Privacy Policy

In this Privacy Policy, ‘we’, ‘us’ and ‘our’ means Steadfast Risk Engineering Pty Ltd - ABN 35 629 218 917.

We respect the privacy of your personal information. This Privacy Policy sets out how we collect, store, use and disclose your personal information (including sensitive information) in accordance with the terms below, and applicable Privacy Laws (defined as laws including the Australian Privacy Principles set out in the Privacy Act 1988 (Cth) or in New Zealand, the Privacy Act 2020 , or in Singapore, the Personal Data Protection Act 2012, or in the EU, the General Data Protection Regulation (GDPR) (EU) 2016/679)

What personal information we collect

“Personal information” includes information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified living individual or an individual who is reasonably identifiable (e.g., name and contact details), or data about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access.

As its name suggests, “sensitive information” is a more sensitive subset of personal information, which includes your bank account/payment, criminal history, health information, religion, racial/ethnic origin or sexual orientation. If you are an individual who is either based in or a resident of Australia, the European Union or the United Kingdom, subject to applicable Privacy Laws, we will not process sensitive information about you unless we have received your express consent to the processing of this information.

We collect certain types of information about you if you visit our website, authorise your broker or our agent to provide us with your personal information in relation to insurance or otherwise provide us with your personal information.

The information we collect and hold generally includes your name and contact information (including telephone and facsimile numbers and email addresses), information relating to the operation of your business, other reference information and information about other parties that you may conduct, or are interested in conducting, business with. You may be able to deal with us without identifying yourself (i.e. anonymously or by using a pseudonym) in certain circumstances, such as when making a general inquiry relating to the services we offer. If you wish to do so, please contact us to find out if this is practicable in your circumstances. However, if you do not provide us with the information that we need, we or any of our third-party service providers may not be able to provide you with the appropriate services.

How we collect your personal information

We may collect personal information in a number of ways, including:

directly from you via our website, telephone, in writing or email; and/or
indirectly from third parties, if necessary. For example, your employer or insurance broker may provide us with information about you for the purpose of obtaining our services. We may also obtain personal information from referees, insurers, premium funders and other third- party service providers or publicly from available sources.

You authorise us to contact such third parties for the purposes of providing you with the services that you have requested.

We also automatically collect certain information when you visit our website, some of which may be capable of personally identifying you. Please see the “Cookies” section below for more details.

Our purposes for collecting, holding and using your personal information

We collect and hold your personal information for the purposes of providing our services to you and related purposes. Such purposes include:

providing insurance broker or insurer customers, potential customers and others with our services;
providing insurance brokers with benefits (including passing on customer enquiries to appropriate brokers;
helping to develop and identify services that may interest insurance brokers their customers, potential customers or others;
conducting market or customer research;
developing, establishing and administering alliances and other arrangements with other organisations in relation to the promotion, administration and use of our services;
telling you about our other service offerings which we believe may be relevant (if you have requested to receive this);
statutory or regulatory reporting;
internal or external audit within our group;
sale of our assets or shares to a buyer; and
any other purpose notified to you at the time your personal information is collected

Legal basis for using your personal information

If you are an individual who is either based in or a resident of the European Union or the United Kingdom, we will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. We will make sure that we only use your personal information for the purposes set out above and where we are satisfied:

we need to use your personal information to perform a contract or take steps to enter into a contract with you;
we need to use your personal information for our legitimate interest as a commercial organisation. For example, we may collect your personal details so that we can respond to enquiries submitted via our website. In all such cases, we will look after your information at all times in a way that is proportionate and respects your privacy rights and you have a right to object to processing as explained in the “Accuracy, access and correction of your personal information” section of this Privacy Policy below;
we need to use your personal information to comply with a relevant legal or regulatory obligation that we have; or
we have your consent to using your personal information for a particular activity.

Disclosure of your personal information

We will disclose your personal information to:

our related companies, insurance brokers or third parties who help manage our business and provide our services, including our third-party service providers, such as payment system operators, IT suppliers, lawyers, accountants, other advisers and financial institutions;
if you are an insurance broker or agent, to insurers, reinsurers, other insurance intermediaries, insurance reference bureaus and industry bodies;
any other entities notified to you at the time of collection;
courts, law enforcement, regulators and other government agencies to comply with all applicable laws, regulations and rules;
requests of courts, law enforcement, regulators and other governmental agencies; any other entities notified to you at the time of collection.

Other than (a) when required or permitted by law, (b) as specified in this Privacy Policy or (c) where you have provided your consent, we will not disclose your personal information.

Nothing in this Privacy Policy prevents us from using and disclosing to others de-personalised aggregated data.

Transfer of personal information overseas

We may be disclosing your personal data to the following parties: third party service providers, insurers and/or our related companies as they may be processing your personal information either on our behalf or otherwise for one or more of the above-stated purposes.

Some of the third party service providers to whom we disclose personal information are located in countries outside of your country of residence, for example, Australia (or, in relation to New Zealand, outside New Zealand, or in relation to Singapore, outside Singapore) such as Malaysia, the Philippines, Vietnam and the United States of America. In this regard, unless exempted by applicable Privacy Laws, we will either (a) seek your express or implied consent prior to the transfer of your personal information overseas or (b) we will take reasonable steps to ensure that the overseas recipient does not breach the Privacy Laws applicable in relation to your personal information. Transfer of your personal information will only be made for one or more of the purposes specified in this Privacy Policy.

When we take reasonable steps, we will ensure that transfers of personal information are in accordance with applicable law and carefully managed to protect your privacy rights and transfers are limited to either countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangement are in place to protect your privacy rights. To this end:

we ensure transfers within Steadfast's group of companies will be covered by an agreement entered into by members of Steadfast's group of companies (an intra-group agreement) which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection wherever it is transferred within our group of companies. Where we transfer your personal information either outside our group of companies or to third parties who help provide our services, we obtain contractual commitments from them to protect your personal information; or

where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information are disclosed.

You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal information when this is transferred as mentioned above.

Your obligations when you provide personal information of others

You must not provide us with personal information (including any sensitive information) of any other individual (including any of your employees or customers if you are an insurance broker) unless you have the express or implied consent of that individual to do so. If you do provide us with such information about another individual, before doing so you:

must tell that individual that you will be providing their information to us; and
warrant that you have that individual’s consent to provide their information to us

If you have not done this, you must tell us before you provide any third-party information.

Your obligations when we provide you with personal information

If we give you, or provide you access to, the personal information of any individual, you must only use it:

for the purposes we have agreed to; and
in compliance with applicable Privacy Laws and this Privacy Policy

You must also ensure that your agents, advisers, employees and contractors meet the above requirements.

Accuracy, access and correction of your personal information

We take reasonable steps to ensure that your personal information is accurate, complete and up-to-date whenever we collect, use or disclose it. However, we also rely on you to advise us of any changes to your personal information. All personal information identified as being incorrect is updated in our database and, where applicable and appropriate, on our website.

Please contact us using our contact details below as soon as possible if there are any changes to your personal information or if you believe the personal information we hold about you is not accurate, complete or up-to-date. We may refuse to correct personal information if the correction would not improve the accuracy, completeness, relevance or would make the information misleading. If we refuse to correct your personal information, we will record that a request was made and advise you why the request was refused.

You can make a request to access your personal information by contacting us using the contact details below. If you make an access request, we will provide you with access to the personal information we hold about you unless otherwise required or permitted by law. We will notify you of the basis for any denial of access to your personal information.

We may charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. We may also charge the reasonable cost of third parties who assist us in complying with the access request.

If you are an individual based in or a resident of the European Union or the United Kingdom, there are additional rights available to you. Please see below your detailed rights including rights of access, erasures, rectification and portability of your personal data.

Right	What this means
Access	You can ask us to: confirm whether we are processing your personal information; give you a copy of that data; and provide you with other information about your personal information such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, and where we got your data from, to the extent that information has not already been provided to you in this Privacy Policy.
Rectification	You can ask us to rectify inaccurate personal information. We may seek to verify the accuracy of the data before rectifying it.
Erasure	You can ask us to erase your personal information, but only where: it is no longer needed for the purposes for which it was collected; or you have withdrawn your consent (where the data processing was based on consent); or following a successful right to object (see ‘Objection‘ below); or it has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your personal information if the processing of your personal information is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
Restriction	You can ask us to restrict (i.e. keep but not use) your personal information, but only where: its accuracy is contested (see ‘Rectification’ above), to allow us to verify its accuracy; or the processing is unlawful, but you do not want it erased; or it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal information following a request for restriction, where: we have your consent; to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person.
Portability	You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format but case only where: the processing is based on your consent or on the performance of a contract with you; and the processing is carried out by automated means.
Objection	You can object to any processing of your personal information which has our ‘legitimate interests’ as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
International transfers	You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the European Economic Area. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
Supervisory Authority	You have a right to lodge a complaint with your local supervisory authority about our processing of your personal information. For example, in the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk/). We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.

If you wish to access any of the above – mentioned rights, we may ask you for additional information to confirm your identity and for security purposes, in particular before disclosing personal information to you.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Security of your personal information

We take reasonable steps to protect any personal information that we hold from misuse, interference and loss, and from unauthorised access, alteration and disclosure.

For example, we maintain physical security over our paper and electronic data stores and premises, such as locks and security systems. We also maintain computer and network security. For example, we use firewalls (security measures for the Internet) and other security systems such as user identifiers and passwords to control access to computer systems.

However, data protection measures are never completely secure and, despite the measures we have put in place, we cannot guarantee the security of your personal information. You must take care to ensure you protect your personal information (for example, by protecting any usernames and passwords). You should notify us as soon as possible if you become aware of any security breaches. We will where required by applicable Privacy Law, as soon as reasonably possible, notify you of material security breach concerning your personal information.

How long do we retain your personal information

We will retain your Personal Information for no longer than is required for any purpose under this privacy policy unless we are required by law to retain the information for a longer period. We will make reasonable efforts to destroy or de-identify your Personal Information after this time.

Links to third party sites

Our website may contain links to other third-party websites. We do not endorse or otherwise accept responsibility for the content or privacy practices of those websites or any products or services offered on them. We recommend that you check the privacy policies of these third-party websites to find out how these third parties may collect and deal with your personal information.

Cookies

Like many website operators, we may use standard technology called cookies on our website. Cookies are small data files that are downloaded onto your computer when you visit a particular website. Cookies help provide additional functionality to the site or to help us analyse site usage more accurately. For instance, our server may set cookie that keeps you from having to enter a password more than once during a visit to one of our sites. In all cases in which cookies are used, the cookie will not collect personal information except with your consent.

You can disable cookies by turning them off in your browser; however, our website may not function properly if you do so.

If you follow a link from our website to another website, please be aware that the owner of the other website will have their own privacy and cookie policies for their site. We recommend you read their policies, as we are not responsible or liable for what happens at their website.

You can adjust the settings in your web browser to determine whether sites can set cookies on your device. If you’ve visited this site before, there may be previously set cookies on your computer. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them,

visit www.aboutcookies.org or www.allaboutcookies.org.

You may opt out of being tracked by Google Analytics across all websites by following the guidance outlined in their website.

Direct marketing and how to opt out

When we collect your personal information, e.g., via email, post, SMS, app notification, telephone or targeted online advertisements, we may use your personal data to send you direct marketing communications about our insurance products or our related services. We limit direct marketing to a reasonable and proportionate level, and to send you communications which we believe may be of interest to you, based on the information we have about you.

Our processing of your personal data for direct marketing purposes is based on our legitimate interests, but where opt-in consent is required by law we may seek your consent where applicable. If you no longer wish to receive such information, or you do not want us to disclose your personal information to any other organisation (including insurance brokers or any other related companies), you can opt out by following the opt-out links in electronic communications, de-activating the push notification or alert to your mobile phone, or contacting us using our contact details below.

Administration of personal information

You may refuse or withdraw your consent for the collection, use and/or disclosure of your personal information in our possession by giving us reasonable notice so long as there are no legal or contractual restrictions preventing you from doing so. If you withdraw your consent for us to use your personal information for your insurance matters, this will affect our ability to provide you with the products and services that you asked for or have with us

If the purpose for which your personal information is collected is no longer served by the retention of such data, or when the retention is no longer necessary for any other legal or business purpose, we will ensure that the hard copy of your personal data will be completely destroyed and electronic personal data as much as possible.

Updates of Privacy Policy

We reserve the right to amend our Privacy Policy from time to time to ensure we properly manage and process your personal data. Any amended Privacy Policy will be posted on our website.

How to make a complaint

If you wish to make a complaint about a breach of this Privacy Policy or any breach of applicable Privacy Laws, you can contact us using the contact details below. You will need to provide us with sufficient details regarding your complaint together with any supporting evidence and information.

We will refer your complaint to our Privacy Officer who will investigate the issue and determine the steps that we will undertake to resolve your complaint. We will contact you if we require any additional information from you and will notify you in writing of the outcome of the investigation. We will try to resolve any complaint within 14 working days in Melbourne . If this is not possible, you will be contacted within that time to let you know how long it should take us to resolve your complaint. If you are not satisfied with our determination, you can contact us to discuss your concerns or complain to the relevant local data protection supervisory authority (i.e., your place of habitual residence, place or work or place of alleged infringement). This is the Australian Privacy Commissioner in Australia (at www.oaic.gov.au), the New Zealand Privacy Commissioner in New Zealand (at www.privacy.org.nz), the Personal Data Protection Commissioner in Singapore (at www.pdpc.gov.sg) and the Information Commissioner’s Office in the UK (at www.ico.co.uk).

How to contact us

If you wish to gain access to your personal information, want us to correct or update it, have a complaint about a breach of your privacy or any other query relating to our Privacy Policy, please contact our Privacy Officer during business hours in Melbourne on:

The Privacy Officer

Telephone: 0427 975 978

Josh Giansiracusa - Josh.gia@steadfastrisk.com.au

Alternatively, you can contact us via:

Steadfast Risk Engineering Pty Ltd

Level 4, 99 Bathurst Street, Sydney NSW 2000

Attention: Company Secretary

For further information on privacy, please visit:

in Australia, the Office of the Australian Information Commissioner at http://www.oaic.gov.au/
or

in New Zealand, the New Zealand Privacy Commissioner at www.privacy.org.nz
or

in Singapore, the Personal Data Protection Commission at www.pdpc.gov.sg
or

in the UK / Europe, the Information Commissioner’s Office at www.ico.co.uk

Dated: 15 February 2022