Q&A ERP (Pty) Ltd Privacy Statement
Last Updated on 1 June 19th, 2020
PRIVACY, SECURITY AND TRANSPARENCY
Thank you for visiting the online, digital communication, telephone and face-to-face communication (non-digital) and mobile resources published by Q&A ERP (Pty) Ltd. Our privacy statement, contained in the pages that follow, serves, to give notice about the types of personal information we collect, how we use it, who we share it with and why, and what we do to try to protect it. We delve into those matters in a fair amount of detail in the pages that follow. We encourage you to read them carefully. In the meantime, we provide a quick overview below.
• What do we collect?
There are two types of information that we obtain from you online and offline, which we then store and use:
• non-personal information that’s collected automatically from each online visitor, such as your device operating system; and
• personal information that you voluntarily provide to us or that is collected automatically.
SEE SECTION BELOW FOR MORE DETAIL: WHAT PERSONAL INFORMATION DO WE COLLECT AND HOW DO WE USE IT?
• Why do we use it?
We use non-personal information to administer our online, offline and mobile resources, make them better, and to make business decisions about what programs our customers might like.
We use voluntarily provided personal information to respond to your inquiries and provide you with the services you have requested, amongst other uses as further described below. We do not sell or rent your personal information to third party data vendors or marketing companies. As you might expect, we disclose your information when required by law.
SEE SECTION BELOW FOR MORE DETAIL: Here are some of the ways you voluntarily give us your personal information and how we use it
• When do we share it?
We share personal information when needed to fulfill our legal obligations and when our vendors and business partners need it to perform under the contracts we have with them. We do not sell or rent any personal information to third party data brokers or marketing companies.
SEE SECTION BELOW FOR MORE DETAIL: WHEN/WITH WHOM DO WE SHARE PERSONAL INFORMATION?
• Your Privacy Choices and Rights
You do not have to provide personal information to enjoy most of the features of our online, offline and mobile resources. Moreover, you can opt out of certain activities like newsletters and announcements. Data subjects whose personal information was obtained while they were in the GDPR Jurisdictions have certain additional rights.
SEE SECTION BELOW FOR MORE DETAIL: YOUR RIGHTS AND OPTIONS
• Contacting Us
Questions about this highlights page or our online, offline privacy statement may be sent BY Courier (not post) to Q&A ERP (Pty) Ltd, Attn: Legal & Compliance Department, 1 Ngunis Street, Southdowns Estate, Irene, Centurion, Gauteng, South Africa or by email to firstname.lastname@example.org.
This privacy statement was amended on 1 June, 2020 and is effective as of this date. The English language version of this privacy statement is the controlling version regardless of any translation you may attempt.
NAVIGATING THROUGH THIS STATEMENT
You can use the links below to navigate to areas of this statement that apply specifically to you, or which may otherwise be of interest:
Some Important Vocabulary
Who Do We Collect Personal Information From?
What Personal Information Do We Collect and How Do We Use It?
When/With Whom Do We Share Personal Information?
Your Rights And Options
How Do We Protect Collected Personal Information?
The South African Protection of Private Information Act
The EU General Data Protection Regulation
Changes To This Privacy Statement
SOME IMPORTANT VOCABULARY
Although not itself a contract, this privacy statement is an important document that explains how we address some of our legal obligations, and your related legal rights, involving personal information, so clarity is important. We’ll use this section to let you know about some words that have special meanings whenever you see them in this statement. Let’s start with the word “statement” itself: when we reference “this statement”, “this privacy statement”, and “our statement”, we mean this Q&A ERP (Pty) Ltd online privacy statement you are reading now. Wherever we say “Q&A ERP” or “we”, “us”, or “our”, we mean Q&A ERP (Pty) Ltd We use the words “you” and “your” to mean you, the reader, and other visitors to our online and mobile resources who are, in all cases, over the age of 13. This age requirement is discussed in more detail later in this statement.
When we talk about our “online and mobile resources”, we mean all websites and other internet features we own that allow you to interact with our websites, as well apps we’ve created and distributed to let our customers and followers view our online, offline and mobile resources or otherwise interact with the content we provide. An “affinity action” is when you “follow” us, “like” us or take a similar or analogous action on our external social media presence. When we refer to “personal information”, we generally mean information that can be used to identify you or that can be easily linked to you. Thus, a fairly comprehensive list of personal information would include such things as your name, address, telephone number, email address, social security or identity number and date of birth. The privacy laws in some jurisdictions include unique elements in what they consider to be the personal information of the consumers or data subjects they protect. If those laws apply to us, as in the case of the South African Protection of Personal Information Act (POPIA) or European General Data Protection Regulation (“GDPR”), our use of the phrase “personal information” includes the unique elements required by such laws. When we reference the “GDPR Jurisdictions” we mean the countries comprised by the European Economic Area, the United Kingdom (which soon will leave the European Union), Switzerland and Japan which, having received an “adequacy decision” from the European Commission, adheres to the material terms of the GDPR.
WHO DO WE COLLECT PERSONAL INFORMATION FROM?
We collect personal information from four groups of data subjects:
• visitors to, and users of, our online and mobile resources
• off-line communication such as telephonic and face-to-face meetings
• our customers
• current members of our workforce and those who apply for posted jobs
• our third party vendors and business partners
The categories of information we collect from each of these groups, and the ways in which we use it, differs. As you may have noticed, it’s possible that the same person could fall into more than one group. For instance, someone who works for us might, on their day off, visit one of our general websites. Most of this statement addresses our processing and sharing of personal information collected from visitors to and users of our online, offline and mobile resources and our customers. The immediately following paragraphs provide a quick summary overview about everyone else.
Our Workforce and Job Applicants
We collect and retain the types of professional or employment related personal information you would expect an employer to have about its existing and former workforce and new job applicants. We provide legally required notices of collection, and describe our use and sharing of the personal information of our workforce and applicants in greater detail in confidential internal human resource manuals and documents accessible to members of our workforce, or by publication on the proprietary workforce/applicant portals and apps we operate. In some cases, such portals and apps may be operated by third parties who transfer the personal information to us. In those situations, the legal responsibility to provide notice usually rests with the third party, not us.
Vendors and Business Partners
Like all corporate enterprises, we buy goods and services, lease equipment and office space and attend industry events. In doing so, we interact with many existing and potential vendors and business partners from whom we necessarily collect certain personal information in connection with our contractual and business relationships. As with our customers, this information is typically limited to minimum business contact information. We use and share personal information collected from our vendors and business partners to manage, administer and perform under our contracts with them, or share information about our products. We describe our use of vendor and business partner personal information in greater detail in our confidential contracts with those parties or on the internal vendor management portals we operate.
WHAT PERSONAL INFORMATION DO WE COLLECT AND HOW DO WE USE IT?
Generally, we collect personal information through automated/technical means and when you voluntarily provide it to us. We describe that automatic collection below. We describe that type of voluntary submission immediately below. By using our online, offline and mobile resources or purchasing our products or services, you are signifying to us that you agree with this section of our privacy statement and that we may use and disclose your information as described.
Voluntarily Submitted Information.
If you participate in certain activities via our online, offline and mobile resources, you may be asked to provide us with information about yourself. The types of personal information we collect in those situations includes identifiers (such as your name, email address, physical address, and phone number), professional information (such as the business you are in), and financial account information (such as your credit card information).
For example, if you choose to send us an email or fill out an online form, you are voluntarily providing personal information to us. In doing so, you agree that we have a reasonable and lawful basis (such as to provide, maintain, and enhance the online, offline and mobile resources and our product and service offerings, create reports on usage of the online, offline and mobile resources, perform our contractual obligations, inform our marketing efforts, comply with law, or satisfy our legitimate business interests) on which to collect, use, and disclose that information for the purpose it is requested and for other reasonable internal business purposes. We do not sell, rent, or trade voluntarily submitted personal information with third parties.
If you don’t want us to collect this type of personal information, please don’t provide it. This means you shouldn’t participate in the activities on our online, offline and mobile resources that request or require it and you may want to communicate with us by phone or regular mail instead. Participation is strictly your choice. Not participating may limit your ability to take full advantage of the online, offline and mobile resources, but it will not affect your ability to access certain information available to the general public on the online, offline and mobile resources.
Here are some of the ways you voluntarily give us your personal information and how we use it:
• Emails and Online Forms – When you send us an email or fill out an online form, such as to contact us, your email address and any other personal information (e.g., home address or phone number) that may be in the content of your message or attached to it, are retained by us and used to respond back directly to you and to process your request. Depending on the personal information provided, communications from us may be in the form of emails, telephone calls, and/or text messages. We may also send you information about any of our products or services we think may be of interest to you.
• Registering for an Account – When you register for an account or you register your child for a sub-account, you submit personal information to us such as your name and email address (or your child’s name and email address) which we then retain. We use that information to create and manage your account and in some cases establish a password and profile to communicate with you and any sub-accounts you created via email.
• Registering for Events – When you register for events, conferences or programs we ourselves may host (rather than outsource to a third party event manager with its own privacy policies), you will be submitting the types of identifiers described above. If the event requires a fee, we may also ask you to submit credit card or other financial information. We use this information to register you for the event and send you communications regarding the event.
• Becoming a Subscriber to Our Service – If you formally become a customer of our product or service offerings, you will be required to enter into a subscription or other agreement via our related website Terms of Service. We use any information provided from our customers to perform our contractual obligations and provide the products and services purchased to them, to manage their accounts and communicate with them.
• Social Media and Community Features – Some of our online and mobile resources may offer social media-like community features letting users post messages and comments, and/or upload image or other files and materials. If you choose to make use of these features, the information you post, including your screen name and any other personal information, will be in the public domain and not covered/protected by this statement.
Automatically Collected Information.
When you visit our online, offline and mobile resources, basic information is passively collected through your web browser via use of tracking technologies, such as a “cookie” which is a small text file that is downloaded onto your computer or mobile device when you access the online, offline and mobile resources. It allows us to recognize your computer or mobile device and store some information about your preferences or past actions. Additional information about cookies and tracking technologies is available in this policy document.
The internet activity information collected through cookies and other similar means includes such things as:
• the domain name and IP address from which you accessed our online, offline and mobile resources;
• the type of browser and operating system you use;
• the date and time and length of your visit;
• the specific page visited, graphics viewed and any documents downloaded;
• the specific links to other sites you accessed from our online, offline and mobile resources; and
• the specific links from other sites you used to access our online, offline and mobile resources.
Additionally, if you access our online, offline and mobile resources from a phone or other mobile device the mobile services provider may transmit to us uniquely identifiable mobile device information which allows us to then collect mobile phone numbers and associate them with the mobile device identification information. Some mobile phone vendors also operate systems that pinpoint the physical location of devices and we may receive this information as well if location services are enabled on your device. If you do not want us to collect and use geolocation data, disable location services through your device settings.
Regardless, we use both automatically collected information and mobile device information to compile generic reports about popular pages on our online, offline and mobile resources, and to see how our customers and followers are accessing our online, offline and mobile resources. We then use that data to administer the online, offline and mobile resources and make them better, make your activities more convenient and efficient and to enhance the functionality of our online, offline and mobile resources, such as by remembering certain of your information in order to save you time.
We use and retain your personal information in accordance with applicable law and as long as necessary to carry out the purposes described above in accordance with our internal data retention procedures.
User Beware: External Sites, Apps, Links and Social Media.
We maintain a presence on one or more external social media platforms such as Twitter, Facebook, YouTube and LinkedIn. We may further allow the community features of our online and mobile resources to connect with, or be viewable from, that external social media presence. Similarly, our online and mobile resources may contain links to other websites or apps controlled by third parties.
WHEN/WITH WHOM DO WE SHARE PERSONAL INFORMATION?
In addition to those third parties set forth above, we may share your information, including personal information, with our corporate affiliates who will use such information in the same way as we can under this privacy statement.
Legally Compelled Disclosures.
We may disclose your information, including personal information, to government authorities, and to other third parties when compelled to do so by such government authorities, or at our discretion or otherwise as required or permitted by law, including but not limited to responding to court orders and subpoenas.
To Prevent Harm.
We may disclose your information, including personal information, when we have reason to believe that someone is causing injury to or interference with our rights or property, other users of the online, offline and mobile resources, or anyone else that could be harmed by such activities.
If Q&A ERP or its affiliates, or substantially all of its or their assets, are acquired by one or more third parties as a result of an acquisition, merger, sale, reorganization, consolidation, or liquidation, personal information may be one of the transferred assets.
Vendors and Business Partners.
We may share your information, including personal information, with our vendors and other third parties with whom we have a contractual relationship. Examples of the categories of third parties with whom we share your information with and why include the vendors from whom we obtain technology and infrastructure services to host our online, offline and mobile resources, perform credit card processing, API integration, and data analytics services. We may also share your information, including personal information, with vendors who provide third party software services that you have chosen to assist you with your sales funnels. We do our best to disclose only the information each of those parties need.
As part of our Security Program, we have adopted standards for those vendors and business partners who receive personal information from us. We attempt to bind such vendors and business partners to those standards via written contracts. Such standards include expectations that when we share personal information with our vendors and business partners, they will comply with all applicable privacy and data security laws and regulations and our Security Program, and will contractually require and cause their subcontractors and agents to do the same. We further attempt to contractually restrict what our vendors and business partners can do with the personal information we provide to them such that it:
• is used only to the extent necessary to carry out the business purpose for which it was provided
• is not disclosed to anyone else without our consent or under our instruction
• remains, as between us and the applicable vendor or business partner, our property
• is not transferred out of the South Africa or the EU without our consent
Please note, however, that we cannot guarantee that all of our vendors and business partners will agree to these contractual requirements; nor can we ensure that, even when they do agree, they will always fully comply.
YOUR RIGHTS AND OPTIONS
If we are using personal information you provided to us in order to enable us to send you materials, such as newsletters or product alerts [via text or email], and you decide you don’t want to receive such materials, you may opt out by following the opt-out instructions in the email or other communication (e.g., by responding to the text with “STOP”), or by contacting us using the contact information below. When we receive your request, we will take reasonable steps to remove your name from our distribution lists. You need to understand it may take a period of time to remove your name from our lists after your request and due to such latency you may still receive materials for a period of time after you opt out. In addition to opting out, you have the ability to access, amend, and delete your personal information by contacting us using the contact information below.
Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not specifically respond to browser “do not track” signals.
South African and European law imposes special restrictions and obligations on commercial website operators who direct their operations toward, and collect and use information from, children under the age of 13 and under 16. We take those age-related requirements very seriously, and consistent with it do not intend for our online, offline and mobile resources to be used by children under the age of 16 without first obtaining the verifiable consent of such child’s parent or legal guardian. Moreover, we do not knowingly collect personal information from minors under the age of 13, only a parent or legal guardian may provide such information after adhering to our verification process for submitting such information via the online, offline and mobile resources. If we become aware that anyone under the age of 18 has submitted personal information to our online, offline and mobile resources, we will delete that information and will not use it for any purpose whatsoever. If you believe that someone under the age of 18 has submitted personal information to our online, offline and mobile resources, please contact us at email@example.com. We encourage parents and legal guardians to talk with their children about the potential risks of providing personal information over the Internet.
HOW DO WE PROTECT COLLECTED PERSONAL INFORMATION?
Our Data Security Program
We will take all reasonable security precautions to protect your personal information provided to our online, offline and mobile resources. We have adopted, implemented and maintain an enterprise-wide corporate information security program that includes technical, organizational, administrative, and other security measures designed to protect, in a manner consistent with accepted industry standards and applicable law, against anticipated or actual threats to the security of personal information (the “Security Program”). We cannot, however, guarantee that your information, whether during transmission or while stored on our systems or otherwise in our care, will be free from unauthorized access or that loss, misuse, destruction, or alteration will not occur. Except for our duty to maintain the Security Program under applicable law, we disclaim any other liability for any such theft or loss of, unauthorized access or damage to, or interception of any data or communications including personal information. We have every reason to believe our Security Program is reasonable and appropriate for our business and the nature of foreseeable risks to the personal information we collect. We further periodically review and update our Security Program, including as required by applicable law.
Our Incident Response and Management Plan
Despite the significant investment we’ve made in, and our commitment to, the Security Program including enforcement of our third party oversight procedures, we cannot guarantee that your personal information, whether during transmission or while stored on our systems, otherwise in our care, or the care of our vendors and business partners, will be free from either failed or successful attempts at unauthorized access or that loss or accidental destruction will never occur. Except for our duty under applicable law to maintain the Security Program, we necessarily disclaim, to the maximum extent the law allows, any other liability for any such theft or loss of, unauthorized access or damage to, or interception of any data or communications including personal information.
All that said, as part of our Security Program, we have specific incident response and management procedures that are activated whenever we become aware that your personal information was likely to have been compromised. Those procedures include mechanisms to provide, when circumstances and/or our legal obligations warrant, notice to all affected data subjects within the timeframes required by law, as well as to give them such other mitigation and protection services (such as the credit monitoring and ID theft insurance) as may be required by applicable law. We further require, as part of our vendor and business partner oversight procedures, that such parties notify us immediately if they have any reason to believe that an incident adversely affecting personal information we provided to them has occurred.
THE SOUTH AFRICAN PROTECTION OF PRIVATE INFORMATION ACT
When we collect personal information from South African residents, we become subject to, and those residents have rights under, the South African Protection of Private Information Act or “POPIA”. This section of our statement is used to allow us to fulfill our POPIA obligations and explain your POPIA rights. For purposes of this section, the words “you” and “your” mean only such South African residents.
The purpose of the South African POPI Act is to—
(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
(i) balancing the right to privacy against other rights, particularly the right of access to information; and
(ii) protecting important interests, including the free flow of information within the Republic and across international borders;
(b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
(c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
(d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.
What did we collect from South African Residents?
We collected the following categories of personal information within the last 12 months:
• identifiers such as name, address, IP address, and other similar identifiers
• personal information described in in the POPIA (South African) such as a name, address, telephone number
• commercial information such as products or services purchased
• internet/electronic activity such as browsing history and search history
• geolocation data including geographic coordinates/physical location
• audio, video, electronic or other similar information
We may have disclosed this information for one or more business purposes permitted by the POPIA. Please re-review this part of this privacy statement to understand the scope of purposes and the sources from which we collect it. Similarly, we urge you to re-read this part of this statement where we describe the categories of third parties with which we may share your personal information and why. We do not sell, and within the last 12 months have not sold, personal information to third parties.
Rights of South African Residents
You have the following rights under the POPIA. It’s important to us that you know that if you exercise these rights, we will not “discriminate” against you by treating you differently from other South African residents who use our sites and mobile resources or purchase our services but did not exercise their rights.
• Disclosure – the right to request that we disclose to you, specifically beyond the general statement immediately above, the categories and specific elements of personal information collected including the source of the information, our use of it and, if the information was disclosed or sold to third parties, the categories so disclosed or sold as well as the categories of third party who received or purchased it.
• Access – the right to receive a copy of the categories and specific elements of personal information we collected about you in the preceding 12 months.
• Delete – the right to request that we delete the personal information we collected about you under certain circumstances.
You can exercise these rights up to two different times every 12 months. To do so, just contact us at firstname.lastname@example.org or +27827804088. We may ask you to fill out a request form. The POPIA only allows us to act on your request if we can verify your identity or your authority to make the request so you will also need to follow our instructions for identity verification.
If you make a verifiable request per the above, we will confirm our receipt and respond in the time frames prescribed by the POPIA.
THE EU GENERAL DATA PROTECTION REGULATION
We do collect or otherwise obtain personal information from data subjects located in the GDPR Jurisdictions. When we do so, we become subject to, and those data subjects have rights under, the GDPR. We fulfill our GDPR obligations with respect to our workforce/job applicants, our customers (and their own end-clients), and our vendors and business partners through a series of separate notices, contracts or other terms provided to them at the time, and in the manner and form, GDPR and local law within each GDPR Jurisdiction requires.
We describe, in the immediately following section of this statement, how we comply with the GDPR for personal information collected from visitors to and users of our online, offline and mobile resources while they were in a GDPR Jurisdiction. Thus for purposes of that section, the words “you” and “your” mean only such GDPR Jurisdiction-based visitors and users.
What do we collect from you in the GDPR Jurisdictions and how do we use it?
We collect from you the categories of personal information already described here. The lawful basis on which we rely for such collection, later use and disclosure, is what the GDPR refers to as legitimate interest. We urge you to re-read this part of our statement where we describe how we use your personal information and our legitimate interests as described in that part of our statement, as well as for fraud prevention and similar security related activities. We urge you to also re-read this part where we describe the categories of third parties with whom we may have shared it. As stated elsewhere in this statement, we do not sell, any of your personal information to third parties nor do we use it for automated decision making.
Cross-border Data Transfers and Third Party Processors
If we transfer personal information from the GDPR Jurisdictions to a location that has not been deemed by the European Commission to have adequate privacy protections, we do so in the manner the GDPR permits.
Rights of Data Subjects in the GDPR Jurisdictions
While we attempt to allow all visitors and users of our online, offline and mobile resources to exercise a degree of control over their personal information, under the GDPR we have a legal obligation to do so for you. More specifically, with respect to personal information collected from you while you were in a GDPR Jurisdiction, you have the below-listed rights:
• Transparency – you have the right to ask us to explain the contents of this statement and the notices it provides. You also have the right to ask us whether we have collected any personal information about you. If we have, you then have these additional rights:
• Access – you have the right to access the personal information we’ve collected about you.
• Correction and Deletion – you have the right, under certain circumstances, to request that we correct inaccuracies, remedy incompleteness, and/or delete the personal information we collected about you.
• Portability – you have the right, under certain circumstances, to request a copy of the personal information we have and receive that copy in a GDPR-prescribed form that permits portability either for yourself, or by asking us to send it to another controller.
• Who, What, Why and Where – you have the right to request that we tell you, specifically, beyond the general statement immediately above
• what categories of personal information we have about you and whether it was collected directly or via another source
• why we collected it and use it including whether we use it for automated decision making
• who we disclose or transfer it to
• where they are located, if outside the GDPR Jurisdictions, and
• how long we plan to store it and how we decide whether to delete it
• Restriction and Objection – you have the right, under certain circumstances, to restrict us from engaging in some types of further processing of your personal information, as well as to object, at any time, to profiling, direct marketing or other uses of your personal information if we have stated our right to undertake those uses is based on “public interest” or legitimate business interests.
If you would like to exercise any of these rights, please contact email@example.com. Your ability to exercise these rights is subject to certain conditions and exemptions that you can read about in Articles 12 through 23 of the GDPR. Among those conditions is our right to decline part or all of a request if we cannot satisfy our reasonable doubts and concerns about your identity in a manner that helps us minimize the risk that unauthorized persons might use a GDPR right to access your personal information. We will respond to all requests without undue delay, and in accordance with the time frames, if any, prescribed by the GDPR. If you are not satisfied with how we use your personal information or respond to your requests, you have the right to complain to your data protection regulator. Contact information for the EU data protection regulators can be found https://webgate.ec.europa.eu/cas/.
CHANGES TO THIS PRIVACY STATEMENT
We reserve the right to change or update this statement from time to time. Please check our online, offline and mobile resources periodically for such changes since all information collected is subject to the statement in place at that time. Typically, we will indicate the effective/amendment date at the beginning of this statement. If we feel it is appropriate, or if the law requires, we’ll also provide a summary of changes we’ve made near the end of the new statement.
If you have questions about our privacy statement or privacy practices, please courier your post/written documents to us at:
Q&A ERP (Pty) Ltd
Attn: Legal & Compliance Department
1 Ngunis Street, Southdowns Estate, Irene, Centurion