Effective: 9 December 2020

Last updated: 9 August 2024

In this Privacy Policy, “we”, “us” and “our” refer to Expense Check Pty Ltd ABN 34 163 634 946 (trading as Kanopi Cover) (Kanopi). We are committed to protecting your privacy and we understand that the Kanopi website and Kanopi integrations (together the Platform) that we operate depends on the privacy of the personal information that we collect, use, disclose and otherwise process. This Privacy Policy explains how we collect, use, store, disclose and otherwise handle personal information.

When you provide personal information to us or you access and use the Platform (including via the apps we publish) you are deemed to consent to our collection, use and disclosure of your personal information in accordance with this Privacy Policy and any other arrangements that apply between us and you.

We reserve the right (at our discretion) to modify or replace this Privacy Policy from time to time. When we do so, we will make the Policy (as modified or replaced) available on the Platform and on our website. While we will use reasonable endeavours to notify you of any changes to our Privacy Policy, we recommend that you check the Platform and our website periodically to ensure that you are aware of our current Privacy Policy and the approach we take to managing your personal information.

While we ensure that the Privacy Policy is accessible via our website and via the Platform, we will make a copy of this Privacy Policy available to you free of charge on request.

What personal information do we collect?

For the purpose of this Privacy Policy, “personal information” is information or an opinion that identifies an individual or that could reasonably identify the individual, regardless of whether the information or opinion is in a material form or not. The nature of the personal information we collect may vary from individual to individual. However, we may collect (in general terms) the following types of personal information:

• identity information, such as your full name and your date and place of birth;
• contact information, such as your email address, telephone or mobile phone number, mail or street address (including, if applicable, your business address), and other information that may be used to contact you;
• details of your employer;
• financial information (including bank account details);
• property information (to the extent such information can identify you);
• geolocation and computer-generated information, such as your device ID, device type, computer and connection information, statistics on page views, traffic to and from the Platform, IP address and standard web log information;
• details of the products and services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and services to you and to respond to your enquiries;
• other information that we are required or authorised to collect in relation to assist us and organisations to comply with their legal requirements under applicable anti-money laundering and counter-terrorism laws;
• any additional information relating to you or about you that you have provided to us through the Platform or otherwise in any interaction that you have with us or with any of our employees or authorised representatives;
• any additional information relating to you that you provide to us directly through our website, the Platform or any apps that we release; and/or
• information that you provide to us through customer surveys and via other means not expressly set out above.

In addition to the foregoing information, we may also collect information about your financial position, credit history or other types of credit-related information about you, including:

• credit information about you;
• credit eligibility information about you, including information relating to credit worthiness;
• personal information which we may derive from the credit information collected about you; and/or
• certain credit-related information about you. 

The nature and amount of the information may vary from time to time, but may include some or all of the information summarised above, together with information about your financial position and employment details, together with credit worthiness information about you, and other information that we may obtain from credit reporting bodies in a credit report.

We may also collect information about you when you visit our website or access our Platform, including details of the IP address from which you accessed our website or the Platform, the date and time of access, and any third party website from which you linked to our website or the Platform. We may also collect statistics on page views, traffic to and from our website and Platform, and other transactional information about your access to our website, Platform and the online services that we supply or make available to you.

Can you deal with us on an anonymous or pseudonymous basis?

In accordance with Australia’s privacy laws, where it is lawful and reasonable to do so, you have the right to deal with us on an anonymous or pseudonymous basis. This means that you do not need to provide us with personal information if and when that information is requested. Subject to the following, we will give you the option of not identifying yourself to us, or using a pseudonym, in dealing with us.

However, if you choose to interact with us on an anonymous or pseudonymous basis, or you do not submit your personal information to us when we request the information, we may not be able to provide you with the products or services that you request. In particular, you may not be able to access the Platform or use our services without providing us the person information that we request you provide.

Further, we reserve the right to request your identity from you in certain circumstances, and to verify your identity if we consider that it is appropriate or reasonable for us to do so. For example, when you request that we give you access to or that we correct personal information that we hold about you, or when you inform us that you wish to make a complaint regarding the manner in which your personal information has been handled, we reserve the right to request your identity and contact details in order to deal with your request and to respond to your complaint.

If you do not wish to have your personal information used or disclosed in a manner described in this Privacy Policy, please contact us. However, you may be unable to access or use all or any part of our website or the Platform. Further, we may still use or disclose your personal information if:

• we subsequently notify you of the intended use or disclosure and you do not object to our use or disclosure of the personal information in the manner we describe in our notice to you;
• we believe that the use or disclosure is reasonably necessary to assist a law enforcement agency or an agency responsible for government or public security in the performance of their function;
• to enforce our contracts and agreements, and to protect our rights;
• the protect the users of our website, the Platform and our services; or
• we believe that we are required or authorised by law to use or to disclose the information.

How do we collect personal information?

We collect personal information only through lawful and fair means. Generally, we will collect personal information about you from you directly, or via the third-party service through which you were referred to us. However, there may be situations where we collect information about you from other sources or third parties, including other users of our Platform and services.

We may collect personal information when you:

• register or are registered on our website or our Platform;
• communicate with us through correspondence, chats, email or when you share information with us from other social applications, services or websites;
• directly contact us in the course of us making the Platform available to you or in the course of us providing services to you or to any entity associated with you (such as your employer);
• interact with our website, our Platform, our services, content and advertising;
• apply for a job with us; or
• invest in our business or enquire as to a potential purchase in our business.

We may also collect personal information about you from current and prospective suppliers of goods and/or services to us.

In addition, when you apply for a job or a position with us, we may collect information from you (including your name, your contact details, your work history and a relevant records check) from any recruitment consultant, your previous employers and others who may be able to provide information to us to assist in our decision on whether to make you an offer of employment or to engage you under a contract. If you are unsuccessful in your current application, we reserve the right to retain your application on file and we may take your application (and the information in your application) into account for future employment opportunities with us. This Privacy Policy does not apply to acts and practices in relation to employee records of our current and former employees, which are exempt from the Privacy Act 1988 (Cth).

We may also obtain personal information about you from other people or organisations, such as our alliance partners, service providers, agents, advisors, brokers or employers. We may need to collect credit information about you, such as a credit report, to facilitate our provision of services to you.

We may also collect information about you from publicly available sources of information, including (for example) registers maintained by the Australian Securities & Investments Commission and the Australian Business Register.

How do we handle information received on an unsolicited basis?

Generally, we only collect personal information when we specifically request the information or when we take active steps to collect that information. However, from time to time, personal information may be volunteered to us without us requesting the information or taking steps to collect the information. For example, we may receive personal information about an individual when we receive misdirected mail or emails or when someone applies for a job with us on his/her initiative and not in response to an advertised vacancy.

Where we receive information on an unsolicited basis, in accordance with our statutory obligations, we will determine whether we could lawfully have collected the information if we had requested the information or otherwise taken active steps to collect the information. If we determine that we could not have lawfully collected the information had we requested the information or otherwise taken active steps to collect the information, then (unless we are required or authorised by law to retain the information in question) we will take reasonable steps to destroy or to de-identify that unsolicited information.

Why do we collect, use and disclose personal information?

We only use and disclose personal information for the primary purpose(s) for which we collected the information, any secondary purpose related to the primary purpose for which you would reasonably expect us to use or disclose that information, and as otherwise permitted or required by law. We collect, use, and disclose your personal information only where we have a legal basis to do so. The legal grounds for processing your personal information may include your consent, the fulfilment of a contract with you or your organisation, compliance with our legal obligations, or our legitimate interests in operating and improving our services, provided these interests are not overridden by your rights and interests.

We will use the personal information we collect from you for the purpose of providing our products and/or services to you or to your organisation or employer. Additionally, we may use and disclose your personal information for any one or more of the following purposes:

• to enable you to access and to use our website and our Platform;
• to operate, protect and improve our services and the experience of our users, including by performing analytics on the use of our website and our Platform;
• on our own behalf and on behalf of our partners, we may use your personal information in a de-identified and aggregated manner to conduct research on how the Platform is used, and to enable our customers to conduct research on how the Platform is used in relation to products and/or services;
• for identity verification purposes;
• if we are providing you (or an entity related to you) with credit, to assess your credit worthiness (or the credit worthiness of your related entity receiving the credit), ongoing management and control of your credit arrangement, debt recovery purposes, and to register any security interest which you may grant to us;
• to send you service, support and administrative messages, reminders, technical notices, updates, security alerts and information in response to your requests;
• to send you marketing and promotional messages and other information in respect of our products or services (including our website and Platform) that we consider may be of interest to you;
• to comply with our legal and statutory obligations, resolve any disputes that we may have with any of our users or customers, and to enforce our contracts with third parties or with you or your organisation;
• to comply with our obligations owed to a third party under a contract entered into with the third party;
• to monitor access to our website, the Platform and the products and services we supply;
• to process transactions and to administer accounts (including by processing of invoices, bills, statements of account and related financial matters necessary to enable us to provide the Platform, and associated products and services, to you or to your organisation under relevant contractual arrangements;
• to address queries and to resolve complaints;
• for quality assurance purposes, including to improve the quality of the Platform, as well as the products and services that we provide;
• to maintain a safe working environment for our staff and contractors (and their personnel); and
• to consider your application for employment with us.

We may use and disclose personal information to generate aggregated statistical data for the purpose of monitoring the use of our website, the Platform and our services, including for quality assurance and research purposes (including in order to assess trends in the use of the Platform). We will take reasonable steps to ensure that such information used and disclosed for this purpose is de-identified and aggregated, so that the statistical data and reports cannot be used to identify any particular individual.

Periodically, we may send emails or other communications containing marketing materials or promotions of our products and services (including the Platform) or otherwise directly market our products and services to you on the basis that you would reasonably expect us to do so, where we have collected your personal information from you already. Where we collect personal information about you from a third party, then we will not use that personal information to directly market to you without your consent. By your use of our website, you consent to us doing so. Please note that by accessing or using our Platform, you are deemed to consent to our use of your personal information for direct marketing purposes, subject to the following.

If you no longer wish to receive marketing communications from us, you may unsubscribe at any time by using the unsubscribe facility that we include with every marketing communication or by contacting us using the contact information specified below. We will action your removal request as soon as practicable. There is no charge payable by you to us for removing you from our mailing list.

To whom do we disclose your personal information?

We may disclose your personal information to third parties, but only on an as-needs basis and in order to fulfil one or more of the purposes for which the information was collected, any secondary purpose related to the primary purpose of collection or otherwise as required or authorised by law. We may disclose personal information for the purposes described in this Privacy Policy to:

• our directors, officers, employees and related bodies corporate;
• third party agents, contractors, suppliers and service providers, in order to enable them to supply goods or services to us or on our behalf, or to assist us in providing our goods and services to our clients and stakeholders;
• our professional advisers, insurers and auditors;
• governmental and regulatory authorities, including law enforcement, where we have a good faith belief that we are required by law to disclose personal information in response to a request or demand for information, or in order to satisfy a legal requirement imposed on us (or any of our service providers) to disclose information (in this situation, we will limit the disclosure of the information to minimise the amount of information disclosed to a government or regulatory authority);
• our business partners and investors, as well as to prospective partners and investors;
• other persons in the trade with whom you may have had dealings for the purposes of assisting us in assessing your credit worthiness;
• anyone to whom our assets or business (or any part of them) are transferred or anyone who is conducting due diligence on our assets or businesses (or any part of them) with a view to acquiring such assets or businesses (or any part of them); and
• third parties where you consent to the use or disclosure.

As at the effective date of this Privacy Policy, we may disclose your personal information to recipients located outside Australia, including but not limited to the Netherlands. When we transfer your personal information to an overseas recipient, we will take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information. This includes entering into binding agreements with the recipient to maintain the security and confidentiality of your personal information. By providing us with your personal information, you consent to such transfers and acknowledge that, in some cases, the recipient may not be subject to the same legal standards that apply in Australia. You understand and acknowledge that if you consent to our disclosure of your personal information to the recipient, we would not be responsible for the disclosed information and you cannot seek redress against us for our disclosure to the recipient. By providing us with your personal information, you consent and agree to our disclosure of personal information to the selected recipients located outside Australia.

Further, you acknowledge and agree that our website and our Platform (and the personal information contained on the website and Platform) may be hosted on servers (including servers offered through third party service providers under contract to us) that are located in jurisdiction(s) outside Australia. Where we enter into any contract with a service provider to host our data, website and/or our Platform on our behalf, we will use our reasonable endeavours to ensure that the contract reserves for us the right to control access to the personal information hosted and to avoid the need for the service provider to access the information it hosts for us.

If you communicate with us via email or through a social network service such as Facebook or Twitter, the email or the message may be routed through servers that are located outside Australia and, in relation to a message sent through Facebook or Twitter, the social network provider and its partners could collect, hold and process your personal information in jurisdiction(s) outside Australia.

What happens in case of a data breach?

We take the security of your personal information seriously. In the event of a data breach that is likely to result in serious harm to you or other individuals, we will promptly notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches (NDB) scheme under the Privacy Amendment (Notifiable Data Breaches) Act 2017. Our notification will include the nature of the breach, the types of information involved, and the steps we have taken or plan to take to address the breach, as well as any steps you can take to mitigate potential harm.

Disclosure to credit reporting bodies

We may disclose your personal information with certain Australian credit reporting bodies (CRBs). Information disclosed to CRBs will be held by each CRB on its system accessed by the customers of the credit reporting database and used to provide its credit reporting services (including the maintenance of credit information files and supplying the information to other customers of the relevant CRB). You can obtain copies of each CRB’s privacy policy which deals with how they may use your personal information from their website. The CRBs to which we may disclose your personal information are as follows:

• Veda Advantage Ltd – (www.veda.com.au);
• Dun & Bradstreet (Australia) Pty Ltd – (www.dnb.com.au); and
• Experian –  (www.experian.com.au).

If you fail to make a payment obligation to us as and when the obligation is due, we may disclose details of such events to CRBs. A CRB may use such information (and other personal information provided to them by us) in reports given to other credit providers to help assess your credit worthiness. You may have certain rights to request that CRBs do not use credit reporting information about you if you believe on reasonable grounds that you have been or are likely to be a victim of fraud.

Our use of cookies

We may use cookies and similar technologies to enhance your experience on our website and Platform. Cookies are small data files stored on your device that help us remember your preferences and track your interactions with our services. You can manage or disable cookies through your browser settings; however, please note that some features of our website or Platform may not function properly if cookies are disabled. We may also use third-party analytics and advertising services that use cookies and similar technologies to collect information about your online activities across different websites and services.

Security of your personal information

We take reasonable steps to ensure that your personal information is stored in a manner that reasonably protects it from misuse and loss and from unauthorised access, use or disclosure. However, you agree that no data transmission over the internet or mobile data and communication services can be guaranteed as being totally secure. 

When we no longer need your personal information for the purpose(s) for which we collected the information, we will take reasonable steps to destroy or to permanently de-identify your information, unless we are required by law to keep your personal information for a longer period.

Access to your personal information

You have the right to request access to the personal information we hold about you and to request that we correct any inaccuracies. To make a request, please contact us in writing using the details provided below. We will respond to your request within a reasonable time frame and will take reasonable steps to provide you with access in the manner you request. We do not charge a fee for processing your request for access, but we may charge a fee to cover the costs of providing copies of your personal information. If we refuse your request for access or correction, we will provide you with a written explanation of our reasons.

To protect your personal information, we reserve the right to ask that you verify your identity before we release the information to you. Further, to the maximum extent permitted by law, we reserve the right to redact information we make available in response to your request, in order to protect the privacy of other individuals.

In some circumstances, we may refuse your request in certain situations including (but not limited to) where:

• giving access would unreasonably impact on the privacy of others;
• the information relates to existing or anticipated legal proceedings, and the information would not be discoverable in those proceedings;
• giving access would be unlawful;
• denying access is otherwise required or authorised by law; or
• the request for access is frivolous or vexatious.

If we refuse to provide you with access to, or we refuse to correct your personal information, we will provide you with a written explanation of our reasons.

Maintaining the quality of your personal information

We will take reasonable steps to ensure that your personal information is accurate, complete and up-to-date. However, the accuracy of the information we hold depends largely on the accuracy of the information you supply to us. If you consider that the information we hold is not up to date or is inaccurate, please advise us as soon as practicable and we will take reasonable steps to correct the information. Where we collect certain credit information, we will notify any third party with which we have disclosed the information. In respect of information other than credit information, we will only notify a third party if you request that we do so.

Complaints and Enquiries

If you have any queries or complaints about the Privacy Policy or how we handle your personal information, please contact our Privacy Officer via privacy@kanopicover.com 

We will acknowledge receipt of your complaint and will endeavour to respond within a reasonable time following our receipt of your complaint (generally 30 days from our receipt). Where dealing with your complaint requires a more detailed investigation, it may take longer to resolve. If this is the case, we will update you periodically on progress.

We reserve the right to verify your identity and to seek (where appropriate) further information from you in connection with the complaint. We may also seek information regarding the complaint from third parties, subject to our obligations regarding the privacy of personal information.

Where we are required by law to do so, we will acknowledge your complaint in writing and provide information in writing to you on how we will deal with your complaint. Further, if we are required by law to do so, we will provide our determination on your complaint to you in writing. We reserve the right to refuse to investigate and otherwise deal with a complaint, if we consider it to be vexatious or frivolous. Where we determine not to investigate or deal with your complaint, we will notify you in writing, including the reasons why we will not investigate or deal with your complaint.

If you are dissatisfied with the outcome of your complaint, you may escalate the complaint to the Office of the Australian Information Commissioner.