Last updated on 18 June 2019
We are committed to managing personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act) and any other applicable privacy laws.
In addition to the Privacy Act, if you are located in the European Union (EU) (including the European Economic Area (EEA)), the section 'European residents' below provides further information about our processing of your personal information we collect and your additional data subject rights in relation to the processing of your personal information (or personal data) under the General Data Protection Regulation (2016/679) (GDPR).
In providing our services to you we may collect and process personal information as outlined below. Crop Shop Boutique Pty Ltd will be a data controller for the purposes of the GDPR and this policy includes information that must be provided to you when we collect your personal information.
This Policy sets out how we collect, use, disclose, store and dispose of personal information about our customers, employees and any other people we interact with. It should be read together with any terms and conditions governing your use of our products or services, website or app and any location-specific legal notice.
In this Policy,
- personal information means any information about an identified individual or an individual who is reasonably identifiable or as otherwise defined by applicable data protection law.
- services means any services we offer, including but not limited to fitness coaching services or programs, workout guides, or health and nutrition advice.
- you refers to any individual about whom we collect personal information.
- What information do we collect about you?
We only collect personal information where it is necessary for our functions or activities. The kinds of personal information we collect will depend on the capacity in which you are dealing with us. You can always decline to give us any personal information we request, but that may mean we cannot provide you with some or all of the services you have requested.
Customers and potential customers
When you inquire about our products or services or sign up for our updates, we will typically collect your name, e-mail address and any other contact details required for us to respond to that inquiry.
If you become a customer of ours we may also collect:
- with your consent, your photo or video for promotional purposes;
- any additional personal information you provide to us, or authorise us to collect.
We may collect personal information as part of our recruitment activities, such as your name, contact details, qualifications and work history. Generally, we will collect this information directly from you.
We may also collect personal information from third parties in ways which you would expect (for example, from recruitment agencies or referees you have nominated). Before offering you a position, we may collect additional details such as your tax file number and superannuation information and other information necessary to conduct background checks to determine your suitability for certain positions.
We may collect personal information from other individuals who are not customers or employees. This includes our individual service providers and contractors and other individuals who interact with us on a commercial basis. Generally, it would include your name, contact details, identification details, any required background checks or relevant business experience, and any other information relevant for our interactions and transactions with you.
Visitors to our websites
The way in which we handle the personal information of visitors to our websites is discussed below.
- How do we collect your personal information?
We generally collect personal information directly from you. We may collect and update your personal information by email, via our website, or in person. We may sometimes collect personal information about you from other sources, for example, our third-party suppliers and contractors who assist us to operate our business (such as payment gateways like PayPal or Shopify).
- Why do we collect and use your personal information?
We collect personal information reasonably necessary to carry out our business and to assess and manage our customers' needs. We may also collect information to fulfil administrative functions associated with these services.
The purposes for which we usually collect and use personal information depends on the nature of your interaction with us, but may include:
- providing guidance, support and feedback related to your use of our products or services;
- to process and administer your dealings as a customer, including processing payments and any direct debit requirements or facilitating delivery;
- planning, marketing and administering programs and events;
- researching and developing our products and services, including market research;
- sending you updates on our services, or opportunities or events you may be interested in;
- recruitment processes (including for volunteers, internships and work experience);
- any purpose you have consented to;
- any related secondary purpose we believe you would reasonably expect when we collected your personal information or because of our relationship with you;
- any purpose for which we are required or authorised by applicable law; and
- to respond to and manage inquiries, complaints, feedback and claims, defend our legal interests and investigate and protect against fraud, theft and other illegal activities.
We may use your image or audio-visual recordings which identify you for promotional purposes where you would reasonably expect this to occur, or where you have given us your express or implied consent (for example, where you have won a prize, or where you have tagged us in photo or video on a social media platform)
- How do we interact with you via the internet?
- Can you deal with us anonymously?
We will provide individuals with the opportunity of remaining anonymous or using a pseudonym in their dealings with us where it is lawful and practicable (for example, when making a general enquiry). If we do not collect personal information about you, you may be unable to use our full range of services or participate in programs or activities we deliver.
- How do we hold and secure information?
We store information using digital or cloud based platforms in secure databases (including trusted third-party storage providers based in Australia and overseas). Personal information may be collected in paper-based documents and converted to electronic form for use or storage (with the original documents securely destroyed). We take reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.
We maintain physical security over all data stores, such as through locks and security systems at our premises. We also maintain network security, for example firewalls and other security systems such as user identifiers and passwords to control access to our computer systems.
Our websites do not necessarily use encryption or other technologies to ensure the secure transmission of information via the internet. Users of our websites are encouraged to exercise care in sending personal information via the internet.
We take steps to securely destroy or de-identify information that we no longer require.
- Do we use or disclose your personal information for digital or direct marketing?
We may use or disclose your personal information for the purpose of informing you about our services, upcoming promotions and events, or other opportunities that may interest you. If you do not want to receive direct marketing communications, you can opt-out at any time by contacting us using the contact details below or the unsubscribe facility in all emails we send to you.
If you opt-out of receiving marketing material from us, we may still contact you for the purposes of facilitating other dealings with you (such as the order of products or services).
We may occasionally engage other companies to provide marketing or advertising services on our behalf. Those companies will be permitted to obtain only the personal information they need to deliver the service. If we provide those companies with any of your personal information, it is to provide you with a better or more relevant and personalised experience and to improve the quality of those services.
- How do we disclose personal information?
We will not sell, distribute or disclose your information or personal details onto any third parties, other than in accordance with this Policy, and to those who are contracted to us to keep your information or personal details confidential. We may disclose personal information:
- to our suppliers, consultants, contractors or agents we engage in order to provide our services, including for payment processing and debt recovery, shipping, data processing, data analysis, customer satisfaction surveys, information technology services and support, website maintenance, development or hosting, archiving, marketing and market research;
- via our social media pages for promoting us and our services;
- if we merge with or are acquired by another entity, to that entity as a part of the merger or acquisition;
- to relevant government authorities for the purpose of investigating an incident, for example, a workplace health and safety matter or a security incident;
- when conveying information to a responsible person (e.g. parent, guardian, spouse) if you are injured, incapable or cannot communicate, unless you have requested otherwise;
- for other administrative and operational purposes, such as risk management and management of legal liabilities and claims (for example, liaising with insurers and legal representatives).
We may use and disclose your personal information for other purposes explained at the time of collection, that you have consented to or otherwise as set out in this Policy.
- Do we disclose your personal information overseas?
Unless we have your consent, or an exception under the APPs applies, we will only disclose your personal information to overseas recipients where we have taken reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to your personal information.
The reason for disclosure to an overseas recipient depends on the nature of the services those recipients provide to us (for example storing data via a cloud service, or where our customer relationship management system is hosted on servers located overseas).
- How can you access or seek correction of your personal information?
You are entitled to access your personal information we hold about you upon request. You can do this by contacting us using the contact details set out below.
You will not be charged for making a request to access your personal information but you may be charged for the reasonable time and expense incurred in compiling information in response to your request.
We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in the information we hold about you and letting us know if your personal details change.
If you consider any personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading you are entitled to request correction of the information. After receiving a request from you, we will take reasonable steps to correct your information.
We may decline your request to access or correct your personal information in certain circumstances in accordance with the APPs. If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your personal information about the requested correction.
- Data Breaches
Under the APPs, we may be required to notify you about ‘eligible data breaches’. An eligible data breach occurs when:
- there is unauthorised access to or disclosure of personal information we hold (or information is lost in circumstances where unauthorised access or disclosure is likely to occur);
- the access, disclosure or loss is likely to result in serious harm to you; and
- we are unable to prevent the likely risk of serious harm with remedial action.
If it is not clear whether a suspected data breach meets these criteria, we will investigate and assess the breach further. This is to ensure you are notified if your personal information is involved in a data breach that is likely to result in serious harm. Even if the criteria are not met, we may decide it appropriate to notify you anyway as part of our commitment to taking privacy seriously.
- European residents
If you are an individual customer based in Europe and we offer or provide our products or services to you, our processing of your personal information will be subject to the GDPR and the following additional information applies.
Global Fitness Pty Ltd is the data controller for the purposes of processing your personal information. We have a Privacy Officer who will also be appointed as a Data Protection Officer if we have a legal obligation to do so.
Our Legal grounds for processing: We rely on the following legal grounds to process your personal information:
- contract performance - we need to collect and process your personal information to enter into a contract with you when you purchase our products or to perform our obligations under a contract with you when you request and we provide you with our products and services;
- if it is necessary to pursue our legitimate interests and does not override your rights and interests - this is the usual basis on which we carry our business for the purposes set out above and includes when we carry out research, conduct direct marketing or otherwise communicate with you; and
- with your consent - we need your consent to collect and use your sensitive information such as your health information or to send you direct marketing.
- to comply with laws or regulations that apply to us including exercising our rights.
Transfer of information outside Europe: If we or our service providers or one of our related entities transfers your personal information outside Europe or onwards to a third country from Australia, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information. We will do this by one of the following:
- sending it to a country approved by the European Commission as having adequate privacy protections;
- the recipient has signed a contract based on standard “model contractual clauses” approved by the European Commission, requiring them to protect your personal information) (see http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm; or
- if the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield scheme (https://www.privacyshield.gov/welcome) or another valid scheme; or
- meeting the requirements of an applicable derogation such as obtaining your consent;
How long do we retain your personal information? We retain your personal information for as long as necessary to provide our services and products that you have requested, to comply with our legal obligations, resolve disputes, and enforcing our rights and policies. Unless we have an ongoing relationship with you (e.g. you are a frequent customer) or otherwise required, we will retain your personal information for no longer than 2 years.
Your additional rights and choices: You can -
- ask us to erase your personal information without undue delay in certain circumstances such as if you withdraw your consent and we otherwise have no legal reason to retain it.
- object to, and ask us to restrict, our processing of your personal information in certain circumstances, such as while we verify your assertion the information is inaccurate or if we are processing your information for our legitimate interests or for direct marketing purposes (we may be legally entitled to refuse that request).
- in some circumstances such as where we are processing your information with your consent, receive some personal information you have given us in a structured, commonly used and machine-readable format and/or ask us to transmit it to someone else if technically possible feasible.
- withdraw your consent (but we may be able to continue processing without your consent if there is another legitimate reason to do so).
- lodge a complaint with the relevant European data protection authority if you think that any of your rights have been infringed by us – we can, on request, tell you the relevant authority for the processing of your personal information.
- What should you do if you have a complaint about the handling of your personal information?
You may contact us at any time if you have any questions or concerns about this Policy or about the way in which your personal information has been handled. You may make a complaint to us using the contact details set out below.
In most cases, we will investigate and respond to a complaint within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.
If you are not satisfied with our response to your complaint, or you consider that we may have breached the APPs or the Privacy Act, a complaint may be made to the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted by telephone on 1300 363 992 or by using the contact details on the OAIC website.
We may amend this Policy from time to time, with or without notice to you. We recommend that you visit our website regularly to keep up to date with any changes.
- How can you contact us?
Our contact details are:
5/18 Township Drive, Burleigh Heads 4220 QLD