PRIVACY POLICY

Potentiality Pty Ltd, Potentiality UK and other companies within our group ("Potentiality", "We", "Us" or "Our") respect the privacy of Our client organizations ("Clients") and every person who uses Our Online Communities ("you", "your" or a "user"). This Privacy Policy governs the way in which We use and disclose personal information ("Personal Information") held on Our Online Communities. Personal Information includes any information that identifies you personally (see paragraph A below for specific categories). 

We are the controller of Personal Information provided through our public facing website (the "Website") and the processor of Personal Information if provided through our Online Communities. In the latter case the Client will be the controller and will determine the purposes and means of processing. 

We will always process your Personal Information in accordance with all applicable data protection and privacy laws. We do not transfer Personal Information outside a Client's jurisdiction or to third parties except as permitted in accordance with applicable data protection and privacy laws. 

We may provide additional privacy information in connection with a particular Potentiality product or service. Such information prevails over this Policy to the extent of any conflict. 

By using Our Online Communities and/or by submitting Personal Information to Potentiality, you agree to the processing of your Personal Information in the manner provided in this Policy. If you do not agree with this Policy, please do not use Our Online Communities or provide Us with your Personal Information. 

Additional short-form privacy notices may be provided at the point of collection.

A. Personal Information

Personal Information means any information about an individual from which they can be identified. Personal Information can include:

· Identity data – first name, last name, user name or similar identifier, title, date of birth and gender

· Contact data – billing address, delivery address, email address and telephone numbers

· Transaction data – details about payments to and from you and other details of products you have purchased from Us

· Technical data – IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access Our Services

· Profile data – username and password, interests, preferences, feedback and survey responses

· Usage data – information about how you use Our Services

· Marketing and communications data – preferences for receiving marketing and your communications preferences.

We do not collect any special categories of Personal Information about you (e.g. race, ethnicity, religious beliefs, political beliefs or sexual orientation).

We may collect, use and share aggregated data, such as statistical or demographic data, which is not Personal Information, and which cannot be used to identify you.

In some circumstances We may anonymize your Personal Information (so that it can no longer be associated with you) for research and statistical purposes in which case We may use this information indefinitely without further notice to you.

Please notify Us if any of your Personal Information changes.


B. Collection of Personal Information

Your Personal Information is collected in two main ways:

  • through our Website;
  • from the records of your organisation;
  • from you when you login to and use Our Online Community.

C. Use of Personal Information

We use your Personal Information in the following ways:

| Purpose / Activity | Type of Data | Lawful Basis for Processing |
|---|---|---|
| Answer queries on our website | Identity, Contact | Necessary for legitimate interests (responding to queries) |
| Registration on our Online Communities | Identity, Contact | Performance of contract |
| Maintain security protocols (passwords, user logins) | Identity, Contact, Technical | Performance of contract |
| Carry out contractual obligations with users and clients | Identity, Contact | Performance of contract |
| Enable use of our services | Identity, Contact, Technical | Necessary for legitimate interests (developing our products/services); Performance of contract |
| Manage payments, fees and charges | Identity, Contact, Financial | Necessary for legitimate interests (recovering debts); Performance of contract |
| Use data analytics to improve services | Technical | Necessary for legitimate interests (developing and improving our services) |
| General administration of our services | Identity, Contact | Necessary for legitimate interests (developing and improving our services); Performance of contract |
| Comply with legal or regulatory obligations | Identity, Contact | Necessary to comply with legal obligations |


Legitimate Interest means Our interest in conducting and managing Our business to enable Us to give you the best service/product and the best and most secure experience. We make sure We consider and balance any potential impact on you (both positive and negative) and your rights before We process your Personal Information for Our legitimate interests. We do not use your Personal Information for activities where Our interests are overridden by the impact on you (unless We have your consent or are otherwise required or permitted to by law). You can obtain further information about how We assess Our legitimate interests against any potential impact on you in respect of specific activities by contacting Us.

Performance of Contract means processing your Personal Information where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering such a contract.

Comply with a legal or regulatory obligation means processing your Personal Information where it is necessary for compliance with a legal or regulatory obligation that We are subject to.


D. Disclosure of Personal Information

We may disclose your Personal Information to third parties in the following circumstances:

  • if We are under a legal obligation or entitlement to do so;
  • to enforce or apply a contract with you, a Client, to a group company or otherwise with your consent;
  • to detect fraud or unauthorised access;
  • to protect Our rights, property, or safety, or that of others; or
  • pursuant to a sale, merger, assignment, joint venture or other transfer or disposition of a portion or all of the assets of Potentiality.

In particular, We may provide your Personal Information to companies within Our group and to the third party service providers set out in paragraph F below. 

We require all third parties to respect the security of your Personal Information and to treat it in accordance with law. We do not allow Our service providers to use your Personal Information for their own purposes and only permit them to process your Personal Information for specified purposes and in accordance with Our instructions. 

We will not share your Personal Information with third parties for marketing purposes.


E. Cookies

What are "cookies"?

Cookies contain information that is transferred to your computer's hard drive. They help Us to improve Our Online Communities and to deliver a better and more personalised service.

Can I refuse to accept cookies?

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. Unless you have adjusted your browser setting so that it will refuse cookies, Our system will issue cookies when you access Our Online Communities.

What cookies do We use on Our Online Communities?

We make use of the following cookies:

  1. Google Analytics: This tracks the pages that a user views and sends information to Google Analytics so that We can understand what information is useful to users. This cookie does not collect Personal Information.
  2. ASP.net: A standard cookie placed by Microsoft's .net framework in order for it to function correctly.
  3. Login tracker: This tracks whether you are currently logged in to the Online Community, and is only activated if you click the "remember me" tick box.

We do not use cookies to provide marketing information to third parties.


F. Security

We are committed to protecting the security of your Personal Information and respecting your choices regarding its intended use. We safeguard your Personal Information against loss, misuse, unauthorised access or disclosure, alteration, or destruction through a layered security approach that includes: 

  • Hosting all data within Amazon Web Services (AWS), which provides industry-leading security, compliance, and monitoring standards. 
  • Advanced network protection measures, including firewalls, intrusion detection, and continuous monitoring. 
  • Fine-grained access controls, with access restricted only to authorised personnel on a need-to-know basis.
  • Mandatory confidentiality obligations for all staff and contractors with access to Personal Information. 
  • Use of confidentiality agreements.

While we follow best-practice security frameworks and leverage AWS's secure infrastructure, no method of transmission over the Internet or method of electronic storage is completely secure. Therefore, we cannot guarantee absolute protection of your Personal Information.

G. Sub-Processors

Potentiality engages carefully selected third-party service providers ("sub-processors") to support the delivery and security of our Online Communities and related services. These providers may process limited personal information on our behalf for hosting, analytics, payment processing, communication, or monitoring purposes.

| Sub-Processor | Purpose | Data Types Processed | Data Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting and data storage | Account information, user data, system logs | Australia / United Kingdom |
| Stripe | Payment processing (where applicable) | Billing details, payment identifiers | Global |
| MessageBird / CloudFront | Communication and content delivery | Email address, message metadata | Global |
| OpenAI | AI-powered features within the platform (where enabled) | Text entered by user (minimised, anonymised where possible) | United States |
| Monitoring & Detection Tools (CloudTrail, GuardDuty, Datadog) | Security logging, monitoring and alerting | System events, IP logs, metadata | Australia / Global |

We may update this list from time to time.


H. International Transfers

We may share your Personal Information within Our corporate group. In particular, if you are located in Europe We may provide your Personal Information to Potentiality Pty Ltd in Australia for the purposes of providing Our Services to you (including the provision of IT administration and support services). Potentiality UK Ltd has entered into a Data Processing Agreement with Potentiality Pty Ltd which mirrors the requirements of the EEA Model Clauses. We do not transfer your Personal Information outside the EEA except to Potentiality Pty Ltd as set out above. 


I. Account Security

Your password is the key to protection of your Personal Information. Use unique numbers, letters and special characters, and do not disclose your password or user name to anyone. If you do share your password or user name with others, remember that you are responsible for all actions taken in the name of your account. If you lose control of your password, you may lose substantial control over your Personal Information and may be subject to legally binding actions taken on your behalf. Therefore, if your password has been compromised for any reason, you should immediately notify Us and change your password.


J. Hyperlinks to other websites

Our Online Communities contain hyperlinks to websites owned and operated by third parties. These websites have their own privacy policies and We urge you to review them. They will govern the use of Personal Information you submit whilst visiting these websites. We do not accept any responsibility or liability for the privacy practices of such third party websites and your use of such websites is at your own risk.


K. Your rights

You have the right to:

1. Request access to your Personal Information (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Information We hold about you and to check that We are lawfully processing it.

2. Request correction of the Personal Information that We hold about you. This enables you to have any incomplete or inaccurate data We hold about you corrected, though We may need to verify the accuracy of the new data you provide to Us.

3. Request erasure of your Personal Information. This enables you to ask Us to delete or remove Personal Information where there is no good reason for Us continuing to process it. You also have the right to ask Us to delete or remove your Personal Information where you have successfully exercised your right to object to processing (see below), where We may have processed your information unlawfully or where We are required to erase your Personal Information to comply with local law. Note, however, that We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

4. Object to processing of your Personal Information where We are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object if We are processing your Personal Information for direct marketing purposes. In some cases, We may demonstrate that We have compelling legitimate grounds to process your information which override your rights and freedoms.

5. Request restriction of processing of your Personal Information. This enables you to ask Us to suspend the processing of your Personal Information in the following scenarios: (a) if you want Us to establish the data's accuracy; (b) where Our use of the data is unlawful but you do not want Us to erase it; (c) where you need Us to hold the data even if We no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to Our use of your data but We need to verify whether We have overriding legitimate grounds to use it.

6. Request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for Us to use or where We used the information to perform a contract with you.

7. Withdraw consent at any time where We are relying on consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, We may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact Us as set out in paragraph N below.

Fees

There will usually be no fee for exercising the rights set out above. However, We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive (or alternatively refuse to comply with the request).

What We may need from you

We may need to request specific information from you to help Us confirm your identity and ensure your right to access your Personal Information (or to exercise any of your other rights). This is a security measure to ensure that Personal Information is not disclosed to a person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up Our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take Us longer than a month if your request is particularly complex or you have made a number of requests. In this case, We will notify you and keep you updated.


L. Retention 

We will only retain your Personal Information for as long as necessary to fulfil the purposes We collected it for and to satisfy any legal, accounting or reporting requirements. To determine the appropriate retention period for Personal Information, We consider the amount, nature and sensitivity of the Personal Information, the potential risk of harm from unauthorised use or disclosure of your Personal Information, the purposes for which We process your Personal Information and whether We can achieve those purposes through other means, and applicable legal requirements.

By law We have to keep basic information about Our customers (including contact, identity, financial and transaction data) for 6 years after they cease being customers for tax purposes.

In some circumstances you can ask Us to delete your data (see above).


M. Changes to this Privacy Policy

From time to time We may make reasonable changes to this Privacy Policy, for example where required by law, regulation or Our business model. When We do, We will publish the changes on Our Online Communities. If you do not agree to such changes, please do not continue to use Our Online Communities.

N. Enquiries and Complaints

You can make enquiries, requests to access/delete or correct your information, or complain about alleged breaches of privacy to Our Privacy Officer:

Asia Pacific
Privacy Officer
Potentiality Pty Ltd
privacyofficer@ptly.com
Suite 108, Level 1, 480 St Kilda Road, Melbourne VIC 3004

Europe
Privacy Officer
Potentiality UK Ltd
privacyofficer@ptly.com
Suite 3 Priory Villas, Priory Road High Wycombe, HP13 6GZ, United Kingdom

We aim to acknowledge receipt of requests within 10 working days, and aim to resolve all complaints within 30 working days. This may not be possible in all circumstances depending on the contents of the complaint. In this situation, We will respond to your complaint in a reasonable time. If you are not satisfied with Our response to your complaint, you can contact the Privacy Commissioner in your jurisdiction.