I'm In The Right - Privacy Policy

PRIVACY POLICY

1. About I'm in the Right

1.1. This Privacy Policy describes how Reliance (Aus) Pty Ltd trading as I'm in the Right ABN 55 162 611 994 of Suite 4, Level 5, 3 Thomas Holt Drive, Macquarie Park New South Wales 2113 (IITR, we, us, our) manages personal information. It was last updated on 02/05/2021. We may amend this Privacy Policy from time to time.

1.2. We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (APP(s)) and the General Data Protection Regulation 2016/679 (EU) (GDPR). If we decide to change this Privacy Policy, we will post the updated version on this webpage. Our policy is to be open and transparent about our privacy practices. We encourage our customers to familiarise themselves with this Privacy Policy to understand how and when we collect, hold, use, sell, transfer, disclose and otherwise process personal information about them.

1.3. We help individuals who have been involved in motor vehicle accidents (who are not at fault) by hiring them a replacement vehicle to use until their vehicles are repaired or they receive a total loss payout (if the vehicle is a total loss). We then arrange for the hire cost to be recovered from the insurer of the party at fault, so they do not have to pay anything out-of-pocket (other than for certain things such as fuel and tolls). We also provide individuals with accident management support, including by organising the towing of their damaged vehicles, arranging transport from the accident scene, helping them to choose a suitable repairer, supporting them through the insurance claim process, managing the repair of their vehicles or assisting with their total loss claims, and helping them to obtain advice from a personal injury lawyer if they are injured. We own and operate a platform known as "I'm in the right" located at https://www.imintheright.com.au (the IITR Platform) that we use to advertise our services and through which people involved in motor vehicle accidents may apply to become IITR customers.

1.4. We provide the following services to our customers:

  • Hiring replacement motor vehicles owned, maintained and operated by IITR or third party car rental or fleet companies to customers;
  • Cost recovery services to assist our customers to recover hire costs and other losses from the party at fault or their insurer;
  • Hiring out or leasing motor vehicles to customers;
  • Accident management services including:
    • Towing services for the supply of tow truck drivers to our customers;
    • Transport services by arranging transport for customers from the accident scene;
    • Claim support services by providing advice and assistance to customers with the insurance claim process, including help with total loss claims;
    • Repair management services by helping customers choose a suitable repairer and managing the repair of their vehicles;
    • Helping customers obtain advice from a lawyer about their rights if they are injured; and
  • Fleet management services for the purchase, leasing and sale of motor vehicles owned, maintained and operated by IITR,

(together, our Services).

2. The types of personal information we collect and hold about our customers

2.1. If you are an individual applying to become an IITR customer, you will be directed to our Collection Notice. The Collection Notice includes a brief summary of our privacy practices and other information set out in this Privacy Policy. You must consent to our collection, use, processing and/or disclosure of your personal information to access and/or use our Services. The Collection Notice notifies our customers of (among other things) the circumstances under which we collect their personal information, the purpose for the collection and the likelihood that we will disclose their personal information to overseas recipients. A copy of the Collection Notice is available at the following URL: https://www.imintheright.com.au/collection-notice

2.2. We collect the following types of personal information:

  • Our customers: The types of personal information collected from our customers are limited to first and last names, date of birth, email and postal addresses, phone numbers and other contact information, vehicle specifications, vehicle registration information, usage and ownership information, insurance information, motor vehicle accident details including images, videos, voice recording and other details, car plate numbers, location information from telematics in IITR vehicles, drivers licence information, membership number assigned by IITR, country of residency, billing information, health information, employment information, credit card details and any other information that you provide to us in order for us to supply you with our Services. Credit card details are not stored by us and are held by our payment gateway provider, Stripe. IITR validates a customer's credit card by charging and reversing out an amount of $1.00.
  • Other individuals: The types of personal information collected about third parties (such as additional drivers who will be using the replacement vehicles supplied by IITR or its contractors, at fault parties in a motor vehicle accident, passengers in the customer's vehicle and witnesses to the relevant motor vehicle accident) may include first and last names, date of birth, email and postal addresses, drivers licence, car plate numbers, panel beater, mechanic and motor vehicle repairer information, vehicle repair information, vehicle registration, usage and ownership specifications, phone numbers and other contact information, insurance information and other vehicle information that we receive from our customers.
  • Information required for the support, maintenance and security of the IITR Platform: In order to support and maintain our IITR Platform and each part thereof, we collect and process user information including IP addresses, email addresses, network information, user access logs, usernames, passwords, statistical data and information included by our customers in technical support tickets, telephone calls to the IITR support team and error messages. We also collect the DNS location of any inbound traffic to ensure that inbound traffic from locations that should not be accessing the IITR Platform is restricted.

3. How we collect personal information

3.1. Our policy is to not collect personal information by means that are unfair or unreasonably intrusive in the circumstances.

3.2. We collect personal information about our customers in one or more of the following ways:

  • when our customers enter personal information into the IITR Platform;
  • when our customers provide personal information to us by letter, telephone, email and/or SMS;
  • when it is provided to us by insurers and our referrers and partners such as motor vehicle repairers, towing companies, motor vehicle dealerships, insurers, law firms, insurance brokers, lead generation companies, call centres, marketing companies (including offshore marketing companies) and other accident management companies;
  • when we conduct public searches via Google, Facebook and other social networks to determine the identity of our customers and other parties involved in the motor vehicle accident; and/or
  • when it is voluntarily disclosed to us during our provision of technical support or to answer any enquiries and/or in correspondence (such as via telephone, surveys, e-mail and online forms or support tickets).

4. How we use personal information

4.1. We use personal information in the following ways:

Category: Personal information about our customers

How we use and process that personal information:

  • As required to provide our Services to our customers (including for example as required to process claims with insurers, to communicate with vehicle hire companies and repairers in connection with motor vehicle accidents).
  • In order to store personal information in databases and systems in our hosting environments at third party data centres.
  • To support and manage our customers' use of our Services.
  • Backing up and restoring data that includes personal information.
  • When conducting research and development of the IITR Platform and Services.
  • To communicate with existing and potential customers about the use of our Services and to market new services and products to them.
  • To handle complaints.
  • To send newsletters and other communications to our customers concerning our IITR Platform and Services.
  • To carry out security audits, investigate security incidents and implement security processes and procedures that require access to personal information.
  • To issue bills and invoices to our customers and to enforce the payment obligations of our customers to pay our fees.
  • We sell personal information to third parties in our absolute discretion.

Our reason for collecting the personal information:

  • Performance of our contracts with our customers.
  • Required to identify customers and to identify persons who wish to exercise their rights under privacy law to access, correct their personal information or to exercise their other rights with respect to their personal information.
  • Necessary for our legitimate interests (in order to operate and grow our business, to allow our customers to operate the IITR Platform, to enable us to operate our IT systems and networks, to manage our hosting environments and to ensure the successful delivery of our services).
  • To comply with our legal and statutory obligations.
  • Required in order to determine which privacy law applies to the individual.
  • Necessary for our internal business purposes such as for billing and invoicing purposes.
  • We sell personal information for a profit. At the time of applying to become an IITR customer, customers are required to complete our Collection Notice under which they consent to our sale of their personal information and our use and/or disclosure of their personal information.

Category: Personal information about third parties (passengers, witnesses, at fault parties to the motor vehicle accident and/or additional driver nominated by a customer)

How we use and process that personal information:

  • To communicate with at fault parties and insurers or to provide replacement vehicles to additional drivers (nominated by a customer) as required to provide and support the functionality of the IITR Platform to our customers in relation to motor vehicle accidents.
  • To remove personal information upon a request from a data subject.
  • In order for us to know where to deliver the replacement vehicle to.
  • We sell personal information to third parties in our absolute discretion.

Our reason for collecting the personal information:

  • Performance of our contracts with our customers.
  • We sell personal information for a profit. At the time of applying to become an IITR customer, customers are required to complete our Collection Notice under which they consent to our sale of their personal information and our use and/or disclosure of their personal information.

5. Analytics data

5.1. We also collect information about our customers through their use of the IITR Platform, known as analytics data. Such analytics data includes IP information, information about devices accessing the IITR Platform, the amount of time our customers spend on the IITR Platform and in which parts of it, and the path navigated through it. However, all such information is de-identified data and is not collected in a form that could reasonably be expected to identify an individual.

5.2. In any event, we only use analytics data to help us review, enhance, market and/or improve the IITR Platform (for statistical, marketing or research purposes).

6. How we hold and secure personal information

6.1. We hold and store personal information that we collect in our offices, computer systems and third party owned and operated hosting facilities. In particular, personal information is stored at:

  • hosting facilities operated by Amazon Web Services;
  • company servers or those of our cloud-based email providers which have restricted access security protocols;
  • third party owned cloud-based customer relationship management and marketing providers; and
  • computers and other electronic devices at our offices and at the premises of our personnel.

6.2. We take reasonable steps to protect personal information that we hold using such technical and organisational security measures as are reasonable in the circumstances to take against loss, unauthorised access, modification and disclosure and other misuse. Such measures ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed by us.

6.3. We implement the following technical and organisational security measures in our organisation:

  • Amazon Web Services (PCI compliant Level II in the Sydney Data Centre) to host personal information;
  • 2 factor authentication capability for each user to access our system with minimum password length rules;
  • passwords and access control procedures in our computer systems and ensuring that our personnel have access controls and that system access is aligned to the duties and responsibilities assigned to each role within IITR;
  • third party COMODO 256 bit encryption for data transmitted via the IITR Platform both in transit and at rest;
  • disaster recovery procedures including a fallback data centre in Singapore;
  • blocking high level domain IP inbound access from our systems and ensuring that our systems are periodically patched;
  • managing and logging security incidents;
  • electronic (e-security) measures for the purposes of securing personal information such as installing antivirus management and email phishing software on emails and applicable company computer software, devices and systems;
  • installing secure routers and firewalls to protect company devices and systems from any inbound attacks or viruses;
  • physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms to ensure the security of information systems (electronic or otherwise);
  • all of our employees, agents and contractors to comply with privacy and confidentiality provisions in their employment contracts and contractor agreements that we enter into with them;
  • having a data breach response plan and ensuring that we have data breach response procedures, data backup, archiving and disaster recovery processes in place; and
  • with respect to personal information that we no longer require or where we are otherwise required to destroy it under applicable law, we ensure that such personal information is securely destroyed.

7. Offshore Disclosure

7.1. We will transfer your personal information to our contractors and service providers who assist us with the supply and provision of the IITR Platform to you, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance. We will transfer your personal information to our hosting provider in Sydney and our offshore contractors and service providers located outside of Australia. Our offshore contractors and service providers are currently located in India, the United Kingdom, Singapore, Vietnam and the Philippines.

8. Who we disclose personal information to

8.1. We only disclose personal information that we collect to third parties as follows:

  • to call centres, software developers, payment gateway providers, infrastructure support providers, insurers, finance brokers, dealerships, motor vehicle assessors, panel beaters, mechanics, repairers, salvage yards and auctioneers, law firms, third party drivers, owners, witnesses and other parties involved in motor vehicle accidents, motor vehicle fleet companies and cross hire partner companies who we need to contact in order to provide our Services and in accordance with our contractual rights;
  • to reputable hosting providers and backup hosting providers who host databases that we use to provide our Services;
  • our employees, officers, agents and/or suppliers. We ensure that all such personnel and suppliers that we engage are aware of their information security responsibilities and have entered into agreements requiring them to comply with privacy and confidentiality obligations that apply to personal information that we provide to them;
  • to lead generation companies or marketing companies who carry out direct marketing phone calls and send emails on our behalf to generate business for us. All individuals will be given the opportunity to 'opt out' of any direct marketing calls or emails;
  • when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
  • where we license or sell personal information to any third parties or where IITR undergoes a merger, corporate restructure or acquisition;
  • where a person provides written consent to the disclosure of their personal information;
  • where it is brought to our attention that specific personal information needs to be disclosed to protect the safety or vital interests of any person;
  • if we are contacted by any person who represents to us that they are our customer, for security purposes, we will only discuss the personal information that we hold about them with them if they identify themselves accurately and truthfully;
  • to governmental authorities, bodies and/or regulators for the enforcement of a law imposing a pecuniary penalty and/or to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences;
  • to any court or tribunal for the conduct of proceedings (being proceedings that have been commenced or are reasonably in contemplation); and/or
  • where required by law.

9. Third party websites

9.1. IITR may send out tokenised emails and/or SMS links using the IITR Platform that direct our customers to a customer application form. The IITR Platform, emails and/or SMS (whether delivered by us and/or our contractors) may also include other links to third party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third party website operator complies with applicable data protection and privacy laws. You should consider the privacy policies of any relevant third party website prior to sending personal information to them. Our customers should contact us in the first instance, if they have any enquiries about any links on the IITR Platform.

9.2. You may interact with social media platforms via social media widgets and tools such as the Facebook Like button and the Facebook pixel that may be installed on our website or integrated via notifications on the IITR Platform. These widgets and tools may collect your IP address and other personal information. Your interaction with such widgets and tools, and any single sign-on services is governed by the privacy policies of the relevant social media operators and single sign-on service providers – please read them so that you are aware of how they process your personal information.

10. Interacting with us without disclosing personal information

10.1. If you do not provide us with your personal information, you can only have limited interaction with us. For example, you can browse our website without providing us with personal information, such as the pages that generally describe the IITR Platform that we make available, and our Contact Us page. However, when you submit a form on our website or become a customer registered with an account on the IITR Platform, we need to collect personal information from you in order to identify who you are, so that we can provide you with the IITR Platform and our Services, and for the other purposes described in this Privacy Policy. It is not practical for us to provide you with access and/or use of our IITR Platform and our Services (or any part thereof) if you refuse to provide us with personal information.

11. How to access and correct personal information held by us

11.1. We rely on our customers to ensure that all personal information collected from them and held by us is accurate, up to date, complete, relevant and not misleading. Customers who wish to access, update, modify and/or correct the personal information held by us about them should contact our Privacy Officer below.

11.2. Once an account is deleted, we may still be required to retain the data in accordance with our data retention obligations. We retain personal information held in the IITR Platform for a period of 7 years. We only use production data for the sole purpose of improving the IITR Platform. It is our policy to retain personal information in a form which permits identification of any person only as long as is necessary for the purposes for which the personal information was collected; and for any other related, directly related or compatible purposes if and where permitted by applicable law. We will only process personal information that you provide to us for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal information to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect your or any other person's vital interests).

11.3. We will handle all requests for access to personal information in accordance with our statutory obligations. We may require payment of a reasonable fee for a copy of your personal information by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law. We will not charge you for the making of any such request and we will endeavour to provide a response to any request for access within 72 hours from the time a request is made.

12. Our contact details

12.1. Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or make a privacy complaint, may contact our Privacy Officer using the following details:

12.2. We will use our best endeavours to resolve any privacy complaint with the complainant within a reasonable time frame given the circumstances. This may include working with the complainant on a collaborative basis and resolving the complaint.

12.3. If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the APPs, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:

European Customers and Data Subjects

This section of our Privacy Policy applies to personal data of our customers and data subjects that may be collected by us that is governed by the GDPR. Article 4(1) of the GDPR defines "personal data" as any information relating to an identified or identifiable natural person. Although we are not strictly 'controllers' of personal data that we collect (as defined in the GDPR), in that we do not determine how and why such data will be used, as that is determined by you; we are committed to complying with our requirements under the GDPR in our capacity as a processor.

13. Collection of personal data

13.1. We will require that you consent to our Collection Notice that we provide to you to obtain relevant consents and authorisations necessary for us to process your personal data in accordance with this Privacy Policy. Please see above to understand how we collect data subject personal data and the sources that provide us with your personal data. We do not collect your personal data from any publicly available sources.

13.2. We collect all types of personal data that are voluntarily provided by you and/or collected from third party sources. Please see section 2 above for more information about the categories of personal data that we collect.

14. Purpose and legal basis for processing customer and data subject personal data

14.1. The table in section 4 above sets out the legal basis under which we process customer and data subject personal data pursuant to Article 6(1) of the GDPR. We will not carry out any further processing activities on your personal data, other than as set out in this Privacy Policy.

15. Who will receive customer and data subject personal data

15.1. Information about who we disclose personal information to is set out in section 8 above and applies equally to personal data.

16. International transfers

16.1. We transfer your personal information to our contractors and service providers who assist us with the supply and provision of the IITR Platform to you, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance. Provided that we comply with applicable law, we transfer your personal information to our hosting provider in Sydney and our offshore contractors and service providers located outside of Australia. Our offshore contractors and service providers are currently located in India, the United Kingdom, Singapore, Vietnam and the Philippines. When transferring personal data governed by the GDPR internationally, we will ensure that such transfers are in compliance with the GDPR and that we have legally binding agreements in place to govern the receipt and processing of personal data offshore. Information about other appropriate or suitable safeguards is available from us on request.

17. Retention of customer and data subject personal data

17.1. It is our policy to retain personal data in a form which permits identification of any person only as long as is necessary for the purposes for which the personal data was collected for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal data (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect any other person's vital interests).

18. Requirement to provide customer and data subject personal data to us

18.1. Please see section 10 above for information about the requirement to provide personal information to us and the limitations that apply where personal information is not provided. Those requirements and limitations apply equivalently to personal data governed by the GDPR.

19. Automated decision making

19.1. We do not use automated decision making during our supply of the IITR Platform and/or services for the purposes of the GDPR (although we use bots on the IITR Platform that includes certain decision making logic).

20. Rights under the GDPR

20.1. Under the GDPR, you have a number of rights, including:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object to processing

20.2. You also have the right to lodge a complaint with any relevant supervisory authority. You are encouraged to contact us in the first instance, if you wish to exercise any of your applicable rights under the GDPR.