Data privacy policy
CREDIT OBJECTS PTY LIMITED Level 40, 140 William Street, Melbourne, VIC 3000
Table of Contents
- Introduction
- Data Privacy Policy
- Purpose
- Scope
- Definitions
- Data Collection and Processing Principles
- Types of Data We Collect
- Legal Basis for Processing
- Data Security and Protection
- Third-Party Integrations
- Cloud Infrastructure and Data Hosting
- International Data Transfers
- Data Subject Rights
- Data Retention Policy
- Breach Notification
- Employee and Contractor Privacy Responsibilities
- Policy Updates
Introduction
This document contains a detailed Data Privacy Policy specifically tailored for Credit Objects Pty Ltd, focusing explicitly on data privacy principles, protections, rights, and responsibilities, including how data is handled during third-party integrations.
Effective Date 01/01/2025
Last Updated 01/01/2025
Data Privacy Policy
Credit Objects Pty Ltd (“we,” “us,” or “our”) is committed to maintaining the highest standards of data privacy in line with global data protection regulations. This Data Privacy Policy outlines our approach to collecting, processing, storing, and protecting personal and business data across all our IT services, including custom development, systems integration, consulting, and managed IT services. This policy specifically focuses on how we safeguard data privacy throughout our operations, including when engaging with third-party systems and providers.
Purpose
- Personal and organizational data is collected and used responsibly
- All processing activities comply with applicable privacy laws e.g., GDPR, CCPA, Australian Privacy Act.
- Data subjects are informed of their rights and our obligations.
- Transparent handling of data during third-party integrations and partnerships.
- Clear assurances that user data is never sold, never used for ML or AI training, and that user credentials are never stored in our systems.
Scope
This policy applies to:
- All employees, contractors, and third parties engaged by Credit Objects Pty Ltd.
- All data subjects whose information we process, including clients, end-users, partners, and website visitors.
- All digital platforms, services, APIs, and cloud environments maintained or operated by Credit Objects Pty Ltd.
- All third-party integrations and data flows involving customer data.
Definitions
- Personal Data: Any information relating to an identified or identifiable individual.
- Processing: Any operation performed on personal data (e.g., collection, storage, use, disclosure).
- Data Subject: An individual whose data is being processed.
- Controller: The entity that determines the purpose and means of processing data.
- Processor: The entity that processes data on behalf of the controller.
- Third-Party Integration: Any external service, API, or software connected to our systems that involves data exchange.
Data Collection and Processing Principles
We adhere to the following principles:
- Lawfulness, Fairness, and Transparency: We process data legally and fairly with clear purposes. Individuals are informed of how their data is used.
- Purpose Limitation: Data is collected for specific, legitimate purposes and not processed in a manner incompatible with those purposes.
- Data Minimization: We collect only the data necessary to fulfill the specified purposes.
- Accuracy: Reasonable steps are taken to ensure that data is accurate and kept up to date.
- Storage Limitation: Data is retained only as long as necessary to fulfill its intended use or legal obligations.
- Integrity and Confidentiality: Appropriate security measures are in place to prevent unauthorized access, loss, or destruction of data.
- Accountability: We are responsible for and able to demonstrate compliance with data protection obligations.
- Data Protection Commitment:
- User data is never sold to any third party.
- User data is never used for machine learning or artificial intelligence training.
- User credentials (e.g., passwords and login names) are not stored in our systems.
- We do store user tokens which are securely generated credentials—strictly to perform operations on user data only as explicitly permitted by the user during access authorization.
Types of Data We Collect
a) Authentication and Access Tokens
We do not store user login names or passwords. However, we store user tokens required for secure API-based access to third-party systems. These tokens are:
- Granted by the user via consent during authorization flows
- Used to access and process only the user-permitted data
- Revoked immediately upon user request or access expiry
All data operations are limited strictly to the scope of permissions provided by the user.
b) Personal Data
- Full name
- Email address and phone number
- Job title and company name
- Login credentials and authentication data
c) Technical and Operational Data
- IP address, device and browser type
- Access logs, usage statistics
- API tokens and integration metadata
d) Business and Client Data
- Files, configuration data, and project information
- Data transmitted or stored via integrations
- Customer support communications
We do not collect sensitive personal data (e.g., health, ethnicity, religion) unless explicitly required and consented to.
Legal Basis for Processing
Depending on the jurisdiction, we rely on the following legal bases:
- Consent: For marketing and optional integrations
- Contractual necessity: To deliver contracted services
- Legal obligations: To comply with statutory requirements
- Legitimate interests: For security, business continuity, and service improvement
Data Security and Protection
We implement and maintain a robust information security framework that includes:
- Encryption of data in transit and at rest
- Multi-factor authentication (MFA)
- Role-based access control (RBAC)
- Secure software development practices
- Regular security audits and penetration testing
- Incident response and breach notification protocols
Additionally:
- We do not store user passwords or login credentials.
- We store user tokens only as necessary for authorized operations explicitly permitted by the user.
- Data encryption, secure APIs, firewalls, monitoring tools, and access control systems are enforced to prevent unauthorized access or disclosure.
Third-Party Integrations
We often work with third-party platforms to deliver enhanced functionality. When integrations involve personal or business data:
- Data Sharing is Purpose-Specific: Only necessary data is shared to enable specific functionality.
- Privacy Reviews are Conducted: We assess the data protection practices of integration partners.
- Security is Enforced: We use secure methods (e.g., OAuth2, HTTPS, API encryption) to transmit data.
- Contractual Safeguards: Data Processing Agreements (DPAs) or equivalent clauses are in place with each third party.
- Client Controls: Where possible, clients retain control over what data is shared or received through integrations.
- Secure Authentication: We use secure authentication methods such as OAuth to obtain user tokens.
- Access Limitations: Access is strictly limited to user-authorized scopes.
- Data Encryption and Logging: All data exchanges are encrypted and logged for traceability.
- Strict Data Operations: We do not perform any operations on user data beyond the permissions explicitly granted by the user.
Cloud Infrastructure and Data Hosting
Credit Objects Pty Ltd utilizes enterprise-grade cloud infrastructure to operate its platform, including:
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Microsoft Azure
User data is hosted on these platforms in accordance with:
- The data privacy and security policies of each cloud service provider
- Any custom data privacy agreements negotiated between Credit Objects Pty Ltd and these providers to further enhance protection, compliance, or residency requirements
We ensure that cloud service providers meet international standards for data protection, including ISO 27001, SOC 2, and GDPR compliance where applicable.
International Data Transfers
If we transfer personal data across borders, particularly outside of the country or region of origin:
- Legal Compliance: Transfers are conducted in compliance with applicable legal frameworks.
- Transfer Mechanisms: We rely on mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
- Security Measures: Additional security measures (e.g., encryption and access controls) are applied during transfer.
Data Subject Rights
We respect and uphold the following rights of data subjects:
- Right to Access – View and receive a copy of your personal data.
- Right to Rectification – Correct inaccurate or incomplete data.
- Right to Erasure – Request deletion of your data (right to be forgotten).
- Right to Restrict Processing – Limit how your data is used.
- Right to Data Portability – Obtain and reuse your data across services.
- Right to Object – Object to specific processing activities.
- Right to Withdraw Consent – Revoke consent at any time where applicable.
Requests can be submitted by contacting us at info@creditobjects.com.au. We aim to respond within the timeframes mandated by applicable laws.
Data Retention Policy
- We retain data only as long as necessary for the purposes for which it was collected.
- Retention periods may vary based on the nature of data and legal requirements.
- Upon expiry of retention periods, data is securely deleted or anonymized.
Breach Notification
- We will notify affected individuals and regulators within required legal timeframes.
- Affected parties will be informed of the nature of the breach, affected data, and recommended next steps.
Employee and Contractor Privacy Responsibilities
- Trained in data protection principles and legal obligations.
- Bound by confidentiality agreements.
- Subject to disciplinary action in case of violations of this policy.
Policy Updates
- This Data Privacy Policy may be reviewed and updated periodically.
- Changes will be posted on our website with a new effective date.
- Substantive changes will be communicated to affected parties where applicable.