2. Scope of this policy
This policy applies to all Personal Data that we collect, use, or disclose when providing our websites, platforms, apps, products, and services owned or operated by us, including in relation to the following:
- Employment Hero HR and Payroll Platform (Employment Hero Platform)
- Swag App
- Swag Jobs Board (including the Career Pillar in the Swag App)
- Global Teams Employer of Record services (Global Teams)
(together, the “Services”)
Our Services include “AI Enhancements” that supercharge your experience and allow us to deliver our products with streamlined processes and efficiency. We incorporate our AI Enhancements with transparency, ensuring you have full visibility into the functionalities and benefits they bring.
We take the protection of your privacy very seriously. We treat your Personal Data with the utmost care and in compliance with the applicable data protection laws. We may also provide you with additional information when we collect Personal Data where we feel it would be helpful to provide relevant and timely information.
3. Who are we?
In this policy, “Employment Hero”, “we”, “us” or “our” means Employment Hero Pty Ltd and its affiliates. If you want to know more about who we are, please see our list of Employment Hero affiliates here.
4. What is Personal Data?
Personal Data (also known as “Personal Information”) is any information relating to an identified or identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal Data”).
Special Categories of Personal Data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation (“Special Categories of Personal Data”).
If you can’t be identified, then this notice does not apply to you. An example of this is when your Personal Data has been aggregated and/or anonymised.
5. What information do we collect?
The Personal Data we collect and process will vary depending on your dealings with us and the Services we provide to you.
We may also collect and process Special Categories of Personal Data with your explicit consent when providing our Services to you, which includes Special Categories of Personal Data submitted by you, or on your behalf, through our Employment Hero Platform or Swag App.
a) Information we collect when you use or request our Services
We collect the information you provide to us when you do things such as request, sign up for and use our Services, update your user profile, or voluntarily engage with us in other ways. The table below shows the information we collect and how it relates to our Services.
|Personal Data we collect||Relevant Services|
|Individual account information including name, username, date of birth and age, details regarding gender, sex, marital status, profile photo, and login credentials||
|Business account information including business name, signatures and organisation, and information about the company’s employees||
|Contact information including residential and/or postal address, email address, telephone number, emergency contact information, and social media handles||
|Employment related information including occupation or job title, information relating to your current employer, information relating to your former employer and role, key dates relating to your current role and/or past roles, superannuation information, salary and/or pension details including documents such as payslips and payment summaries, citizenship and visa status for work eligibility purposes, and tax information||
|Employment performance information including workplace engagement information, and performance reviews||
|Recruitment related information including job vacancy details, profile photo, company details relevant to the job posting such as work location and contact emails, and the name and contact details of any personnel involved in the recruitment process||
|ID verification and credit report information including government-issued identification documents such as passport and driver’s licence to comply with global anti-money laundering (AML), know your customer (KYC) and know your business (KYB) obligations||
|Location information including specific location information you agree to provide us via your device using GPS, wireless, or Bluetooth technology, and location information you manually input (you can control access to precise location information through your device settings)||
|Billing information including payment details such as banking, or debit/credit card details||
|Special Categories of Personal Data including health or disability information, biometric information, immigration information, criminal history and background checks, and certain diversity related information||
Only as necessary and with consent.
b) Information we may collect when providing additional products and services through our platforms and apps
We may collect additional information from you including group certificates, income or earnings information, utility bills, health and life insurance policy statements, information relevant to your lifestyle options including but not limited to, health and fitness information, entertainment services and mobile services, information relevant to your financial needs and objectives, information relevant to your assets and liabilities, income and expenses, and information relevant to your investment preferences and attitude or tolerance to risk. This information will only be collected if you provide it to us.
c) Information we collect from your other interactions with us
We collect information when you interact with us, such as when you use our websites, communicate with us via email, telephone, SMS, video conference, social media or chatbots, make enquiries regarding demos, attend or participate in our events or promotions, or when we collect feedback from you on the Services we provide. The information we may collect in these circumstances includes your name, business name, address, email, phone number, company/employer information, job function, team size, reason for contacting us, survey and research responses, social media information, and video and call recordings.
d) Information that we automatically collect from you
We automatically collect usage information when you browse our websites or use our Services to improve our Services and enhance your user experience. This information includes digital interactions data, i.e., how you use our digital properties (including our websites, third-party websites, social media sites, apps and electronic communications), metadata (collected on an anonymous basis), consumer analytic data (collected on an anonymous basis but which can be attributed to you based on other information we have about you), log file information, information about the type of device and operating system used by you, location information, computer IP addresses, and marketing and cookie preferences, including any consent you have given us.
e) Information we collect from third parties
We may collect Personal Data about you from third parties in the process of providing our Services to you in the following ways:
- if you are an individual employed through our Global Teams services, we may collect Personal Data from the party that has engaged us as a Global Teams services customer;
- if you are a user of a third-party job application platform which integrates with our Applicant Tracking System (ATS), we may collect Personal Data about you that is processed through our ATS as provided via the third party platform; and
- if you are based in Australia, we may receive Personal Data about you from your superannuation fund when verifying your membership with them if we are providing our superannuation services and features (Super Services) to you upon your request.
We may further collect your Personal Data from third parties where you have provided consent, or where such Personal Data is provided to us under a legal basis. This includes, but is not limited to, circumstances where an employer provides information about employees through our platforms or apps. This also includes where Personal Data is collected through third-party APIs, or by third party service providers, including social media sites who are permitted to disclose that information to us under a legal basis, or to support our delivery of Services or direct marketing activities. We may also collect Personal Data about you through our affiliates.
Google API policies
Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We may use Google Analytics to obtain certain analytics information regarding your interactions with our Services. You may opt-out from the Google Analytics service using your information by installing the Google Analytics Opt-out Browser tool.
Digital payment terms
You can use the Swag debit card with digital payment providers via your device, and there may be instances where we collect Personal Data from these digital payment providers for fraud prevention and identity verification purposes. You can view our digital payment terms here.
f) Information we collect from you about third parties
6. How and why we process this information
We must have a legal basis to process your Personal Data and we explain these legal bases below. We also explain the purposes for which we process your Personal Data, the processing operations that we carry out, and the categories of data that we use for each purpose.
a) Contractual performance – we have obligations under our contract with you. To fulfil those obligations, we will have to use your data.
b) Consent – in certain cases, we ask for your consent to use your data. Whenever we ask for your consent, we will explain the situations where we use your data, and the purposes for which the data will be used.
c) Legitimate interest – we can process your data when this is necessary for us to achieve a business purpose, or where this is necessary for someone else to achieve their purpose. We explain below what interests we, or others, are trying to achieve when we process your data. Where we process Personal Data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals, and to determine whether individuals’ interests outweigh our interests in the processing activity taking place.
d) Legal obligation – as an organisation, we are obliged to comply with applicable legal and regulatory requirements. In certain cases, we will have to use your data to meet these obligations.
We may process your data for different purposes. We may also provide you with notices that further specify the purposes for some of the processing described below, and on the rare occasions when we need to ask for your consent, we will only do so at the time we collect your Personal Data.
a) Provision of Services and administration of our contract with you (Contractual Performance or Consent)
We use your Personal Data to administer aspects of our relationship with you so we can fulfil the obligations we have in the contract between you and us or based on your explicit consent.
We process your information to:
- fulfil a contract, or take steps linked to contractual obligations;
- provide our Services, including ancillary Services such as customer support and implementations;
- take payment for our Services (where applicable); or
- send you service, technical and other administrative emails, messages, and other types of communications relating to our Services.
b) Our business purposes (Legitimate Interests)
We have an interest in maintaining, developing, and protecting our business interests and legal rights.
We process your information to:
- ensure our Services are working as intended, such as tracking outages or troubleshooting issues that you report to us, to make improvements to our Services;
- ensure your experience with our Services is personalised and customised, and to tailor our communications and marketing to you;
- analyse the data about your activity when you use our Services, and the performance of our Services, to do things like optimise the product design, and develop and improve our products and services (including in relation to our engineering prompts used for our AI Enhancements);
- develop and improve our products, services, algorithms and models using machine learning;
- conduct surveys and other market research to ensure our Services are relevant to your needs;
- investigate any complaints by or about you;
- investigate any suspected breach of any of our terms and conditions or unlawful activity engaged in by you;
- investigate, raise or defend ourselves from legal claims;
- comply with our compliance, regulatory, auditing, investigative and disciplinary obligations (including disclosure of such information in connection with legal process or litigation) and other ethics and compliance reporting requirements;
- verify your identity and/or carry out credit report checks, and enable us to monitor suspicious or fraudulent activity;
- protect the security of our premises, assets, systems, and intellectual property, and to enforce company policies, including monitoring communications as permitted by law; or
- meet our business interests where doing so involves undertaking mergers, acquisitions, reorganisations, or disposals, as permitted/required in accordance with applicable law.
c) Marketing communication and preferences (Consent)
In some cases, we may send you direct marketing based on our legitimate interests or where you have provided us with explicit consent. These communications may be sent in various forms, including mail, social media, SMS, or email.
You have an absolute right to opt out of direct marketing at any time. You can do this by following the instructions in the communication within the electronic message we send to you, or by contacting us via email at firstname.lastname@example.org.
We may still send you important notices relating to your account, operational activities, and technical updates, even after you have opted out of receiving marketing communications.
d) Cookies and tracking technologies (Consent)
The information that may be recorded includes information regarding your:
- server address;
- domain name;
- date and time of visit;
- previous websites visited;
- use of our sites; and
- browser type.
Apple’s App Tracking Transparency Requirements
The Swag App does not track your activity across other companies’ apps on your device. For this reason, it does not require App Tracking Transparency consent, such as consent to use an ‘Identifier for Advertisers’ (IDFA).
e) Compliance with law (Legal Obligation)
We analyse and sometimes process your Personal Data to comply with our obligations and exercise our rights under applicable laws.
Those legal obligations, and the processing operations they require us to undertake, are:
- Tax laws and similar obligations (these include tax laws and obligations that apply to us in each of the jurisdictions in which we operate). These require us to undertake tax and national insurance reporting, filing and withholding; and
- Anti-money laundering laws and similar obligations (these include anti-money laundering laws and obligations that apply to us in each of the jurisdictions in which we operate). These require us to undertake specific action to prevent money laundering as part of or in relation to the use of our Services.
Sometimes it is also necessary for us to comply with requirements to respond to court orders, subpoenas, or other legal processes.
In these circumstances we use your personal identification information, contractual relationship information and, in some circumstances, information about your use of the Services.
7. How we share your Personal Data
a) Sharing of information when providing our Services
- Members and personnel of the Employment Hero group – we may share your information between our affiliates and business functions, including with our employees, contractors and representatives for the purposes of the delivery and operation of our Services, and fulfilling requests by you;
- Vendors who support the delivery of our Services – we may disclose your Personal Data (including via APIs) to specific third-party service providers who facilitate the delivery of our Services. These third parties are given access to your Personal Data only to perform these tasks on our behalf or for our benefit, and are required not to use or disclose it for any other purpose;
- Third party service providers – we may disclose your Personal Data to third parties who provide services, software, and content made available for use on or through our Services (including add-ons and integrated service);
- Web browser extension providers – our sharing of your Personal Data with third parties may occur through the use of verified web browser extensions. These web browser extensions will only be used by the business if they are developed by the third party provider of the standard version of that product or service;
- Legal and regulatory authorities – we may share your information with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws;
- Parties involved in a business sale – in the event that we undergo any reorganisation, restructuring, merger, sale, or other transfer of assets your information will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to any new owners of the business;
- Event partners – we may share your data with event or promotion partners for the purpose of delivering such event or promotion;
- Business partners – we may share your data with our existing or potential agents, business partners, or joint venture entities to enable us to perform our business activities in relation to our services; and
- Your organisation – where you are an employee of one of our customers, we may share your information with your employer and other personnel in your organisation (where it is necessary and reasonable).
b) Sharing of information specific to our Swag Jobs Board
To provide our Swag Jobs Board, we facilitate the connection between job posters and candidates to host the recruitment process and help businesses attract talent. In providing this service, we share your Personal Data with job posters where you are a candidate under this service, or to candidates where you are a job poster under this service.
c) Sharing of information specific to our Global Teams services
To provide our Global Teams services, we act as the employer of record for employees who offer their skills and services to our customers. To provide this service and facilitate the relationship between our customer and the employee, we may share Personal Data of each party with the other, or with partners who support us in providing this service. This means that if you are a customer under this service, we may share your Personal Data with the employee, and if you are an employee under this service, we may share your Personal Data with the customer or relevant partner.
d) Sharing of information with superannuation funds when providing our Super Services (Australian customers/users)
In connection with providing our Super Services, we may share your relevant Personal Data with our partner superannuation funds to check your membership with them (provided that you have given us consent to disclose your Personal Data to the superannuation funds). Once we verify you as a member of a superannuation fund, we will continue sharing your Personal Data with your chosen superannuation fund (including changes to your personal details, employment changes, life event information and other matters) only in connection with providing you access to their services and delivering our Super Services to you.
e) Sharing of your information specific to the Swag Spend Account
We may share your Personal Data with our payment partners if you apply for non-cash payment products that they issue. If we, or the payment partners, share your data with third party organisations (including those based in the US and UK) for the purpose of providing risk assessments and transaction monitoring (PEP and sanctions checking), it will only be related to the provision of the product provided by us via the Swag App that contains the spend account and Swag debit card (Swag Spend Account). We also share your Personal Data with third parties to verify your identity for the purposes of providing you with a Swag Spend Account.
8. International data transfers
We take measures to ensure that international data transfers take place in compliance with applicable laws relating to international data transfers and in accordance with at least the standards that apply in the country whose privacy or data protection laws apply to that Personal Data. If you are an EEA or UK customer or user of our Services, your Personal Data is transferred outside the EEA or the UK in compliance with the relevant requirements under the GDPR.
Where the European Commission or the UK government has determined that certain countries outside of the EEA or the UK have an adequate level of Personal Data protection, e.g., New Zealand, Personal Data can be transferred to such a country from the EEA or UK without any further safeguards being necessary. A full list of such adequate countries is available here (for the EEA) and here (for the UK).
Where information is transferred outside the UK or the EEA to a location that is not subject to an adequacy decision by the European Commission or the UK government, we ensure data is adequately protected. We may transfer your Personal Data (as described in section 5 above) for the purposes described in section 6 above to another country by relying on the EU Standard Contractual Clauses for the transfers from the EU, or the International Data Transfer Agreement or International Data Transfer Addendum to the EU Standard Contractual Clauses for the transfers from the UK, or relying on such other data transfer mechanisms as available under applicable data protection laws.
A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.
9. Third-party links
The Services may contain links to other websites operated by third parties. We make no representations or warranties in relation to the privacy practices of any third-party website. Third-party websites are responsible for informing you about their own privacy practices and policies and you are encouraged to review the privacy notices.
10. Storage and security of Personal Data
Personal Data held by us will be stored and managed by our third-party suppliers who store data on secure data centres. Further details on our third-party storage provider’s location and security can be found here.
Please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Data we have collected from you.
You can also play an important role in keeping your Personal Data secure by maintaining the confidentiality of any password and accounts used on the Services. Please notify us immediately if there is any unauthorised use of your account by any other internet user, or any other breach of security relating to your account via email at email@example.com.
11. Data retention
We store data for as long as necessary to provide our Services and in accordance with our internal Data Retention Policy. This is a case-by-case determination that depends on things such as the nature of the data, why it is collected and processed, and relevant legal or operational retention needs. You can delete some Personal Data whenever you like, some data is deleted automatically, and some data we retain for longer periods of time.
- We keep account information for as long as your subscription or agreement continues or for as long as it is necessary to deliver our Services.
- We will keep a record of the fact that you have asked us not to send you direct marketing, so that we can respect your request in future. If you unsubscribe from receiving direct marketing, then we will remove your details from our direct marketing mailing list.
Sometimes business and legal requirements oblige us to retain certain information, for specific purposes, and for an extended period of time. Reasons we might retain some data for longer periods of time include security, fraud prevention, financial record-keeping, complying with legal or regulatory requirements, ensuring the continuity of our Services, and when you have had direct communications with us.
12. Your rights and choices
You have the right to access your Personal Data, or to correct, delete or restrict processing of your Personal Data. You can also obtain the Personal Data you provide to us on a contractual basis or with your consent, in a structured, machine-readable format.
You can also correct and delete some Personal Data through your account provided by our Services. Where your Personal Data has been provided to us by a third party acting in the capacity of a data controller (such as your employer), you must ask that third party to correct or delete your Personal Data on your behalf. This third party will then request us to correct or delete the Personal Data from our systems.
In addition, you can object to the processing of your Personal Data in some circumstances, i.e., when we process your Personal Data based on our legitimate interests or where we are using the data for direct marketing.
These rights may be limited, for example, if fulfilling your request would reveal Personal Data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights, including obtaining a copy of your legitimate interest balancing test, you can get in touch with us using the details set out below. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work or where you believe a breach may have occurred.
For the provision of information marked as mandatory when you register to use our Service, if such information is not provided, then you will not be able to use our Services. All other provision of your information is optional. If you do not provide such information, our provision of certain Services to you may be detracted from.
Where we rely on your consent, such as in relation to direct marketing communications, you will always be able to withdraw that consent at any time.
If you ask to withdraw your consent to our processing of your data, this will not affect any processing which has already taken place.
13. How to get in touch with us
If you have any questions or concerns about how we process your data, please contact us via email at firstname.lastname@example.org.
We have appointed Bird & Bird DPO Service SRL as a Data Protection Officer (DPO) in the UK and Singapore. If you wish to contact them about our privacy practices in these jurisdictions, you may do so using the following contact details:
Bird & Bird DPO Service SRL
Address: Avenue Louise 235 b 1, 1050 Brussels, Belgium
To comply with the EU data protection laws (GDPR), we have appointed a representative in the EU. If you wish to contact them, their details are as follows:
Bird & Bird GDPR Representative Services Ireland
Address: Deloitte House, 29 Earlsfort Terrace, Dublin 2, D02 AY28
14. Enforcement and complaints
We will aim to ensure that all questions and concerns are resolved in a timely and appropriate manner. If you are not satisfied with the outcome of your complaint, or require further information on privacy, you are entitled to contact your local data protection supervisory authority.
The supervisory authorities that apply to customers and users in the different countries in which we operate are set out below.
|Australia||Office of the Australian Information Commissioner||www.oaic.gov.au|
|New Zealand||Office of the Privacy Commissioner||https://www.privacy.org.nz/your-rights/making-a-complaint/|
|United Kingdom||Information Commissioner’s Office||https://ico.org.uk/make-a-complaint/|
|Singapore||Personal Data Protection Commission||www.pdpc.gov.sg|
|Malaysia||Personal Data Protection Department||Email: email@example.com or complaints portal: https://daftar.pdp.gov.my/|