Skip to main content

Toustone Privacy Notice

At Toustone, respecting your data privacy rights is a top priority. This notice explains why and how we collect personal data about you, how we may process such data, and what rights you have regarding your personal data.

Toustone, as an Australian based company, is not subject to the requirements of the General DataProtection Regulation (GDPR) however we recognise the GDPR as best practise and adhere to its principles in all instances where it does not violate the Australian Privacy Act (1988).

We collect and process your data based on the type of data subject that you are. This notice is laid out such that the general provisions are at the top of this notice. Information specific to the different data subject types are listed in the headings below.

Please read the General Information and then click on the most relevant category(ies) of data subject for your situation.

Privacy Notice Contents
● General Information
● Employees
● Contractors & Temporary Workers
● Suppliers
● Clients
● Other Data Subject Types
● Unsolicited Personal Information
● Retention Schedule

General Information

The information in this section is relevant to all categories of data subject.

Who controls your personal data?

Toustone is responsible for your personal data. You can contact a representative by sending an email to the following address:
privacy@toustone.com.

Your Rights

Individuals under the GDPR have rights. We adhere to conducting our business so that these rights are not violated, and we support your right to make a request to exercise these rights at any point. There are rules and exceptions in relation to these rights. They may not be exercisable in all situations. The GDPR rights are:
1. The right to be informed.
● You have the right to be informed about how Toustone processes your personal
data. Typically, Toustone communicates this information through privacy notices such as this one.
2. The right of data access
● You have a right to obtain a copy of the personal data we hold about you.
3. The right of data rectification
● You have a right to ask for the correction of inaccurate or incomplete personal data
which we hold about you.
4. The right of data erasure
● You have the right to request that personal data be erased when it is no longer needed, where applicable law obliges us to delete the data, or where the processing of it is unlawful. You may also ask us to erase personal data where you have withdrawn your consent or objected to the data processing.
5. The right to restrict data processing
● You have the right to restrict the processing of your personal data. Where that is the case, we may still store your information, but not use it further.
6. The right to data portability
● You have the right to receive your personal data in a structured, machine-readable format for your own purposes, or to request us to share it with a third party.
7. The right to object to data processing
● You have the right to object to our processing of your personal data based on the legitimate interests, where your data privacy rights outweigh our reasoning for legitimate interests. You may also object to our marketing activities or activities related to research.
8. Rights in relation to automated decision making and profiling.
● You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.

You may make a request based upon these data privacy rights by emailing privacy@toustone.com

In certain circumstances, we may need to restrict the above rights to safeguard the public interest (e.g., the prevention or detection of crime) or our business interests (e.g., the maintenance of legal privilege).

Personally identifiable information and the use of AI

Toustone uses some AI tools to support the work we undertake. We do not use AI tools in a way that impinges your
rights under the GDPR or the Australian Privacy Act. We do not disclose personally identifiable or sensitive
information in public AI tools. Where AI tools are used, they are done so securely, accurately, transparently, fair and
lawfully, and with the consent of participants.

Consent as a legal basis for processing
For some data processing, Toustone uses consent as a legal basis. If you have consented to processing by Toustone, please be aware that you have the right to withdraw this consent at any point. If you would like to withdraw consent for a particular type of data processing that Toustone performs, please email the following address: privacy@toustone.com.

Complaints to a Supervisory Authority
You have the right to lodge a complaint with a supervisory authority with regards to the way that Toustone processes your personal data.

How we share your data?
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us unless it has been authorised by Toustone. They
will hold it securely and retain it for the period we instruct.
In some circumstances we are legally obliged to share information, for example under a court order. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making to satisfy ourselves we have a legal basis on which to share the information.

Where personal data is shared with an organisation who is based in a “Third Country” (a country not governed by the GDPR), Toustone will implement appropriate safeguards to ensure the ongoing protection of personal data, e.g. Standard Contractual Clauses, or International Data Transfer Agreements.

How we protect your information?
We implement appropriate technical and organisational measures to protect any personal data that we hold from unauthorised disclosure, use, alteration, or destruction. Where appropriate, we use encryption and other technologies that assist in securing the data you provide. We also require our service providers to comply with strict data privacy requirements when they process your personal data.

How long do we keep your personal data?
We only keep your personal data for as long as necessary for the purposes described in this privacy notice, or until you notify us that you no longer wish us to process your data. After this time, we will securely delete your personal data, unless we are required to keep it to meet legal or
regulatory obligations, or to resolve potential legal disputes.

Contact and Further Information

If you have any questions about how we use your personal data, or wish to make a complaint about how we handle it, you may contact Toustone at: privacy@toustone.com.

If you would like to be provided with information about a specific personal data processing activity, you can submit a request for this at privacy@toustone.com.

We collect only the personal data from you that we need for the purposes described above.
Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this Notice.
In the case that you are working at a third-party site (for example Toustone customer location or facility), such third-party may need to process your personal data for their purposes acting as a data controller. In these cases, you will receive or may request a separate privacy notice from the
relevant data controller.

What happens if you do not provide us with the information we have requested?
Where it concerns processing operations related to your employment (as described above), Toustone will not be able to adequately employ you without certain personal data and you may not be able to exercise your employee rights if you do not provide the personal data requested.
Although we cannot mandate you to share your personal data with us, please note that this then may have consequences which could affect your employment in a negative manner, such as not being able to exercise your statutory rights or even to continue your employment. Whenever you are asked to provide us with any personal data related to you, we will indicate which personal data is required, and which personal data may be provided voluntarily.
● You may obtain a copy of our assessment regarding our legitimate interest to process your
personal data by submitting a request to privacy@toustone.com
● In some cases, we process your personal data on the basis of statutory requirements, for example, on the basis of employment law, allowances, tax or reporting obligations, cooperation obligations with authorities or statutory retention periods, in order to carry out our contractual responsibilities as an employer;
● In exceptional circumstances we may ask your consent at the time of collecting the personal data, for example photos, communications materials, and events. If we ask you for consent to use your personal data for a particular purpose, we will remind you that you are free to withdraw your consent at any time and we will tell you how you can do this.
Regarding special categories of personal data, we will only process such data in accordance with applicable law and:
● with your explicit consent for specific activities in accordance with applicable law;
● when necessary for exercising rights based on employment, or social protection law or as authorised by collective agreement, or for preventive and occupational medicine or and evaluation of working abilities; or
● where necessary for establishment, exercise, and defence of legal claims.
Regarding personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law.

Employees

The information in this section applies to current, past, or potential employees. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

Toustone Privacy Notice table 1
toustone privacy notice table 2

Transfers of Personal Data to Third Parties

Toustone may transfer your personal data to third parties. Toustone may transfer your personal data to the following third parties:
● Xero
● Australian Tax Department
● Your nominated superannuation fund.
● Westpac
● Google Drive
● Amazon Web Services

Contractors & Temporary Workers

The information in this section applies to current past and potential contractors, or workers working under a service contract. Depending on your specific circumstances, your data may be used in all, some, or none of the below listed processes:

toustone privacy notice table 3
toustone privacy notice table 4

Transfers of Personal Data to Third Parties

Toustone may transfer your personal data to third parties. Toustone may transfer your personal data to the following third parties:
● Xero
● Australian Tax Department
● Your nominated superannuation fund.
● Westpac
● Google Drive
● Amazon Web Services

Suppliers

This section applies to past, current, and potential third-party suppliers. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

toustone privacy notice table 5

Transfers of Personal Data to Third Parties

Toustone may transfer your personal data to third parties. Toustone may transfer your personal data to the following third parties:
● Xero
● Westpac
● Google Drive

Clients

This section applies to past, current, and potential clients. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

toustone privacy notice table 6
toustone privacy notice table 7
toustone privacy notice table 8

Transfers of Personal Data to Third Parties

Toustone may transfer your personal data to third parties. Toustone may transfer your personal data to the following third parties:
● Hubspot
● LinkedIn
● Freshdesk
● Google Drive
● Xero

Other Data Subject Types

This section applies to other data subject types who may not have been captured in the above listed categories. Depending on your specific circumstances, your data may be used in all, some or none of the below listed processes:

toustone privacy notice table 9

Transfers of Personal Data to Third Parties

Toustone may transfer your personal data to third parties. Toustone may transfer your personal data to the following third parties:
● Amazon Web Services
● Google Drive
● Hubspot
● Google Analytics
● Yellowfin

Unsolicited Personal Information

If you send Toustone unsolicited personal information, for example a CV, Toustone reserves the right to immediately delete that information without informing you, or to decide which category of data subject that you appear to be, and also to manage your personal data within the remit of that category as described elsewhere in this Privacy Notice.

Retention Schedule

Toustone uses the following retention schedule. The following minimum retention periods shall apply:

toustone privacy notice table 10

Where it is not practical to segregate and manage specific data types uniquely, then a blanket 7-year policy will be applied to all data with a prescribed retention period of 6 years or less.