Digistorm Group - Version 2.1 – 13 January 2021

Introduction

This Policy sets out how we collect, handle and use information about you.

We reserve the right to update this Policy at any time without notice.

We are subject to the privacy laws of the jurisdictions in which we operate, including the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

In certain circumstances we may also be subject to the EU General Data Protection Regulation (Regulation 2016/679) as it applies to residents in the European Economic Area.

Purpose

The purpose of this Policy is to:

• set out the types of information that we may collect; and
• how that information will be used, handled, stored and disclosed.

Application

This policy applies to Personal Information that we may collect about you in the manner outlined in this policy, including from all legal entities owned or controlled by us (across any jurisdiction).

This policy does not apply to Personal Information that may be collected by a third party or how that third party may use, handle, store or disclose your Personal Information.

Definitions

Organisation means a natural person, a body corporate, a partnership, any other unincorporated association, or a trust, that is not a small business operator, a registered political party, an agency, a state, territory or national authority or a prescribed instrumentality of a state, territory or nation.

Personal Information means information or an opinion about an identified natural person, or a natural person who is reasonably identifiable.

Digistorm Group, we, us, our means:

• Digistorm Pty Ltd ACN 153 005 264;
• Digistorm, LLC;
• Digistorm Operations Pty Ltd ACN 153 005 317;
• Digistorm Group Pty Ltd ACN 140 122 649; and
• and affiliates to the above noted entities.

Institution means preschools, primary schools, secondary schools, and further and higher education places for learning, whether public or private.

Suite of Products means those products and services on our website from time to time.

Information we collect about you

We collect personal information about you (including, but not limited to, the details outlined in the ‘what types of information do we collect?’ section below) that:

• you give us directly (for example Personal Information we receive from you directly when you create an account, complete an enrolment form or when you communicate with us by email or through social media);
• we receive from other sources (for example Personal Information we receive from Institutions, business partners, sub-contractors in technical and delivery services, advertising networks, analytics providers, search information providers); and
• we collect about you and your device (for example technical information, including the IP address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, cookies, operating system and platform, type of device. Additionally, as you browse the our platforms, websites and Suite of Products, we collect information about the individual web pages or products that you view, what websites or search terms referred you to across those platforms, and information about how you interact with our Suite of Products. We refer to this automatically collected information as “Device Information”).
• We collect Device Information using the following technologies:
  • “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org
  • "Log files” track actions occurring on our Suite of Products, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps; and
  • “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse our Suite of Products.

In some situations you will have the option to deal with us anonymously or through a pseudonym, however, where you are requesting products or services from us or from an Institution where such contact is via us or one of our services, it may become impracticable to provide those products or services to you without verifying your identity. Where you fail to provide us information or where the information provided is incomplete and/or inaccurate, or you choose not to provide us with the information that we have requested, it may affect our or an Institutions ability to provide you with our products and services.

In the event that we receive identifiable information from a third party, such as an Institution, we will take reasonable steps to ensure that you have given express or implied consent to the collection of that information. If it is determined that we are unable to have possession of the information under a relevant law, we will destroy the information or ensure that the information is de-identified.

What types of information do we collect?

Personal details

We collect the following types of information about you: full name, gender, date of birth, age, residential address, postal address, email address, phone number, facsimile number, and proof of identity information.

Why we collect this information:

• to identify you and conduct appropriate identity checks for, or on behalf of, Institutions;
• To create an account with us in order to interact with Institutions;
• to submit enrolment applications with an Institution;
• to send you updates about your account;
• to communicate about and provide you with our current and future products and services;
• to send you relevant news, promotion and marketing materials, either initiated by us or by Institutions;
• to respond to your requests, questions, comments and complaints;
• to register for conferences and special events; or
• any other reason allowed at law.

Religious and political beliefs

We collect information or opinions about your racial or ethnic origin, political opinions, or memberships, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation, or criminal record.

Why we collect this information:

• to the extent that we or an Institution consider it is necessary to provide our products and services to you or to improve the products, services and business activities that we undertake;
• to publish your reviews, forum posts or other content on our website or if an Institution chooses to do so; or
• any other reason allowed at law.

Digistorm products and services

We collect information, communication or opinions about any of our products, services, transactions, payment history and business activities.

Why we collect this information:

• to improve the products, services and business activities that we or an Institution undertake; or
• any other reason allowed at law.

Digital media

We collect digital media and content such as; video footage and audio.

Why we collect this information:

• for internal training and quality purposes; or
• to ensure effective delivery of products and services;
• to resolve disputes or problems; or
• any other reason allowed at law.

Proof of identity

We collect identifiers (such as tax file number and business number), citizenship and residency details, details regarding and information provided by your referees, details regarding and information provided by your guarantor(s) and business partner(s), financials/credit/criminal history checks, results of any pre-employment or profile tests, employment history, education history, identity documents, health information and next of kin details.

Why we collect this information:

• to identify you;
• to identify your referees and guarantor(s);
• to conduct identity and criminal checks;
• to conduct credit checks;
• to assess your suitability for employment;
• to act as your agent;
• to process your application on behalf of Institutions;
• to register for conferences and special events; or
• any other reason allowed at law.

Third parties

Information that may be collected by us or on our behalf via third parties including the date and time of your visit to our website, IP address, documents and pages you access, type of browser and setting, operating system, address of a recurring site you are about to visit; information you submit regarding payment particulars, device identifier, including UDID, device details, pages visited, language selections, cookies, tracking pixels, geographic area and location.

Why we collect this information:

• to provide you with local information and alerts about our products and services on behalf of Institutions;
• to improve our website and services;
• to comply with local legal restrictions;
• to gather anonymous statistics;
• for analytical purposes;
• to ensure proper function of the website and online software ; or
• any other reason allowed at law.

Do Not Track settings

For some (but not all) services operated by us, the Do Not Track browser setting is accepted (which can be adjusted in your browser). Because a uniform technological standard has not yet been developed for Do Not Track, we do not currently respond to all Do Not Track signals. We continues to review new technologies and may adopt a standard once one is created.

Storing your information

We are a growing online business. In order to offer a consistent service to you we may store and manage data electronically or in paper form. Where data is stored electronically, it is done so by a third party cloud service provider that may store your Personal Information or a backup of your Personal Information in Australia, the United States of America or such other locations that the third party cloud service provider determines from time to time (see our list of third parties here for jurisdictions where your informed may be stored). The data that we collect from you may be transferred to, and stored to these servers or processed by staff operating in other countries, who work for us or an Institution.

We will take all steps reasonably necessary to ensure that your information is secured from misuse, interference, loss, unauthorised access, unauthorised modification or unauthorised disclosure. Any Personal Information will be handled in accordance with this Policy and applicable privacy laws. Despite using all steps reasonably necessary, the transmission of information through the internet is not completely secure.

Submission of any information to us is an acknowledgement that you agree to such use, storage and disclosure.

Disclosing your information

We may share your information with:

• any and all of our affiliates;
• third parties including Institutions, business partners, suppliers and subcontractors;
• any prospective buyer of any part of our business or assets; or
• where we are required to disclose your information in order to comply with any legal obligation, or in order to enforce any agreements; or to protect the rights, property, or safety of us and our customers, or others. This includes, where relevant, exchanging information with Organisations for the purposes of fraud protection and credit risk reduction.

International data transfers

We collect and store Personal Information globally from each jurisdiction we operate in and from each legal entity that is owned or operated by us in different international jurisdictions and may transfer, process and store your Personal Information outside of your country of residence, to wherever we or our third-party service providers operate for the purpose of providing you the Suite of Products and services provided by those Suite of Products. We have appointed Digistorm Pty Ltd to control and deal with all Personal Information that is collected globally by the Digistorm Group.

Accessing and correcting your information

You may request access to Personal Information that we hold about you at any time by contacting our Privacy Officer using the details set out in this Policy. We will respond to any such request for access to Personal Information within a reasonable time frame and will provide you access to the Personal Information that we hold pertaining to you, unless we are authorised not to do so by law.

Where permitted by law, we may charge you a reasonable fee for processing your request to access your Personal Information and should we decline you access to your Personal Information, a written explanation will be provided setting out the legal reasoning for doing so.

If upon receiving your Personal Information, or at any other time, you believe the Personal Information that we hold about you is incorrect, out of date, incomplete, irrelevant or misleading, please notify our Privacy Officer using the details set out in this Policy.

If we decline to correct your Personal Information as requested by you, a reason for refusal will be provided except to the extent that it is unreasonable to do so. In the event that we decline the request to correct Personal Information, you may request to associate a statement with the information.

Complaints

Should you believe that we have not fulfilled our obligations under any relevant law or have not complied with the terms of this Policy or would like to appeal a decision made by us in relation to your Personal Information, you can make a complaint in writing to our Privacy Officer using the contact details set out in this Policy.

We will respond to you within a reasonable period of time (or where a period is specified by any law, that period) to acknowledge your complaint and inform you of the next steps we will take in dealing with your complaint.

Our external provider’s privacy policies

We provide the Suite of Products to various Institutions. The Suite of Products have been specifically designed to appear as the relevant Institution, however, the your interactions when using the Suite of Products is with us and can be confirmed where:

• the URL is:
  • digistorm.com.au or digistorm.com;
  • digistormenrol.com.au or digistormenrol.com;
  • app.digistorm.com, or
• the mobile app:
  • designates ‘Digistorm’ as the publisher or seller in the relevant app store; or
  • the terms with the relevant Institution app provide that the service is provided by a member of the Digistorm Group.

We ‘hold’ your Personal Information on behalf of the Institution in which you are dealing with.

Accordingly, where you are dealing with an Institution and you are concerned that there may have been a breach of this Policy by an independent third party associated with us and/or an Institution, please contact the relevant entity directly. Alternatively, you may contact the Privacy Officer at the details set out in this Policy.

(Primary Purpose): The primary purpose for which your Personal Information is collected by us:

• is to facilitate various services on behalf of an Institution to you, including delivering any number of services in the Suite of Products;
• for the Institution to communicate with you in a secure manner;
• for you to make payments to an Institution;
• for an Institution to market to you;
• for an Institution to organise and store your Personal Information in a consistent manner for the Institution to better provide its services to you or a family member of yours; and
• in any manner described or disclosed in the relevant privacy policy of an Institution.

(Secondary Purpose): The secondary purpose in which we will use your Personal Information, includes (but is not limited to):

• providing analytics services, of any kind, to Institutions;
• to provide any entity in the Digistorm Group;
• disclosure is required or authorised by or under an Australian law or a court/tribunal order;
• a permitted general situation exists in relation to the use or disclosure of the Personal Information by us; and
• we reasonably believe that the use or disclosure of your Personal Information is necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body

General Data Protection Regulation (GDPR)

Application

This section applies to residents in the European Economic Area (EEA).

Definitions

Controller , Data Processor, Data Subject,Processor, Processing, Subprocessor, and Supervisory Authority shall be interpreted in accordance with applicable EU Data Protection Legislation.

EU Data Protection Legislation means the General Data Protection Regulation, Regulation (EU) 2016/679 and any legislation and/or regulation implementing or made pursuant to it or which amends or replaces any of them, as it applies to the EEA.

Residents of the EEA (where we act as processor)

We work with Institutions and Organisations around the world, including in the EEA. If you are located in the EEA, your personal information is processed by us in Australia. When you submit data, including Personal Information, via our Suite of Products, that data is being submitted directly into Australia and at no time is it held in the EEA. As part of providing our Suite of Services, we may transfer your personal information to other regions, including to Australia.

We rely on the following provisions of the EU Data Protection Legislation when transferring your data to our servers in Australia:

• (Article 28(3)): the entry into a data protection agreement with the relevant Controller;
• (Article 49(1)(a)): at the time of submitting the data, you explicitly consented to the transfer of your data outside of the EEA and into Australia;
• (Article 49(1)(b)): the transfer of your data into Australia is necessary in order to perform the contract you are entering into with the Institution (which is the Controller) when you submit your data;
• (Article 49(1)(c)): the transfer of your data into Australia is necessary in order to conclude or perform a contract concluded between you and the Institution (which is the Controller), created when you submitted the data; and
• (Article 1): to otherwise pursue our legitimate business interests outlined in this policy, which includes us acting as Processor for the Institution as Controller.

If you are located in the EEA, you have certain rights under European law with respect to your personal data, including:

• the right to request access to, correct, amend, delete, port to another service provider;
• or object to certain uses of your personal data.

Due to the manner in which the Suite of Products is delivered, you are contracting directly with an Institution. That Institution has subsequently contracted with us in order to deliver the Suite of Products and therefore facilitate the various communications between you and the Institution. In this manner, we are the Processor of your Personal Information for the Institution.

If you are a Data Subject in the EEA and wish to exercise rights in accordance with the EU Data Protection Legislation, please contact the Institution you interacted with directly -- we serve as a processor on their behalf and can only forward your request to them to allow them to respond.

Additionally, if you are located in the EEA, we note that we are generally processing your Personal Information in order to fulfil contracts we might have with you (for example if you submit an enrolment application for a child at an Institution), or otherwise to pursue our legitimate business interests outlined in this Policy, unless we are required by law to obtain your consent for a particular processing operation. In particular we process your Personal Information to pursue the following legitimate interests, either for ourselves, the Institutions, our partners, or other third parties:

• To provide Institutions, yourself and others with our Suite of Products;
• To prevent risk and fraud on our platform and within our Suite of Products;
• To provide communications, marketing, and advertising;
• To provide reporting and analytics;
• To facilitate communications and payments between you and the relevant Institution;
• To provide troubleshooting, support services, or to answer questions;
• To test out features or additional services; and
• To improve our services, Suite of Products, and websites.

When we process Personal Information to pursue these legitimate interests, we do so where we believe the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that Personal Information can help mitigate the risks to the Data Subject.

We note that we use third parties as Subprocessors to process your information in association with the Suite of Products. Depending on the processing undertaken by the third party, will depend on information disclosed to them. Please click here to view the list of third party Subprocessors.

Where you submit any data to or otherwise use the Suite of Products:

• you expressly consent to us transferring the submitted data outside of the EEA; and
• consent to your use of the Subprocessors as disclosed and as added to or replaced from time to time.

Residents of the EEA (where we act as controller)

We work with Institutions and Organisations around the world, including in the EEA and you may make an enquiry with us, either on your own behalf or on behalf of an Institution. If you are located in the EEA, your Personal Information is processed by us in Australia. When you submit data, including Personal Information, via our Suite of Products, that data is being submitted directly into Australia and at no time is it held in the EEA. In such circumstances, we will be considered the controller of such data submitted.

We rely on the following provisions of the EU Data Protection Legislation when transferring your data to our servers in Australia:

• (Article 49(1)(a)): at the time of submitting the data, you explicitly consented to the transfer of your data outside of the EEA and into Australia;
• (Article 49(1)(b)): the transfer of your data into Australia is necessary in order to perform the contract you are entering into with us when you submit your data;
• (Article 49(1)(c)): the transfer of your data into Australia is necessary in order to conclude or perform a contract concluded between you and us, created when you submitted the data; and
• (Article 1): to otherwise pursue our legitimate business interests outlined in this policy.

If you are located in the EEA, you have certain rights under European law with respect to your personal data, including:

• the right to request access to, correct, amend, delete, port to another service provider;
• or object to certain uses of your personal data.

If you are a submitting an enquiry on behalf of an Institution or other Organisation to acquire use of the Suite of Products in an Institution and wish to exercise these rights in accordance with the EU Data Protection Legislation, please contact us using the contact information below. In this manner, we are acting as the Controller of the Personal Information.

Additionally, if you are located in the EEA, we note that we are generally processing your Personal Information in order to fulfil contracts we might have with you (for example if you submit an enquiry to acquire the Suite of Products), or otherwise to pursue our legitimate business interests outlined in this Policy, unless we are required by law to obtain your consent for a particular processing operation. In particular we process your Personal Information to pursue the following legitimate interests, either for ourselves, the Institutions, our partners, or other third parties:

• To communicate with you regard the Suite of Products;
• To prevent risk and fraud on our platform and within our Suite of Products;
• To provide communications, marketing, and advertising;
• To provide reporting and analytics;
• To facilitate communications and payments between you, the Institution and us;
• To provide troubleshooting, support services, or to answer questions;
• To test out features or additional services; and
• To improve our services, Suite of Products, and websites.

When we process Personal Information to pursue these legitimate interests, we do so where we believe the nature of the processing, the information being processed, and the technical and organisational measures employed to protect that Personal Information can help mitigate the risks to the Data Subject.

We note that we use third parties as Subprocessors to process your information where we are the Controller. Depending on the processing undertaken by the third party, will depend on information disclosed to them. Please click here to view the list of third party Subprocessors.

Where you submit any data to or otherwise use the Suite of Products:

• you expressly consent to us transferring the submitted data outside of the EEA; and
• consent to your use of the Subprocessors as disclosed and as added to or replaced from time to time.

Minors

Our website and Suite of Products are not intended for Data Subjects under the age of 16. However, due to the nature of the Suite of Products facilitating the enrolment and communication of minors that attend an Institution with their respect parents, you may submit Personal Information to us on behalf of a Data Subject under the age of 16. In such circumstances, we will seek your express consent to this submission and use of Personal Information of the Data Subject no yet 16 years of age.

Contact

Your information, irrespective of which entity you submitted data to or contracted with, is controlled by Digistorm Pty Ltd and this entity has been appointed to deal with all privacy inquires on behalf of the Digistorm Group.

If you have any comments, concerns or questions regarding this Policy or Personal Information that we hold about you, please contact our Privacy Officer by email to [email protected] or by post at:

Privacy Officer Digistorm Pty Ltd ACN 153 005 264 Suite G2, 2019 Gold Coast Highway MIAMI, QUEENSLAND 4220 AUSTRALIA

Please note that where you have submitted any Personal Information to us via any Institution and contact us in accordance with this Policy, we will disclose and provide that request to the relevant Institution for their action and instruction. We suggest you contact the Institution to resolve any matter related to your Personal Information before contacting us.