Ranqx Limited (we, us, our) complies with the New Zealand Privacy Act 1993 and other applicable privacy and data protection laws when dealing with personal information including, where applicable, the General Data Protection Regulation of the European Union(GDPR) and the California Consumer Privacy Act 2018 (CCPA).
Personal information is information about an identifiable individual (a natural person), and includes personal data, personally identifiable information and equivalent information under applicable privacy and data protection laws.
This policy sets out how we will collect, use, disclose and protect personal information.
This policy does not limit or exclude any individual’s rights under applicable laws.
Changes to this policy
We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.
This policy was last updated on 1 September 2020.
What personal information do we collect
Ranqx is a software platform that enables banks, lenders or other financial institutions to offer digital financial processing services to their business customers.
We collect, hold and process two categories of personal information:
- personal information that we collect about individuals:
- who contact us directly (e.g. telephone call, website enquiry form or email) or visit our website
- who ask to receive information about us or the Ranqx platform
We refer to this information as Marketing Data. The Marketing Data we collect may include company/personal names, phone numbers, physical addresses, email addresses and any other contact information provided to us, information about how the individual uses our website (for example, traffic volumes, time spent on pages), IP address and/or other device identifying data and information contained in correspondence with us.
- personal information that forms part of thedata that is collected from or about our customer’s business customers or generated through our customer’s use of the Ranqx platform, including:
- personal information about the person submitting information on behalf of the business e.g. name, job title and contact details
- where our customer’s customer is an individual (i.e.. a sole trader), financial information about the sole trader’s business
We refer to data that collected or generated through our customer’s use of the Ranqx platform as Customer Data. We collect and process Customer Data solely as a service provider for our customers. We do not use or disclose Customer Data other than for the purpose of providing the Ranqx platform to our customers.
If we receive any requests relating to personal information that is part of the Customer Data, such as requests to access personal information, we will forward this request to the relevant customer.
Who do we collect personal information from
We collect Marketing Data from you when you provide personal information to us, including through submitting a contact request on our website, through any contact with us (e.g. telephone call or email) or when you visit our website:
When you visit our website, we may collect information about you:
- by recording clickstream data, which is non-personal information that is recorded when you click anywhere on a webpage and is used for the purposes of collecting, analysing and reporting data about how you use our website; and
How we use personal information
We may use personal information about you:
- to market the Ranqx platform to you, including contacting you electronically (e.g. by text or email for this purpose). You can stop receiving our marketing emails by following the unsubscribe instructions included in those emails
- to improve our website
- to respond to communications from you, including enquiries and complaints
- to protect and/or enforce our legal rights and interests, including defending any claim
- for any other purpose authorised by you or applicable law
- to respond to lawful requests by public authorities, including to meet law enforcement requirements.
Disclosing personal information
We may disclose personal information to:
- another company within our group
- any business that supports our business, including any person that hosts or maintains any underlying IT system or data centre that we use to provide our website
- a person who can require us to supply personal information (e.g. a regulatory authority)
- any other person authorised by applicable law (e.g. a law enforcement agency)
- professional advisers e.g. accountants, lawyers, auditors
- any other person authorised by the relevant individual
- any other company in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
Protecting personal information
We will take reasonable steps to keep personal information safe from loss, unauthorised activity, or other misuse. We implement appropriate technical and organisational measures to ensure a level of security appropriate to risks inherent in processing personal information.
International transfers of personal information
A business that supports our business may be located outside of New Zealand (the country where we are incorporated) and also outside of the country where you are located. This means that the personal information we collect may be transferred to, and stored in, a country outside of New Zealand and the country where you are located.
If you are located in the European Economic Area (EEA), your personal information may be transferred outside of the EEA. Under the GDPR, the transfer of personal information to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection. In the absence of an adequacy decision, we may transfer personal information if other appropriate safeguards are in place.
Where we transfer personal information outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data, or to a third party where approved transfer mechanisms are in place to protect your personal information (e.g. by entering into the European Commission’s Standard Contractual Clauses). For further information, please contact us at email@example.com.
Some of the personal information we collect is processed in New Zealand. New Zealand is recognised by the European Commission as a country that has an adequate level of data protection and we rely on this decision in transferring personal information to New Zealand.
Accessing and correcting your personal information
Subject to certain grounds for refusal set out in applicable law, you have the right to access readily retrievable personal information that we hold about you and to request a correction to your personal information.
Where you request a correction, if we think the correction is reasonable and we are reasonably able to change your personal information, we will make the correction. In all other cases, we will take reasonable steps to make a note of the personal information that was the subject of your correction request.
If you believe we hold personal information about you and want to exercise either of the above rights, email us at firstname.lastname@example.org. We will need evidence to confirm that you are the individual to whom the personal information relates. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting). In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
In addition to the rights to access and correct your personal information:
- if you are based in the European Union, you have the additional rights set out in the GDPR Addendum below
- if you are based in California and the CCPA applies to our collection of personal information, you may have the additional rights set out in the CCPA Addendum below.
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
For the purposes of the GDPR:
- we are the data controller (as defined in the GDPR)when processing Marketing Data; and
- our customers are the data controller when we are processing Customer Data.
We will not process Customer Data except as provided in our agreements with our customers. If we receive any data subject requests relating to Customer Data, such as requests to access personal data, we will forward this request to the relevant customer.
The remainder of this GDPR Addendum applies to Marketing Data only and does not apply to Customer Data.
Lawful basis for processing personal information
Our lawful basis for processing (as that term is defined in the GDPR) personal data that we collect, use and disclose depends on the personal information collected and the context in which we collect it.
Generally, we collect personal information from you where we have your consent or where processing is necessary for the purposes of our legitimate interests (except where such interests are overridden by your interests or fundamental rights and freedoms). Where we process personal data based on your consent, you may withdraw your consent at any time.
Despite the above, we may process your personal data where such processing is necessary for compliance with applicable laws.
If you have any question about the legal basis on which we process personal data or need further information, please contact us at email@example.com.
Your rights under the GDPR
If you are located in the European Union, your rights in relation to your personal information include:
- right of access – if you ask us, we will confirm whether we are processing your personal information and provide you with a copy of that personal information
- right to rectification – if the personal information we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take reasonable steps to ensure inaccurate personal information is rectified. If we have shared your personal information with any third party, we will tell them about the rectification where possible
- right to erasure – when your personal information is no longer needed for the purposes for which you provided it, we will delete it. You may request that we delete your personal information and we will do so if deletion does not contravene any applicable law. If we have shared your personal data with any third party, we will take reasonable steps to inform those third parties that they must delete your personal information
- right to withdraw consent – if the basis of our processing of your personal information is consent, you can withdraw that consent at any time
- right to restrict processing – you may request that we restrict or block the processing of your personal information in certain circumstances. If we have shared your personal information with any third party, we will tell them about this request where possible
- right to object to processing – you may request that we stop processing your personal information at any time and we will do so to the extent required by the GDPR
- rights related to automated decision-making, including profiling – you have the right to not be subject to a decision based solely on automated processing, including profiling. We do not undertake automated individual decision-making
- right to data portability – you may obtain your personal information from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal information in a commonly used, machine-readable and interoperable format to enable data portability to another data controller. Where technically feasible, and at your request, we will transmit your personal information directly to another data controller
- the right to complain to a supervisory authority – you can report any concern you have about our privacy practices to your local data protection authority.
Where personal information is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing.
If you would like to exercise any of your above rights, please contact us at firstname.lastname@example.org. If you are not satisfied by the way we deal with your query, you may refer your query to your local data protection authority.