YELLOW LINES APP PRIVACY POLICY

OUR COMMITMENT AND PROCESSES

Yellow Lines deeply values all former, current, and potential customers and collaborators and we are committed to this Policy and the overarching Australian Privacy Principles (APPs) under the Privacy Act 1988. Yellow Lines ("we" or "the business") is an Entity based in Victoria, Australia. This APP Privacy Policy (Policy) will be made freely available on the website www.yellowlines.com.au, or can be requested via email or post by contacting any Yellow Lines staff member.

The Yellow Lines person responsible for this Policy, and any related inquiry, is Mr Donovan Ferguson. Any individual or organisation is welcome to contact (or complain to) Yellow Lines regarding this Policy, and its application as it relates to the handling of information. Inquiries can be directed to email address privacy@yellowlines.com.au, or posted to PO Box 198 KINGLAKE VIC 3763, or Mr Donovan Ferguson can be contacted on phone number 0409 054 321.

In the event an individual or organisation is not satisfied with how Yellow Lines handles an inquiry/complaint, that individual has the option to contact the Office of the Australian Information Commissioner (OAIC). Further information is available at www.oaic.gov.au. Yellow Lines is committed to cooperating and working with the OAIC in such circumstances.

Yellow Lines will keep a record of changes made to this Policy, so that any person can retrospectively review any change that occurred.

Under this Policy, Yellow Lines aims to acknowledge (receipt of) any inquiry/complaint within 72 hours of receipt (inquiries relying solely on ground postal services may take longer). If time is of the essence then we encourage using email or telephone. Depending on the nature of the inquiry, Yellow Lines will aim to provide a reasonable final/full response within 2 weeks (14 days), if not sooner.
Yellow Lines does not have any Policy to routinely destroy personal information that has been collected, however Yellow Lines may choose, at its sole discretion, to irrevocably destroy information relating to individuals where it is no longer deemed necessary to be collected/collated. Doing so will not discharge our commitment/responsibilities under this Policy to prevent any breach of an individual’s privacy. However, if information is destroyed, it will be securely irrevocably destroyed, preventing any access to, review, or update of the information by any party (including Yellow Lines). Destroyed means gone/non-existent - there is no longer any information.

An individual whose personal information has been collected/collated by Yellow Lines may request that it be irrevocably destroyed. This can be done by contacting the person responsible for this Policy via any of the methods described. Depending on the nature of the information, Yellow Lines may choose to retain the records in a de-identified format (as opposed to irrevocably destroying the entire information). This would allow for audit compliance type activity e.g. engagement with the Australian Taxation Office.

PERSONAL INFORMATION

Any personal information collected by Yellow Lines is done so for the sole purpose of selling and/or delivering the professional services and products which are core to our business. Types of personal information that Yellow Lines will collect and store indefinitely include name, email address, occupation, address, phone number, employer name, job title. Additionally, other (non personal) information will be collected about the professional services and/or products (goods and services) that Yellow Lines seeks to and/or delivers to customers. Such information is routinely required to conduct business in a professional and diligent manner.
Where personal information has been collected/collated by Yellow Lines, the subject of such information may request to review and/or correct it at any time. The personal information we collect is stored in Microsoft Exchange, computer, tablet, smartphone applications, cloud storage, and back-ups of the aforementioned systems and data.

Individuals who include their pronoun in communications are voluntarily sharing personal information with Yellow Lines, and to the extent possible that information will be bound under this Policy. Yellow Lines cannot prevent an individual from sending us personal information, however, we do not request it and there is no commercial reason for any individual or organisation to do so. However, Yellow Lines are deeply respectful of an individual's right to include this personal information in their communications because we believe it helps us to foster cultural safety and inclusivity. Yellow Lines will not collate or analyse this personal information. When we receive this personal information it will sit at rest in the format it was received, which is typically in an individual's signature block within email, and it will not be added to any database (such as contacts records).

If an individual chooses to include their pronoun in communications, the individual should be aware that if they later decide that they do not want to share their pronoun or if they wish to change their pronoun, it is very difficult to comprehensively change historic communications that have this information included. If other individuals or organisations are copied on or forwarded these communications, it is likely impossible for that pronoun information to be recalled or changed in the future.

SENSITIVE PERSONAL INFORMATION

Yellow Lines does not routinely collect sensitive personal information (SPI) as it is not required to conduct our business.
SPI examples include date of birth (age), sex, personal preferences, racial or ethnic origin, religious affiliation, political opinions, an individual's pronoun.

The Yellow Lines website includes an inquiry ("Contact Us") page, to allow potential customers to engage with the business. Such inquiries are transmitted to Yellow Lines by our website hosting provider, via email (SMTP). The detail of the inquiry is not stored in any other location (although our website hosting provider may record it in their logs, and/or create a back-up containing the information). While all (outbound) Yellow Lines email is transmitted via SSL encrypted ports, incoming email may not be encrypted, and so senders of inquiries via our website (or by any email) should not include any SPI.

INFORMATION SHARING

There is no circumstance whatsoever where Yellow Lines will sell, barter, or indiscriminately share any personal information. Any person providing personal information to Yellow Lines is assured that the business has no desire or intent to breach their privacy. Buying or selling information is not part of our business model.

The following third party service provider types, as a part of their day to day business providing services to Yellow Lines, would have access to some of the information that we collect/collate as part of everyday business. Some of these parties may also have infrastructure, systems, information, and resources outside of Australia.
- Our legal practitioner
- Our accounting practitioner
- Our email hosting providers
- Our website hosting provider
- Our accounting software provider
- Our professional networking provider (LinkedIn)
- Our computer and smartphone operating system and software providers
- The Australian Taxation Office

IF THIS POLICY IS BREACHED

In the event that Yellow Lines becomes aware of a breach of this Policy which impacts the personal information of any individual, Yellow Lines will take assertive action to notify impacted individual(s), and to every extent possible prevent further breach. Yellow Lines would execute such a notification as soon as possible, and would prioritise making such a notification over avoiding reputational damage to Yellow Lines. Where applicable, we will follow the obligations for organisations under the OAIC Notifiable Data Breaches scheme.

In the event that any of the third party service provider types we identify in this Policy was to incur and notify a privacy breach, Yellow Lines will proactively treat this as a potential breach of our Policy, and will take action to disclose the potential breach to any impacted individual. What constitutes personal information and ultimately whether a privacy breach has occurred will be interpreted under Australian law (Privacy Act 1988).

COMMUNICATIONS AND MARKETING

Yellow Lines does not conduct any targeted and/or unsolicited direct marketing via door to door, telephone call, SMS, or email. Any marketing/sales/proposal material exchanged will be in response to a direct request for information on products and services (goods and services). In the event an individual is contacted (at their request), that individual may also subsequently request no further contact, and without giving any reason.

In the event an individual wishes to engage with Yellow Lines anonymously, the individual should make this clear to Yellow Lines at the earliest opportunity so that we can assist with maintaining this.
Yellow Lines will facilitate anonymous engagement via receipt of phone call, with it being the responsibility of the inbound caller to hide/block their phone number if desired. Alternatively, an individual can create a pseudonym to use within communications, allowing them to remain anonymous whilst still maintaining some continuity of engagement. Yellow Lines will not attempt to identify an individual who chooses to be anonymous, although under these circumstances it may be impractical for Yellow Lines to facilitate any meaningful engagement.

The Yellow Lines www.yellowlines.com.au website is a simple customer facing (promotional) website to provide information on the professional services and products (goods and services) that Yellow Lines provides. Yellow Lines does not leverage cookies for the purpose of covertly or overtly collecting or analysing any personal information. Our website is "dumb" and harmless, unless an individual chooses to submit an inquiry via the "Contact Us" form and includes personal information or SPI within.

No field in the "Contact Us" form is mandatory, allowing a person to choose to include limited information, be anonymous, or use a pseudonym if desired, however, under these circumstances it may be impractical for Yellow Lines to facilitate any meaningful engagement or even respond. The "Contact Us" form should not be considered secure, and no SPI should be entered into or sent via the "Contact Us" form. However, in the event that a person does submit SPI via the "Contact Us" form, the information will be bound by this Policy regardless. Yellow Lines encourages people to submit minimal detail via the "Contact Us" form. The "Contact Us" form is a simple (non-secure) tool for an individual to initiate contact/engagement.
REVIEWING THIS POLICY

In the event of a material change to this Policy, and therefore a change to our commitment/responsibility on the handling of information, Yellow Lines will notify any impacted party a minimum of sixty (60) days prior to that Policy change. The notification process will include instructions on how an individual may request to have the handling of current or future collected/collated information changed (such as destroyed) prior to the Policy change coming into effect.

This Privacy Policy was last reviewed for update on Monday 30 January 2023. At a minimum, this Policy will be reviewed annually.

Yellow Lines loves getting feedback of all types. Please send any feedback on privacy related matters to privacy@yellowlines.com.au.

*************************************

CHANGE LOG

03/01/2019 V1
* Created new Policy.

21/01/2019 V1.1
* Added detail of Time Palette, including clarifying that Yellow Lines is the parent of Time Palette, and for the purpose of individuals dealing with us, this Policy applies equally to both. It was deemed that this change to this Policy will not impact previously collected Personal Information of any individual, and therefore Yellow Lines did not provide 60 days notice of the Policy change, and is not required to actively notify any individual of the Policy change beyond making this newly updated Policy available.

05/01/2020 V1.2
* Annual review of Policy completed. No changes made.

11/01/2021 V1.3
* Annual review of Policy completed.
* Revised wording to clarify that potential delay in acknowledging and responding to any feedback/complaint reliant on postal services relates to "ground mail" otherwise known as "snail mail" e.g. Australia Post.

04/12/2022 V1.4
* Removed references to Time Palette due to standalone website deprecation.
It was deemed that this change to this Policy will not impact previously collected Personal Information of any individual, and therefore Yellow Lines did not provide 60 days notice of the Policy change, and is not required to actively notify any individual of the Policy change beyond making this newly updated Policy available.

30/01/2023 V1.5
* Added reference to Sensitive Personal Information (SPI) as relates to individuals including their pronoun in communications. It was deemed that a pronoun is SPI. A review determined that individuals have previously included this SPI in communications with Yellow Lines. Yellow Lines believes that this change to our Policy represents 'good housekeeping' and therefore Yellow Lines did not provide 60 days notice of the Policy change, and is not required to actively notify any individual of the Policy change beyond making this newly updated Policy available.
* Added three (3) third party service provider types (for clarity and completeness). It was deemed that this change to this Policy will not impact previously collected Personal Information of any individual, and therefore Yellow Lines did not provide 60 days notice of the Policy change, and is not required to actively notify any individual of the Policy change beyond making this newly updated Policy available.

01/01/2024 V1.6
* Revised classification of a pronoun from Sensitive Personal Information (SPI) to Personal Information.
* Updated PO Box address from PO Box 245 to PO Box 198.