At a glance

To provide and advertise our services we store and process personal information. We outline how personal information is collected, when personal information is used, how people can access, correct, or destroy personal information, and how people can opt-out. We ensure personal information is protected by applying risk based security controls in accordance with the Australian Privacy Principles and the SOC2 security framework.

Scope

The Lookout Way (TLW) information systems that store and process personal information for the purposes of operating, supporting, and marketing our services directly to Lookout Care Suite customers and Lookout Connect candidates.

Collection

We collect personal information to contact and transact with people. The main way we collect personal information is directly from people with their consent, such as when they make an enquiry about our services, or when they engage our services. The secondary ways we collect personal information is from a person’s own promotion (e.g. LinkedIn), public records (e.g. Website), or their interactions with our marketing campaigns.

If the person is a Lookout Care Suite prospect or customer, the kinds of information we may collect are:

• Personal information such as name, address, title, role, and IP address
• Contact information such as email and phone number
• Financial information such as credit card or bank account details
• Statistical information such as the usage patterns, buying decisions, tracking pixels, tracking cookies, devices, networks, and operating systems
• Information sent to us in general correspondence via email, web chat, or phone

If the person is a Lookout Connect candidate, the kinds of information we may collect are:

• Personal information such as name, address, date of birth, IP address, and biography
• Contact information such as email and phone number
• Sensitive information such as immunisation history, employment history, employment preferences, background checks, and qualification checks
• Statistical information such as the usage patterns, tracking pixels, tracking cookies, devices, networks, and operating systems
• Information sent to us in general correspondence via email, web chat, or phone

For all other people the kinds of information we may collect are:

• Information sent to us in general correspondence via email, web chat, or phone
• Statistical information such as the usage patterns, tracking pixels, tracking cookies, devices, networks, and operating systems

We do not intend our services to be accessed by children under the age of 16. If a person is under the age of 16 they should not use our services. If we learn personal information has been collected from a person under the age of 16 we will take steps to destroy their personal information stored by us.

Use and disclosure

We may use personal information to:

• Provide access to our services, including billing and implementation support
• Assist with enquries, statements of works, feedback, or complaints
• Market our services, including targeted campaigns such as a “rostering feature” to a “rostering person”
• Improve our services, conduct internal audits, and measure the effectiveness of our support channels and marketing campaigns
• Comply with legal and regulatory obligations imposed on us

We may disclose personal information to:

• Verify a person’s identity. We would do this in high risk scenarios such as resetting a person’s access to our services.
• Assist with hiring (Lookout Connect candidates only). We only make personal information available to the hiring company after obtaining consent from the candidate.
• Prevent or lessen a serious and imminent threat to a person’s life, health or safety, or a serious threat to public health or public safety. We will only do this if there are reasonable grounds.
• Comply with lawful instruction. We will tell the subject when this happens unless we are prevented from doing so.

We do not use or disclose personal information for any other purposes. We do not sell, rent, or lease personal information.

Access, correction, and destruction

We use best effort to keep personal information up-to-date and error free, but we ultimately rely on people to tell us when their personal information needs correcting.

If the person is a Lookout Care Suite customer or a Lookout Connect candidate, then they may log in to our services to gain access to their personal information, make corrections to their personal information, or destroy their account. If destroying their account is not possible, then they may request for their account to be destroyed by making a request to [email protected].

If the person is an end user of Lookout Care Suite, as in, they have been invited or added to Lookout via a service provider, then they should contact the service provider directly and/or cite the Privacy Policy of the service provider.

For all other subjects, such as Lookout Care Suite prospects, please send an email to [email protected] to make a request to access, correct, or destroy personal information stored and processed by us.

Security and confidentiality

We ensure the security, confidentiality, and availability of our services by running a comprehensive information security programme conforming to the SOC2 security framework.

We regularly invite an external independent auditor to examine our policies and controls against the SOC2 security framework. The latest copy of our SOC2 report is available upon request in our Trust Centre.

Our information security programme includes:

• Subprocessors and location of where data is stored and processed
• Code of conduct acknowledged by employees and contractors
• Background checks performed on employees and contractors
• Security awareness training implemented
• Access reviews conducted
• Data encryption utilised
• Penetration testing performed
• Incident response plan tested
• Vulnerabilities scanned and remediated
• Vendor management programme established
• Customer data deleted upon leaving

See our Trust Centre for more details about our information security programme.

Opt-out

We will generally include a link or instruction on how to opt-out of communication from us. If a person believes they have received information from us that they did not opt-in to receive, please send an email to [email protected] so we may correct it.

Contacting people

We may send important notices, such as changes to our terms, conditions and policies. Where such information is materially important to a person’s use of our services, they may not opt out of receiving these communications.

Notifiable breaches

We have an Incident Response Plan which outlines how we would respond to suspected or actual breaches of personal information.

Our plan includes:

• Forming a response team and internal escalation pathways
• Working to contain, remediate, and mitigate
• Notifying affected people within 3 business days, including any recommended actions for people to take
• Reporting to the Office of the Australian Information Commissioner within 30 calendar days
• Cooperating with incident responders, customers, regulators, and the authorities

See our Trust Centre for a copy of our Incident Response Plan.

Feedback and complaints

We welcome and encourage feedback. If you have feedback about this policy, or if you would like to make a complaint under this policy, please send an email to [email protected].