Mythradon Privacy Policy

Date last updated: 12th January 2023

1. About this Privacy Policy 1
   1. This Privacy Policy describes how Mythradon Pty Ltd ABN 35 644 344 409 of PO Box 5027 Pinewood VIC 3149 (we, us and our) manages personal information about our customers (including our resellers), individuals whose data is processed by or on their behalf and users of our Mythradon Customer Success Platform and the Mythradon website at https://mythradon.com/. All such individuals are referred to in this Privacy Policy as "data subjects".
   2. Mythradon is committed to upholding the highest privacy standards in all jurisdictions in which we operate. We adhere to all relevant privacy laws and regulations, including the Australian Privacy Act 1988, The United Kingdom General Data Protection Regulation (UK-GDPR) and the General Data Protection Regulation (GDPR). We take the protection of personal data seriously and strive to ensure that all personal data is collected, used, and shared in a transparent and compliant manner.
   3. This Privacy Policy describes:
      • The period for which we store personal information;
      • A data subject’s right to access, rectify or to request erasure of personal information;
      • A data subject’s right to withdraw consent to our collection and use of your personal information;
      • A data subject’s right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC);
      • Why we collect and process personal information, the types of personal information that we collect and process and who we disclose it to;
      • Details of the security measures that we take to help protect personal information; and
      • Other information about how we collect, use and disclose personal information.
   4. We are committed to complying with our privacy obligations in accordance with the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth).
   5. If we decide to change this Privacy Policy, we will post the updated version at https://mythradon.com/privacy and notify you of such updates to the email account notified by our data subjects to us. Our policy is to be completely transparent about our privacy practices.
2. Our Platform
   1. We own and operate the Mythradon Customer Success Platform which provides customer relationship management functionality to business entities (Mythradon CSP) and the Mythradon website at https://mythradon.com/ (Mythradon Website) (together, the Mythradon Platform).
   2. We enter into contracts with our customers for their subscription to the Mythradon CSP. The Mythradon CSP provides customers with functionality that can be used by them to collect, process and disclose personal information about their end users and other data subjects. We may also appoint resellers who may enter into contracts for their distribution of access to the Mythradon CSP.
3. Customer responsibility for data subject privacy
   1. Our customers (including our resellers and their authorised end users) are required to comply with all applicable privacy laws.
   2. We rely on our customers to obtain all relevant privacy consents and authorisations from data subjects required by law, in order for the personal information that is entered into the Mythradon CSP to be collected, disclosed and otherwise processed by us.
   3. We also rely on our customers to ensure that all personal information of their data subjects held by us is accurate, up to date, complete, relevant and not misleading.
   4. We encourage our customers to ensure that their data subjects are familiar with their privacy policies so that their data subjects understand how the relevant customer will collect, use and otherwise process personal information about them, via the Mythradon CSP or otherwise.
4. The types of personal information we collect and hold about customers and data subjects
   1. The Mythradon Platform can be used to collect and hold the following types of personal information:
      1. Content entered into the Mythradon Platform about data subjects: All information, including personal information, that is entered into the Mythradon Platform is stored in systems managed by our customers and/or by us on their behalf. The types of personal information collected may include names, dates of birth, telephone numbers, mobile numbers, email addresses, job titles, bank account details, transaction data, postal addresses, residential and business addresses, as well as any other personal information entered into the Mythradon CSP by, about or on behalf of a data subject.
      2. Financial Information: We collect billing and payment details. Credit card details are not held by us, but are held by payment gateway providers that we use. Other than the last 4 digits of a credit card, all such credit card information is not accessible by us.
      3. Information required for the support, maintenance and security of the Mythradon Platform: In order to support and maintain the Mythradon CSP for a customer or to maintain the Mythradon Website, we collect and process end user information including device ID, device type, computer and connection information, statistics on page views, traffic to and from the Mythradon CSP, advertising data, IP addresses, email addresses, user access logs, usernames, hashed passwords, information included by customers in technical support tickets and error messages.
5. How we collect personal information
   1. Our policy is to not collect personal information by means that are unfair or unreasonably intrusive in the circumstances.
   2. We collect personal information about data subjects in one or more of the following ways:
      1. when end users enter personal information into the Mythradon CSP;
      2. when it is transmitted to the Mythradon CSP via an API in accordance with our obligations to do so pursuant to a contract with a customer;
      3. when a customer provides personal information to us;
      4. when it is provided to us by third parties such as government agencies on behalf of a customer or pursuant to an agreement with a customer, for it to be entered into and/or processed by the Mythradon Platform;
      5. publicly available records and registries, online searches and any other third party data sources that voluntarily disclose it to us.
      6. when it is voluntarily disclosed to us (such as via telephone, surveys, e-mail and online forms).
6. How we use customer and data subject personal information
   1. We use customer and data subject personal information for the following purposes:
      1. to deliver software services for the purposes of fulfilling our obligations under our customer contracts;
      2. by hosting personal information on our servers that may incorporate personal information;
      3. in the course of providing support services (when receiving technical support calls or when accepting enquiries, requests or orders for new services);
      4. when employing staff and engaging contractors and when interviewing staff and contractors;
      5. through the use of cookies on the Mythradon Website;
      6. when processing orders for our products and services; and
      7. in order to identify members when contacted with questions or concerns regarding our products and services;
7. Analytics data
   1. We also collect information about the Mythradon Platform end users known as analytics data including user location, the type of device accessing our platforms, the amount of time an end user spends on the Mythradon Platform and in which parts of it, and the path navigated through it. However, all such information is de-identified data and not collected in a form that could reasonably be expected to identify an individual. In any event, we only use analytics data for the following purposes:
      1. to help us review, enhance and improve the Mythradon Platform (for statistical or research purposes); and
      2. to develop case studies and marketing material without identifying any end users.
   2. We use analytics and cookie tracking on the Mythradon Website.
8. How we hold and secure personal information
   1. We hold and store personal information that we collect in our offices, computer systems and third party owned and operated hosting facilities for a period of 7 years following the termination of any contract with a customer for information collected using the Mythradon CSP. For personal information not collected using the Mythradon CSP, we will hold and store such personal information for a period of 7 years following the date that we first collected the information. In particular:
      1. We hold data collected via the Mythradon CSP in hosting facilities operated by reputable hosting providers;
      2. personal information that is provided to us via email is held on our servers or those of our cloud-based email providers;
      3. we use third party owned cloud-based marketing platform providers to hold personal information about current and prospective customers;
      4. personal information is held on computers and other electronic devices in our offices and at the premises of our personnel;
      5. we hold personal information that is provided to us in hard copy in files on our business premises.
   2. We take reasonable steps to protect personal information that we hold using such security safeguards as are reasonable in the circumstances to take against loss, unauthorised access, modification and disclosure and other misuse and to implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed by us.
   3. We:
      1. ensure all staff and contractors are aware of their information security responsibilities and that they are appropriately trained to meet those responsibilities;
      2. use SSL encryption on our systems;
      3. implement anti-virus and security controls for email and other applicable computer software and systems;
      4. have data backup archiving, data breach response plans and disaster recovery processes in place;
      5. implement passwords and access control procedures into our computer systems;
      6. perform audit tracking of personal detail read/updates;
      7. maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management and firewalls
      8. maintain physical security measures in our buildings and offices
      9. ensure that data centres that we engage:
         1. undertake server security hardening services;
         2. employ strict security policies and visitor access management;
         3. keep entry points to a minimum to ensure full visibility of those entering the facility;
         4. use surveillance cameras and security barriers to keep unwanted intruders out;
         5. operate a strict access policy for all those on-site;
         6. implements DDoS prevention systems and 24/7 network monitoring;
         7. have extensive data backup and restoration facilities;
         8. implement two-factor authentication Access Control Systems in place to protect data from employee negligence or malicious activities; and
         9. incorporate a digital Visitor Management Solution to provide full visibility and accountability for any third party contractors or visitors who may require ad hoc access.
      10. with respect to personal information that we no longer require or where we are otherwise required to destroy it under applicable law, we ensure that such personal information is securely destroyed.
9. Disclosure of personal information
   1. We only disclose customer and data subject personal information that we collect to third parties as follows:
      1. where required under a contract with a customer, we will transmit data subject personal information to third parties on behalf of the customer. For example, the Mythradon CSP includes functionality that enables data subject personal information to be transmitted to third party systems. Customers may be able to effect those transfers using the Mythradon CSP or may instruct us to otherwise do so on their behalf;
      2. to our resellers where necessary for us or them to determine or calculate the amount of any commission that is payable by us to them;
      3. in order to host databases that are integrated into the Mythradon CSP, we engage reputable hosting providers who host those databases on our behalf;
      4. when performing contracts we may outsource certain obligations to third party contractors such as professional service providers in accordance with our contractual rights. Professional services carried out by them may require access to customer and data subject personal information;
      5. when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
      6. where a person provides written consent to the disclosure of their personal information;
      7. where it is brought to our attention that specific personal information needs to be disclosed to protect the safety or vital interests of any person;
      8. to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences;
      9. for the enforcement of a law imposing a pecuniary penalty;
      10. for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
      11. where required by law.
   2. Customers who use the Mythradon CSP to disclose personal information about data subjects to third parties are expected to only do so where permissible under applicable law.
10. Third party websites
    1. The Mythradon CSP may include links to third party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third-party website operator complies with applicable data protection laws. Customers and data subjects should consider the privacy policies of any relevant third-party website prior to sending personal information to them.
11. Interacting with us without disclosing personal information
    1. If a person does not provide us with their personal information, they can only have limited interaction with us. For example, a person can browse our public facing website without providing us with personal information such as the pages that generally describe the services that we make available. However, when an organisation enters into a contract with us, or a person registers an end user account on the Mythradon CSP, or a person submits an enquiry to us, we need to collect personal information for identification purposes, so that we can provide our services, and for the other purposes described in this Privacy Policy.
    2. Any person has the option of not identifying themselves when contacting us to enquire about our services.
    3. For security purposes, only end users who identify themselves accurately and truthfully when opening any account on any of the Mythradon CSP, may login to and access the functionality provided by the Mythradon CSP.
12. Offshore disclosure
    1. We may disclose personal information to our offshore service providers and personnel who assist us with providing our services and to assist us with the operation of our businesses generally. We will take reasonable steps to ensure that such overseas recipients do not breach the Australian Privacy Principles, GDPR or UK-GDPR in relation to personal information.
13. How to access and correct personal information held by us
    1. End users who have accounts on the Mythradon CSP can access personal information on their account at any time, by logging into their accounts or by contacting the customer who provided them with access to the Mythradon CSP. Once an account is deleted, we may still be required to retain the data in accordance with our contract with the customer or by law.
    2. Data subjects who wish to make enquiries about the personal information held by them on the Mythradon CSP should contact the customer who provided them with access to the Mythradon CSP, or who uploaded their personal information into the Mythradon CSP in the first instance.
    3. Our customers can access their personal information and make copies of such information via the Mythradon CSP portal. We will handle all requests for access to personal information in accordance with our statutory obligations. We may require payment of a reasonable fee of $250 (or any other reasonable fee determined by us) by any person who requires Mythradon to provide a copy of their personal information that we hold, except where such a fee would be contrary to applicable law. Our customers have the right to request correction or deletion of their personal data.
14. Incident Management for Privacy Incidents
    1. We take the privacy of our customers seriously and have implemented procedures for managing and responding to any incidents that may compromise the privacy of our users. If we become aware of a privacy incident, we will promptly assess the nature and scope of the incident and determine the appropriate course of action. This may include:
       1. Notifying affected users and any relevant regulatory authorities, as required by law;
       2. Taking steps to secure any compromised systems or data;
       3. Conducting a thorough investigation to determine the root cause of the incident;
       4. Implementing corrective actions to prevent similar incidents from occurring in the future.
       We will also keep affected users informed of any significant developments related to the incident, including any steps they can take to protect their personal information.
15. Our contact details
    1. Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or make a privacy complaint, may contact us using the following details: Mythradon Pty Ltd
    2. We will use our best endeavours to resolve any privacy complaint with the complainant within a reasonable time frame given the circumstances. This may include working with the complainant on a collaborative basis or otherwise resolving the complaint.
    3. If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the Australian Privacy Principles, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:
       Telephone: 1300 363 992
       Email: enquiries@oaic.gov.au
       Address: GPO Box 5218, Sydney NSW 2001