Revision date: February 2023
Sarah & Sebastian Pty Ltd (ACN 155 463 764) (“SARAH & SEBASTIAN”, “we”, “our” or “us”) is committed to protecting the privacy and security of our clients and visitors to our online and retail stores in accordance with the Australian Privacy Principles (“APPs”) set out in the Privacy Act 1988 (Cth) (“Privacy Act”).
You acknowledge and agree that we, our affiliates and each of their officers, employees, agents and contractors are permitted to collect, store, use and disclose your personal information in accordance with this policy and the Privacy Act.
If you are located:
- in the European Union (“EU”), you have additional rights under the EU General Data Protection Regulation (“GDPR”);
- in the United Kingdom (“UK”), you have additional rights under the UK General Data Protection Regulation; or
- in California, you have additional rights under the California Consumer Privacy Act (“CCPA”), as applicable.
PERSONAL INFORMATION WE COLLECT
“Personal information” means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether that information or opinion is true or not or recorded in a material form or not. The types of personal information we may collect and hold about you, depending upon the interaction in-store or online, include:
- Identifying and contact information such as your name, shipping and billing addresses, email address and phone numbers;
- Your date of birth;
- Information about products and services you have purchased, ordered or enquired about;
- Payment information including credit or debit card details, bank details or information regarding other accepted payment solutions such as PayPal, Afterpay or Klarna, method of payment and any additional information required for user authentication processes;
- Images captured by CCTV security cameras in our stores;
- Health information (only as necessary to provide our products and services to you) collected through our piercing waiver including pre-existing conditions;
- Information from contacting us with feedback or complaints and details of products returned, refunds made to you or repairs processed; and
- Personal information learnt about you from social media platforms and video sharing sites like Instagram, Facebook, LinkedIn and YouTube, such as your profile picture, username, handle, likes, location and friends/followers list.
We will only collect sensitive information (as defined by the relevant privacy legislation) from you, including health information, to the extent that it is reasonably necessary to the services we provide to you, if:
- we have your consent (written or verbal); or
- the collection is required by law and is consistent with the provisions of the relevant privacy legislation.
If you wish to apply for employment with SARAH & SEBASTIAN, we collect personal information when recruiting personnel, such as your name, contact details, qualifications, and work history. Generally, we will collect this information directly from you (or your recruiter, where applicable).
We may also collect personal information from third parties in ways which you would expect (for example, from recruitment agencies or referees you have nominated). Before offering you a position, we may conduct background checks to determine your suitability for certain positions (for example, where the position involves handling finances).
If you become an employee of SARAH & SEBASTIAN, we will collect your tax file number and superannuation fund details.
When you visit or browse our Website, we automatically collect certain information about your device, including information about:
- Your web browser;
- IP address;
- Time zone;
- Cookies on your device;
- The web pages you visit on the Website;
- How you got to our Website (for example, referring websites or search terms); and
- Your interactions on our Website.
We collect this information using the following technologies:
- Log files - track actions occurring on our Website, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- Web beacons, tags, and pixels - electronic files used to record information about how you browse our Website.
From time to time, you may be able to visit our Website or deal with us anonymously or by pseudonym. However, please be aware that, if you do not provide us with certain information that we request, we may not be able to provide you with the products or services you require.
HOW WE USE YOUR PERSONAL INFORMATION
We use the personal information that we collect generally to fulfil orders (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we may use this information to:
- Communicate with you;
- Safely undertake our piercing and soldering services;
- Screen our orders for potential risk or fraud;
- When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services;
- Communicate with you and provide information that we think may interest or benefit you, including information about our products or services, the Website, offers, competitions, promotions, events and surveys; and
- For recruitment purposes, such as assessing applications for employment.
We may use the collected device information to:
- supply you with advertising that is more relevant to you when you are visiting our Website or other websites that promote our products;
- help us screen for potential risk and fraud (in particular, your IP address);
- improve and optimise our Website (for example, by generating analytics about how our customers browse and interact with our Website, and to assess the success of our marketing and advertising campaigns);
- perform research and analysis about our products, services and the Website; and
- provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
With your express consent, we may use your personal information for the purposes of marketing our products and services or to inform you of new products, services, promotions or events that we believe you may be interested in. If you would like to stop receiving any of these marketing communications, you can opt out by writing to us at the contact details below and informing us that you no longer wish to receive these materials. If, at any time, you would like to stop receiving future electronic marketing messages (such as emails or SMS), you can click the “unsubscribe” link in the electronic marketing messages we send.
HOW WE DISCLOSE OR SHARE YOUR PERSONAL INFORMATION
SARAH & SEBASTIAN does not sell personal information to any third parties. However, in order to provide the products or services requested by you, we may share or disclose your personal information to the following third parties:
- SARAH & SEBASTIAN contractors and service providers including shipping companies, payment service providers and software, email and website service providers on a confidential basis. These third parties may only use this information in relation to our business and are prohibited from using your personal information for promotional purposes or selling your information. Shopify, for example, powers our e-commerce platform so your personal information is shared with Shopify if you make a purchase on our Website.
- Service providers and other third parties in relation to our marketing or business development efforts.
- Financial and credit card institutions to process payments, billing providers and payment gateways, hosting companies, web developers, internet service providers, customer service providers, customer support specialists, fulfilment and delivery companies;
- Third parties in order to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights; and
- Any other person or organisation that we advise you of or which you would reasonably expect.
We may provide your personal information to our affiliates or third parties that may be located in or outside of Australia, including New Zealand, Europe, UK, Russia, the United States and Canada. Where we do disclose your personal information to an overseas entity, we take steps reasonably necessary to ensure that:
- there is a legal basis for the transfer of your personal information; and
- your personal information is treated securely (including using reasonable endeavours to ensure that each overseas entity receiving your personal information is bound by Standard Contractual Clauses approved by the European Commission, which can be found at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en).
If we sell or purchase any business or assets (in whole or in part), your personal information may be disclosed to the prospective buyer/seller. If our business or our assets (in whole or in part) is acquired by a third party, your personal information held by SARAH & SEBASTIAN may be an asset which is transferred to the buyer.
HOW WE STORE YOUR PERSONAL INFORMATION
Your personal information is stored on SARAH & SEBASTIAN’s IT systems in Australia and on the IT systems of our contractors or service providers, some of whom are located overseas including in the USA and Canada and other countries from time to time.
We take reasonable steps to destroy or permanently de-identify your personal information if it is no longer needed for a purpose for which it may be used or disclosed under the APPs and we are not required by law or a court/tribunal order to retain the information.
We have a comprehensive data breach notification policy and response plan (“Response Plan”), which outlines the steps our personnel are required to take in the event of a data breach. This allows us to identify and deal with a data breach quickly to mitigate any harm that may result. As part of the Response Plan, we will notify you as soon as practicable if we:
- discover or suspect that your personal information has been lost, accessed by, or disclosed to, any unauthorised person or in any unauthorised manner;
- believe you are likely to suffer serious harm as a result; and
- are unable to prevent the likely risk of harm.
If you would like more information on our Response Plan, please contact us using the details below.
CCTV and security
Please note that where CCTV is in operation in our stores you may be captured on CCTV and your image stored. All CCTV footage is captured purely for your security and for the prevention and detection of crime. If you would like to know more about this, please contact us using the details provided below.
The transmission of information via the internet is not completely secure. While we do our best to protect your personal information, we cannot guarantee the security of any personal information transmitted through the Website. You provide your personal information to us at your own risk and we are not responsible for any unauthorised access to, and disclosure of, your personal information.
THIRD PARTY LINKS
DO NOT TRACK
Please note we do not support ‘Do Not Track’. ‘Do Not Track’ is a preference you can set in your web browser to inform websites that you do not want to be tracked. We do not alter our Website’s data collection or practices when we see a ‘Do Not Track’ signal from your browser.
YOUR RIGHTS – ACCESS AND CORRECTION
You have the right to request that we provide you with access to your personal information or to ask us to correct any personal information we hold about you that is out-of-date, incorrect, incomplete, or misleading. We may require proof of identity.
If you have created an account on our Website, you can update your account details by accessing your account and editing your account information. You can also contact us by submitting a request in writing to the address set out below. If we are able to, we will action your request within a reasonable timeframe (usually within 30 days) following receipt of your request.
We may decline an access or correction request in circumstances prescribed by the Privacy Act. If complying with your request for access requires considerable time and expense on our part, we may charge you a reasonable fee for providing you with the information.
If we do refuse your access or correction request, we will provide you with written reasons for our decision and, in the case of a request for correction, we will include a statement with your personal information about the requested correction (if you ask us to do so).
If you are located in the EU, UK or California, you have the additional rights set out below.
COMPLAINTS
You may make a complaint about privacy to our Privacy Officer using the contact details set out below.
Our Privacy Officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint.
Your complaint will then be investigated. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather relevant facts, locate and review relevant documents and speak with individuals involved.
In most cases, we will investigate and respond to a complaint within a reasonable time, usually within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.
If you are not satisfied with our response to your complaint, you may make a complaint to the Office of the Australian Information Commissioner (OAIC) or, under the GDPR or CCPA, to the local regulator of your jurisdiction, as applicable.
EU and UK RESIDENTS
How we use your personal information
We can only collect and use your personal information if we have a valid lawful reason to do so. Our reasons are:
- Consent – you have consented to our processing of your personal information for a specific purpose
- Contract – we process your personal information to fulfil a contract you have with us or, alternatively, because you have requested us to take specific steps before you enter into a contract with us
- Legitimate interests – we process your personal information for our legitimate interests (or a third party’s legitimate interests) unless the legitimate interests are overridden by a good reason to protect your personal information
- Legal obligations – we process your personal information in order for us to comply with the law (which does not include complying with contractual obligations)
Further to the section HOW WE USE YOUR PERSONAL INFORMATION, we may use your personal information for the following purposes/reasons:
Personal information uses
- To provide and administer our products and services
- For marketing purposes
- To manage our relationship with you
- To provide customer support
- To comply with our legal obligations
- To prevent and detect fraudulent activity
- To conduct market, consumer and other research
- To ensure content is relevant
If you are located in the EU or the UK, you have the following additional rights:
- The right to information – you can request confirmation about the following: whether your personal information is being processed by us; the purpose of processing; the categories of personal information which are processed; the recipients (or types of recipients) who may receive the personal information; the anticipated retention period of the personal information; and your rights to rectification, erasure, to restrict (or object) to processing and to lodge a complaint with a data protection supervisory authority in the EU or the UK.
- The right to object to or restrict our processing of your personal information for: (i) direct marketing purposes; (ii) for scientific, historical research or statistical purposes; or (iii) where our processing is based on legitimate interest grounds or because it is in the public’s interest. We will respond to your objection request within a month. However, there may be some circumstances where we are not required to stop processing your personal information. If this is the case, we will provide you with a written explanation.
- The right to restrict processing – in some circumstances, you can request us to restrict our use of your personal information in which case we will not use or disclose your personal information while it is restricted. We will respond to your restriction request within a month.
- The right to erasure – you can request us to erase your personal information where it is no longer required for a purpose for which it was collected or where, for example, you have exercised successfully your right to object to processing. We will respond to your erasure request within a month. However, where there are legal or other reasons for us to retain your personal information, we will provide you with a written explanation.
- The right to data portability – you can request us to provide you with a copy of the personal information you have provided to us. We are required to provide it to you in an electronic format that can be reused easily. You can also request us to transfer your personal information in an electronic format to another entity.
- The right to transparency – we are required to provide you with information that is: (i) concise, transparent, intelligible and in an easily accessible form; (ii) in clear and plain language; and (iii) in writing, including electronically where appropriate.
- The right to consent – we must be able to demonstrate that you have given us consent. Your consent must be given in a way that is: (i) clearly distinguishable from other matters that may be included in the document; (ii) in an intelligible and easily accessible form; and (iii) in clear and plain language. You have the right to withdraw your consent at any time, and you must be informed of this prior to providing consent.
You can exercise any of these rights by contacting us using the contact details below.
You also have the right to:
- access your personal information and request the correction of your personal information (see “YOUR RIGHTS – ACCESS AND CORRECTION” above); and
- lodge a complaint with a data protection authority if you are unhappy with the outcome of a privacy complaint. The “COMPLAINTS” section above explains our complaints handling process. A list of EU data protection authorities is available at https://ec.europa.eu/. The UK data protection authority is the Information Commissioner’s Office (https://ico.org.uk).
If you are a resident of the State of California, you may exercise the rights described below. By choosing to exercise your rights as described below, you are declaring that you are a California resident as defined in the CCPA.
- Right to Deletion. You have the right to request us to delete any of your personal information. If we delete your personal information, you will permanently lose access to your personal information and/or your SARAH & SEBASTIAN account. We may deny your deletion request when permitted by applicable law or for business purposes including, without limitation, when personal information is needed to comply with our legal obligations, meet regulatory requirements, support our business operations, resolve disputes, maintain security or to prevent fraud and abuse. We retain anonymised information after your account has been closed.
- Right to Correction. You have the right to update or modify your personal information. If you have a customer account, you may update or modify your personal information by accessing your account and editing your account information. If you do not have a customer account, then you may request that your personal information be updated by emailing us at: email@example.com.
- Right to Non-Discrimination. SARAH & SEBASTIAN will not discriminate against individuals who exercise their rights under the CCPA.
- Exercising your Rights. If you wish to exercise one of these rights, please contact us using the contact details below. Before we can process any such request, we will need to verify your identity. We reserve the right to deny a request where we are unable to satisfactorily complete this process. If you authorise someone to make a request on your behalf, we may also deny your request if we are unable to verify that the individual making the request is authorised to act on your behalf.
1300 050 220
ATTN: PRIVACY OFFICER
SARAH & SEBASTIAN
5C, 32 Ralph Street
Alexandria New South Wales 2015
You can find more information about privacy and the protection of your personal information on the website of the OAIC at https://www.oaic.gov.au/ (for Australian residents), https://commission.europa.eu/index_en (for EU residents), https://ico.org.uk/ (for UK residents) or https://oag.ca.gov/ (for California residents).