SUSTAINET PRIVACY POLICY – CANADA/USA AND UK (SEE SCHEDULE A)
This privacy policy (this “Policy”) describes SustaiNet Software International Inc.’s (“SustaiNet”) practices with respect to the collection, use, storage and disclosure of personal information it collects from users of its software and website.
1. Introduction
SustaiNet respects and upholds individuals’ right to privacy and the protection of personal information.
The Personal Information Protection and Electronic Documents Act (Canada), or similar privacy legislation applicable in your Province, (“Applicable Privacy Legislation”) regulates the way private sector organizations operating in Canada may collect, use, keep, secure and disclose personal information. “Personal information” means all information about an identifiable individual.
As required by Applicable Privacy Legislation, SustaiNet has appointed a Privacy Officer who is responsible for compliance with this Privacy Policy and Applicable Privacy Legislation. Information on how to contact the Privacy Officer can be found below.
2. Collection and Use of Personal Information
SustaiNet offers a variety of services (the “Services”) including (a) public access to the SustaiNet website (the “Website”), (b) access to web-enabled software applications (the “Software”) for use by organizations in tracking, monitoring and reviewing public participation, stakeholder consultations and community engagement projects (“Consultation Projects”), and (c) outsourced hosting of Consultation Projects.
SustaiNet collects and uses personal information from individuals who have the right to use the Software on the Internet in connection with managing Consultation Projects (“Customers”) or who have set up an account to access the Services and individuals who visit the Website for the following purposes:
(a) If you request information via the Website, SustaiNet may collect personal information (e.g. name, address, company, contact information) to enable a direct response to your request;
(b) if you subscribe to or purchase a license to use the Software, SustaiNet may collect personal information (e.g. name, address, contact information, credit card number) to verify your identity and to charge you for the license;
(c) if you subscribe to or purchase a license to use the Software, personal information is collected on individuals using the Software and on individuals entered into the Software database in order to manage Consultation Projects;
(d) if you wish to set up an account with SustaiNet to access the Services, SustaiNet will collect personal information from you to verify your identity and to determine which Consultation Projects you are entitled to access;
(e) when you login to your account SustaiNet will collect personal information from you to verify your identity and to prevent unauthorized access to the Services and any Consultation Projects;
(f) if you request support, additional information about the Software, or if you request a demonstration version of the Software, SustaiNet may collect personal information from you so that SustaiNet can contact you and provide you with these services;
(g) to collect data concerning traffic on, and use of, the Website for statistical analysis in order to improve the Website and the Services;
(h) to provide the Services; and
(i) to inform you of product updates, special offers, new services and products, partners, promotions, events and updated information that may be pertinent to you and to generally keep you informed about SustaiNet and its customers via newsletters.
The personal information that SustaiNet may collect from you for the purposes identified above may include, but is not limited to: name, email address, telephone number, other contact information, credit card number and other billing information, a password you choose for your account, and any secret question(s) and answer(s) in case you forget your password and any personal information you choose to post to or enter into a Consultation Project, and may include, but is not limited to: name, address, phone, fax, email, contact information, organization, stakeholder group, land parcel (property) location, land interest, comments, issues, concerns, objections, interests, attitudes, demographics and any other such information as is required by the Customer for the purposes of managing such consultations for specified projects. SustaiNet may also collect data concerning traffic on, and use of, the Website and may include non-personal data such as IP address, page tags, user site performance, and other such information required for logfile analysis and web analytical purposes.
In order to provide the Services, SustaiNet will use, process and store any information (which may include personal information) that you may post to or enter into a Consultation Project.
SustaiNet limits the personal information it collects and uses to that which is necessary to fulfill the purposes identified above. SustaiNet will not collect, sell, distribute or use personal information for any other purposes without your further consent, as required by law or as authorized by Applicable Privacy Legislation.
3. Sharing of Personal Information
The only circumstance under which SustaiNet may disclose your personal information to a third party is for the fulfillment of any of the purposes identified above, as required by law or as authorized by Applicable Privacy Legislation.
In order to provide the Services, SustaiNet may hire other companies or contractors to provide limited services on its behalf, for example to provide Website and Software hosting services, and support with respect to the Software or Services or for surveys and other marketing purposes on behalf of SustaiNet. Such service providers are only permitted access to and/or use personal information necessary to provide the service. They are required to protect your personal information and must agree to adhere to this Policy.
If you participate in a Consultation Project any data or personal information you submit may be accessed, used or otherwise processed by other individuals, groups or organizations, including (if permitted in respect of such Consultation Project) the public at large. The Customer that has engaged us to host the Consultation Project (the “Project Controller”) has control over all information submitted to the Consultation Project (this includes who may participate in the Consultation Project, what data and other information may be accessible through the Consultation Project and who may access, post, modify or delete such data and other information). If you are concerned about who may access personal information you submit in a Consultation Project you should contact the Project Controller.
4. Retention of Personal Information
SustaiNet will keep personal information used to make a decision that directly affects an individual for at least one year after it makes such a decision. Subject to this one-year retention requirement, SustaiNet will only retain personal information for as long as necessary to fulfill the purposes identified in this Policy or as long as required for legal or business purposes.
5. Security of Personal Information
SustaiNet has implemented security measures to protect your data from unauthorized access, loss or theft, modification and other threats. Personal Information is protected by security safeguards that are appropriate to the sensitivity level of the information. Our employees, affiliates and other third parties providing Services on our behalf are required to sign contracts obliging them to protect the privacy and confidentiality of personal information provided to them, and are to observe the intent of this agreement, in order to perform their function. This obligation remains in effect even after employees, affiliates and other third parties leave the employ of or association with SustaiNet. Appropriate controls are in place over computer systems and these controls are reviewed on an ongoing basis to ensure compliance with our security and privacy policy. Except as is required by law, when personal information is no longer required, the documentation records are destroyed.
6. Requests for Access to and Correction of Personal Information
Applicable Privacy Legislation allows any individual the right to access and/or request the correction of errors or omissions in his or her personal information that is in the custody or under the control of SustaiNet. SustaiNet’s Privacy Officer will assist the individual with the access request. This includes:
(a) identification of personal information under SustaiNet’s custody or control;
(b) information about how personal information under SustaiNet’s control may be or has been used by SustaiNet; and
(c) the names of any individuals and organizations to which the individual’s personal information has been disclosed.
SustaiNet will respond to requests within the time allowed by Applicable Privacy Legislation and will make every effort to respond as accurately and completely as possible.
In certain exceptional circumstances, SustaiNet may not be able to provide access to certain personal information it holds about an individual. If access cannot be provided, SustaiNet will notify the individual making the request, in writing, of the reasons for the refusal.
7. Concerns or Questions regarding SustaiNet’s Compliance
Questions or concerns regarding SustaiNet’s compliance with this policy may be directed to the Privacy Officer:
Howard Adam, President
SustaiNet Software International Inc.
Suite 200, 322 Water Street
Vancouver, BC V6B 1B6
howard@sustainet.com
(604) 717-4327
__________________________________________________________________
SCHEDULE A
DATA PROTECTION (UNITED KINGDOM)
1. In this Schedule A, “DPA” means the Data Protection Act 1998 of the United Kingdom and associated regulations, and “Data Processor”, “Data Controller”, “Data Subject”, “Personal Data” and “Process” shall have the same meanings as in the DPA.
2. To the extent that Customer Content contains any Personal Data in respect of which Customer is the Data Controller (“Customer Personal Data”), SustaiNet shall:
(a) process Customer Personal Data only in accordance with Customer’s instructions from time to time (which instructions, the Parties acknowledge for the avoidance of doubt, include processing Customer Personal Data for the purposes of fulfilling SustaiNet’s obligations under this Agreement);
(b) take appropriate technical and organisational measures against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data;
(c) take reasonable steps to ensure the reliability of SustaiNet employees who have access to Customer Personal Data;
(d) notify Customer, as soon as reasonably practicable, of any notice or communication concerning the DPA that SustaiNet receives from any Data Subject of Customer Personal Data or any applicable regulatory authority (including the Information Commissioner’s Office in the United Kingdom or its successor) in relation to Customer Personal Data; and
(e) assist Customer, at Customer’s cost and expense, as reasonably necessary so that Customer may comply with all subject access requests, which may be received from the Data Subjects of Customer Personal Data.
3. SustaiNet will not use Customer Personal Data for any purpose other than as permitted under this Agreement and/or Applicable Law. Without prejudice to the generality of the foregoing, in particular SustaiNet will not disclose Customer Personal Data to any third party in any circumstances other than at Customer’s specific request or as expressly permitted by this Agreement and/or Applicable Law.
4. In the event of a breach or alleged breach of this Schedule and/or the SustaiNet Privacy Policy by SustaiNet or any of SustaiNet’s employees, SustaiNet will, as soon as reasonably practicable, notify Customer of such breach or alleged breach and will provide details of the actions taken or to be taken by SustaiNet in order to remedy such breach and ensure compliance with this Schedule and the SustaiNet Privacy Policy.
5. Upon at least ten (10) working days’ prior written notice and subject to Customer’s confidentiality obligations in this Agreement or the License Agreement, SustaiNet will allow SustaiNet’s data processing facilities, procedures and documentation to be submitted for scrutiny by Customer’s auditors or professional advisers (at Customer’s cost and expense) in order to ascertain compliance with this Schedule provided that any such inspection is undertaken no more than once in each twelve (12) month period during the term of this Agreement and is conducted so as to cause minimal disruption to SustaiNet’s or its data processing facilities’ business operations. SustaiNet will provide reasonable assistance to Customer, at Customer’s sole cost and expense, in relation to any such inspection.
6. For the avoidance of doubt, Customer acknowledges and agrees that SustaiNet may sub-contract certain of SustaiNet’s obligations under this Agreement, which may include the processing of Customer Personal Data. SustaiNet will use commercially reasonable efforts to ensure that each agent, sub-agent, contractor or third party that assists in the performance of SustaiNet’s obligations under this Agreement complies with this Schedule. For the avoidance of doubt, if any act or omission by any such agent, sub-agent, contractor or other third party would, if undertaken by SustaiNet, constitute a breach of this Schedule, SustaiNet shall be responsible for such action or omission as if it were the act or omission of SustaiNet.