Privacy Policy Our Privacy Commitment We are committed to being open and transparent about how we manage your Personal Information. Your use of our Services generates information, including at times Personal Information about you and your Permitted Users. It is important that you read this Privacy Policy which sets out how we manage the information generated through your use of the Services. It explains what information is being collected, how it is used and who can access it. It will help you make informed decisions about sharing your Personal Information with us. We have a few fundamental principles: We will always collect, store, use and disclose Personal Information in accordance with all applicable privacy laws. However, we have also put in place this Privacy Policy to protect Personal Information you submit or we collect. We will only use your Personal Information when we have lawful grounds to do so, it is necessary for us to deliver you our Services, or to perform other necessary business functions and activities. We will not use or disclose your Personal Information for purposes unrelated to our business activities and the Services, unless we first obtain your consent or there is a legitimate legal basis for doing so. 1. Application This Privacy Policy explains how we and our subsidiaries and related bodies corporate and any website we operate, collect, handle and protect your Personal Information. By using the Services or providing your Personal Information to us, you consent to our collection, storage, use and disclosure of your Personal Information in accordance with this Privacy Policy. If you do not agree with any part of this Policy, you must not provide your Personal Information to us. This Privacy Policy should be read together with our respective website terms and conditions. 2. Important Terminology Our business interests span Australia, New Zealand and the United Kingdom. “We“, “our“, or “us” collectively refers to: ANZCRO New Zealand Limited; ANZCRO (UK) Limited; Australian New Zealand Central Reservation Office Pty Limited; and Ozone Technology Holdings Limited. The laws we comply with in our dealings with your Personal Information will depend on your location. We will always comply with Applicable Privacy Laws and Applicable Anti-Spam Laws which means: if you are in Australia, the Privacy Act 1988 (Cth) (Australian Privacy Act), and the Spam Act 2003 (Cth); or if you are in New Zealand, the Privacy Act 1993 and Unsolicited Electronic Messages Act 2007; or if you are in the United Kingdom, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. Personal Information means: if you are in Australia, information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable; or if you are in New Zealand, any information about an identifiable individual; or if you are in the United Kingdom, any information which is related to an identified or identifiable natural person. Permitted Users means people authorised to access the Services through your organisation. 3. Dealing with us Anonymously Where it is lawful and practicable to do so, you may deal with us anonymously (e.g. when enquiring about our services generally). However, we usually need your name, contact information and other details to enable us to provide our Services to you. 4. What Information do we Collect Information you provide to us directly: Our usual practice is to collect Personal Information directly from you, and your Permitted Users, when you subscribe to, and use, the Services. A few examples include: Personal details: given name(s). Demographic information: date of birth; age; title. Contact details: email address; correspondence address; telephone number. Information we get from third parties: We may obtain Personal Information from authorised third parties (e.g. travel booking agencies). Information we collect automatically: We may collect Personal Information about you automatically when you visit our websites or use our Services, like your IP address, location and device type. Some of this information may be collected using cookies, our sensor technology and similar tracking technologies. Information we create in the performance of the Services: We may also create or obtain Personal Information, such as your interactions with us, and any interactions we have with providers of Services on your behalf. Information you make public: We may obtain your Personal Information that you manifestly choose to make public. How we use your Personal Information Unless otherwise specified in this Privacy Policy, we process your Personal Information only to the extent necessary to protect our legitimate interests, in relation to your contractual performance of your obligations, for the effective provision of the Services, or to the extent that you consent to the processing of your Personal Information. Primarily, we collect your Personal Information so that we can provide you with the Services and any related services you may request. In doing so, we may use the Personal Information we have collected from you for purposes related to the Services including: to facilitate the Services and business operations; to internal purposes (such as record keeping, account and database management and other administrative purposes including keeping track of billing and payments); for marketing and communication purposes such as making suggestions and recommendations to you about goods or services that may be of interest to you and to conduct research and produce reports; to improve our website, Services, marketing, customer relationships and experiences (using data analytics etc.); to administer and protect our business and keep the Services working, safe and secure (by troubleshooting, analysis, testing, system maintenance and monitoring and addressing other security/technical issues); to notify you about changes or updates to the Services; and for any other purpose reasonably incidental or ancillary to these purposes. By using the Services, you consent to your Personal Information being collected, stored, used and disclosed in this way and for any other use you authorise. You can always choose not to provide your Personal Information to us, but it may mean that we are unable to provide you with the Services. We will always endeavour to be clear about the purposes for which we are processing that Personal Information and our lawful basis for doing so. We set out below, in a table format, a description of the ways we plan to use your Personal Information. Note that we may process your Personal Information using more than one lawful ground depending on the specific purpose for which we are using your information. Please contact us if you would like details about the specific legal ground we are relying on to process your Personal Information where more than one ground has been set out in the table below. Purpose / Activity Lawful basis for processing To facilitate the Services and business operations. Necessary for our legitimate interests. Performance of a contract with you (e.g. using our online platforms or websites or making bookings with Service providers on your behalf). For internal purposes (such as record keeping, account and database management and other administrative purposes including keeping track of billing and payments). Necessary for our legitimate interests to manage the delivery of our Services to you. For marketing and communication purposes such as making suggestions and recommendations to you about goods or services that may be of interest to you and to conduct research and produce reports. Necessary for our legitimate interests to develop our products/services and grow our business. To improve our website, products/services, marketing, customer relationships and experiences (using data analytics etc.) Necessary for our legitimate interests to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy. To administer and protect our business and keep the Service working, safe and secure (by troubleshooting, data analysis, testing, system maintenance and monitoring and addressing other security/technical issues). Necessary for our legitimate interests for running and protecting our business, ensuring appropriate security, investigating and helping to prevent security issues and abuse, to prevent fraud and so on. Necessary to comply with a legal obligation. To notify you about changes or updates to the Service. Performance of our contract with you. Necessary for our legitimate interests to develop our products/services and grow our business. 5. Disclosure of Information Your Personal Information will not be sold, traded, rented or otherwise provided to others without your consent. From time to time, third parties may submit requests to access information that has been generated from your use of our Services. This might include, for example, law enforcement or government agencies requesting information about you or Permitted Users. We may also disclose information about you or your use of our products and services if we have a good faith belief that such action is allowed by law, for example in accordance with Applicable Privacy Laws to avoid prejudice to the maintenance of the law or to prevent or lessen a serious threat to public health or safety, or to the life or health of an individual. Where possible and appropriate, we will notify you if we are required by law to disclose your Personal Information. Otherwise, we will not pass on your Personal Information unless this is necessary for the fulfilment of a contractual agreement or to facilitate Services bookings on your behalf, you have consented to the passing on of your Personal Information, or we are obliged to do so due to a mandatory legal provision, court decision or official order. 6. International Data Transfers Your Personal Information may be transferred to, and processed in, countries other than New Zealand, Australia or the United Kingdom (where our data hosting servers are currently located). There may be differences with each respective country’s privacy laws. However, where we disclose Personal Information to a third party in another country, we place safeguards to ensure your Personal Information is protected and only disclose information to an organisation in a foreign country which has a substantially similar privacy regime or where the overseas organisation has agreed to comply with the Applicable Privacy Laws. For individuals in the European Economic Area (EEA), this means that your Personal Information may be transferred outside of the EEA. Where your Personal Information is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data (like New Zealand), or to a third party where we have approved transfer mechanisms in place to protect your Personal Information (e.g. by entering into the European Commission’s Standard Contractual Clauses). For further information, please contact us using the details set out in the contact section below. 7. How is Information Protected? We implement a variety of security measures to protect the loss, misuse, and alteration of your Personal Information when you enter, submit, or access your Personal Information. While we endeavour to protect the privacy of your account and Personal Information we hold, we cannot guarantee complete security at all times. There are a number of measures you need to take to keep your information secure. For example, it is important that you: choose a strong password – we recommend using a phrase, rather than a word, or at least ensuring the word is a minimum of 8 characters, with at least 2 numbers or letters; and do not write down your password or share it with anyone. 8. What About Links to Other Websites? Our website may contain links to other websites that are not under our control. These websites may use cookies. It is the responsibility of those third parties to collect appropriate consents from you in order to permit their own cookies (to the extent this is required by law) and to inform you about the cookies they use. You should check the privacy policy on all third party websites to ensure you are comfortable with third party cookies. We have no responsibility for linked websites, and provide them solely for your information and convenience. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or warranties about their accuracy, content or thoroughness. Your disclosure of Personal Information to or on third party websites is at your own risk. 9. Email, Text and Telephone Communications We may use your Personal Information to identify a product or service that you may be interested in or to contact you about an event or promotion. We may, with your consent or where required by Applicable Anti-Spam Laws, use the contact details you have provided to contact you from time to time (whether by phone, email or SMS) to tell you about new products or services and special offers that we believe may be of interest to you. You can withdraw your consent to receiving direct marketing communications from us at any time by unsubscribing from the mailing list by clicking ‘unsubscribe’ at the bottom of any email from us, by contacting us on the details at the end of the policy or by using the unsubscribe facility set out in any other electronic communication you receive. Once you have unsubscribed from the electronic communication, you will be removed from the corresponding marketing list as soon as is reasonably practicable and in accordance with Applicable Anti-Spam Laws. We may occasionally engage other companies to provide marketing or advertising services on our behalf. Those companies will be permitted to obtain only the Personal Information they need to deliver the service. If we provide those companies with any of your Personal Information, it is to provide you with a better or more relevant and personalised experience and to improve the quality of those services. We take reasonable steps to ensure that these organisations are bound by confidentiality and privacy obligations in relation to the protection of your Personal Information. We may also use your Personal Information and information collected about you using third parties such as Google Analytics to provide you with a better or more personalised and relevant experience when using our website. We may do this by combining behavioural data we collect by the use of cookies and combining it with the Personal Information we have collected from you. 10. Keeping Personal Information Accurate and Up to date It is your responsibility to ensure that the Personal Information you provide us is accurate, complete and up-to-date. However, as required by Applicable Privacy Law, we will also endeavour to ensure that the Personal Information collected from you is up to date, accurate and complete. You may request access to or correction of your Personal Information we hold about you at any time by contacting the relevant Privacy Officer using the contact details set out at the end of this policy. We will need to verify your identity. Subject to any applicable exceptions or requirements, we will provide you with access to the Personal Information you request within a reasonable time and usually within 20 working days. If we decide to refuse your request we will tell you why in writing and how to complain. You will not have to pay a fee to access or correct your Personal Information. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. 11. Retention The length of time we keep your Personal Information depends on what it is and whether we have an ongoing business need to retain it – for example, to provide you with a Service you’ve requested; or to comply with applicable legal requirements such as money laundering and financial reporting legislation; or to protect our legitimate interests, in particular, the assertion, exercise and defence of legal claims. We’ll retain your Personal Information for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our internal retention policies and practices. Following that period, we’ll make sure it’s deleted or anonymised. Otherwise, as a general rule, we only keep your Personal Information for as long as we require it for the purposes of providing you with our Services. In some circumstances we may anonymise your Personal Information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. In some circumstances, Applicable Privacy Laws may grant you the right to require us to delete your data: see the “erasure” right in the section below for further information. 12. Additional Right Under UK Law The Applicable Privacy Laws in the United Kingdom, grant the following additional data protection rights to UK data subjects: Request access to your Personal Information (commonly known as a “data subject access request”). This enables the data subject to receive a copy of the Personal Information we hold about them and to check that we are lawfully processing it. Request correction of the Personal Information that we hold. This enables the data subject to have any incomplete or inaccurate information corrected. Request erasure of Personal Information. This enables the data subject to ask us to delete or remove Personal Information where there is no good reason for us continuing to process it. Also, the right to ask us to delete or remove their Personal Information where they have exercised their right to object to processing (see below). Object to processing of Personal Information. This right applies where we are relying on our legitimate interests (or those of a third party) and there is something about the data subject’s particular situation which makes them want to object to processing on this ground. Such data subject also has the right to object where we are processing their Personal Information for direct marketing purposes. Request the restriction of processing of Personal Information. This enables the data subject to ask us to suspend the processing of their Personal Information, for example if they want us to establish its accuracy or the reason for processing it. Request the transfer of Personal Information to another party (known as the “right to data portability”). Withdraw consent. This right applies only if we are relying on the data subject’s consent to process any of your Personal Information. This will not affect the lawfulness of any processing carried out before the data subject withdraws their consent. If the Applicable Privacy Laws grant you such additional rights and you wish to exercise any of these rights, please contact privacy@anzcro.com.au You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Information (or to exercise any of your other rights). This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within 20 working days. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 13. AdWords Remarketing Privacy Policy This website uses the Google AdWords remarketing service to advertise on third party websites (including Google) to previous visitors to our site. It could mean that we advertise to previous visitors who haven’t completed a task on our site, for example using the contact form to make an enquiry. This could be in the form of an advertisement on the Google search results page, or a site in the Google Display Network. Third-party vendors, including Google, use cookies to serve ads based on someone’s past visits to this website. Of course, any data collected will be used in accordance with our own privacy policy and Google’s privacy policy. You can set preferences for how Google advertises to you using the Google Ad Preferences page. 14. Changes to this Privacy Policy We may amend the terms of this Privacy Policy from time to time, and will notify you of any changes by posting an updated version on our website or by sending you a notice via email. It is your responsibility to check this Privacy Policy periodically for changes, and to keep your email address current. Your continued use of the Services following notification of any changes to this Privacy Policy constitutes acceptance of those changes. If you do not agree with any aspect of the updated Privacy Policy, you must immediately cease all use of the Services. 15. How to Contact Us We take your concerns seriously. If you have a question or comment regarding this policy or wish to make a complaint or exercise your privacy rights, please contact our Privacy Officer on the following details: Country Contact Details Australia Phone: +61 7 5556 5556 Post: ANZCRO Attn: Privacy Officer Address: Level 1, 6 Short Street, Southport QLD 4215 E-mail: privacy@anzcro.com.au New Zealand Phone: +61 7 5556 5556 Post: ANZCRO Attn: Privacy Officer Address: Level 1, 6 Short Street, Southport QLD 4215 E-mail: privacy@anzcro.com.au United Kingdom Phone: +61 7 5556 5556 Post: ANZCRO Attn: Privacy Officer Address: Level 1, 6 Short Street, Southport QLD 4215 E-mail: privacy@anzcro.com.au We will need to verify you, and we will respond to you within a reasonable period of time to acknowledge your complaint and inform you of the next steps we will take in dealing with your complaint. If you are not satisfied with our response, you may complain to: Country Office Australia The Office of the Australian Information Commissioner (OAIC) via the OAIC website: www.oaic.gov.au. New Zealand The New Zealand Privacy Commissioner via the website: https://www.privacy.org.nz/your-rights/making-a-complaint/ United Kingdom The Information Commissioner’s Office (ICO) via the website https://ico.org.uk/global/contact-us We would, however, appreciate the chance to deal with your concerns before you approach one of these entities, so please do get in touch using the details above in this section. This represents our Privacy Policy as at 01 September 2019.