Privacy

Updated

May 10, 2025

Client Culture Global Privacy Policy 

1. About Client Culture and This Policy

Client Culture Pty Ltd (ABN 88 619 177 132) (“Client Culture”, “we”, “us”, “our”) provides client and employee experience measurement and analytics services to business customers worldwide.  This Privacy Policy explains how we collect, use, disclose and protect personal information (also called personal data) when we act as either data controller or data processor/service provider across:

  •  Australia – under the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs);
  •  United Kingdom – under the Data Protection Act 2018 and UK GDPR; and
  •  European Economic Area (EEA) – under the EU General Data Protection Regulation (GDPR).

This Policy applies to our websites, SaaS platform, professional services and marketing activities.  Local addenda in Section 16 set out country‑specific rights and obligations.

2. Key Definitions

“Personal information / personal data” – information about an identified or reasonably identifiable individual.

“Processing” – any operation performed on personal data such as collection, storage, use or disclosure.

“Controller” – the entity that determines the purposes and means of processing.

“Processor / Service Provider” – the entity that processes personal data on behalf of a controller.

3. What We Collect

  • Identity & contact data: Name, title, role, business email, phone (e.g. Client upload; survey respondent entry; website forms)
  • Interaction data:  Survey scores and free‑text feedback; support tickets (e.g. Respondent; end‑user device)
  • Technical data: IP address, device ID, browser type, cookies, log files (e.g. Automatically via cookies & SDK)
  • Usage analytics: Page views, click‑stream, session metadata (Cookies; analytics tools) 
  • Business profile: Company name, industry segment, relationship tier (Client upload; CRM sync)
  • Regulatory IDs (AU only): ABN/ACN of enterprise contacts (Public registers or client upload).

We do not intentionally collect special‑category or sensitive information unless a client instructs us and appropriate safeguards are in place.

4. How and Why We Process Personal Data

Purpose | Legal Basis (UK/EU) | APP Compliance
Deliver SaaS platform & surveys | Contract performance (Art 6‑1‑b) | APP 3, 6
Improve and secure our services | Legitimate interests (Art 6‑1‑f) | APP 11
Marketing our products to B2B prospects | Consent or legitimate interests | APP 7 (opt‑out)
Legal & compliance, fraud prevention | Legal obligation (Art 6‑1‑c) | APP 6, 11

Where we rely on legitimate interests, we have conducted balancing tests to ensure your interests and fundamental rights are not overridden.

5. Disclosure to Third Parties

We only share personal data:

  1. Within the Client Culture group on a need‑to‑know basis and under intra‑group data‑sharing agreements.
  2. With authorised sub‑processors (e.g., cloud hosting, email delivery, analytics) bound by written contracts that meet Art 28 GDPR and APP 8 requirements.
  3. With business customers (our clients) when we act as their processor, transmitting respondent feedback to them.
  4. With regulators, courts or law‑enforcement where required by law.

We do not sell personal information.

6. International Transfers

We host data in Australia and the EEA.  If we must transfer personal data internationally we use one or more of:

  1. European Commission Standard Contractual Clauses (2021) with the UK International Data‑Transfer Addendum;
  2. The EU–US Data Privacy Framework (or its successor) for transfers to certified US vendors;
  3. Partner or supplier adequacy decisions recognised by the European Commission or UK ICO.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy or to comply with legal obligations.  Client survey data is retained while you remain an active customer plus 24 months, unless an earlier deletion request is received.  Archived and backup copies are securely destroyed within 90 days thereafter.

8. Security Measures

We maintain technical and organisational security aligned with ISO 27001/SOC 2 controls, including:

  1. TLS 1.2+ encryption in transit and AES‑256 at rest
  2. Role‑based access control and MFA for staff
  3. Annual penetration testing and independent audits
  4. 24×7 infrastructure monitoring and incident‑response plan

9. Cookies & Similar Technologies

Our websites and platform use cookies, SDKs and pixels to:

  1.  authenticate users;
  2.  remember preferences;
  3.  analyse traffic; and
  4.  deliver relevant B2B advertising.

You can manage cookies through your browser.

10. Your Privacy Rights

EU / UK (GDPR): Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to DPA

Australia (APPs): Access, correction, anonymity / pseudonymity, complaint to OAIC       

To exercise any right, email privacy@clientculture.com.  We respond within 30 days (21 days for APP access requests).

11. Children

Our services are directed to business users.  We do not knowingly collect data from anyone under 16 years of age.

12. Automated Decision‑Making

We do not use personal data for solely automated decisions that have legal or similarly significant effects.

13. Links to Other Sites

This Policy does not cover third‑party sites linked from our platform.  Please review their privacy notices.

14. Changes to This Policy

We may update this Policy from time to time.  Material changes will be notified via email or platform banner and posted on our website with a revised “updated date”.

15. Contact & Complaints

Privacy Officer / Data Protection Officer

Client Culture Pty Ltd

Email: privacy@clientculture.com

If you believe we have not resolved your concern, you may contact:

  • Office of the Australian Information Commissioner (OAIC) – oaic.gov.au
  • UK Information Commissioner’s Office (ICO) – ico.org.uk
  • Your local EU supervisory authority – see ec.europa.eu

16. Regional Addenda

16.1 Australia

  • We comply with the APPs and Notifiable Data Breaches (NDB) scheme.  Eligible data breaches will be notified to affected individuals and the OAIC within 30 days.
  • You may request to remain anonymous or use a pseudonym where practicable.

16.2 European Economic Area & Switzerland

  • Data‑protection impact assessments (DPIAs) are conducted for high‑risk processing.
  • Cross‑border transfers rely on SCCs, adequacy decisions or appropriate safeguards.
  • You have the right to lodge a complaint with your Member‑State supervisory authority.

16.3 United Kingdom

  • Transfers from the UK follow the UK International Data‑Transfer Addendum.
  • Individuals may complain to the ICO (see Section 15).

End of Policy