Personal Information We Collect:
- Customers: We may collect details such as names, contact information (address, email, phone), organization details, service and billing information, and any data customers provide to us in the course of using our services (which could include their clients’ data if we host or manage something for them). We limit collection to what is necessary for providing and supporting our services, fulfilling orders, and meeting legal requirements.
- Prospective Customers/Marketing: With consent or in permissible circumstances, we collect basic contact info from inquiries or sign-ups for newsletters.
- Employees & Contractors: For HR administration, we collect personal data like full name, DOB, TFN, bank details (for payroll), qualifications, emergency contacts, etc. This is handled with confidentiality as per employment law.
- Website Users: Our website may collect some personal info (e.g., if someone fills a contact form) and usage data (via cookies or analytics, though typically de-identified).
- We provide a Collection Notice at the point of data collection wherever possible, explaining why we need the info and referencing this Privacy Policy.
Use and Disclosure of Personal Information:
- We only use personal information for the primary purposes for which it was collected or as reasonably expected:
  - Providing and managing our services (e.g., using customer contact info to deliver support, or using customer configuration data to maintain their systems).
  - Communicating with individuals about their service, billing, or inquiries.
  - Improving our offerings (using feedback or usage data in aggregate form).
  - Direct marketing (only if the person would reasonably expect it or has consented; always with an opt-out option, in line with APP 7 and the Spam Act).
  - HR management for employees.
  - Any secondary purpose that is closely related to the primary purpose, where the individual would reasonably expect such use (or otherwise with consent).
- We do not sell personal data to third parties.
- We may disclose personal info to third parties in certain situations:
  - To our service providers (“data processors”) who help us operate (e.g., cloud hosting providers, couriers, payroll processors), but only on a need-to-know basis and under contracts that oblige them to protect the data (per Vendor Management Policy).
  - Where required by law (e.g., in response to a lawful subpoena or regulatory requirement). We will attempt to notify the individual if permitted and if such disclosure is not obvious.
  - If necessary to prevent a serious threat to health or safety or to take action regarding suspected unlawful activity (as permitted under Privacy Act exceptions).
  - If the person consents to the disclosure (specific or implied).
- Public disclosure: We generally do not publish personal info. If we ever want to use a testimonial including a person’s name or photo, we would obtain their consent.
Data Quality and Minimization: We take reasonable steps to ensure the personal information we collect is accurate, up-to-date, and complete:
- Individuals can update their info by contacting us (we respond promptly to changes like updated address, etc.).
- We avoid collecting more info than necessary. E.g., if providing support doesn’t need a birthdate, we don’t collect it. For anonymized analysis, we de-identify data where possible.
- We periodically review records and purge redundant or outdated personal data (aligned with our Records Management and Retention Policy) to minimize what we hold.
Data Security (Storage & Protection): We implement strong security controls to protect personal info from misuse, interference, loss, unauthorized access, modification or disclosure:
- Personal data in electronic form is stored on secure systems with access controls (only staff with a need for that info can access it). For example, customer contact details are held in our CRM, restricted to sales/support; HR data is held in the HRIS, accessible only to HR/Management; etc.
- We apply encryption where appropriate: sensitive personal data (IDs, passwords, financial info) is encrypted in transit (SSL/TLS for any web interfaces, VPN for remote access) and at rest (our databases use encryption, laptops have full-disk encryption).
- Physical files containing personal info (e.g., employee contracts, backup media with data) are kept in locked cabinets or secure areas, accessible only to authorized staff (per Physical Security Policy).
- We educate employees on confidentiality and have them sign NDAs. We enforce the Acceptable Use and Clean Desk policies to reduce unauthorized viewing.
- Our IT and InfoSec policies (access control, anti-malware, etc.) all serve to protect data including personal data.
- If data is stored with third-party providers (cloud), we ensure they have robust security (via Vendor Management as above) and, ideally, data residency as required, or adequate protection if the data is held overseas (see below).
- Retention and Disposal: Personal data is kept only as long as needed for business or legal requirements and then securely destroyed (shredding, secure erasure). For instance, job applicant data for unsuccessful candidates might be kept 6-12 months then deleted. Customer data is retained during contract and possibly for a period after (as per contract or regulatory retention) then purged or returned.
Openness & Transparency: We publish this Privacy Policy (e.g., on our website) and make it available to anyone who asks. It outlines the kinds of personal info collected, how we handle it, and how individuals can contact us about it, fulfilling APP 1 and 5 obligations.
Individual Rights:
- Access: Individuals may request access to personal information we hold about them. Provided it’s feasible and no legal exceptions apply, we will give them access (e.g., by providing a copy of relevant records) within a reasonable timeframe. We may require identity verification before releasing data. If for some reason we refuse access (e.g., it unreasonably affects others’ privacy, is frivolous, or subject to legal privilege), we’ll give a written explanation referencing the relevant Privacy Act exception.
- Correction: If an individual believes their info is inaccurate, out-of-date, incomplete, irrelevant or misleading, they can ask us to correct it. We will promptly correct it and confirm. If we disagree that something is incorrect, we will at least note the individual’s claimed correction on the record and explain our reasoning, and inform them of the complaint process if they are unsatisfied.
- These processes are in line with APP 12 & 13. We typically do not charge fees for access/correction requests, unless there’s an exceptional resource cost, and even then only a reasonable cost.
Anonymity: Where lawful and practical, we allow individuals to interact with us anonymously or using a pseudonym (APP 2). For example, general inquiries on our website can be done without providing a name. However, for service provision and contracts, it’s usually impractical to be anonymous (we need contact and billing info).
Use of Cookies/Online tracking: If applicable:
- Our websites may use cookies for functionality and to collect usage analytics (non-identifiable). For any that might identify or track, we disclose that in a website privacy notice and obtain consent where required (like via a cookie banner if needed).
- We do not attempt to link web browsing data to identified individuals except if required for security (like investigating a breach attempt).
Overseas Disclosure: We generally aim to store personal data in Australia. If we need to disclose personal info to an overseas recipient (like an overseas service provider or parent company):
- We will do so only in compliance with APP 8 – meaning either the recipient is subject to similar privacy laws (whitelisted countries) or we will take reasonable steps (contractual clauses, etc.) to ensure they handle it in accordance with the APPs.
- We will inform individuals in our Privacy Policy about likely overseas locations if applicable. For instance, “Our cloud CRM is hosted in data centers in Singapore and USA” or “We use a support desk provider based in EU”, etc.
- If no appropriate safeguards are in place, we will seek the individual’s consent for that overseas transfer (and explain risks if any).
- We have standard data protection clauses in contracts with any overseas data processors.
Notifiable Data Breaches (NDB): Although this is part of Incident Response, in the context of privacy:
- If a data breach occurs that is likely to result in serious harm to individuals (e.g., personal info compromised), we will notify the OAIC and affected individuals in line with the NDB scheme. Our Incident Response Plan has steps for this, including quick assessment of breach severity and preparation of the notice (what happened, what data, recommendations for individuals, our remedial actions).
- We treat privacy breaches very seriously; even if not reaching the “likely serious harm” threshold, we may still inform individuals as a customer service principle or as required contractually.
Training & Compliance:
- We train employees on privacy obligations as part of security awareness (including basics of APPs, handling PI safely, and consequences for misuse).
- Any employee deliberately breaching personal data privacy may face disciplinary actions.
- We have a designated Privacy Officer (or the Security Officer double-hatting in that role) to oversee privacy compliance, handle requests, and monitor that our practices align with this policy.
- We periodically review and update this Privacy Policy and related procedures to ensure compliance with changes in law or business practices.
Complaints Handling:
- If someone believes we have mishandled their personal info or violated our privacy obligations, they can lodge a complaint with our Privacy Officer (contact details are provided on our website).
- We’ll acknowledge receipt, investigate internally, and respond in a reasonable time (typically within 30 days) with the outcome and any actions we will take to address it.
- We treat complaints seriously and use them to improve processes if a gap is found.