Privacy Policy
Who are we
When we refer to ‘we’, ‘us’, ‘our’ or just ‘Togetha' that means Togetha Software Pty Ltd. You can contact us about privacy at privacy@togetha.io
Privacy Policy
Togetha take your privacy seriously and is committed to responsible privacy practices.
Please read the following policy to understand how we collect, use, disclose, store, handle and protect your Personal Information. We hope that this will help you make an informed decision about sharing Personal Information with us. This Privacy Policy applies to all information collected through our interactions with you.
This Privacy Policy should be read in conjunction with any Agreements we many have with you, for example an End User License Agreement (EULA) and our organisational controls visible in our Trust Centre.
This Privacy Policy takes into account the requirements of the Australian Privacy Principles set out in the Australian Privacy Act, and its 13 Australian Privacy Principles (APPs), as well as other applicable privacy laws.
By interacting with us you acknowledge that you understand and agree with our use of your Personal Data and Personal Information and understand your rights in relation to your Data.
Types of Data
User Data
User Data means all information collected from our Customers that is not Personal Information.
Personal Information
Personal Information has the meaning given to it by the Privacy Act, that is, information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not, and for the purposes of this Privacy Policy, is deemed to have a corresponding meaning as given by applicable privacy laws (including but not limited to the GDPR), as applicable;
Personal Data
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’) Art.4 GDPR
We will use Personal Data and Personal Information interchangeably in this policy.
Sensitive Information
Sensitive information is defined as information or an opinion about an individual’s:
racial or ethnic origin;
political opinions;
membership of a political association;
religious beliefs or affiliations;
philosophical beliefs;
membership of a professional or trade association;
membership of a trade union;
sexual preferences or practices; or
criminal record.
Data we collect
We do not store sensitive information, and generally, we will not collect sensitive information about you.
We do not collect Personal Information on individuals under the age of 18 (a minor) and you should not provide any such information to us. If you do provide us with Personal Information on a minor, either deliberately or accidentally, and we become aware of it, we will immediately remove this from our systems.
We may collect User Data and Personal Information depending on how you interact with us.
Commonly we will collect your contact details so that we can interact with you. This will include:
Your name
One or more contact methods such as phone number, email address
Information collected through interactions
- Browsing our website
When you access our websites, data like the IP address of your computer, browser, date and time will be logged. This data is used to maintain our internet services and secure it.
We use analytical tools such as Google Analytics to gain insights into how our web site is used and performs.
These tools collect technical information (User Data) such as web browser type, browsing preferences, Internet service provider, referring/exit pages, date/time stamps, IP address, time zone and geolocation data (if applicable), some of which is collected automatically, arising from your use of our website and/or Products, as well as information about your usage of our website and/or Products when browsing (see: How do we collect Data below).
- Make enquiries
When you contact us in any way, for example a contact form, phone, email, competitions or responding to promotions, we will collect the information relevant to the enquiry including:
What you are enquiring about
Contact history
Information you volunteer to give us
- Purchasing from us
When you purchase from us, we need:
billing details
shipping details
product and product license details
- Support via our portal
When you ask for support, in addition to contact and product details we may need:
Usage information - what happened and how, including logs
System information like hardware, browser, IP addresses
- Subscription to information such as Newsletters
When you subscribe to information services such as newsletters we will also store:
preference information
Opt-In consent
Tracking information to confirm delivery and provide anonymous statistics
- Use of our applications (Atlassian products and Atlassian Marketplace Apps)
No personal data is stored or forwarded to third parties from our cloud apps. Only meta and configuration data is stored using an anonymised user ID. The apps securely fetch all relevant data from the Atlassian Cloud and store it back within the customers tenancy.
Please see the individual App Privacy Statements for App specific details.
How do we collect Data
Directly
Where possible we will only collect Personal Information about you from you directly.
Third parties
We may also collect Personal Information through third parties such as Atlassian, our service providers or through promotional and marketing activities where they have gained your permission, such as purchasing our App on the Atlassian Marketplace.
We are not responsible for the privacy practices of third parties, including Atlassian, service providers, suppliers or sub-processors. You should review their privacy policies for how they protect and handle your Personal Information.
Cookies and Analytics tools
We also use the following technologies to collect technical information and general analytics:
cookies, which are data files that are placed on your device and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org;
log files, which track actions occurring on our website, platforms and applications; and
tags and pixels, which are electronic files used to record information about how you browse our website.
You may disable cookies and other tracking technologies used to collect technical information in your web browser. If you do so, you can still access our website, but it may impact your user experience.
In addition to our cookies, certain third parties may deliver cookies to your device for a variety of reasons. For example, we sometimes use various web analytics tools that help us understand how visitors engage with our website. Any third party links or advertising on our website may also use cookies; you may receive these cookies by clicking on the link to the third party site or advertising. We do not control the collection or use of information by these third parties, and these third party cookies are not subject to this Privacy Policy. You should contact these companies directly if you have any questions about their collection and/or use of information. When linking to any other site, you should always check the relevant website's privacy policy before providing any Personal Information.
Unsolicited Information
If you provide unsolicited User Data, we will use it in accordance with the Privacy Policy. If you submit unsolicited Personal Information and we determine that we could not have collected the Personal Information in accordance with the Privacy Policy, we will destroy the information or ensure that the information is de-identified as soon as practicable. Otherwise, the Personal Information will be used in accordance with this Privacy Policy.
Technical Information
Technical information (generally anonymous) relating to your device, system, and use of the products, is gathered periodically to facilitate the provision of software updates, gauging of usage patterns, product support, and sending you technical notices, updates, security alerts, and support and administrative messages.
How do we use Data
Business Management
We use your Data to manage our business so we can provide our services to you. Examples of how we use your data are to:
verify your identity for securing your information
deliver products to our customers or to receive goods or services from third parties
enable the proper operation and functionality of our products
gain insights about you so that we can serve you better by understanding your preferences and interests
prevent, detect and investigate suspicious, fraudulent, criminal or other activity that may cause you, us or others harm
identify opportunities to improve our products and services to you
comply with our legal obligations
keep you up to date on new product versions
communicate with you, and to address any issues or complaints that you may have regarding our relationship and our products
for direct marketing purposes (see "Direct Marketing Communications" below)
We may use technical data and related information to the extent necessary to provide you with support, or communications to improve our Products or to provide services or technology to you.
Direct marketing communications
We will only send you direct marketing communications through mail, SMS or email, including services, features, surveys, newsletters, offers, promotions or providing you other news or information about us and our select partners, where you have consented to do so.
You may opt out of receiving direct marketing communications at any time by unsubscribing using the link on the communication or by contacting us.
If you receive mail purporting to be us and you have not signed up, you should probably regard this with some suspicion and send it to your spam filters. We’d like to hear about it if you do.
Third party partners
We may disclose Data, including your Personal Information, to third parties in connection with the purposes described above (see the How do we use Data section).
This may include disclosing Data to the following types of third parties:
our related companies
any (potential) purchaser of our business or assets
our professional advisers such as lawyers, accountants or auditors and insurers
our employees, contractors and third party service providers who assist us in performing our functions and activities e.g. payment systems operators and financial institutions, cloud service providers, data storage providers, shipping companies, telecommunications providers and IT support services providers
organisations authorised by us to conduct promotional, research or marketing activities
third parties to whom you have authorised us to disclose your information (e.g. referees)
any other person as required or permitted by law to comply with legal obligations, to protect and defend the rights or property of Togetha or to protect us against legal liability.
We work with Atlassian on certain business-related functions of our Products, such as the processing of payments. Atlassian has its own privacy policy at https://www.atlassian.com/legal/privacy-policy
We also use third party service providers to provide us with web analytics services. You can read more about how each service provider uses your Personal Information here.
If we disclose your Personal Information to third parties we will use reasonable commercial efforts to ensure that such third parties only use your Personal Information as reasonably required for the purpose and in a manner consistent with applicable laws. We will do this, where practical, by including suitable privacy and confidentiality clauses in our agreement with the third party service provider.
Subprocessing
Some of our obligations under this Privacy Policy and Subscription Agreement may be performed by Subprocessors. A subprocessor will only be granted access to Data where:
such access is for purposes consistent with this Privacy Policy; and
the Subprocessor agrees to be bound by this Privacy Policy.
When we work with Subprocessors, we seek to provide the Subprocessor with only the Data the Subprocessor needs to perform its specific functions. You can see a list of our Subprocessors in our DPA Schedules.
Cross-border transfer of Data
It is possible when using our Products that your Data, including your Personal Information, will be transferred across international boundaries.
We may share your Personal Information with individuals in various countries, including resellers and service providers, to deliver our Products and acquire services related to our operations. Your Personal Information is expected to be handled and stored by third-party service providers situated in the United States, Australia, and countries within the European Union.
Cross-border transfers from Australia (Australian Customers)
Countries which are members of the European Union have data protection laws which protect Personal Information in a way which is substantially similar to the Privacy Act and the Australian Privacy Principles, and there will be mechanisms available to you to enforce protection of your Personal Information under those data protection laws. In these circumstances, we do not require the overseas recipients to comply with the Privacy Act and the Australian Privacy Principles and we will not be liable for a breach of the Privacy Act or the Australian Privacy Principles if your Personal Information is mishandled by overseas recipients.
For transfers of your Personal Information to the United States, note that certain locations within the United States do not have data protection laws as comprehensive as Australia's. We will take commercially reasonable steps to secure a contractual commitment from the recipient to handle your information in accordance with the Privacy Act and the Australian Privacy Principles, however if your Personal Information is mishandled in that jurisdiction, we disclaim responsibility and you will not have a remedy under the Privacy Act.
Cross-border transfers outside of the European Economic Area or UK (EU/UK Customers)
We may transfer your Personal Data to countries outside of the European Economic Area (EEA) or the UK including to such countries in which a statutory level of data protection applies that is not comparable to the level of data protection within the EEA or UK.
Whenever such transfer occurs, we will base the transfer on the European Commission Implementing Decision (EU) 2021/915 of June 4, 2021 on standard contractual clauses (EU Standard Contractual Clauses) and, as applicable, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK Addendum) in order to contractually provide that your Personal Data is subject to a level of data protection that applies within the EEA and UK. You may obtain a redacted copy (from which commercial information and information that is not relevant has been removed) of such Standard Contractual Clauses by sending a request to privacy@togetha.io
How do we protect your Data?
We implement reasonable measures to protect and safeguard your Data, including your Personal Information, from misuse, loss, theft and unauthorised access, modification or disclosure.
For information about the measures we take to protect and safeguard your Data, please refer to our Trust Centre.
Where there has been a security breach, data leakage or Personal Information is lost, destroyed or becomes damaged, corrupted or unusable, we will notify you as soon as reasonably practicable. However, particularly for electronic data stores and due to the fact that the Internet is inherently insecure, we cannot guarantee the security of transmission of Personal Information disclosed to us online. Accordingly, you transmit your Personal Information to us online at your own risk and are encouraged to exercise care in sending Personal Information via the internet. Please notify us immediately if you know or reasonably suspect that your Personal Information has been subject to any data breach, breach of security or other unauthorised activity. This will help us identify if any unusual activity starts to occur with your account as part of our security monitoring processes.
To the maximum extent permitted by applicable Law, we exclude all liability (including in negligence) for the consequences of any unauthorised access to, modification of, disclosure of, misuse of or loss or corruption of any Personal Information. Nothing in this Privacy Policy restricts, excludes or modifies or purports to restrict, exclude or modify any statutory consumer rights under any applicable law, including the Australian Competition and Consumer Act 2010 (Cth), or any liability which cannot be excluded due to the operation of applicable Laws.
How long do we keep your Personal Information?
Generally, we will retain your Personal Information for the period necessary for the purposes for which your Personal Information was collected (as outlined in this Privacy Policy) unless a longer retention period is required by law or if it is reasonably necessary for us to comply with our legal obligations, resolve a dispute or maintain security.
Your rights in relation to your Personal Information
You can choose not to disclose your Personal Information
If you contact us to make a general enquiry about us or our business, you do not have to identify yourself or provide any Personal Information. Alternatively, you can also notify us that you wish to deal with us using a pseudonym.
If we cannot collect Personal Information about you or if you use a pseudonym, we may not be able to provide you with the information or assistance you require. For example, we will not be able to send you information you have requested if you have not provided us with a valid email address or telephone number.
Access to your own information
You may request access to any Personal Information we hold about you at any time by contacting us at privacy@togetha.io. We will provide access to that information in accordance with the Australian Privacy Act, subject to any exemptions that may apply.
If you believe that Personal Information we hold about you is incorrect, incomplete or inaccurate, then you may request we amend it by contacting us. Where we agree that the information needs to be corrected, we will update it. If we do not agree, you can request that we make a record of your correction request with the relevant information.
You can also ask us to notify any third parties that we provided incorrect information to about the correction. We’ll try and help where we can – if we can’t, then we’ll let you know.
To guard against fraudulent requests, we will need information to confirm your identity before granting access or making corrections. We may decline to provide you with access to your Personal Information including where we determine that the information requested:
may disclose the Personal Information of another individual or trade secrets or other business confidential information;
is subject to legal professional privilege;
is not readily retrievable and the burden or cost of providing the information would be disproportionate to the nature or value of the information;
does not exist, is not held, or cannot be located by us;
would pose a serious threat to the life, health or safety of any individual, or to public health or safety if it were accessed; or
is not permitted by Law to be accessed.
Right to Be Forgotten
In accordance with the Australian Privacy Principles (APPs) and other applicable privacy laws, you have the right to request the deletion of your personal information that we hold. This is also known as the "right to be forgotten."
How to Exercise Your Right
If you wish to exercise your right to be forgotten, please contact us using the contact details provided. Upon receiving your request, we will take the following actions:
Verification: We will verify your identity to ensure that the request is legitimate. This may involve asking you to provide proof of identity.
Assessment: We will assess the request to determine if it is necessary and feasible to delete the information. This assessment will consider our legal obligations, including any mandatory retention periods and the necessity of the data for legitimate business purposes.
Deletion: If your request is approved, we will delete your personal information from our records and systems. Where possible, we will also inform any third parties to whom we have disclosed your personal information of your request, so they can also take appropriate action.
Confirmation: We will confirm in writing once your request has been completed and your personal information has been deleted.
Limitations and Exceptions
Please note that the right to be forgotten is subject to certain limitations and exceptions, including but not limited to:
Compliance with legal obligations that require us to retain certain information.
The necessity of retaining information for the establishment, exercise, or defence of legal claims.
The retention of data necessary for the performance of a contract to which you are a party.
GDPR, for EU/UK Customers
Data Subjects have to the following rights under the GDPR:
right to access – You have the right to request Togetha Group for copies of your Personal Data;
right to rectification – You have the right to request that Togetha Group correct any information you believe is inaccurate. You also have the right to request Togetha Group to complete the information you believe is incomplete;
right to erasure – You have the right to request that Togetha Group erase your Personal Data, under certain conditions;
right to restrict processing – You have the right to request that Togetha Group restrict the processing of your Personal Data, under certain conditions;
right to object to processing – You have the right to object to Togetha Group’s processing of your Personal Data, under certain conditions; and
right to data portability – You have the right to request that Togetha Group transfer the data that we have collected to another organisation, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at privacy@togetha.io
Questions or complaints?
If you have any questions, concerns or complaints about our collection, use, disclosure or management of your Personal Information, please contact us through our Data Protection Officer.
Data Protection Officer
Brian Hill, brian.hill@togetha.group, +61 2 6190 1554 has been assigned the role of Data Protection Officer (DPO) for the Togetha Group Pty Ltd's Data Privacy Compliance Program.
If you no longer wish to receive communications from us, please unsubscribe at privacy@togetha.io
We are committed to resolving any complaints reasonably and to ensuring that we are doing the right thing by our customers. We will make all reasonable inquiries and your complaint will be assessed with the aim of resolving any issue in a timely and efficient manner.
If you have raised a complaint with us and you are unsatisfied with the outcome or have further concerns about the way we handle your Personal Information, you may complain to the Supervisory Authority.
For Australian Customers, the Supervisory Authority is the Office of the Australian Information Commissioner, whose contact details are set out below:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001 Australia
Phone: 1300 363 992
Online: www.oaic.gov.au
Email: enquiries@oaic.gov.au
For European Customers, the Supervisory Authority is the relevant data protection authority in your European Member State.
For UK Customers, the Supervisory Authority is the Information Commissioner's Office, whose contact details are set out below:
UK Information Commissioner's Office
Water Lane, Wycliffe House Wilmslow
Cheshire SK9 5AF UNITED KINGDOM
Phone: +44 1625 545 700
Online: ico.org.uk
Email: icocasework@ico.org.uk
For US Customers, please contact the data protection authority of your State.
Last updated: 12 Aug 2024
Definitions
Data means Personal Information and User Data;
Data Controller has the meaning given in Article 4(7) of the GPDR, that is, a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Information, where the purposes and means of processing are determined by EU or Member State laws, and for the purposes of this Privacy Policy, includes Australian Privacy Principle (APP) entities as defined by the Privacy Act;
Data Processor has the meaning given in Article 4(8) of the GDPR, that is, a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, and for the purposes of this Privacy Policy, includes APP entities as defined by the Privacy Act;
Data Subject has the meaning given in Article 4(1) of the GDPR, that is, a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier, or to one more factors specific to the identity of that natural person;
GDPR means the European Union General Data Protection Regulation (EU) 2016/679;
Law means all relevant legal and regulatory requirements applicable to you or us (including, for the avoidance of doubt, the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles, and the GDPR);
Personal Data has the meaning given in Article 4(1) GDPR, that is, any information relating to a Data Subject;
Personal Information has the meaning given to it by the Privacy Act, that is, information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not, and for the purposes of this Privacy Policy, is deemed to have a corresponding meaning as given by applicable privacy laws (including but not limited to the GDPR), as applicable;
Privacy Act means the Australian Privacy Act 1988 (Cth);
Products means all websites, platforms, apps, services and software operated, owned, developed and sold by us;
Subprocessor means any processor engaged by us or by any other Subprocessor who agrees to receive from us or from any other Subprocessor, Personal Information exclusively intended for processing activities to be carried out on behalf of you after the transfer in accordance with your instructions, the terms of our Subscription Agreement and this Privacy Policy;
Supervisory Authority means the authority with the primary responsibility for dealing with the relevant data processing activity; and
User Data means all information collected from our Customers that is not Personal Information.