Effective Date: 4 Oct 2020
What this policy covers
Your privacy is important to us, and so is being transparent about how we collect, use, and share personal information about you on behalf of your employer. This policy is intended to help you understand:
- What personal information we collect about you;
- How we use personal information we collect;
- How we share personal information we collect;
- How we store and secure personal information we collect;
- How to access and control your personal information;
- How we transfer personal information we collect internationally; and
- Other important privacy information.
Xrosswork complies with all relevant privacy laws where we operate, including the requirements applicable to us under the Privacy Act 1988 (Cth) (Privacy Act) and relevant State laws in Australia. In addition to the Privacy Act, individuals located in the European Economic Area (EEA) may also have rights under privacy rules known as the European Union General Data Protection Regulation (GDPR). The GDPR imposes additional obligations on organisations collecting and processing the personal data of individuals located in the EEA (Data Subjects) and provides additional rights to those individuals. Details of how we meet the additional obligations imposed by the GDPR are outlined in Appendix 1.
Where we provide the Services under contract with an organisation that controls the personal information processed by the Services. For more information, please see Notice to End Users under section 8 below.
Why use Xrosswork?
We strongly believe that talented people should have easy and effective access to opportunities across the organisation. The Xrosswork solution helps achieve this by providing an intuitive and user-friendly SaaS solution to connect people skills, experience and availability with opportunities across your organisation.
Our mission is to provide a solution to help identify an employee’s talents and desired career path, exchange knowledge through greater collaboration and align employees to opportunities within your organisation.
What personal information we collect about you.
We collect personal information about you when you provide it to us, when you use our Services, and when other sources provide it to us, as further described below.
Personal information you provide to us: We collect personal information provided in your resume as well as any additional information you may add to your personal profile provided on the Xrosswork platform.
If you choose not to provide certain personal information to us, we may not be able to provide some of the features and functionality of our Services to you.
Account and Profile Information: We collect personal information about you when you register for an account, create or modify your profile, set preferences or sign-up through the Services. For example, you provide your contact information when you register for the Services. You also have the option of adding a display name, profile photo, job title, and other details to your profile information to be displayed in our Services. We keep track of your preferences when you select settings within the Services.
Content you provide through our products: The Services include the Xrosswork products you use, where we collect and store content that you post, send, receive and share. This content includes any personal information about you that you may choose to include. Examples of content we collect and store include: the summary and description added to an assignment or question, the pages you create in static pages management, the messages you exchange in the messaging plugin or app, comments you enter in connection with an assignment, and any feedback you provide to us. Content also includes the files and links you upload to the Services. We collect feedback you provide directly to us through the product and we collect content using analytics techniques that hash, filter or otherwise scrub the information to exclude personal information that might identify you or your organisation; and we collect clickstream data about how you interact with and use features in the Services.
Content you provide through our websites: The Services also include our websites owned or operated by Xrosswork. For example, you provide content to us when you provide feedback or when you participate in any interactive features, surveys, contests, promotions, sweepstakes, activities or events.
Personal information you provide through our support channels: The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with a Service. Whether you designate yourself as a technical contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful in resolving the issue.
Information we collect automatically when you use the Services: We collect information about you when you use our Services, including browsing our websites and taking certain actions within the Services.
Your use of the Services: We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use; the links you click on; the type, size and filenames of attachments you upload to the Services; frequently used search terms; and how you interact with others on the Services. We also collect information about the teams and people you work with and how you work with them, like who you collaborate with and communicate with most frequently.
Device and Connection Information: We collect information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you access or use our Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services.
Information and content we receive from other sources: We may collect content and information related to you provided by other users for the purpose of providing you the Services. Examples include a performance review related to an assignment or an endorsement of your skills. Another example is that any voting on a question or answer you provided on Xrosswork Knowledge will impact your “Reputation”. A further example is CVs, skills matrices, and user profile pictures provided to us by your employer.
Xrosswork Partners: We work with a global network of partners who provide consulting, implementation, training and other services around our products. Some of these partners also help us to market and promote our products, generate leads for us, and resell our products. We receive information from these partners, such as billing information, billing and technical contact information, company name, what Xrosswork products you have purchased or may be interested in, evaluation information you have provided, what events you have attended, and what country you are in.
How we use personal information we collect.
How we use the personal information we collect depends in part on which Services you use, how you use them, and any preferences you have communicated to us. Below are the specific purposes for which we use the personal information we collect about you.
To provide the Services and personalise your experience: We use personal information about you to provide the Services to you, including to process transactions with you, authenticate you when you log in, provide customer support, and operate and maintain the Services. For example, we use the name and picture you provide in your account to identify you to other Service users. Our Services also include tailored features that personalise your experience, enhance your productivity, and improve your ability to collaborate effectively with others by automatically analysing the activities of your team to provide search results, activity feeds, notifications, connections and recommendations that are most relevant for you and your team. For example, we may use your stated job title and activity to return search results we think are relevant to your job function. We also use personal information about you to connect you with other team members seeking your subject matter expertise. We may use your email domain to infer your affiliation with a particular organisation or industry to personalise the content and experience you receive on our websites.
To communicate with you about the Services: We use your contact information to send transactional communications via email and within the Services, including responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts, and administrative messages. We send you email notifications when you or others interact with you on the Services, for example, when a task is assigned to you. We also provide tailored communications based on your activity and interactions with us. For example, certain actions you take in the Services may automatically trigger a feature within the Services that would make that task easier. We also send you communications as you commence using a particular Service to help you become more proficient in using that Service. These communications are part of the Services and in most cases you can opt out of them. If an opt out is available, you will find that option within the communication itself or in your account settings.
Customer support: We use your personal information to resolve technical issues you encounter, to respond to your requests for assistance, to analyse crash information, and to repair and improve the Services.
For safety and security: We use personal information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies.
To protect our legitimate business interests and legal rights: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use personal information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
With your consent: We use personal information about you where you have given us consent to do so for a specific purpose not listed above. For example, we may publish testimonials or featured customer stories to promote the Services, with your permission.
For data analytics purposes: We may de-identify personal information or information about the way you use our Services so that the information can no longer be linked back to you. We may then use and disclose this de-identified information for data analytics purposes or otherwise in the course of our business.
How we share personal information we collect.
We make collaboration tools, and we want them to work well for you. This means sharing personal information through the Services. We share personal information we collect about you in the ways discussed below, including in connection with possible business transfers, but we are not in the business of selling personal information about you to advertisers or other third parties.
Sharing with other Service users: When you use the Services, we share certain personal information about you with other Service users.
For collaboration: You can create content, which may contain personal information about you, and grant permission to others to see, share, edit, copy and download that content based on settings you or your administrator (if applicable) select. Some of the collaboration features of the Services display some or all of your profile information to other Service users when you share or interact with specific content. For example, when you comment on an assignment page or a Knowledge question, we display your profile picture and name next to your comments so that other users with access to the page or issue understand who made the comment. When you send a private message to another user, the recipient can view any personal information in your profile card. Similarly, when you publish an assignment, your name is displayed as the author of that assignment, and Service users with permission to view the page can view your profile information as well.
Managed accounts and administrators: If you register or access the Services using an email address with a domain that is owned by your employer or organisation, and such organisation wishes to establish an account or site, certain personal information about you including your name, profile picture, contact info, content and past use of your account may become accessible to that organisation’s administrator and other Service users sharing the same domain. If you are an administrator for a particular site or group of users within the Services, we may share your contact information with current or past Service users, for the purpose of facilitating Service-related requests.
Service Providers: We work with third-party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analysis and other services for us, which may require them to access or use personal information about you. If a service provider needs to access personal information about you to perform services on our behalf, they do so under close instruction from us, including policies and procedures designed to protect your personal information.
With your consent: We share personal information about you with third parties when you give us consent to do so. For example, we may display personal testimonials of satisfied customers on our public websites. With your consent, we may post your name alongside the testimonial.
Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights: In exceptional circumstances, we may share personal information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or government request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect Xrosswork, our customers or the public from harm or illegal activities, or (e) respond to an emergency which we believe in good faith requires us to disclose personal information to assist in preventing the death or serious bodily injury of any person.
How we store and secure personal information we collect.
Personal information storage and security: We use data hosting service providers in Australia to host the personal information we collect, and we use technical measures to secure your data. While we implement safeguards designed to protect your personal information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.
How long we keep personal information: How long we keep personal information we collect about you depends on the type of information, as described in further detail below. After such time, we will either delete or make anonymous your personal information or, if this is not possible (for example, because the personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further use until deletion is possible.
Account information: We retain your account information for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Services. We also retain some of your personal information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services. Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Services, not to specifically analyse personal characteristics about you.
Information you share on the Services: If your account is deactivated or disabled, some of your information and the content you have provided will remain in order to allow your team members or other users to make full use of the Services. For example, we continue to display messages you sent to the users that received them and continue to display content you provided.
Managed accounts: If the Services are made available to you through an organisation (e.g., your employer), we retain your personal information as long as required by the administrator of your account. For more information, see “Managed accounts and administrators” above.
How to access and control your personal information.
You have certain choices available to you when it comes to your personal information. Below is a summary of those choices, how to exercise them and any limitations.
Your Choices: You have the right to request a copy of your personal information, to object to our use of your personal information (including for marketing purposes), to request the deletion or restriction of your personal information, or to request your personal information in a structured, electronic format. Below, we describe the tools and processes for making these requests. You can exercise some of the choices by logging into the Services and using settings available within the Services or your account. Where the Services are administered for you by an administrator (see “Notice to End Users” below), you may need to contact your administrator to assist with your requests first. For all other requests, you may contact us as provided in section 9 below to request assistance.
Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal personal information about another person, or if you ask to delete personal information which we or your administrator are permitted by law or have compelling legitimate interests to keep. Where you have asked us to share data with third parties, for example, by installing third-party apps, you will need to contact those third-party service providers directly to have your personal information deleted or otherwise restricted. If you have unresolved concerns, you may have the right to complain to a data protection authority in the country where you live, where you work or where you feel your rights were infringed.
Access and update your personal information: Our Services and related documentation give you the ability to access and update certain information about you from within the Service. For example, you can access your profile information from your account and search for content containing personal information about you using keyword searches in the Service. You can update your profile information within your profile settings and modify content that contains personal information about you using the editing tools associated with that content or through your organisation’s internal systems if the profile information is updated automatically through our API (you will know that this is the case if your profile information cannot be changed on your profile page).
Please note that while any changes you make to your own personal information will be reflected within the Service, we may retain all personal information you submit for backup or archiving purposes, if we are required to by law or where we otherwise have a legitimate reason to do so.
Deactivate your account: If you no longer wish to use our Services, you or your administrator may be able to deactivate your Services account. If you can deactivate your own account, that setting is available to you in your account settings. Otherwise, please contact your administrator. If you are an administrator and are unable to deactivate an account through your administrator settings, please contact Xrosswork support. Please be aware that deactivating your account does not delete your personal information; your personal information remains visible to other Service users based on your past participation within the Services. For more information on how to delete your personal information, see below.
Delete your personal information: Our Services and related documentation give you the ability to delete certain information about you from within the Service. For example, you can remove content that contains personal information about you using the keyword search and editing tools associated with that content, and you can remove certain profile information within your profile settings. Please note, however, that we may need to retain certain personal information for record keeping purposes, to complete transactions or to comply with our legal obligations.
Request that we stop using your personal information: In some cases, you may ask us to stop accessing, storing, using and otherwise processing your personal information where you believe we don’t have the appropriate rights to do so. For example, if you believe a Services account was created for you without your permission or you are no longer an active user, you can request that we delete your account as provided in this policy. Where you gave us consent to use your personal information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time. You can also opt-out of our use of your personal information for marketing purposes by contacting us, as provided below. When you make such requests, we may need time to investigate and facilitate your request. If there is delay or dispute as to whether we have the right to continue using your personal information, we will restrict any further use of your personal information until the request is honored or the dispute is resolved, provided your administrator does not object (where applicable).
Opt out of communications: You may opt out of receiving communications from us by using the unsubscribe link within each email, updating your email preferences within your Service account settings page, or by contacting us as provided below to have your contact information removed from our promotional email list or registration database. Even after you opt out from receiving promotional messages from us, you may continue to receive transactional messages from us regarding our Services. You can opt out of some notification messages in your account settings.
Send “Do Not Track” Signals: Some browsers have incorporated “Do Not Track” (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Services do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving marketing from us as described above.
Data portability: Data portability is the ability to obtain some of your personal information in a format you can move from one service provider to another (for instance, when you transfer your mobile phone number to another carrier). Depending on the context, this applies to some of your personal information, but not to all of your personal information. Should you request it, we will provide you with an electronic file of your basic account information and the information you create such as your list of favourites.
How we transfer personal information we collect internationally.
International transfers of personal information we collect: We collect personal information globally and primarily store that personal information in Australia unless chosen otherwise by the organisation’s administrator (e.g. your employer). We transfer, process and store your personal information outside of your country of residence, to wherever we or our third-party service providers operate for the purpose of providing you the Services. Whenever we transfer your personal information, we take steps to protect it.
International transfers within the Xrosswork Companies: To facilitate our global operations, we transfer personal information to Australia and allow access to that personal information from countries in which the Xrosswork owned or operated companies have operations for the purposes described in this policy. These countries may not have equivalent privacy and data protection laws to the laws of many of the countries where our customers and users are based.
Other important privacy information.
Notice to End Users: Many of our products are intended for use by organisations. Where the Services are made available to you through an organisation (e.g. your employer), that organisation is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to that organisation’s policies. We are not responsible for the privacy or security practices of an administrator’s organisation, which may be different than this policy.
Administrators are able to:
- require you to reset your account password;
- restrict, suspend or terminate your access to the Services;
- access information in and about your account; and
- access or retain information stored as part of your account.
In some cases, administrators can also:
- restrict, suspend or terminate your account access;
- change the email address associated with your account;
- change your personal information, including profile information; and
- restrict your ability to edit, restrict, modify or delete information.
Even if the Services are not currently administered to you by an organisation, if you use an email address provided by an organisation (such as your work email address) to access the Services, then the owner of the domain associated with your email address (e.g. your employer) may assert administrative control over your account and use of the Services at a later date. You will be notified if this happens.
Please contact your organisation or refer to your administrator’s organisational policies for more information.
Our policy towards children: The Services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such personal information. If you become aware that a child has provided us with personal information, please contact our support services.
If you have questions or concerns about how your personal information is handled, please contact us in writing and direct your inquiry to our privacy officer using the following contact details:
Xrosswork Pty Ltd
Level 2, 710 Collins St, Docklands VIC 3008
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
To the extent that Xrosswork processes any personal information of individuals located in the EU, offers our Services to individuals located in the EU or monitors the behaviour of individuals when in the EU, the GDPR will apply. Under the GDPR, personal information must be processed in a lawful, fair and transparent manner. Details of how we meet additional obligations imposed by the GDPR are outlined in this appendix.
In this appendix, “personal information” has the meaning given to “personal data” under the GDPR and means any information relating to an identified or identifiable natural person.
What personal information do we collect?
To the extent we collect more sensitive personal information, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data and data about sex life or sexual orientation or genetic and biometric data, the GDPR sets out additional protections for this kind of information. We will only collect and process such personal information with your explicit consent or where otherwise lawfully permitted.
How we use the personal information we collect.
If you are an individual located in the EEA, we process personal information about you only where we have a legal basis for doing so, including where:
- we need to process your personal information to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;
- the processing satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
- you give us consent to do so for a specific purpose; or
- we need to process your data to comply with a legal obligation.
If you have consented to our use of personal information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your personal information because we or a third party (e.g. your employer) have a legitimate interest to do so, you have the right to object to that use; however, in some cases, this may mean you can no longer use the Services.
How we store and secure personal information.
Please refer to section 5 for more information about how we store and secure your personal information, including information about how long we keep the personal information we collect about you.
We may transfer the personal data we collect about you so that it can be stored securely in Australia (where we host the personal information we collect). If we transfer any of your personal information we collect out of the EEA, it will only be done with relevant protections in place and in accordance with current legally recognised mechanisms for overseas data transfer.
Your rights as a Data Subject.
Under the GDPR, as a Data Subject you have the right to:
- be informed as to how your personal information is being collected and used;
- access your personal information;
- have your data deleted or corrected where it is inaccurate;
- ask us to delete your personal information if there is no need for us to keep it;
- object to your data being processed and to restrict processing;
- withdraw consent to having your data processed;
- have your data provided in a standard format so that it can be transferred elsewhere;
- not be subject to a decision based solely on automated processing; and
- lodge a complaint with a data protection authority if you are not happy with how we handle a complaint.
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
For other European jurisdictions, please refer to the European Commission’s website for details of the relevant data protection authorities.