Privacy Policy

Introduction

YrSpace Limited (we, us, our, YrSpace) complies with the New Zealand Privacy Act 1993 (the Act) and the General Data Protection Regulation of the European Union (GDPR) when dealing with personal information.  Personal information is information about an identifiable individual (a natural person), and includes personal data, personally identifiable information and equivalent information under applicable privacy and data protection laws.

This policy sets out how we will collect, use, disclose and protect your personal information when you use the YrSpace website (yrspace.com), and the Service (as defined in our Terms of Use) or any of our related services.

This policy does not limit or exclude any of your rights under the Act.  If you wish to seek further information on the Act, see www.privacy.org.nz.  For further information on the GDPR, see https://ec.europa.eu/info/law/law-topic/data-protection_en. 

Changes to
this
policy

We may change this policy by uploading a revised policy onto the website or the Service.  The change will apply from the date that we upload the revised policy.

This policy was last updated on [insert date].

What
pesonal
information
do
we
collect

We collect, hold and process two categories of personal information:
Account and Marketing Data is personal information that we collect about you:

in connection with the creation or administration of a customer account

if you ask to receive information about us or our services and products or sign up for our newsletter

when you contact us directly (e.g. telephone call, email)

when you visit our website. 

The Account and Marketing Data we collect may include company/personal names, usernames, phone numbers, email addresses, your location, billing information, information about how you use the Service (for example, traffic volumes, time spent on pages), your IP address and/or other device identifying data, and other information required to provide a service or information you have requested from us.

Visitor or Employee Data is personal information about our customers’ visitors or employees that is input into the Service.  Visitor
and
Employee
Data
may include visitors’ and employees’ names, phone numbers, email addresses, location, photos, times of visits and any other information that a customer decides to capture about its visitors and employees.  Visitor or Employee Data may also include data gathered through facial recognition technology and/or the use of beacons. 

We will not disclose, move, access, process or use Visitor or Employee Data except as provided in our Terms of Service and we require our customers to comply with applicable privacy and data protection laws.  If you visit or are employed by one of our customers, our customer controls the Visitor or Employee Data it collects, uses and discloses about you.  Please contact the relevant customer if you have any concerns about its processing of Visitor or Employee Data. 

For the purposes of the GDPR, our customers are the data controller when storing or otherwise processing Visitor or Employee Data that we hold solely for the purpose of providing the Service and we are the data processor.  We are the data controller when storing or otherwise processing Visitor or Employee Data that we use for our own purposes.

We only process Visitor or Employee Data as authorised by our customers in our Terms of Use or other agreements with our customers that govern the processing of Visitor or Employee Data (as applicable).  Unless required otherwise under applicable law, if we receive any request or enquiry relating to Visitor or Employee Data that we hold solely for the purpose of providing the Service, we will forward this request to our relevant customer.  If we receive any requests or enquiries relating to Visitor or Employee Data that we use for our own purposes, we will deal with these requests or enquiries as set out in this privacy policy.

The
remainder
of
this
privacy
policy
sets
out
how
we
will
collect,
use,
disclose
and
protect
Account
and
Marketing
Data
and
does
not
apply
to
Visitor
or
Employee
Data.

Who
do
we
collect
your
personal
information
from

We collect personal information about you from:

you, when you provide that personal information to us, including via the website or the Service and any related service, through any registration or subscription process, through any contact with us (e.g. telephone call or email), or when you buy or use our services and products

third parties where you have authorised this or the information is publicly available.  

If possible, we will collect personal information from you directly.  

How
we
use
your
personal
information
We will use your personal information:  

to verify your identity

to provide services and products to you

to market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose) 

to improve the services and products that we provide to you

to undertake credit checks of you (if necessary)

to bill you and to collect money that you owe us, including authorising and processing credit card transactions

to respond to communications from you, including a complaint

to conduct research and statistical analysis (on an anonymised basis)

to protect and/or enforce our legal rights and interests, including defending any claim

for any other purpose authorised by you or the Act.

We may transfer your information in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
You can stop receiving our marketing emails by following the unsubscribe instructions included in those emails.

Disclosing
your
personal
information

We may disclose your personal information to:  

another company within our group

any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products 

a credit reference agency for the purpose of credit checking you

other third parties (for anonymised statistical information)

a person who can require us to supply your personal information (e.g. a regulatory authority)

any other person authorised by the Act or another law (e.g. a law enforcement agency) 

any other person authorised by you.

A business that supports our services and products may be located outside New Zealand.  This may mean your personal information is held and processed outside New Zealand.

We share information about your use of the website or the Service with our trusted analytics partners through the use of cookies, pixel tags and similar storage technologies.  Please refer to the Cookies section of this policy for further information. 

Children
We do not intend to collect personal information from or about children aged under 16.  If you have reason to believe that we have collected personal information from or about a child under the age of 16, please contact us at [insert email address]. 

International
transfers
of
personal
information

A business that supports our website, products and services may be located outside of New Zealand (the country where we are incorporated) and also outside of the country where you are located.  This means that the personal information we collect may be transferred to, and stored in, a country outside of New Zealand and the country where you are located.

If you are located in the European Economic Area (EEA), your personal information may be transferred outside of the EEA.   Under the GDPR, the transfer of personal information to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection.  In the absence of an adequacy decision, we may transfer personal information if other appropriate safeguards are in place.

Where we transfer personal information outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data, or to a third party where approved transfer mechanisms are in place to protect your personal information (e.g. to organisations in the United States under the EU-U.S. Privacy Shield framework or by entering into the European Commission’s Standard Contractual Clauses).  For further information, please contact at [insert
email
address].

Some of the personal information we collect is processed in New Zealand.  New Zealand is recognised by the European Commission as a country that has an adequate level of data protection and we rely on this decision in transferring personal information to New Zealand.

Protecting
your
personal
information

We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse.  

You can play an important role in keeping your personal information secure by maintaining the confidentiality of any password and accounts used in relation to our products and services.  Please do not disclose your password to third parties.  Please notify us immediately if there is any unauthorised use of your account or any other breach of security.

Accessing and
correcting
your
personal
information

Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information.  Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.

In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction.  If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.

If you want to exercise either of the above rights, email us at alan@yrspace.com.  Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).

We may charge you our reasonable costs of providing to you copies of your personal information or correcting that information.

Other
rights

In addition to the rights to access and correct your personal information, if you are based in the European Union, you have the additional rights set out in the GDPR Additional Terms section of this privacy policy below.

California
privacy
rights

YrSpace does not share Visitor or Employee Data with third parties for direct marketing purposes.   You can request and receive confirmation of this at [insert email address] once a year, free of charge.

Internet
use

While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.

If you post your personal information on the website’s support message board, you acknowledge and agree that the information you post is publicly available.

If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information.  We suggest you review that site’s privacy policy before you provide personal information.

Cookies
We use cookies (an alphanumeric identifier that we transfer to your computer’s hard drive so that we can recognise your browser) to monitor your use of the website.

The cookies we use include Google Analytics cookies.  Information about Google’s cookies is available from: https://www.google.com.au/policies/technologies/types/.  Google’s privacy policy relating to its cookies is available at https://www.google.com/policies/privacy/partners/.  If you would like to customise or opt out of these settings please visit: https://tools.google.com/dlpage/gaoptout.

You can control and/or delete cookies as you wish.  You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed.  If you do this, however, you may have to manually adjust some preferences every time you visit our website and attempt use our services, you may not be able to access certain parts of our website or services, and some functionalities may not work.  You can find out more information about how to change your browser cookie settings at http://www.aboutcookies.org.uk.

DATA
Retention
policy

The personal information that we collect and use will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.  

GDPR ADDITIONAL TERMS

Lawful
basis
for
processing
personal
information

Our lawful basis for processing (as that term is defined in the GDPR) personal information that we collect, use and disclose depends on the personal information collected and the context in which we collect it.  

Generally, we collect personal information from you where we have your consent, where processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, or where processing is necessary for the purposes of our legitimate interests (except where such interests are overridden by your interests or fundamental rights and freedoms).  

Where we process personal information based on your consent, you may withdraw your consent at any time.  

Despite the above, we may process your personal information where such processing is necessary for compliance with applicable laws. 

If you have any question about the legal basis on which we process personal information or need further information, please contact us at [insert email address].

Your
rights
under
the
gdpr

If you are located in the European Union, your rights in relation to your personal information include: 

right
of
access
-
if you ask us, we will confirm whether we are processing your personal information and provide you with a copy of that personal information

right
to
rectification
-
if the personal information we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed.  We will take reasonable steps to ensure inaccurate personal information is rectified.  If we have shared your personal information with any third party, we will tell them about the rectification where possible

right
to
erasure

when your personal information is no longer needed for the purposes for which you provided it, we will delete it.  You may request that we delete your personal information and we will do so if deletion does not contravene any applicable law.  If we have shared your personal data with any third party, we will take reasonable steps to inform those third parties that they must delete your personal information

right
to
withdraw
consent
-
if the basis of our processing of your personal information is consent, you can withdraw that consent at any time 

right
to
restrict
processing
-
you may request that we restrict or block the processing of your personal information in certain circumstances.  If we have shared your personal information with any third party, we will tell them about this request where possible 

right
to
object
to
processing
-
you may request that we stop processing your personal information
at any time and we will do so to the extent required by the GDPR

rights
related
to
automated
decision-making,
including
profiling
-
you have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such automated decision-making is necessary for entering into, or the performance of, a contract with you, is authorised by applicable laws or is based on your explicit consent.  We do not undertake automated individual decision-making.

right
to
data
portability
-
you may obtain your personal information from us that you have consented to give us or that is necessary to perform a contract with you.  We will provide this personal information in a commonly used, machine-readable and interoperable format to enable data portability to another data controller.  Where technically feasible, and at your request, we will transmit your personal information directly to another data controller 

the
right
to
complain
to
a
supervisory
authority
-
you can report any concern you have about our privacy practices to your local data protection authority.

Where personal information is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing. 

If you would like to exercise any of your above rights, please contact us at [insert email address].  If you are not satisfied by the way we deal with your query, you may refer your query to your local data protection authority.