- The information we collect and receive;
- How we use the information collected and received;
- To whom we disclose information;
- How we store and retain information;
- What our security practices are;
- International data transfers;
- Our contact details for privacy matters;
- Your rights in relation to personal information.
(a) Nomosone Limited, a New Zealand registered company;
(b) Nomos One Trustee Limited, a New Zealand registered company;
(c) Nomos One Pty Ltd, an Australian registered company;
(d) Nomos One Pte Ltd, a Singapore registered company; and
(e) Nomos One B.V., a Netherlands registered company.
2.2 If we make significant changes, we will notify you of the changes through our website or through others means, such as email. To the extent permitted under applicable law, by using the Service or providing Personal Information after such notice, you consent to our updates to this policy.
2.3 If you do not agree to any change we make, you should immediately stop using the Service and our website, and deactivate your account.
3. Who is the data controller and who is a data processor?
3.1 Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of information. In general, for the Personal Information we hold:
(a) our Client is the “controller” of some Personal Information; and
(b) Nomos One is the “processor” of that Personal Information and the “controller” of other Personal Information.
3.2 The Service is provided for use by Nomos One’s Clients, who are typically organisations rather than individuals. Our Clients maintain user accounts enabling individuals to access and use the Service on our Clients’ behalf.
3.3 Where you use the Service through an organisation (e.g. your employer or client), that organisation is the administrator responsible for your user account, so that organisation is the “controller” for that purpose. If this is the case, please direct your privacy questions to your administrator in the first instance, as your use of the Service is subject to that administrator’s policies. We are not responsible for any administrator’s privacy or security practices, which may be different from this policy. Please contact your administrator or refer to your administrator’s policies for more information.
3.4 Administrators are able to:
(a) require you to reset your account password;
(b) restrict, suspend or terminate your access to the Service;
(c) change the email address associated with your account;
(d) change your information, including profile information; and
(e) restrict your ability to edit, restrict, modify or delete information.
3.5 Where we process Personal Information in accordance with the Client’s instructions (including instructions conveyed through an administrator’s actions), the Client acknowledges and agrees that the Client:
(a) will remain the sole data controller of such Personal Information;
(b) will be responsible for the legality of the data processing and observing the rights of the data subjects;
(c) must comply with all applicable privacy and data protection laws; and
(d) will from time to time enter into one or more specific agreements regarding treatment of Personal Information, as
requested by Nomos One.
4. What Personal Information do we collect?
4.1 The type of Personal Information we collect depends on the purpose for collection and circumstances of collection, and may include:
(a) identifying information, such as your name and title;
(b) contact information, such as your postal address, telephone number, facsimile address and email address; and
(c) website user data collected when you visit our website. Website user data may include your IP address, cookies, device information, unique device identifiers, operating system and version, and mobile network information.
5. What other information and data do we collect?
5.1 We may from time to time collect information that is not Personal Information (i.e. it is not attributable to you individually). The purpose of this is to ensure we can further develop and improve our services.
5.2 If we do combine non-personal information with Personal Information the combined information will be treated as Personal Information.
6. What information don’t we collect?
6.1 Nomos One does not collect sensitive information (e.g. biometric data, racial or ethnic origin, political opinions, religious affiliations, genetic data or health data).
6.2 The Service is not directed to individuals under 16. We do not knowingly collect Personal Information from children under 16. If we become aware that a child under 16 has provided us with Personal Information, we will take steps to delete such information. If you become aware that a child has provided us with Personal Information, please contact: firstname.lastname@example.org.
7. How do we collect Personal Information?
7.1 We may collect Personal Information:
(a) directly from you, including in the following circumstances:
(i) when you interact with us in person, on the phone or via email;
(ii) when you provide us with your Personal Information in another kind of document, for example, in a contract; and
(iii) when you enter information into a form, including an online form;
(b) automatically when you visit our website;
(c) from your organisation or from the administrator of your user account;
(d) from a third party (e.g. an accounting firm or outsourced lease management provider).
8. Are you required to provide Personal Information?
8.1 In general, we will let you know at the time of collection whether the provision of Personal Information to us is optional or whether it is required for us to provide you with services or to perform our functions in relation to you.
8.2 If we have indicated that the requested Personal Information is required and you do not provide it, we will not be able to provide you with some or all the services you have requested or perform certain functions in relation to you.
9. How are cookies used?
9.1 “Cookies” are a small piece of data sent from a website and stored in a user’s web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user’s previous activity.
9.2 We use “cookies” to make the Service as easy for you to use as possible and helps us better understand user behaviour.
9.3 We treat information collected by cookies and other similar technologies as non-personal information unless:
(a) applicable laws require us to treat it as Personal Information; and
(b) to the extent that non-personal information is combined with Personal Information, we treat the combined
9.4 You can disable cookies on your computer if you wish, but please note that if you disable caching or choose to block sites from sending any data, this may cause the Service not to work.
10. How do we use your Personal Information?
10.1 We use your Personal Information to:
(a) verify your identity;
(b) assist us in performing our functions, including providing services to our Clients and performing and/or enforcing our contractual obligations;
(c) help us improve our services and improve your experience in using the Service, including for internal training purposes;
(d) provide, update, support, maintain and protect the Service, the website, and our business;
(e) communicate with you, including:
(i) by responding to questions, comments or requests and sending emails and other communications
relating to the Service including planned maintenance or software updates and changes to this Privacy
(ii) notifying you about other or new Nomos One services or promotions, where you have opted-in to receive
such notifications; and
(iii) either directly or via one of our partners, for marketing, research or participation in surveys or
competitions, where you have opted-in to receive such communications;
(f) investigate and help prevent complaints, security issues, and abuse;
(g) help with billing, account management, auditing and other administration services;
(h) facilitate the development and marketing of the Service and our website;
(i) protect the rights, property, or personal safety of us or our agents, personnel, or others; and
(j) comply with our legal obligations.
11. When do we disclose Personal Information?
11.1 We disclose Personal Information in the following circumstances:
(a) Clients and administrators:
(ii) Administrators and other Client representatives and personnel may be able to access, modify or restrict access to Personal Information. This may include, for example, your employer using Service features to export logs of activity or accessing or modifying your profile details. Administrator users will see the name and email address of users, which will be displayed within the “Users” tab in the Service.
(iii) Administrator users may grant access to non-employees (e.g. an auditor or property management company) via inputting your user name and email address, which will be displayed within the Users tab in the Service.
(b) Corporate affiliates: Nomos One may share Personal Information with its corporate affiliates, including any parent
company, subsidiary, or related company.
(c) Third party service providers and partners: We may engage third party companies or individuals as service
providers or business partners to process Personal Information and support our business. These third parties may
assist us to provide services or perform our functions, for example:
(i) provide information processing, database management, and storage services;
(ii) the development, operation and maintenance of our website;
(iii) secure payment processing; and
(iv) providing customer service.
(d) Business sale or corporate transaction: If Nomos One (or assets of Nomos One) are acquired by another
company, whether by merger, acquisition, bankruptcy or otherwise, that company may receive all Personal
Information held by or on behalf of Nomos One. In this event, you will be notified via email and/or a prominent
notice on our website, of any change in ownership, uses of your Personal Information, and choices you have
regarding your Personal Information.
(e) To comply with law or legal processes: Nomos One may disclose your Personal Information:
(i) if required by law;
(ii) if we reasonably believe that use or disclosure is necessary to investigate fraud, or comply with a law, court order, or legal process;
(iii) to protect the rights, property, or personal safety of us or our agents, personnel, or others;
(iv) to law enforcement or government officials as we, in our sole discretion, believe is necessary or appropriate.
12. How do we store and retain your data?
12.1 Nomos One outsources hosting of our product infrastructure to Amazon Web Services (AWS). At present, our server instance resides in Sydney, Australia and is backed up in Melbourne, Australia.
12.2 Nomos One will retain your Personal Information for as long as it is needed for the purpose for which it was collected (or any other purpose you have consented to) or for so long as we are required by law to retain it.
12.3 How long we keep information we collect about you depends on the type of information. For example:
(a) User account information: We retain your account information for as long as your account is active and a reasonable period after termination in case you decide to reactivate your account. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce contracts, to support our operations, and to continue the development and improvement of our Service. Where we retain information to improve our Service, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Service, not to specifically analyse personal characteristics about you.
(b) Client and administrator access: If your access or use of the Service is made through our Client (e.g. your employer, audit client, or property management company), we retain your information for as long as required by the administrator of that account.
(c) Marketing information: If you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Service, such as when you last opened an email from us or ceased using your Nomos One account. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.
13. What are our security practices?
13.1 Nomos One is committed to protecting your Personal Information. Nomos One and our service providers utilise a combination of industry-standard security technologies, procedures and organisational measures, including penetration testing, to help protect your Personal Information from unauthorised access, use, loss, or disclosure.
13.2 Given the nature of the internet we cannot guarantee security of information transmitted through the internet. We will do our best to protect your Personal Information, however any transmission is at your own risk.
14. International data transfer
14.2 We may transfer, process and store your information outside of your country of residence, to wherever we or our third party service providers operate for the purposes of providing the Service. Where Personal Information is transferred outside of the European Economic Area or New Zealand, it will be:
(a) to a country or organisation that has ‘adequacy’ for the purpose of Article 45 of Regulation (EU) 2016/679 (including organisations subject to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks); or
(b) transferred subject to the European Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses), pursuant to Decision 2004/915/EC and Decision 2010/87/EU as appropriate.
15. What are Nomos One’s contact details for privacy matters?
15.1 Nomos One’s contact details for privacy matters are:
(a) Email: email@example.com
(b) Mail: Nomos One Limited, Level 1, 115 Stuart Street, Dunedin 9016, New Zealand.
16. What are your rights (if you are a non-European Union resident)?
16.1 If you are not an EU resident, you have the following rights in relation to access and correction of your Personal Information:
(a) Access to your Personal Information: You may request access to Personal Information that we hold about you by contacting us, using the contact details above.
(i) You may request that we correct factual errors in your Personal Information by sending us an email request that shows the error(s), using the contact details above.
(ii) If we choose not to correct errors that you have identified in your Personal Information, you may request that we make reasonable efforts to note the correction request, to be held (if possible) together with the relevant Personal Information.
(iii) To protect your privacy and security, we may also take reasonable steps to verify your identity before granting access or making corrections. We may refuse access to or correction of your Personal Information for any reason of refusal permitted by law.
(i) If you have any questions about privacy related issues or wish to complain about the handling of your Personal Information by us, please contact our Privacy Officer at: firstname.lastname@example.org. We may ask you to lodge your complaint in writing. Any complaint will be investigated by the Privacy Officer and you will be notified of the decision in relation to your complaint as soon as practicable after it is made, usually within 20 working days.
(ii) If we are unable to satisfactorily resolve your concerns about our handling of your Personal Information, you can contact the relevant Privacy Commissioner or Information Commissioner (or similar) for your jurisdiction.
17. What are your rights (if you are a European Union resident)?
17.1 An EU resident is an individual who is in the European Union at the time their Personal Information is processed.
17.2 If you are an EU resident, you may have certain rights in relation to the Personal Information we hold about you. We set out these rights and how to exercise them below. Some of these rights only apply in certain circumstances.
17.3 These rights include:
(d) restriction of processing;
(e) data portability; and
17.4 How to exercise your rights:
(a) Where we are the “processor” and not the “controller”, you may need to exercise your rights through the controller, who may be the administrator for User account.
(b) Please note that we will require you to provide us with proof of identity before responding to any requests to exercise your rights. We must respond to a request by you to exercise those rights without undue delay and at least within one month (although this may be extended by a further two months in certain circumstances). To exercise any of your rights, please send us the following details, using the contact details above.
(i) proof of identity (one of the following: passport, driving licence, national identity card or birth certificate. The documents must include your full name and date of birth, nationality, and include proof of any name change). If you are exercising rights on behalf of another EU resident (the data subject), please include both your proof of identity and the proof of identity of the data subject. You will also need a signed consent from the data subject, authorising you to exercise these rights on their behalf. If the data subject is a minor, you will not need signed consent, but will require proof of your status as the data subject’s parent or guardian;
(ii) contact details;
(iii) details of country of residence;
(iv) details of the data right(s) you wish to exercise, including any relevant details; and
(v) confirmation that you understand that Nomos One may require further details from you in order to confirm your identity and/or process your request.
(c) Please note, if you make a request in relation to your data rights and we do not hold information in a form that allows us to identify you, we will inform you of that. We will not be obliged to comply with those data rights unless you provide additional information that allows us to identify what information we hold about you. If we do not take action on your request in relation to your data subject rights, we will advise you within one month of the reasons we will not be taking action. You may make a complaint to us or to your data protection authority, and you may seek a judicial remedy in accordance with the provisions of the European General Data Protection Regulation (GDPR).
(d) We will communicate any correction or erasure of Personal Information or restriction of processing that we undertake in accordance with your instructions to any third parties who have received that Personal Information, unless that notification is impossible or involves a disproportionate effort. If you request, we will provide you with details of those third parties that have received your Personal Information.
(a) In the event that you wish to make a complaint about how we process your Personal Information or respond to any request by you in relation to your data rights, please contact us and we will endeavour to deal with your request as soon as possible. You also have the right to launch a claim with your data protection authority.
17.6 Legal basis for using your Personal Information: The GDPR requires us to tell you the legal basis for processing your Personal Information. The principal bases on which we process your Personal Information are:
(a) Consent: Applies where you have freely given an informed, specific and unambiguous indication that we are permitted to collect and process your Personal Information. At any time, you may revoke your consent to the processing of some or all of your Personal Information by:
(i) emailing us, using the contact details above; or
(ii) using the “unsubscribe” function in any communication that we send to you.
(iii) If you revoke your consent, we may need to stop providing you with the Services, if consent is the only legal basis for our processing of your Personal Information. The withdrawal of consent will not affect processing of Personal Information that occurs before you notify us that you have withdrawn your consent.
(b) Contract: Applies if processing your Personal Information is necessary for the performance of a contract to which you are a party. For example, if we are providing services to you, we may need to use your Personal Information to carry out those services and any related activities.
(c) Legitimate interests: Applies if the processing is necessary for our legitimate interests or the legitimate interests pursued by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of Personal Information.
(a) You have the right to know whether we process Personal Information about you, and if we do, to access Personal Information we hold about you and certain information about how we use it and who we share it with.
(b) We may not provide you with certain Personal Information if providing it would interfere with another’s rights (e.g. where providing the personal information we hold about you would reveal information about another person) or where another exemption applies.
(c) You have the right to one copy of the information set out above. If you request further copies of that information, we may charge a reasonable fee for our administrative costs.
17.8 Correction: You have the right to correct any Personal Information we hold about you that is inaccurate. You may have incomplete Personal Information we hold about you completed, including by means of a supplementary statement (taking into account the purposes of processing of the relevant Personal Information). During the period while we assess whether the Personal Information we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data as described below.
(a) You may request that we erase the Personal Information we hold about you in the following circumstances:
(i) you believe that it is no longer necessary for us to hold the Personal Information we hold about you;
(ii) we are processing the Personal Information we hold about you on the basis of your consent, and you wish to withdraw your consent and there is no other ground under which we can process the Personal Information;
(iii) you have exercised your right of objection and there are no overriding legitimate grounds for the processing;
(iv) you no longer wish us to use the Personal Information we hold about you in order to send you information about Nomos One and our services; or
(v) you believe the Personal Information we hold about you is being unlawfully processed by us.
(b) During the period while we consider your request for erasure, you may exercise your right to restrict our processing of the Personal Information as described below.
(c) Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure. After deleting the Personal Information, we may not be able to provide services to you, or the same level of service that we were previously able to provide.
(d) Where you have requested that we erase Personal Information that we have made public and there are grounds for erasure, we will use reasonable steps try to tell others that are displaying the Personal Information or providing links to the Personal Information to erase that Personal Information.
17.10 Restriction of Processing to Storage Only:
(a) You have a right to require us to stop processing the Personal Information we hold about you other than for storage purposes, in certain circumstances. Please note, however, that if we stop processing the Personal Information, we may use it again if there are valid grounds under data protection law for us to do so (e.g. for the defence of legal claims or for another individual’s protection).
(b) You may request we stop processing and just store the Personal Information we hold about you where:
(i) you believe the Personal Information is not accurate, for the period it takes for us to verify whether the Personal Information is accurate;
(ii) the processing we are doing is unlawful and we wish to erase the Personal Information, but you require us to store the Personal Information instead;
(iii) the Personal Information is no longer necessary for our purposes and we wish to erase it, but you require us to store that personal information for the establishment, exercise or defence of legal claims; or
(iv) you have exercised your right to object, pending the verification of whether our legitimate grounds of processing override your interests, rights and freedoms.
(c) If you have obtained a restriction on processing, we will inform you before that processing restriction is lifted.
(a) You have the right to receive a certain parts of the Personal Information that we collect from you in a structured, commonly used and machine-readable format and a right to request that we transfer such Personal Information to another party.
(b) The Personal Information that you can request under this “portability” right is data that you have provided us with your consent, or that you provided for the purposes of performing our contract with you, and the processing of that Personal Information is carried out by automated means.
(c) If you wish for us to transfer the Personal Information to another party, please ensure you provide the details of that party and note that we can only do so where it is technically feasible. We are not responsible for the security of the Personal Information or its processing once received by the third party. We also may not provide you with certain Personal Information if providing it would interfere with another individual’s rights, for instance where providing the Personal Information we hold about you would reveal information about another person.
(a) At any time you have the right to object to our processing of Personal Information about you in order to send you information about Nomos One and our services, and any marketing messages, including where we build profiles for such purposes. If you object to this processing of your Personal Information, we will stop processing the Personal Information for that purpose.
(b) You may also object where we are processing the Personal Information we hold about you (including where the processing is profiling) on the basis of our legitimate interest and you object to such processing.
(c) Please provide as much detail as possible on your reasons for the request to assist us in determining whether there is a compelling overriding interest in us continuing to process such data or whether we need to process it in relation to legal claims. You may exercise your right to request that we stop processing the Personal Information during the period while we make the assessment on an overriding interest. Please advise us if you would like to make that processing restriction request at the time you provide the details of your objection to processing.
V1 – 31.01.19