Temperzone Customer Security and Privacy Policy

POLICY VERSION 0.2 – 18/04/2018

Contents

  • Privacy Statement
  • Temperzone Limited Privacy Policy
  • Why do we collect your personal information?
  • What happens if you don’t give us your personal information
  • How we handle your personal information
  • Overseas Disclosure and Data Storage
  • Your personal information and our marketing practices
  • Google Analytics Demographic and Interest data
  • How to access and correct your personal information
  • How to make a Complaint
  • Privacy Contact Information
  • Security and Privacy Incidents
  • Incident definitions
  • Incident Reporting and Management
  • Incident Reporting
  • Ongoing Incident Management
  • Incident Response Process

Privacy Statement

Any Customer or Personal data collected or shared as part of normal business practice by Temperzone, its distributors, dealers, subcontractors, or contracted agencies, is governed by the Temperzone Limited Privacy Policy below:

Temperzone Limited Privacy Policy

This statement explains how Temperzone collects, holds, uses and discloses your customer and personal information and who we share it with.

Why do we collect your personal information?

Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable.

We collect personal information so that we can:

  • identify you, your company and conduct appropriate checks;
  • understand your requirements and provide you with a product or service;
  • set up, administer and manage our products, services and systems;
  • manage, train and develop our employees and representatives;
  • manage complaints and disputes; and
  • better understand your needs, your behaviours and how you interact with us, so we can engage in product and service research, development and business strategy including managing the delivery of our services and products via the ways we communicate with you.

What happens if you don’t give us your personal information?

If we ask for your personal information and you don’t give it to us, we may not be able to provide you with any, some, or all the features of our products or services.

How we handle your personal information

We collect your personal information directly from you and, in some cases, from other people or organisations, including suppliers of products and services to Temperzone.

We’ll use a variety of methods to collect your personal information from, and disclose your personal information to, these persons and organisations, including written forms, telephone calls and via electronic delivery. We may collect and disclose your personal information to these persons and organisations during the information life cycle, regularly, or on an ad hoc basis, depending on the purpose of collection.

Under various laws in Australia, New Zealand, and other countries we either operate in or obtain products or services from, we will be (or may be) authorised or required to collect your personal information. These laws may be related to Workplace Health and Safety, Employment, Tax, Corporate, etc. We will use and disclose your personal information for the purposes we collected it as well as purposes that are related, where you would reasonably expect us to.

We may disclose your personal information to and/or collect your personal information from:

  • websites and mobile applications, including the use of cookies or similar technology;
  • customer, product, business or strategic research and development organisations;
  • data warehouses, strategic learning organisations, data partners, analytic consultants;
  • social media and other virtual communities and networks where people create, share or exchange information;
  • publicly available sources of information;
  • industry relevant organisations;
  • a third party that we’ve contracted to provide services, products or administrative services – for example:
      • information technology providers,
      • administration or business management services, consultancy firms, auditors and business management consultants,
      • marketing agencies and other marketing service providers,
      • print/mail/digital service providers,
      • imaging and document management services;
  • accounting or finance professionals and advisers;
  • government, statutory or regulatory bodies and enforcement bodies;
  • legal and any other professional advisers or consultants;
  • debt collection agencies;
  • any other organisation or person, where you’ve asked them to provide your personal information to us or asked us to obtain personal information from them.

Your information may be stored onsite at one of Temperzone’s offices, in an offsite data centre or secure storage location contracted by Temperzone, and may be stored electronically using a third-party hosted service, e.g. Microsoft Office 365.

Overseas Disclosure and Data Storage

Sometimes, we need to provide your personal information to – or get personal information about you from – persons or organisations located overseas, for the same purposes as in ‘Why do we collect personal information?’ and ‘How we handle your personal information.’

The list of countries includes:

  • New Zealand
  • Australia
  • Singapore
  • Indonesia
  • South Pacific countries
  • other countries where we are engaged in business or related activities with you or your company or organisation

From time to time, we may need to disclose your personal information to, and collect your personal information from, parties in other countries not on this list. Nevertheless, we will always use all reasonable efforts to disclose and collect your personal information in accordance with privacy laws.

Your personal information and our marketing practices

We might, from time to time, let you know – including via mail, SMS, email, telephone or online – about news, special offers, products and services that you might be interested in.

We will use your personal information to engage in marketing unless you tell us otherwise. You can contact us to update your marketing preferences at any time.

To carry out our marketing, we collect your personal information from and disclose it to others that provide us with specialised data matching, trending or analytical services, as well as general marketing services, as set out in ‘How we handle your personal information’.

We may also collect your personal information for marketing through business dealings, seminars, trade shows, competitions and by accessing contact lists.

We, and other people who provide us with services, may combine the personal information collected from you or others, with the information we or our service providers already hold about you.

We may also use online targeted marketing, data and audience matching and market segmentation to improve advertising relevance to you.

Temperzone’s website and apps may use information from Google's Interest-based advertising or third-party audience data for in-company analysis of site demographics and interests, solely for marketing the Temperzone and Hitachi Air Conditioning Brands in Australia and New Zealand. All data collected is anonymous. Data and reports are not provided to third parties by Temperzone Australia.

If you do not want your information to be used for promotional and marketing purposes, you can contact Temperzone either via the unsubscribe links available on our websites or in applications, or contact us at unsubscribe@temperzone.com.

How to access and correct your personal information

You have the right to access, update and correct your personal information held by us. To do this, please send an email with your request and contact details to privacy@temperzone.com. We may need to contact you to verify your identity before we provide any data.

How to make a Complaint

The following complaint process can be used if you have a complaint about how we collect, hold, use or disclose your personal information or a privacy related issue such as refusal to provide access or correction.

By following the complaint handling process we can resolve your complaint effectively and efficiently.

Step 1. Contact Temperzone to let them know what the issue is

  • If you would like to make a complaint, please let us know by contacting us as we may be able to resolve the complaint for you.
  • If not, the staff member will refer you to a Manager or their delegate and they will attempt to resolve the complaint.
  • A response is usually provided to you within 5 business days.
  • You can contact Temperzone by using the relevant Complaints contact in Privacy Contact Information below.

Step 2. Review by Temperzone Privacy Manager

If you are not satisfied with the outcome of the Temperzone review in Step 1, you can request the complaint be referred to the Temperzone Privacy Manager for review or you can contact the Temperzone Privacy Manager.

The Temperzone Privacy Manager will contact you to discuss if additional information is required and will usually contact you with a decision within 15 business days of receiving your complaint.

You can contact the Temperzone Privacy Manager by using the relevant contact in the Privacy Contact Information below.

Step 3. Seek review by an external service

We expect our complaints process will deal fairly and promptly with your complaint. However, if you remain dissatisfied, you may be able to access the services of your relevant privacy commissioner, e.g.:

  • Office of the Australian Information Commissioner (OAIC) - https://oaic.gov.au/
  • Office of the Privacy Commissioner NZ - https://www.privacy.org.nz/

Company employees, contractors, vendors and suppliers may come into possession of personally identifiable information as a part of their relationship with the company. Each person must comply with all laws, regulations and policies and ensure that such information is properly protected.

Privacy Contact Information



Security and Privacy Incidents

Incident definitions

An incident is defined as any breach of security, privacy, continuity, legal or regulatory controls over information assets of any type. Examples of such incidents include:

  • Penetrations of systems, applications, networks, databases
  • Denial of service attacks
  • Misuse or mishandling of assets
  • Virus or other malware contamination
  • Transaction errors
  • Breaches of confidentiality agreements or contracts
  • Legal or regulatory violations

Incident Reporting and Management

Every user of Temperzone Customer information must protect that information and ensure that it is used for relevant Customer business purposes only. Any incidents or questionable issues in the security of this information must be reported.

All staff accessing Customer information will be advised of any incident handling and reporting processes that are specific to that Customer. These processes will be detailed as part of the overall Customer solution design.

Incident Reporting

All Customer security and privacy incidents and (suspected) weaknesses will be reported to the Temperzone Security Manager as soon as possible by either Temperzone, its subcontractors, or the Customer.

  • Incidents can be reported either by phone, email or directly in the service desk system using the correct contact information supplied.
  • The Temperzone Security Manager will coordinate a response to all security incidents and weaknesses as soon as possible and will put structures and processes in place to ensure that the response is fast and effective.
  • If the incident is deemed High, then the Temperzone Security Manager will assemble an Incident Team made up of the required resources from Temperzone and its subcontractors.
  • Should the Incident Team determine that the incident directly affects a Customer system or information then the Incident Response process will be initiated.

Ongoing Incident Management

  • The Temperzone Security Manager will quantify the types, volumes and costs of security incidents so that it can monitor its progress in this area and design security mechanisms to address incidents on a strategic level.
  • Evidence on incidents will be collected and handled in such a fashion as to conform to the applicable legal, statutory, regulatory and policy requirements.

Incident Response Process

The Temperzone Security Manager will co-ordinate any required resources to investigate incidents and will report significant losses or threats to the Customer. Where an Incident Severity is 1 or 2 the Customer will be invited to participate directly as part of the Incident Team.

The following definitions (and examples) are used to assign severity and to ensure the appropriate level of urgency is applied until resolution.

| Incident Severity | Definition | Business Impact | Example |
|---|---|---|---|
| 1 | Security/Privacy breach | High | Denial of service (DoS) attack, systems penetrated |
| 2 | Critical security/privacy threat | Medium | Critical security/privacy exploit or risk detected |
| 3 | Possible security/privacy threat | Medium – Low | Important threat identified by software vendor |
| 4 | Incidents with little or no business impact | Low – None | |

Based on the Incident severity the following are the targeted call back frequencies and restoration times:

| Severity | Target Call Back Frequency (during business hours only) | Target Resolution Time |
|---|---|---|
| 1 | Every 1 hour | 4 hours |
| 2 | Every 3 hours | 12 hours |
| 3 | Once every day | 24 hours |
| 4 | Once every second day | 96 hours |

Temperzone will work with the Customer before engaging any law enforcement or other authorities.

Incidents involving misuse by either Temperzone or Customer employees will be referred to Temperzone Human Resources for investigation.