This Privacy Policy describes how BlueSana Pty Ltd (ACN 661 711 977) and its subsidiaries and related group entities (together “us”, “our” or “we”) collect, hold, use and disclose personal information of individuals in connection with our services provided via our website at www.bluesana.com.au (“Website”) and the BlueSana platform (“Platform”).
This policy applies to all individuals who access or use our Website or Platform. The specific privacy rights and protections available to you will depend on your location and the applicable data protection laws.
For individuals located in Australia and outside the EU/EEA, all personal information collected by us will be treated in accordance with the Australian Privacy Principles (“APPs”) contained in the Privacy Act 1988 (Cth) (“Privacy Act”).
For individuals located in the European Union or European Economic Area, all personal information will be collected in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Where there are differences between the requirements of the APPs and GDPR, we will comply with the standard applicable to your location and circumstances.
This summary provides a brief overview of our privacy practices. For full details, please read our complete Privacy Policy below.
What personal information do we collect?
We collect personal information such as your name, contact details, payment information, and technical data when you interact with us or our Website and/or Platform.
Why do we collect your personal information?
We may use your personal information to provide our services, process payments, manage your account, improve our Website, and send you relevant marketing communications (where you have consented or where we have a legitimate interest).
Who do we share your personal information with?
We may share your personal information with trusted third-party service providers (e.g., payment processors, IT support), other customers (where necessary for the provision of the services) and, in certain circumstances, with legal or regulatory authorities.
What are your rights?
For individuals located in Australia and outside the EU/EEA: Under the APPs, you have the right to access and correct your personal information we hold about you, subject to certain exceptions under the Privacy Act.
For individuals in the EU/EEA: Under the GDPR, you have the right to access, correct, erase, restrict, object to the processing of, and request data portability of any personal information we hold about you, subject to applicable laws and certain exceptions.
How can you contact us?
For any questions, complaints or to exercise your rights, please contact our privacy officer by email to contact@bluesana.com.au.
Please read this Privacy Policy carefully. By using our services, you acknowledge that you have read and understood this Privacy Policy.
For individuals in the EU/EEA: Your use of our services does not constitute consent to processing where we rely on other legal bases under GDPR (such as contract performance or legitimate interests). Where we do rely on consent, you have the right to withdraw it at any time.
If you do not agree with any part of this Privacy Policy, please do not use our services.
Who collects your personal information?
1. BlueSana Pty Ltd (ACN 661 711 977) whose registered office is located at JPL Partners, Suite 6, Level 2, 64 Croydon Street, Cronulla NSW 2230.
What personal information do we collect?
2. Personal information means any information about an identified individual or an individual who can be identified (directly or indirectly).
3. The types of personal information that we collect will depend on your dealings with us. Personal information that we may collect when you use our services includes:
a. your contact details, including your first and last name, email address, mobile number, mailing or street address (“Contact Information”);
b. if you are employed or engaged by an organisation that is a customer of ours, we will collect the organisation’s name, industry, your job title and role and department and function (“Employment Information”);
c. your billing information, including your bank account and credit card details (“Billing Information”);
d. your Internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website and/or the Platform (“Technical Data”);
e. your transaction history, including how you have used our services; and
f. any additional information relating to you where you are identifiable that you provide to us directly in communications with us or other users of our services, including through feedback or surveys, or direct communications with other users via the Platform.
Directly from you
4. We may collect personal information from you when you:
a. establish a profile on the Platform;
b. use our services;
c. undertake any monetary transactions with us in relation to our services;
d. correspond or communicate with us, for example, via telephone, email, and written enquiries directed to us;
e. interact with us on our social media, for example, LinkedIn, X (formerly known as Twitter) or other platforms;
f. use the Website to sign up to receive our newsletter and/or subscribe to our mailing list (if applicable); and/or
g. provide the information to us as part of your dealings with us.
Indirectly from other sources
5. As you interact with the Website, we may automatically collect Technical Data. We collect this personal information by using cookies, server logs, and other similar technologies. For more information see paragraphs 6 and 7 below.
6. A cookie is a data file that our Website stores on your device. We use cookies to help remember information about your preferences and record information about how you interact with our Website to improve your experience. This includes providing relevant information and remembering your preferences and settings.
7. When you first visit our Website, you will be presented with a cookie banner allowing you to accept or reject non-essential cookies. We will only place non-essential cookies after obtaining your consent. Essential cookies necessary for the Website to function do not require consent. You can adjust your cookie preferences at any time through your browser settings, though this may affect some Website functionality.
8. We may also receive personal information about you from various third parties and public sources, such as:
a. contact, financial, and transaction data from providers of technical, payment, and delivery services; and/or
b. identity and contact information from publicly available sources (e.g. company registers, LinkedIn etc.).
Why do we collect your personal information?
9. We collect, hold, use and disclose your personal information for various purposes associated with providing the services to you and also in connection with our business, including so that we can:
a. perform our obligations in the course of, or in connection with, providing the Services to you;
b. process and respond to queries, requests, complaints and feedback from you;
c. manage our relationship with you;
d. process payment transactions;
e. verify your identity;
f. inform you about our business and services;
g. send you marketing information about our services (with your prior consent where required by applicable law, or where we have another lawful basis such as legitimate interest, and subject to your right to opt-out);
h. manage your subscription to our mailing lists;
i. for security purposes;
j. communicate with you and with the relevant authorities in the event that your personal information has been subject to a data breach;
k. comply with other obligations including our legal, tax and accounting obligations; and
l. transmit your personal information to any unaffiliated third parties including our third-party service providers and agents, and relevant governmental and/or regulatory authorities, for the aforementioned purposes.
Legal basis for processing personal data (EU only)
10. For individuals in the EU/EEA: We will only process your personal data when we have a legal basis to do so under the GDPR. Most commonly, we will process your personal data in the following circumstances:
Disclosure to third parties
11. We may disclose personal information for the purposes described in this Privacy Policy to:
a. our employees and related bodies corporate;
b. other customers (where necessary for the provision of services and where you have been informed of such sharing);
c. third-party service providers, including third parties who provide IT and system administration services, payment processing, data analytics, marketing, and customer support services;
d. our professional advisers, including lawyers, accountants, tax advisers, and insurers who provide consultancy, banking, legal, insurance, and accounting services;
e. anyone to whom our assets or businesses (or any part of them) are transferred; and/or
f. specific third parties authorised by you to receive information held by us.
12. If we are legally permitted or required to, we may also disclose your personal information in order to comply with our legal obligations or to protect or enforce our rights.
13. We may also disclose non-personal, de-identified and aggregated information (i.e. information that is not personal information) to third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional purposes.
Overseas Disclosure
14. We may transfer your personal information outside Australia and, for EU/EEA individuals, outside the European Economic Area.
15. For Australian individuals: Whenever we transfer your personal information overseas, we will take reasonable steps to ensure the overseas recipient does not breach the APPs in accordance with APP 8.1, unless an exception applies.
16. For EU/EEA individuals: We will only transfer your personal information outside the EEA where we have implemented appropriate safeguards in accordance with GDPR Chapter V requirements, including:
a. the country has been deemed to provide an adequate level of protection for personal information by the European Commission; and/or
b. we may use specific contracts which give your personal information the same protection it has under the Privacy Act or GDPR (as applicable).
Links to other sites from the Website and/or Platform
17. The Website and/or Platform may contain hyperlinks to third-party websites or services.
18. This Privacy Policy does not apply to third-party websites or services. Your use of any third-party website or service is governed by the privacy policy and terms of use for that website or service, and we are not responsible for the privacy practices of such third parties. If you communicate with us via a social media platform, for example, X (formerly known as Twitter), then the terms and privacy policy for the social media platform will also apply.
19. We do not endorse any of these third parties, their products or services, or the content on their websites.
How do we protect your personal information?
20. We will take reasonable steps to keep secure any personal information which we hold and to keep this information accurate and up to date. However, we also rely on you to notify us of any changes to your personal information to ensure its accuracy.
21. We implement reasonable electronic and procedural measures to protect our customers’ information from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, including but not limited to:
a. personal information held and stored electronically is protected by industry-standard encryption, internal and external firewalls, multi-factor authentication, limited access via file passwords, and files designated read-only or no access;
b. where personal information is held and stored in third-party cloud environments (such as Microsoft Azure), those environments provide industry-standard encryption and network protections. We select cloud service providers that offer robust security frameworks and certifications (such as ISO 27001 or equivalent). We do not download or process personal information in other environments; and
c. where we disclose personal information to third parties, our contractual arrangements with them include specific privacy requirements.
22. Please be aware that while we implement reasonable security measures, no method of transmission over the Internet or method of electronic storage is completely secure. While absolute security cannot be guaranteed, we maintain a comprehensive information security program and continuously review and enhance our security measures to protect your information. To the extent permitted by law, we will not be liable for any unauthorised access to, or loss of, personal information that is beyond our reasonable control.
How long do we retain your personal information?
23. We will hold copies of your personal information for as long as necessary to provide the services to you, undertake activities described in the “Why do we collect your personal information?” section above, and comply with applicable legal retention requirements. Generally, we will retain personal information for no longer than 7 years after the termination of our relationship, unless a longer retention period is required or permitted by law (including for taxation, accounting, or legal purposes). We will also retain a copy of your personal information in connection with administering our business and in order to fulfil our legal obligations.
24. We will take steps to securely destroy or delete your personal information once it is no longer needed. In some circumstances, we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
How do we use AI and automated decisions?
25. The Platform employs artificial intelligence and machine learning algorithms as part of its matching process to connect organisations with suitable ESG suppliers. This AI-driven process is designed to enhance the efficiency and relevance of ESG supplier recommendations for these organisations. We are committed to adhering to principles of fairness, transparency and accountability in automated decision-making, and regularly audit our AI systems to identify and mitigate potential biases.
26. In the operation of this AI matching program, the following kinds of personal information may be used:
a. Contact Information;
b. Employment Information; and
c. any other personal information voluntarily entered by our customers into the Platform that is relevant to the matching criteria (e.g. specific ESG requirements, industry focus, geographic location).
27. The AI matching program makes decisions regarding the identification and presentation of potential ESG supplier matches to organisations. These decisions involve:
a. identifying and ranking ESG suppliers that best align with an organisation’s stated requirements and preferences; and
b. facilitating the initial connection or recommendation between an organisation and a prospective ESG supplier.
28. While personal information is utilised in the operation of the AI matching program, the decisions made by the program primarily relate to the identification and recommendation of ESG suppliers to other organisations. While these automated decisions are not intended to significantly affect individual rights, you have the right to obtain human intervention, express your point of view, and contest any decision made by our AI system that affects you. To exercise these rights, please contact us using the details provided in paragraph 40. The primary impact of these decisions is on the business operations and commercial relationships of the organisations involved, rather than on the personal rights or interests of an individual.
Australian customers
29. Under the APPs, you have the right to access the personal information that we hold about you, and to request that it is corrected.
30. We will provide you with access to your personal information or update or correct your personal information, unless we are lawfully excluded from granting your request under the Privacy Act (for example, where providing access would pose a serious threat to the life, health or safety of any individual, or would have an unreasonable impact on the privacy of others).
EU customers only
31. Under the GDPR, you have the following rights concerning any personal information that we hold about you:
a. access your personal information;
b. request to update or correct your personal information;
c. request the deletion or removal of personal information – we will accept your request unless there is statutory obligation or prevailing right for us to retain your personal information;
d. request the suspension of the processing of your personal information in certain scenarios (for example, if you want us to establish the accuracy of the information or confirm the reason for processing it);
e. object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) – we will cease further use of the relevant information, unless we have compelling legitimate grounds for continued use of the personal information, which may override your interest in objecting, or if we require the information for the establishment, exercise, or defence of legal claims;
f. object to direct marketing or to us applying profiling in relation to direct marketing – we will cease to process your personal information for such purposes;
g. request the transfer of your personal information to you or to a third party in a commonly used electronic format, where the information is automated information which you initially provided consent for us to use or where we used the information to perform a contract with you;
h. withdraw your consent for us to process your personal information, where we are relying on your consent to do so – this will not affect the lawfulness of any processing carried out before you withdraw your consent; and
i. make a complaint at any time to the relevant privacy regulator in your jurisdiction.
32. Please be aware that if you exercise a right under paragraphs 31 c., d., e., or h. above, we may not be able to provide certain services to you. We will advise you if this is the case at the time you make your request.
How to exercise your rights
33. If you wish to exercise any of the rights set out above, please contact us using the contact information in paragraph 40 below.
34. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
35. We will endeavour to respond to your request as soon as possible and within thirty (30) days of receipt of your request. If we need more time to respond to your request, we will notify you within thirty (30) days of receipt of your request and provide you with an estimate of when we will be able to respond to your request which will not exceed a further thirty (30) days except in exceptional circumstances. If we refuse your request to exercise your rights, we will inform you of the reasons why we are unable to do so.
How to make a complaint
36. If you wish to complain about how we have handled your personal information under the APPs or GDPR, while you have the right to lodge a complaint directly with the privacy regulator in your jurisdiction (the Office of the Australian Information Commissioner for Australian customers, or your local supervisory authority for EU customers), we encourage you to first submit your complaint to us in writing using the contact information in paragraph 40 below. We are committed to addressing your concerns promptly and will make reasonable efforts to resolve any complaint fairly and efficiently.
37. We will respond to your complaint as soon as reasonably possible and will endeavour to respond to you within thirty (30) days of receipt of your written complaint (or within the timeframes required by applicable law). To the extent that we feel your complaint is complex or that we require further time to provide a substantive response, we will send you a notice to that effect.
38. You must provide all reasonable assistance to us to allow us to address your enquiry or complaint, including providing us with all appropriate and relevant information and feedback on our written request.
39. If you are not satisfied with how we have handled your complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (using the details below) if you are an Australian customer, or the relevant privacy supervisory authority in your jurisdiction if you are an EU customer:
Office of the Australian Information Commissioner
Postal: GPO Box 5218, Sydney, NSW 2001
Fax: +61 2 6123 5145
Website: https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us
40. If you wish to opt out of our marketing communications, access, correct, erase, or object to the processing of the information we hold about you, make a request relating to your personal information, or make a complaint about how we have handled your personal information, please contact us using the details below:
Privacy Officer
Email: contact@bluesana.com.au