Purpose
This Privacy Policy includes two parts:
- Privacy Program: outlines the roles, responsibilities and requirements of Venn Technology's privacy program to meet its privacy obligations. This includes the scope of regulations that apply, and the clauses and obligations that apply to Venn Technology's data processing activities.
- Privacy Statement: this should be a public facing notice of the purpose and use of personal data collected, and the privacy rights of data subjects whose data is collected, processed, or stored by Venn Technology's systems and services. This should be published on the website and linked in Venn Technology's systems and services that collect personal data.
Privacy Program
Based on the jurisdictions and scope of processing personal data, the below privacy regulations apply.
Privacy Regulations |
Purpose and Regulator |
Australian Privacy Act | Privacy rights of Australian consumers as regulated by the Office of the Australian Information Commissioner (OAIC). |
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) | PIPEDA sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada as regulated by the Office of the Privacy Commissioner. |
EU General Data Protection Regulation | The General Data Protection Regulation is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area regulated by the European Data Protection Board. |
New Zealand Privacy Act 2020 | NZPA Administered by the Ministry of Justice Governs how organisations and businesses can collect, store, use and share personal information. |
The following privacy requirements and obligations apply to Venn Technology based on the personal data collection activities and scope above.
Notice and transparency requirements
Venn Technology is required to give notice to data subjects prior to processing of personal data and provide transparency around the purpose and use of their personal data.
references: |
• Australia PA: APPs 1 & 5 |
• Canada PIPEDA: Schedule 1, Principles 2, 3 and 8 |
• EU GDPR: Article 12 |
• New Zealand PA: IPP 3 |
Legal basis for processing
There must be a legal basis for the processing of personal data collected by Venn Technology. That may include where consent is obtained, it's required to fulfill a contract, vital interests of the data subjects, for public or other legitimate interests.
references: |
• Canada PIPEDA: Schedule 1, Principle 4.3 (consent required) |
• EU GDPR: Article 6 |
• New Zealand: IPPs 10 and 11 (post-collection) |
Purpose limitation
Personal data can only be collected for the specified and legitimate purposes, in line with Venn Technology’s Privacy Policy. The personal data cannot be further processed in a manner that is incompatible with those purposes.
references: |
• Australia PA: APP 6 |
• Canada PIPEDA: Schedule 1, Principle 4 |
• EU GDPR: Article 5(1)(b) |
• New Zealand: IPP 10 |
Data minimization
Data minimization refers to Venn Technology only collecting personal information that is directly relevant and necessary for the defined purposes of personal data collection. The personal data should only be retained for as long as is required to fulfil that purpose.
references: |
• Australia PA: APP 3.1–3.2 |
• Canada PIPEDA: Schedule 1, Principle 4 |
• EU GDPR: Article 5(1)(c) |
• New Zealand PA: IPPs 1 and 9 (storage limitation) |
Security requirements
Venn Technology is required to apply technical and organizational security measures that protect the personal data collected. That includes ensuring only authorized personnel have access to that personal data and taking reasonable steps to prevent data breaches.
references: |
• Australia PA: APP 11 |
• Canada PIPEDA: Schedule 1, Principle 7 |
• EU GDPR: Article 32 |
• New Zealand: IPP 5 |
Privacy by design
Privacy by design is the principle that privacy should be considered in the complete design and operation of Venn Technology’s services and systems. That is considering the ways to limit data collection to what is required and legitimate, ensuring the security of personal data, and ensuring it is used for appropriate purposes with consideration of the personal data subjects rights.
references: |
• Australia PA: APP Guidelines, APP 1, 1.3 |
• EU GDPR: Article 25 |
Processor and service provider requirements
Requirements and restrictions apply to the data processing activities and to the service providers using personal data. These are detailed in the relevant privacy regulations and clauses noted below.
references: |
• EU GDPR: Article 28 |
• New Zealand PA: IPP 5; Section 11 |
Prohibition on discrimination
Venn Technology is required to ensure personal data processing activities are not discriminative in nature. This can include ensuring data subjects can refuse or withdraw consent and continue to use the services where that does not preclude the ability to provide the services and ensuring any automated processing activities do not apply discrimination.
references: |
• EU GDPR: Recital 71 |
Record Keeping
Venn Technology is required to retain records of processing activities, including details of the relationships with data controllers and sub-processors (as applicable), the purpose and categories of personal data processing, records of disclosures, and any other required records to document Venn Technology’s compliance with its privacy obligations under this policy.
references: |
• Australia PA: APP Guidelines, APP 1, 1.5 |
• Canada PIPEDA: Part 1, Division 1.1, Section 10.3 |
• EU GDPR: Article 30 |
Risk and impact assessments
Data protection impact assessments are required to understand, assess and mitigate the risks of personal data processing activities. This should consider the risks to the rights and freedoms of data subjects with respect to the purpose and nature of processing activities, and the safeguards, security measures and other mechanisms to protect the interests of data subjects.
references: |
• Australia PA: Privacy Act 1988, 33D; APP Guidelines, APP 1, 1.7 |
• EU GDPR: Article 35 |
Data breach notification
Breaches of personal data are required to be notified to supervisory authorities and the data subject(s) whose data was part of the breach.
references: |
• Australia PA: Privacy Act 1988, Part IIIC |
• Canada PIPEDA: Part 1, Division 1.1,Sections 10.1–10.3 |
• EU GDPR: Articles 33 and 34 |
• New Zealand PA: Part 6, Subpart 1 |
Registration with authorities
Venn Technology is required to communicate or register details of its privacy program with the supervisory authorities for the privacy regulations that apply below.
references: |
• EU GDPR: Article 37(7) |
Data Protection Officer
A Data Protection Officer is required to be appointed that is accountable for ensuring effective implementation, monitoring and reporting of Venn Technology's privacy obligations in accordance with this privacy policy.
references: |
• Australia PA: Australian Government Agencies Privacy Code |
• Canada PIPEDA: Schedule 1, Principle 1 |
• EU GDPR: Article 37 |
• New Zealand PA: Section 201 |
International data transfer restrictions
There are requirements or restrictions that apply to international data transfers that need to be adhered to for each of Venn Technology's privacy obligations referenced below.
references: |
• Australia PA: APP 8 |
• EU GDPR: Articles 44–50 |
• New Zealand: IPP 12; Part 8 |
Privacy Statement
Introduction
When you use our services, we're collecting your personal data to support those services. Data privacy is important to us at Venn Technology. This Privacy Policy details our use of personal data and your privacy rights and choices available to you.
How we use personal data
Your data is collected to help us: |
• Provide support and troubleshooting when using our services. |
• Analyze and improve our services. |
Personal data we may collect
Venn Technology may collect one or more of the following types of data as a requirement for using our services:
Venn Technology may collect one or more of the following types of data as a requirement for using our services: |
1. Name |
2. Contact Information |
3. IP address |
4. Cookie ID |
5. Login and password |
6. Usage Data |
In addition to the data above which may be requested or required when using our services, additional unsolicited data may be processed that is not reviewed by Venn Technology as part of the services provided. We will apply the same security and privacy protections as the solicited data above, which may not recognize any additional privacy risks of this data.
When we share your personal data
Your personal data may be shared with third parties under one or more of the following scenarios:
● To government agencies, regulators or law enforcement agencies with a lawful purpose.
Your Rights
Your privacy rights are outlined below. For further details of these rights or to make a request from us related to these rights, please see the Privacy Requests and Contacts section below and contact us accordingly.
The right to be informed. You have the right to be informed about the collection and use of your personal data, when the data is obtained by us.
The right to access and amend your data. You can request a copy of your personal data through a data subject request. You can ask us to explain the means of collection, what data is being processed by us, and anyone that we share it with.
The right to rectify your data. If your data is inaccurate or incomplete, you can ask us to rectify that.
The right to data erasure. You can request we erase your data within 30 days. We will notify you if that cannot be completed or any implications of doing so for using our services.
The right to transfer your data. You can have your data transferred from one system to another safely and securely.
The right to restrict your data processing. You can request we restrict or suppress your personal data to limit its use.
The right to opt-in for sensitive data processing: For any highly sensitive personal data we may collect, we require your explicit consent to opt-in to us processing that data.
The right to opt-in by a parent or guardian: We do not collect data from minors. You are required to be over the age of 16 in order to use our services.
The right not to be subject to fully automated decisions: We do not apply automated processing activities that profile you or make fully automated decisions using your personal data.
These rights are subject to the clauses of the relevant privacy regulations, legal requirements, public interest, and where the above rights may conflict with your use of our services. For any privacy concerns or to request further details of your rights, please see the Privacy Requests and Contacts section below.
Sub-processors and locations
Our current list of sub-processors can be found at https://venntechnology.com/sub-processors
Privacy requests and contacts
For further information about our Privacy Policy or practices, or to raise any privacy requests or complaints in relation to your data, please contact us using the following methods:
● Privacy Officer: Bradley Delaune, Engineering Product Manager
● Mailing Address: 1024 Texan Trail, Grapevine, TX 76051 USA