1.1 Centaur Software Development Co Pty Ltd (ACN 057 620 390) (‘Centaur Software’) is committed to maintaining the security of personal information (‘Personal Information’) provided to us and providing a compliant and transparent approach to data protection.
1.2 When you share Personal Information with us, we treat it with care and take our responsibility to protect it seriously.
1.3 We adhere to the Australian Privacy Principles in the Privacy Act 1988 (Cth) (‘Privacy Act’), the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) and applicable State and Territory laws pertaining to health service providers and the handling of personal information and health records.
2. About Centaur Software
2.1 Centaur Software is a leading Australian provider of practice management software and related hardware to our customers (‘Customers’). Our products and services include the supply of related imaging and photography devices and ongoing training and support services (collectively our ‘Services’).
2.2 Centaur Software is committed to maintaining high standards of data security. We comply with the applicable standards and obligations set out under the Privacy Act and the GDPR.
3. The types of Personal Information we collect
3.1 “Personal Information” is information or an opinion that can reasonably identify an individual.
3.2 We collect Personal Information for the primary purpose of supplying our Services, providing information to our Customers and marketing.
3.3 Centaur Software collects the following types of Personal Information:
(a) Customer Personal Information such as your name and title, the name of your clinic or business, practitioner registration details, your address, phone number, email address, payment details such as your credit or debit card details and any other Personal Information required for us to provide you with our Services, communicate with you and to keep a record of your transactions.
(b) Marketing Personal Information so that we can market our Website and our Services or that of third parties to you in accordance with your preferences. Before we share your Personal Information with any third party for marketing purposes, we will obtain your explicit consent. You may also unsubscribe from our mailing list at any time by following the opt-out link on any message sent to you. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you.
3.4 We may collect Personal Information from you, including but not limited to, when you provide us with feedback, when you provide us with data about your business activities, a password when you register with us, when you change your content or email preferences, when you respond to our surveys and promotions, or when you communicate with our customer support.
3.5 Centaur Software may also collect any other type of Personal Information you provide to us while interacting with us through your use of our Website and the supply of our Services.
3.6 Some Centaur Applications/Services use the OAuth2 standard to allow our Customers to send emails securely via Microsoft 365 (O365) and Google Mail. Only the sender's email address and the OAuth2 refresh token are stored in the local database; both are encrypted, secured and not shared with anyone. Our Customer has the option to delete the sender's email address (and the associated token) from the database.
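Clause 3.6 describes the storage pattern for the OAuth2 integration: one row per sender holding the sender's email address and an encrypted refresh token, which the Customer can delete. The Go program below is an added illustration of that pattern and is not Centaur Software's code. Everything in it beyond what the clause states is an assumption: the choice of AES-256-GCM, the use of the sender's address as additional authenticated data, the in-memory map standing in for the local database, the key source, and the sample address and token (both constructed).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenVault stands in for the encrypted-at-rest table that holds one row per
// sender: the sender's email address as the key and the OAuth2 refresh token as
// the value. The map is a constructed stand-in for the real local database.
type TokenVault struct {
	aead cipher.AEAD
	rows map[string][]byte // sender email -> nonce || ciphertext || GCM tag
}

// NewTokenVault wraps a 32-byte AES-256 key. Assumption: in a real deployment
// the key comes from the OS keystore or a KMS, never from the same database.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead, rows: make(map[string][]byte)}, nil
}

// Put encrypts the refresh token under a fresh random nonce. The sender's email
// is passed as additional authenticated data, so a ciphertext copied onto another
// sender's row fails to decrypt instead of silently granting that mailbox.
func (v *TokenVault) Put(senderEmail, refreshToken string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, []byte(refreshToken), []byte(senderEmail))
	v.rows[senderEmail] = append(nonce, ct...)
	return nil
}

// Get decrypts and authenticates the stored token for one sender.
func (v *TokenVault) Get(senderEmail string) (string, error) {
	row, ok := v.rows[senderEmail]
	if !ok {
		return "", errors.New("no refresh token stored for sender")
	}
	ns := v.aead.NonceSize()
	if len(row) < ns+v.aead.Overhead() {
		return "", errors.New("stored row is truncated")
	}
	pt, err := v.aead.Open(nil, row[:ns], row[ns:], []byte(senderEmail))
	if err != nil {
		return "", fmt.Errorf("decrypt failed (wrong key, tampered row or wrong sender): %w", err)
	}
	return string(pt), nil
}

// Delete removes the sender's row, which is what the Customer-facing
// "delete sender" option must do. Returns false if nothing was stored.
func (v *TokenVault) Delete(senderEmail string) bool {
	if _, ok := v.rows[senderEmail]; !ok {
		return false
	}
	delete(v.rows, senderEmail)
	return true
}

// StoredRow returns the raw stored bytes (base64) so the reader can confirm the
// plaintext token never appears at rest.
func (v *TokenVault) StoredRow(senderEmail string) string {
	return base64.StdEncoding.EncodeToString(v.rows[senderEmail])
}

func main() {
	// Constructed demo key; see NewTokenVault for where a real key should come from.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewTokenVault(key)
	if err != nil {
		panic(err)
	}
	sender := "practice@example.com"            // constructed sender address
	token := "1//0gConstructedRefreshTokenValue" // constructed refresh token
	if err := v.Put(sender, token); err != nil {
		panic(err)
	}
	fmt.Println("at rest:", v.StoredRow(sender))
	got, err := v.Get(sender)
	fmt.Println("decrypted matches:", err == nil && got == token)
	fmt.Println("deleted:", v.Delete(sender))
}
```

Two points the clause does not spell out but that matter in practice: binding the ciphertext to the sender's address (the AAD argument) stops a row being re-pointed at another sender, and deleting the row only removes the local copy; a refresh token stays valid at Google or Microsoft until it is revoked there, so a full "delete sender" should also call the provider's revocation endpoint.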
4. Sensitive Personal Information
4.1 As part of our Services, we process the Personal Information of patients uploaded by our Customers which may include health information, racial or ethnic origin data, and genetic data. This type of information is referred to in the Privacy Act and under the GDPR as sensitive information (‘Sensitive Data’).
4.2 The Personal Information of patients may include name, contact information (address, phone, email and SMS messaging), date of birth, patient details, treatment notes and records, health insurance details, Medicare numbers, accounting and payments details, images, and other health information submitted by Customers when using our Services.
4.3 Sensitive Data will only be used by us for the purpose of supplying our Services or where required or authorised by law.
4.4 It is the responsibility of Customers to ensure that they have obtained the explicit and informed consent (or rely on another legal basis) of patients including that of minors to use their Personal Information and Sensitive Data in the supply of our Services to Customers.
4.5 Where we process Sensitive Data, we encrypt all such data and apply document protection to it.
5. How we collect Personal Information
5.1 Centaur Software collects Personal Information from you in a variety of ways, including when you interact with us electronically or in person, when you access our Website and when we provide our Services to you.
6. How we use your Personal Information
6.1 We use your Personal Information and you consent to us using your Personal Information to:
(a) provide you with our Services;
(b) administer our business activities;
(c) process transactions involving our business and through our Website where you have purchased our Services;
(d) manage, research and develop our Services including through data analytics;
(e) provide you with information about our Services;
(f) communicate with you by a variety of measures including, but not limited to, by telephone, email, sms or mail;
(g) meet legal, regulatory and compliance obligations; and
(h) investigate any complaints.
6.2 If you choose to withhold your Personal Information, it may not be possible for us to provide you with our Services or for you to access certain parts of our Website and for us to respond to your query.
7. Sharing your Personal Information with third-parties
7.1 We may share your Personal Information with third-party service providers to help us provide our Services and to provide you with a payment platform.
7.2 If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer to the extent permissible at law our databases, together with any Personal Information and non-Personal Information contained in those databases.
8. Legal basis in the European Union (EU) for the collection and processing of your Personal Data
8.1 “Personal Data” refers to any information relating to an identifiable natural person who can be identified directly or indirectly. This includes information such as your name, email address, and contact details.
8.2 The legal basis for collecting and processing your Personal Data will depend on how your Personal Data is being used and how it was collected.
8.3 When you engage our Services, we process Personal Data on your behalf as a Data Processor where you are the Data Controller and otherwise to the extent that we are a Data Controller as defined in the GDPR.
8.4 The legal bases on which we collect and process your Personal Data are the following:
(a) Contractual basis. This legal basis applies to the collection or processing of Personal Data in order to fulfil or perform a contract with you, or to which you are a party.
(b) Consensual basis. This applies where you have provided your consent to the collection or processing of Personal Data for a specific purpose (for example, to provide you with marketing updates). You can withdraw your consent at any time by updating your email preferences, opting-out, or by contacting us directly.
(c) Legitimate interests. This applies where we have a legitimate interest to collect or process your Personal Data. For example, it may be to respond to an enquiry about our Services, or to improve our Services.
(d) Legal obligations. This applies where it is necessary to disclose your Personal Data to comply with a legal obligation.
8.5 Unless otherwise required by contractual obligation or any other legal basis, we only store your Personal Data while it remains necessary to fulfil the purpose for which it was collected, or if the purpose of the processing could not reasonably be fulfilled by other means. Periods of data retention will apply differently for each specific category of data.
8.6 When we use third parties to process your Personal Information on our behalf, we ensure that such Personal Information is processed only pursuant to our documented instructions and in accordance with the legal basis for the processing.
8.7 We only employ third-party data processors that are compliant with the GDPR requirements and that have sufficient security measures in place to protect and safeguard your data.
9. International Data Transfers
9.1 We may store, process and transfer your data, including your Personal Information, in countries other than the country you live in. Data transfer may occur in and between countries outside of Australia, which may include but are not limited to the United States and Europe, provided these are countries that the European Commission has approved as providing an adequate level of protection for Personal Data.
9.2 As part of our obligations under the GDPR, we only transfer the data of individuals residing in the EU to countries outside of the EU with adequate data privacy laws, or to a third party where we have approved transfer mechanisms in place to protect your Personal Data (by entering into the European Commission’s Standard Contractual Clauses for data that is transferred internationally, or by ensuring the entity is Privacy Shield certified for data transferred to third parties based in the United States). Note that the EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 and can no longer be relied on as a transfer mechanism; such transfers require Standard Contractual Clauses or another valid safeguard.
9.3 If the above safeguards do not apply, we will request your explicit consent to any transfers and you will have the right to withdraw this consent at any time.
10. How we secure your Data and Data Breach
10.1 We are committed to ensuring that the data you provide to us is secure. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure data and protect this data from misuse, interference, loss and unauthorised access, modification and disclosure.
10.2 A reportable “Data Breach” is a security incident in which Personal Information or Personal Data is destroyed, lost, altered, corrupted, disclosed or accessed without authorisation, and which is likely to result in serious harm to any affected individual.
10.3 We have procedures and systems in place, including a data breach incident response plan, specific data breach policies and procedures and personnel, to deal with an actual or suspected “Data Breach”, and will notify you and the applicable regulator in accordance with our obligations under the NDB and the GDPR.
10.4 Please report any actual or suspected breaches in relation to the supply of our Services for investigation to Centaur Software by using the Contact Us section provided on our Website.
11. Data Access Request under the GDPR (Right of Access and Correction)
11.1 It is important that the Personal Data we hold is accurate and up to date. Please keep us informed of any changes to your data to ensure it is relevant, accurate, complete and current.
11.2 We comply with your rights under the GDPR (subject to the grounds set out in the GDPR and applicable law) that permit you:
(a) to be informed as to how your Personal Data is being used;
(b) to access your Personal Data and to know specifically what information is held about you and how it is processed, where and for what purpose (we will provide you a copy of your Personal Data in electronic format free of charge if requested);
(c) to rectify your Personal Data if it is inaccurate or incomplete;
(d) to erase your Personal Data (also known as ‘the right to be forgotten’) if you wish to delete or remove your Personal Data;
(e) to restrict Data Processing of your Personal Data;
(f) to receive your Personal Data in a structured, commonly used and machine-readable format and to reuse it for your own purposes or have it transmitted to another controller (“Personal Data portability”);
(g) to object to your Personal Data being used; and
(h) to object against automated decision making and profiling.
11.3 You can contact us any time to exercise your rights under the GDPR including as to:
(a) request access to Personal Data that we hold about you (“Data Access Request”);
(b) to correct any Personal Data that we hold about you;
(c) delete Personal Data that we hold about you; or
(d) opt out of emails, marketing, and any other notifications that you receive from us.
11.4 We may ask you to verify your identity before acting on any of your requests. All Data Access Requests will be processed within one (1) month and will be provided in a digital format free of charge.
11.5 If you have any questions about Centaur Software’s collection and storage of data, please contact us using the contact details provided below.
12. The types of non-Personal Information we collect
12.1 We collect non-Personal Data from you when you visit our Website or social media pages.
12.2 The information collected is generally anonymous traffic data and may include your IP address, browser type, device information, and language. The information that we collect is in aggregate form so that it cannot identify any individual user.
12.3 We use Google Analytics and other third-party services that place pixels, tags and web beacons (code snippets) on our Website to improve user experience, the supply of our Services and to analyse how our Website is used.
13. Access to and how you can control your Personal Information
13.1 You may request details of Personal Information that we hold about you in accordance with the provisions of the Privacy Act 1988 (Cth).
13.2 If you would like a copy of your data or believe that your data is inaccurate, out of date, incomplete or irrelevant, please contact us using the contact details provided below.
14. Complaints about privacy
14.1 If you have any complaints about our privacy practices, please contact us and we will respond promptly to your notice.
15. Our contact details
15.1 You can contact us:
(a) using the support section provided on our website located at www.centaursoftware.com.au;
(b) by telephone on 1300 855 966; or
(c) by email at email@example.com
15.2 Our Data Protection Officer can be contacted at firstname.lastname@example.org
© 2020 Centaur Software Development Co Pty Ltd. ALL RIGHTS RESERVED.