniti processes personal data in the course of providing services to clients, it is our clients who are the controllers of that data and OneAffiniti will – for the most part – be a processor acting on the clients’ behalf. Typically, our clients will provide us with personal data (which may include information about you) and we will use that data (and/or supplement it) in order to provide our services to them. In this situation, it is our clients who are responsible for ensuring any personal data complies with applicable law and their privacy notices will apply. When our clients are the controllers, you should refer to their privacy notices for further information about how your personal data may be used by them.
2. Personal data we collect
- Personal data is any information about you from which you can be directly or indirectly identified. The types of personal data we may obtain about you include:
- your name
- your contact details (such as email address, telephone number)
- employment details (such as job title, company you work for)
- your opinions and comments
- details of your interactions with our website and services (such as your IP address and pages visited), including the results of profiling or analytics we may carry out.
- In some cases it is possible for you to engage with us anonymously or using a pseudonym. For example, if you wish to give feedback without requiring a response from us, you do not have to provide us with your full name or email address. However, if you do not provide us with some or all of the personal data requested, we may not be able to provide you with our services or data you request, to the requested standard or at all, and you may also miss out on receiving valuable data about us and our and our client’s products and services.
- When we provide services on behalf of our clients, they may provide us with personal data about you (typically name and contact details). We may supplement that data with additional information as required by our clients as part of our provision of services.
- In addition to the above, if you are an employee of one of our clients we may obtain personal data about you if (i) you register to use our services and/or (ii) your employer provides us with your details as a point of contact. The personal data we may get about you will generally be limited to your name and contact details and any other information you may have provided on the registration form.
3. How we obtain your personal data
- We may obtain your personal data directly from you, for example when you:
- communicate with us (e.g. by email or telephone)
- respond to or participate in any polls or surveys, or provide feedback on products or services
- subscribe to receive communications (such as newsletters or alerts) or notifications about offers
- enter into any competitions or sign up for a webinar or event
- respond to our lead qualification calls
- complete a form to request pricing or more product data, or request that we contact you
- access and use our Marketing Materials or Sites
- otherwise interact with us or disclose your personal data to us; or
- register to use any of our services on behalf of a client.
- We may also obtain personal data about you from third party sources, for example:
- from our clients
- social media platforms may share data about how you interact with our content or the content of third parties with whom you have a relationship (e.g. you’re a customer of theirs). Any data gathered through these social media platforms will be governed by the privacy settings, policies and/or procedures of the relevant platform, which we strongly recommend you to review
- third party data sources, such as data providers or public databases.
4. Purposes for which we process your personal data
We may process your personal data for some or all of the following purposes:
- provision of services – we may process your personal data in order to:
- provide and administer our services
- provide customer support and respond to questions, queries, requests for data and applications
- send digital marketing material on behalf of our clients, including marketing emails, posts on social media platforms or display advertising
- follow up on leads from our digital marketing activities on our clients’ behalf
- develop and improve our services, including our Sites and Marketing Materials and to provide a more personalised service
- manage and carry out our business and operational functions, including business decisions and technical operations
- competitions and promotions – we may process your personal data to operate our competitions and promotions including determining entry eligibility, awarding prizes and publishing or otherwise making available a list of prize winners
- analytics – we may analyze your personal data to: (i) improve and measure the effectiveness of our services, (ii) gain insights into how our services are being used and by whom, (iii) help us to generate new leads, (iv) help us to better understand visitors to our sites and users of our services. To assist us with these activities we may combine personal data with other data which we may source from our Sites, Marketing Materials or third parties
- marketing and advertising – we may process your personal data to:
- conduct marketing and advertising activities, including displaying content on our Sites and Marketing Materials and serving display advertising on third party websites
- analyze the effectiveness and optimize the performance of any specific marketing campaign we undertake, including on behalf of our clients
- provide data about our services, including through the distribution of newsletters and other communications about our services and your use of our services.
5. Direct marketing
- Sending you marketing – we may use your personal data to send you direct marketing communications by email, telephone or text where we have obtained your prior consent, or we are able to rely on another lawful basis to send such communications (such as our legitimate interests).
- Right to opt out – you have the right to opt out of receiving any further marketing communications from us at any time. You can do this by clicking on the unsubscribe link in a marketing communication, or by contacting our Privacy Officer directly (see Contact Us). Please note that if you want to opt out of receiving marketing communications from an organization other than OneAffiniti (such as our clients), then you will have to contact that organization directly, as it is responsible for managing its own marketing lists.
6. Who we share your personal data with and why
We may share your personal data with others in the following situations:
- OneAffiniti group companies – your personal data may be shared within the OneAffiniti group of companies:
- Clients – your personal data may be shared with our clients in order to:
- analyze the effectiveness and optimize the performance of a marketing campaign
- draw a prize (for example if we have been asked to run a competition on behalf of a client)
- validate a sale, register a sales opportunity or assist with or fulfill a transaction
- Third party suppliers – your personal data may be shared with our third party suppliers (i.e. third parties that provide products and services to us and our clients) in order to:
- provide you with the services that you have requested
- help us deliver, administer, host and support our functions and activities
- help maintain our Sites, Marketing Materials and databases
- provide marketing services, including telemarketing services, data analysis and serving advertising
- provide IT services, including data processing, storage and backup.
Our service providers are required to keep personal data secure and their use of personal data is limited to the provision of services to us.
We may also share your personal data if required or permitted to do so by applicable law, or if you have given us your consent to make a particular disclosure to someone. Also, if we decide to merge, divest, restructure, reorganize, dissolve, sell or transfer some or all of our assets for any reason, we may share your personal data with the buyer or successor in title.
7. Legal basis for processing your data
We will only process your personal data where we have a lawful basis for doing so. The following are the lawful bases that we rely upon to justify our processing:
- your consent – we will process your personal data with your prior consent (which you may give directly to us or to our clients). For example, if you register to receive our newsletter then you may also opt in (consent) to receive marketing communications. You can withdraw your consent at any time – please see Section 11(h) (Your privacy rights) below
- performance of a contract – we will process your personal data where this is necessary to enter into, or for the performance of, a contract with us or our clients
- legitimate interests – we will process your personal data if necessary for the purposes of our legitimate interests, or the legitimate interests of our clients (or other third parties), as long as these interests are not overridden by your fundamental privacy rights. For example, we may process your personal data for the following legitimate interests:
- our own direct marketing activities
- direct marketing we carry out on behalf of a client with whom you have an existing relationship or have agreed to be contacted for marketing purposes
- fraud prevention and detection
- our own internal administrative purposes
- personalization of the service(s) we provide to you and to gain a better understanding of our visitors/users/customers (and their end customers where applicable)
- ensuring network and data security, including preventing unauthorized access to electronic communications networks and stopping damage to computer and electronic communication systems, and/or
- reporting possible criminal acts or threats to public security to a competent authority
- compliance with law – we will process your personal data if it is necessary to comply with a legal requirement (for example, to comply with a court order requiring us to make a disclosure to law enforcement agencies, or to comply with employment or tax laws or other regulatory provisions).
8. Data retention
We will take all reasonable steps to destroy or anonymize personal data that we no longer need for any of the purposes described above in accordance with our data disposal and retention policy, and applicable laws.
9. International transfers
Where you are submitting personal data from within the European Economic Area or the United Kingdom (“EEA/UK”), such data may be transferred to countries outside the EEA/UK. By way of example, some of the third parties we disclose your personal data to may be based, or have servers located, outside of the EEA/UK in various countries, including Australia, the United States and the Philippines. Before we disclose your personal data to our overseas recipients, we will take all reasonable steps to ensure that your personal data is only used for authorized purposes, in a manner that is consistent with our Privacy Notice and adequately protected using the appropriate technical, organizational, contractual or other lawful means.
10. Keeping your data secure
- Our security measures – we take the security of your personal data seriously. We have implemented procedures to safeguard the security and confidentiality of your personal data. These measures include:
- storing personal data in a secure environment and imposing electronic and physical restrictions to files containing personal data
- procedures designed to safeguard personal data from misuse, interference, loss and unauthorized access, modification or disclosure
- restricting access to authorized personnel for permitted purposes only.
- Transmission of data over the Internet – whilst we continually strive to ensure our systems and controls are updated to reflect technological changes, the transmission of data via the internet is not completely secure and as such we cannot guarantee the security of your data transmitted to us online, which is at your own risk. If you communicate with us using a non-secure web platform, you assume the risks that such communications between us are intercepted, not received, delayed, corrupted or are received by persons other than the intended recipient.
- How you can help to keep your data secure – you can help to keep your data secure by ensuring you do not share any user name and/or password (that you use in relation to our services) with any other person. You should stop using your username and password and notify us immediately (see Contact Us below) if you suspect that someone else may be using them.
11. Your privacy rights
Depending on where you are located and the privacy laws that apply, you may have some or all of the privacy rights described below. You may exercise these rights in respect of personal data that we process about you as a controller. Where we process personal data about you as a processor, you will need to contact the relevant controller to exercise your privacy rights. The rights set out below may be subject to conditions. You can exercise your rights by contacting our Privacy Officer (see Contact Us):
- Right of access – you have the right to request information about our processing of your personal data and to get access to that data
- Right of rectification – you have the right to request that we rectify or modify any personal data that we hold about you that is incorrect or incomplete
- Right of erasure – you have the right to request the erasure of personal data that we process about you in certain circumstances
- Right to restrict processing – you have the right to ask us to restrict the processing of your personal data in certain circumstances
- Right of data portability – you have the right to receive your personal data (which you have provided to us) in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller
- Right to object to processing and direct marketing – you have the right to object to the processing of your personal data, in particular for direct marketing purposes. You can unsubscribe from direct marketing by clicking on the unsubscribe link that will be included in any marketing email we send you, or by contacting our Privacy Officer (see Contact Us)
- Right to object to automated decision-making – you have the right to object to automated decision-making if this produces legal effects, or otherwise significantly affect you
- Right to withdraw your consent – where you have consented to the processing of your personal data, you have the right to withdraw such consent at any time. You can withdraw your consent by contacting us (see Contact Us). If you withdraw your consent it will not affect the lawfulness of any processing that has already taken place based on your consent prior to its withdrawal.
- What are cookies – cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently to improve the user experience, as well as to provide certain data to the owners of the site.
- What data do we get – cookies may collect general data from your device when you interact with our Sites and Marketing Materials. This might include your geo-location, IP address, device identifier, the browser and operating system you are using and details of the website that IP address has come from, the pages accessed on our website and the next website visited.
- How do we use cookie-derived data – we may use and combine data collected using cookies and similar devices, with data we already have about you. We do this to maintain, secure and improve our website, enhance your experience when using our website, display and deliver relevant data and advertising (including direct marketing and targeted ads on third party websites and social media sites) and understand the effectiveness of our marketing and advertising.
- How to stop cookies – if you want to prevent cookies being used, you can change your browser settings to disable cookies, or to notify you when you receive a new cookie. However, you may not be able to access all or parts of our website, or you may experience reduced functionality when accessing certain services (e.g. automatic log in may not function properly). For more data, visit youronlinechoices.com.au or www.allaboutdnt.org. Third party cookies may have their own privacy notices in relation to their cookies and tools.
- Remarketing – we use Google Display Advertising and other third party providers for re-marketing purposes. Remarketing is the practice of serving targeted ads to individuals that have visited or interacted with our Sites when they browse Google or its partner websites. In addition to using cookies and related technologies as described above, we may also permit certain third parties to help us tailor and serve advertising that we think may be of interest to users and to collect and use other data about user activities on our Sites and Marketing Materials. These companies may deliver ads that may also place cookies, and related technologies as described above, and otherwise track user behavior. This means we will continue to show ads to you across the internet, specifically, but not limited to, on the Google Content Network (GCN). As always, we respect your privacy and are not collecting any identifiable data through the use of Google’s or any other third party remarketing system. You can opt-out of Google Analytics for Display Advertising and customize Google Display Network ads using the Ads Preferences Manager.
13. Links to third party sites, content and services
- Third party sites – in addition to Sites, Marketing Materials and services that we operate and provide access to directly (which we control), we also use and provide links to websites which are controlled by third parties, which may include:
- Twitter, LinkedIn and YouTube, where we have certain OneAffiniti accounts and profiles
- Facebook, where we have a social media page, and
- websites, social media platforms, online portals or other online forums operated by or on behalf of our clients or third party suppliers.
Please be aware these third party operated sites or other online destinations have their own privacy notices and we cannot accept any responsibility for their use of data about you. This Privacy Notice does not apply to such third party sites and we take no responsibility for the practices of any such third party sites or how they process your data.
- Third party content – our services may include integrated content or links to content provided by third parties (such as video materials). This Privacy Notice does not address the privacy, security, or other practices of the third parties that provide such content.
- How we handle complaints – we take your complaints seriously and will attempt to resolve any issues quickly and fairly. If you think we have not complied with our privacy obligations or this Privacy Notice, please contact us (see Contact Us). If you make a complaint, our Privacy Officer will contact you to try to resolve the matter. We may ask you for further details, consult with other parties and keep records regarding your complaint. We will notify you of the outcome of any investigation into your complaint once this is complete, including any actions we will take to address your complaint.
- Your right to complain to a regulator – if you believe we have not complied with our obligations under applicable privacy law, or you are unhappy about the way we have handled your privacy complaint, you have the right to complain to the relevant regulator:
- Europe: you can find your European national data protection authority by clicking here or by visiting the European Commission website (europa.eu), or
- Australia: there is a Contact Us option on the website for the Office of the Australian Information Commissioner (https://www.oaic.gov.au/)
But before you make a formal complaint to a regulator we very much hope you will give us a chance to address your concerns.
15. Contact Us
If you wish to contact us for any reason, including to exercise any of your data subject rights, or to make a complaint about our handling of your personal data, you can do so as follows:
Contact: Privacy Officer
Contact address: Suite 7, Level 10, 109 Pitt Street, Sydney NSW Australia
Tel: +61 2 8599 9898
Contact address: Venture House, 2 Arlington Square, Bracknell RG12 1WA, United Kingdom
Tel: +44 01344 289070
Contact address: 9600 Great Hills Trail, Suite 220W Austin TX 789759, United States
Tel: +1 512 982 0928
16. Changes to this Privacy Notice
We keep this Privacy Notice under review and may revise it from time to time. Any revised Privacy Notice will take effect when it is published on our website. Your continued use of our website or services will constitute your consent to those revisions.