Last updated 18 October 2018
Our businesses and website operate from Australia and this Policy primarily provides information in accordance with our obligations under the Privacy Act 1988 (Cth) (Privacy Act). In addition to the Privacy Act, if you are located in the European Union (EU) (including the European Economic Area (EEA)), the section 'European residents' below provides further information about your additional data subject rights in relation to the processing of your personal information (or personal data) under the General Data Protection Regulation (2016/679) (GDPR) by Alpha-H.
In providing our services to you we may collect and process personal information as outlined below. International Waters Pty Ltd will be a data controller for the purposes of the GDPR and this policy includes information that must be provided to you when we collect your personal information.
In this Policy, personal information means any information about an identified individual or an individual who is reasonably identifiable or as otherwise defined by applicable data protection law. It does not include information that is de-identified (anonymous data).
2. Your acknowledgement and consent
By visiting our website, or providing us with your personal information (either directly or allowing another person to do so on your behalf), you acknowledge and agree that the personal information we collect about you will be collected and handled in accordance with this Policy. If you do not agree with any part of this Policy, you must not provide your personal information to us.
If you do not provide us with your personal information, or if you withdraw any consent we are required by applicable law to have in order to process the personal information you have given us, this may affect our ability to provide services to you or negatively impact the services we can provide to you.
3. Consent and children
Our products and services are available to persons under 18 years of age.
If you are located in the EU and aged under 16 or if you are located in Australia and aged under 18 (underage), you must obtain your parent or guardian's permission before you provide any personal information to us. By providing us with your personal information you confirm that you are not underage or that you have the consent of your parent or a person holding parental responsibility.
If you are an adult holding parental responsibility and provide us with personal information about a child of yours who is underage, you will be considered to have given:
- (on behalf of any dependants who are underage) their consent to the collection of that information about them from you; and
- your consent to the use and disclosure of your personal information (and that of your dependants) for the primary and secondary purposes described in this Policy.
We urge parents to regularly monitor and supervise their children's online activities.
4. Personal information that we collect
The personal information we collect about you depends on the dealings you have with us, and may include your:
- name and contact details such as your address, mobile and land telephone number, e-mail address;
- date of birth;
- physical details such as your age and gender;
- health information about your skin such as skin type, allergies, concerns in relation to your skin for example dryness or oiliness, details about your skincare routine;
- image, such as a photo or video of you made during your use of our services;
- opinion, feedback or questions in relation to our services and products;
- opinion in relation to any of our business activities via surveys and/or competitions and trade promotions;
- any other information relevant to your use of our website or our services or products to help us better provide the services and improve and develop our products;
- CV and other application information if you apply for a job with us; and
- if you enquire about stocking our products, then the details that you provide us about your business for the purposes of that enquiry.
We only collect sensitive information where it is reasonably necessary for our functions or activities (for example, providing you with a service in our salon, or providing you with a tailored product recommendation) and either you have explicitly consented, or we are required or authorised by law to do so. This may include health information, information about whether you are pregnant or breastfeeding, details about medication you take which you provide in a Consultation Card, or information for the purposes of a job application such as information about national origin or immigration status, or optional demographic information such as race.
6. Dealing with us anonymously or using a pseudonym
Where possible and lawful, you may interact with us anonymously or using a pseudonym. For example, if you contact us with a general question we will not record your name unless we need it to adequately handle your question.
However, for many of our functions and activities we usually need your name, contact information and other details to enable us to provide our services or products to you.
7. Ways we collect your personal information
We may collect personal information from or about you in different ways, including:
- via our website or our social media pages;
- when you request or order a product or service;
- if you complete any survey or entry form for any competition and/or promotion;
- if you apply to be a stockist and you are an individual;
- if you post or email us your information;
- if you apply for any job vacancy with us;
- if you call or text us;
- if you provide us with your information in any other format such as verbally by phone or during your use of our services;
- if you agree to have your photo or video taken during your use of our services; or
- if you make a complaint to us.
We collect your personal information for the following purposes:
- confirming your identity;
- contacting you about a service or product you have enquired about or ordered;
- to provide products and services to you, including processing payment and arranging delivery;
- sending appointment reminders to you;
- providing salon services to you;
- manage and administer a product or service;
- to notify you about special offers and products or services available from us or our participating partners (for example our ‘stockist of the month’, Facebook insights, or Instagram);
- business planning, product development and research development;
- fulfilling any mandatory reporting obligations required by applicable law, including communicating with or notifying you if a notifiable data breach has occurred in relation to your personal information;
- to assess your application for a role with us and to take references;
- any related secondary purpose which we believe you would reasonably expect when we collected your personal information or as a result of our ongoing relationship with you;
- any purpose for which you have consented;
- any purpose for which we are required or authorised by applicable law; and
- to respond to and manage inquiries, complaints, feedback and claims, defend our legal interests and investigate and protect against fraud, theft and other illegal activities.
In the course of providing our products and services to you we may disclose your personal information:
- to our related bodies corporate, suppliers, consultants, contractors or agents so that they can provide you with products or services on our behalf or help us to provide you with the requested products or services including contacting you in relation to the products or services;
- if we merge with or are acquired by another entity, to that entity as a part of the merger or acquisition.
We may use your personal information to identify a product or service that you may be interested in or to contact you about an event or promotion being held at a retailer near you. We may, with your consent where required by applicable law, use the contact details you have provided to contact you from time to time, whether by phone, email or SMS, to tell you about new products or services and special offers that we believe may be of interest to you.
You can withdraw your consent to receiving direct marketing communications from us at any time by unsubscribing from the mailing list by clicking ‘unsubscribe’ at the bottom of any email from us, by contacting us on the details at the end of the policy or by using any other unsubscribe facility provided in the electronic communication you receive.
11. Security and storage of personal information
We take all reasonable and appropriate steps (including organisational and technological measures) to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Where we store your personal information depends on what interaction you have had with us. These include:
- electronic databases, including those for processing customer enquiries or feedback;
- email databases for marketing communications; and
- paper based forms.
Please keep in mind that no information transmitted over the internet can be guaranteed to be 100% secure. We will take all reasonable steps to protect your information or personal details, however we cannot ensure or warrant the security of any information or personal details you transmit to us or receive from our online software. These activities are conducted at your own risk.
We only keep your personal information for as long as it is required for the purpose for which it was collected or as otherwise required by applicable laws. If we no longer need to hold your personal information for any reason, we will take reasonable steps to de-identify or destroy that information. These steps may vary depending on the nature of the information, the way it was collected and how it was stored.
12. Data breaches
The Privacy Act requires us to notify affected individuals and the Privacy Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:
(a) there is unauthorised access to or disclosure of personal information we hold (or information is lost in circumstances where unauthorised access or disclosure is likely to occur);
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
(c) we are unable to prevent the likely risk of serious harm with remedial action.
If it is not clear whether a suspected data breach meets these criteria, we will investigate and assess the breach to determine whether the breach is an ‘eligible data breach’ that requires us to notify the affected individuals. This is to ensure you are notified if your personal information is involved in a data breach that is likely to result in serious harm. Even if the criteria are not met, we may decide it appropriate to notify you anyway as part of our commitment to taking privacy seriously.
13. Access to and correction of your information
We will endeavour to ensure that the personal information collected from you is up to date, accurate and complete.
You may request access to or correction of your personal information we hold about you at any time by contacting our Privacy Officer on the details set out at the end of this Policy. We will need to verify your identity. Subject to any applicable exceptions or requirements, we will provide you with access to the personal information you request within a reasonable time and usually within 28 days. If we decide to refuse your request we will tell you why in writing and how to complain.
14. United Kingdom residents
UK General Data Protection Regulation (GDPR) – UK Representative
Pursuant to Article 27 of the UK GDPR, Alpha-H has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
- by using EDPO UK’s online request form: https://edpo.com/uk-gdpr-data-request/
- by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom
15. European residents
General Data Protection Regulation (GDPR) - European Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Alpha-H has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:
- using EDPO’s online request form: https://edpo.com/gdpr-data-request/
- writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
If you are an individual customer based in Europe and we offer or provide our products or services to you, our processing of your personal information will be subject to the GDPR and the following additional information applies.
International Waters Pty Ltd is the data controller for the purposes of processing your personal information.
Our legal grounds for processing: We rely on the following legal grounds to process your personal information:
- contract performance - we need to collect and process your personal information to enter into a contract with you when you purchase our products or to perform our obligations under a contract with you when you request and we provide you with our products and services;
- if it is necessary to pursue our legitimate interests and does not override your rights and interests - this is the usual basis on which we carry on our business for the purposes set out above and includes when we carry out research, conduct direct marketing or otherwise communicate with you;
- with your consent - we need your consent to collect and use your sensitive information such as your health information or to send you direct marketing; and
- to comply with laws or regulations that apply to us including exercising our rights.
Transfer of information outside Europe: If we or our service providers or one of our related entities transfers your personal information outside Europe or onwards to a third country from Australia, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information. We will do this by one of the following:
- sending it to a country approved by the European Commission as having adequate privacy protections;
- the recipient has signed a contract based on standard “model contractual clauses” approved by the European Commission, requiring them to protect your personal information (see http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm); or
- if the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield scheme (https://www.privacyshield.gov/welcome) or another valid scheme; or
- meeting the requirements of an applicable derogation such as obtaining your consent.
How long do we retain your personal information? We retain your personal information for as long as necessary to provide our services and products that you have requested, to comply with our legal obligations, resolve disputes, and enforce our rights and policies. Unless we have an ongoing relationship with you (e.g. you are a frequent customer) or are otherwise required, we will retain your personal information for no longer than 2 years.
Your additional rights and choices: You can -
- ask us to erase your personal information without undue delay in certain circumstances such as if you withdraw your consent and we otherwise have no legal reason to retain it.
- object to, and ask us to restrict, our processing of your personal information in certain circumstances, such as while we verify your assertion the information is inaccurate or if we are processing your information for our legitimate interests or for direct marketing purposes (we may be legally entitled to refuse that request).
- in some circumstances such as where we are processing your information with your consent, receive some personal information you have given us in a structured, commonly used and machine-readable format and/or ask us to transmit it to someone else if technically feasible.
- withdraw your consent (but we may be able to continue processing without your consent if there is another legitimate reason to do so).
- lodge a complaint with the relevant European data protection authority if you think that any of your rights have been infringed by us – we can, on request, tell you the relevant authority for the processing of your personal information.
If you have a question or comment regarding this Policy or wish to make a complaint or exercise your privacy rights, please contact our Privacy Officer on the following details:
International Waters Pty Ltd
PO BOX 905
OXENFORD QLD 4210
1800 659 777
We will need to verify your identity, and we will respond to you within a reasonable period of time to acknowledge your complaint and inform you of the next steps we will take in dealing with your complaint.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) via the OAIC website: www.oaic.gov.au
17. Credit Card information
We use third parties to process any sales paid for via credit card.
Where we use Shopify Payment Gateway Services (Payment Gateway) to process a payment via credit card, we do not directly hold any payment information other than a billing address and a contact email on the website servers. In accordance with the Payment Gateway policies, we may be able to view credit card details, however, we will only use such information for the purposes of credit card verification, transaction approval or to provide a refund. Any information collected by the Payment Gateway may be used in accordance with the Payment Gateway privacy or other policies and is beyond our control. To view the Shopify policies please refer to https://www.shopify.com/legal/privacy/customers