GDPR Policy

Updated: 16/09/24

At Whippet Notes Pty Ltd ACN 674 427 224 ("Whippet Notes," "we," "us," or "our"), safeguarding your privacy is at the heart of what we do. This GDPR Policy outlines our practices regarding the collection, use, and protection of your personal information when you use our software application and services. By engaging with Whippet Notes, you consent to the processing of your information as described in this policy.

Information We Collect

We collect and process the following categories of personal data:

Personal Information You Provide

Contact Details and Account Information: Your name, email address, phone number, and business name when you create an account with us.

Payment Information:
Data necessary to process your payments, such as credit card number and security code. All payment data is stored by Stripe, Inc.

Usage Information:
Data on how you interact with our services, including content you upload or submit.

Communications:
Correspondence between you and us, including queries and feedback.

Marketing Data:
Your communication preferences and interactions.

Device Data:
Information about your device, including model, operating system, and software versions.

Online Activity Data:
Details of your engagement with our services, such as pages viewed, time spent, navigation paths, and interactions with communications.

Consultation Recordings and Transcriptions:
Personal and sensitive information contained in audio recordings and their transcriptions.

Information Collected Automatically

Cookies and Similar Technologies: We use cookies to enhance user experience and ensure account security. For more information, please refer to our Cookie Policy.

Legal Basis for Processing Personal Data

We process your personal data based on the following legal grounds:
  • Performance of a Contract (Article 6(1)(b) GDPR): Processing is necessary to provide our services as per our agreement with you.
  • Legitimate Interests (Article 6(1)(f) GDPR): For purposes such as improving our services, fraud prevention, and ensuring network security.
  • Consent (Article 6(1)(a) GDPR): For certain types of processing like marketing communications and non-essential cookies. You have the right to withdraw consent at any time.
  • Compliance with Legal Obligations (Article 6(1)(c) GDPR): Processing necessary to comply with legal requirements.

How We Use Your Information

Providing Our Services
  • Service Operation: To operate and maintain Whippet Notes, fulfilling our contractual obligations.
  • User Support and Communication: To respond to your inquiries, provide customer support, and send service-related communications.
Enhancing User Experience
  • Personalisation and Improvement: To analyse your interactions and preferences to optimise and personalise our services.
  • Protection Against Misuse: To investigate and prevent unauthorised or illegal activities.
Research and Development
  • Innovation: To support our research and development efforts, analysing data to improve our services. Personal data is anonymised where possible.
Marketing Communications
  • Product-Specific Communication: We may send you communications related to the product and services you have signed up for. All communications are specific to the product.

International Data Transfers

We may transfer your personal data to countries outside the European Economic Area (EEA), including to Australia and the United States, where our servers and service providers are located.

  • AWS Servers: We use AWS servers located in Australia for Australian and New Zealand users and in Ireland for UK/EU users.
  • Third-Party Service Providers: We share data with providers like OpenAI, Stripe, Intercom, Datadog, and Google Analytics.

We ensure appropriate safeguards are in place for international data transfers, such as:

  • Standard Contractual Clauses (SCCs): We use SCCs approved by the European Commission to protect your data when transferred outside the EEA.
  • Data Privacy Framework Certification: Datadog is certified under the EU-U.S. Data Privacy Framework.
  • Data Processing Agreements: All third-party processors are bound by agreements consistent with GDPR requirements.

Data Retention Policy

We retain your personal data until you request us to remove it. Upon your request, we will erase your data within 30 days.

  • Account Information: Retained until you request deletion.
  • Legal Obligations: Certain data may be retained to comply with legal obligations, resolve disputes, or enforce agreements.

Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request access to the personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data under certain conditions.
  • Right to Restrict Processing: Request that we limit the processing of your data.
  • Right to Data Portability: Receive your data in a structured, commonly used format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise your rights, please contact us at support@whippetnotes.com. We will respond to your request within 30 days.

Data Security Measures

We implement appropriate technical and organisational measures to protect your personal data:

Encryption
  • Data in Transit: All data transmitted between your device and our servers is encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols.
  • Data at Rest: Personal data stored on our servers is encrypted using advanced encryption standards (e.g., AES-256).
Access Controls
  • Role-Based Access: Access to personal data is restricted to authorised personnel who require access to perform their job functions.
  • Authentication Measures: We use strong authentication protocols, including multi-factor authentication.
  • Access Logs: All access to personal data is logged and regularly audited.
Network Security
  • Firewalls and Intrusion Detection: We employ firewalls and intrusion detection/prevention systems.
  • Secure Network Architecture: Our systems are designed with network segmentation and defense-in-depth strategies.
Regular Security Assessments
  • Vulnerability Scanning: We perform regular vulnerability scans.
  • Patch Management: We promptly apply security patches and updates.
Physical Security
  • Secure Data Centres: Our servers are hosted in AWS data centres with 24/7 security and controlled access.
  • Environmental Controls: Data centres have fire suppression and climate control systems.
Data Minimisation and Pseudonymisation
  • Minimisation: We collect only the personal data necessary.
  • Pseudonymisation: We use techniques to reduce the association between data and individuals.
Employee Training and Policies
  • Training Programs: Regular training on data protection and security best practices.
  • Confidentiality Agreements: Employees sign confidentiality and non-disclosure agreements.
  • Acceptable Use Policies: Enforcement of strict policies governing system use.
Incident Response Plan
  • Preparedness: Comprehensive plan to address potential data breaches.
  • Notification Procedures: We will notify affected users and authorities as required.
Data Backup and Recovery
  • Regular Backups: Regular backups of critical data.
  • Secure Storage: Backups are encrypted and stored securely.
  • Disaster Recovery Plan: Plan to restore services in the event of an outage.
Third-Party Security
  • Vendor Assessments: Due diligence and security assessments of third-party service providers.
  • Data Processing Agreements: Third-party processors are bound by data protection agreements.

Data Breach Notification

In the event of a data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach is likely to result in a high risk, we will also notify you without undue delay.

Third-Party Processors

We may share your personal data with third-party processors:

- Stripe: Processes payment transactions. Stripe Privacy Policy.
- OpenAI: Provides transcription services. OpenAI Privacy Policy.
- AWS: Hosts our servers and data storage. AWS Privacy Policy.
- Google Analytics: Collects data to analyse website usage.
- Intercom: Provides in-product messaging and email communications. Data stored in the EU. Intercom Privacy Policy.
- Datadog: Monitors system performance. Data stored in the U.S.; Datadog is certified under the EU-U.S. Data Privacy Framework. Datadog Privacy Policy.

These providers are bound by data processing agreements consistent with GDPR requirements and are prohibited from using your personal data for any other purposes.

Cookie Policy

We use cookies and similar technologies to enhance your experience. Please refer to our Cookie Policy for detailed information.

Accessing and Updating Your Information

You can access and update your personal information by logging into your account or contacting us at support@whippetnotes.com.

Opting Out of Communications

All our communications are specific to the product and services you have signed up for. If you wish to stop receiving these communications, you can adjust your preferences in your account settings or contact us at support@whippetnotes.com.

Policy Updates

We may update this privacy policy from time to time. The updated version will be indicated by an updated "Effective Date" and will be effective as soon as it is accessible. If we make material changes, we may notify you by email or through a notice on our website. We encourage you to review this policy frequently.

Contact Information

For any privacy-related inquiries or concerns, please contact our Data Protection Officer at support@whippetnotes.com.

Data Protection Officer:
Ciaran McCaughey
Phone: +61 424 795 782
Email: support@whippetnotes.com