We own, operate and provide the following products and services to our customers:
- a desktop software application known as “Spark” that can be used by financial industry professionals and self-directed private investors to access real time stock market information and related functionality;
- a service known as “YourIR” or “Your Investor Relations” that automates the displaying of share prices, charts and company announcements on our customers’ websites and sends email alerts to our customers’ investors and stakeholders;
- custom market information services delivered by way of agreed Application Programming Interfaces (APIs) to customers.
The types of personal information we collect and hold about our customer
We collect the following types of personal information:
Information about our customers. The types of personal information collected from our customers are limited to name, company name, email and postal addresses, phone numbers and other contact information, usage information, details of the type of account and data packs that customers purchase from us, login details, social media account names, credit card details, data entered into Iguana² products and services by customers (including, but not limited to stocks searched for, stock watchlists and stock alert parameters), billing information and any other information that customers provide to us in order for us to supply them with our products and services. Credit card details are not stored by us (other than the last 4 digits of the credit card) and are held by our payment gateway provider, eWAY.
Information required for the support, maintenance and security of Iguana² products and/or services. In order to support and maintain Iguana² products and services, we collect and process user information including, computer and device information, IP addresses, network information, user access logs, usernames, passwords, error messages, statistical data and information included by our customers in technical support tickets, telephone calls, emails and other communications they send to the Iguana² support team. We also collect the DNS location of any inbound traffic to ensure that inbound traffic from locations that should not be accessing Iguana² products and/or services are restricted.
How we collect personal information
Our policy is to only collect personal information by means that are fair in the circumstances.
We collect personal information about our customers in one or more of the following ways:
- when our customers sign up to Iguana² products and services;
- when the information is collected by Iguana² products and services;
- when it is voluntarily disclosed to us during our provision of technical support or to answer any enquiries whether by telephone call, survey, e-mail, online form, support ticket or otherwise.
How we use personal information
How we use and process that personal information includes
- As required to provide Iguana² products and services to our customers.
- In order to store personal information in databases and systems in our hosting environments at third party data centres.
- To support and manage our customers’ use of Iguana² products and/or services.
- Backing up and restoring data that includes customer personal information.
- When conducting research and development of Iguana² products and services.
- To communicate with existing and potential customers about the use of Iguana² products and services and to market new services and products to them (such as by reaching out to customers who are also twitter influencers using their twitter handles).
- To handle customer complaints.
- To send newsletters and other communications to our customers concerning Iguana² products and services.
- To carry out security audits, investigate security incidents and implement security processes and procedures that require access to personal information.
- To issue invoices to our customers.
- To enforce our customer and end user licence agreements.
- To comply with our obligations under our supplier agreements, including but not limited to by disclosing customer personal information to Market Information Providers confirming the list of locations in which market information that we make available through our products and services is received and to report to Market Information Providers usage of their market information in order to comply with our agreements with them.
The lawful basis for collecting the personal information includes
- Performance of our contracts with our customers and suppliers.
- Required to identify customers and to identify persons who wish to exercise their rights under privacy law to access or correct their personal information or to exercise their other rights with respect to their personal information.
- Where customers have given consent to the processing of their personal data for one or more specific purposes.
- Necessary for our legitimate interests (in order to operate and grow our business, to allow our customers to operate Iguana² products and services, to enable us to operate our IT systems and networks, to manage our hosting environments and to ensure the successful delivery of our products and services).
- To comply with our legal and statutory obligations (including our obligations to our Market Information Providers).
- Required in order to determine which privacy law applies to the individual.
- To market Iguana² products and services.
- Necessary for our internal business purposes such as billing.
Analytics data and cookies
We also collect information about our customers through their use of Iguana² products and services, known as analytics data. Such analytics data includes information about devices accessing Iguana² products and services, the amount of time our customers spend using Iguana² products and services and in which parts of them, and the path navigated.
Except where it is necessary to collect or process such information in order to investigate a security incident or potential breach of our customer agreement by any person:
- all such information is de-identified data and is not collected in a form that could reasonably be expected to identify an individual; and
- we only use analytics data to help us review, enhance, market and improve Iguana² products and services (for statistical, marketing or research purposes).
We may collect information using “cookies” and other similar technologies. Cookies are small packets of data that Iguana² products and services may store on your computer’s or mobile device’s hard drive (or other storage medium that you use to access them). We use both 1st and 3rd-party session cookies and persistent cookies as follows:
- Session Cookies: We use session cookies to make it easier for you to navigate the Iguana² website. A session ID cookie expires when you close the website.
- Persistent Cookies: A persistent cookie remains on your device for an extended period of time or until you delete them. You can remove persistent cookies by following directions provided in your web browser’s “help” file or settings. To the extent we provide a log-in portal or related feature on Iguana² products and services, persistent cookies can be used to store your passwords so that you don’t have to enter them more than once. Persistent cookies also enable us to track and target the interests of our visitors to personalise the experience on the Iguana² website.
If you do not want us to place a cookie on your electronic device or computer, you may be able to turn that feature off on your electronic device or computer. Please consult your browser’s documentation for information on how to do this and how to delete persistent cookies. If you decide not to accept cookies from us, certain aspects of Iguana² products and services may not function properly or as intended.
How we hold and secure personal information
We hold and store personal information that we collect in the following locations:
- our offices, computer systems and third party owned and operated hosting facilities;
- third party owned accounting and compliance cloud-based software providers;
- third party owned cloud-based email providers;
- third party owned cloud-based customer relationship management and email marketing providers; and
- on electronic devices at our offices and at the premises of our personnel.
We take reasonable steps to protect personal information that we hold using such technical and organisational security measures as are reasonable in the circumstances to take against loss, unauthorised access, modification and disclosure and other misuse. Such measures ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed by us.
We implement the following technical and organisational security measures in our organisation:
- we only use reputable hosting providers to host personal information;
- complex passwords and other access control procedures in our computer systems;
- SSL encryption for data transmitted via Iguana² products and services both in transit and at rest;
- blocking high level domain IP inbound access to our systems and ensuring that our systems are regularly patched;
- antivirus software;
- secure routers and firewalls to protect company devices and systems from inbound attacks or viruses;
- physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, use of access cards and alarms;
- with respect to personal information that we no longer require or where we are otherwise required to destroy it under applicable law, we ensure that such personal information is destroyed or de-identified.
We also have a data breach response plan in place so that we will know how to respond to any data breaches if and when they occur.
Who we disclose personal information to
We disclose personal information that we collect to the following third parties:
- our payment gateway provider who we need to communicate with in order to provide Iguana² products and services;
- reputable hosting providers and backup hosting providers who host databases that we use to provide Iguana² products and services;
- our employees, officers, agents and/or suppliers. We ensure that they are aware of their information security responsibilities and have entered into agreements requiring them to comply with privacy and confidentiality obligations that apply to personal information that we provide to them;
- email marketing companies who send emails on our behalf;
- when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
- to potential acquirers, joint venture partners, business partners and other similar third parties where Iguana² undergoes a potential or actual merger, corporate restructure or acquisition;
- where a person provides written consent to the disclosure of their personal information;
- where it is brought to our attention that specific personal information needs to be disclosed to protect the safety or vital interests of any person;
- if we are contacted by any person who represents to us that they are our customer, for security purposes, we will discuss the personal information that we hold about them with them but only if they verify their identity;
- to our Market Information Providers in accordance with our contractual obligations to them;
- governmental authorities, bodies and regulators for the enforcement of a law imposing a pecuniary penalty or to avoid prejudice to the maintenance of the law by any public sector agency;
- to any court or tribunal for the conduct of proceedings (being proceedings that have been commenced or are reasonably in contemplation); and/or
- where required by law.
We transfer personal information to our contractors and service providers who assist us with the supply and provision of Iguana² products and services, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance. We transfer personal information to our hosting providers in Australia and our offshore contractors and service providers located outside of Australia. Our offshore contractors and service providers are currently located in the United States and New Zealand.
Third party websites
Iguana² products and services and our emails and website (whether delivered by us or our contractors) may include links to third party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third party website operator complies with applicable data protection and privacy laws. You should consider the privacy policies of any relevant third party website prior to sending personal information to them.
You may interact with social media platforms via social media widgets and tools linking to our social media accounts (e.g. our twitter account) that may be installed on our website. These widgets and tools may collect your IP address and other personal information. Your interactions with such widgets and tools, and any single sign-on services, are governed by the privacy policies of the relevant social media operators and single sign-on service providers – please read them so that you are aware of how they process your personal information.
Interacting with us without disclosing personal information
How to access and correct personal information held by us
We rely on our customers to ensure that all personal information collected from them and held by us is accurate, up to date, complete, relevant and not misleading. Customers who wish to access, update, modify or correct the personal information held by us about them should contact our Privacy Officer using the details set out below.
We retain personal information held in Iguana² products and services for a minimum period of 7 years. It is our policy to retain personal information in a form which permits identification of any person only as long as is necessary for the purposes for which the personal information was collected and for any other related, directly related or compatible purposes if and where permitted by applicable law. We will only process personal information that you provide to us for the length of time permitted by applicable law. We may use de-identified data for research and marketing purposes or otherwise commercialise it.
We will handle all requests for access to personal information in accordance with our statutory obligations. We may require payment of a reasonable fee by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law.
Our contact details
Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or to make a privacy complaint, may contact our Privacy Officer using the following details:
Iguana2 Pty Ltd
+61 2 8067 8694
Three International Towers
Level 24, 300 Barangaroo Ave
Sydney NSW 2000
We will use our best endeavours to resolve any privacy complaint with the complainant within a reasonable time frame. This may include working with the complainant on a collaborative basis.
If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the APPs, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:
Telephone: 1300 363 992
Online Form: forms.business.gov.au/smartforms/landing.htm
Address: GPO Box 5218, Sydney NSW 2001
New Zealand Customers and Data Subjects
Collection of personal information
We will only collect personal information for a lawful purpose which is connected to a function or activity of our businesses to the extent that it is necessary for such purpose.
Provision of personal information to third parties
Where it is necessary for personal information to be given to a third party in connection with the provision of services that they provide to us that we use to provide Iguana² products and services, we will do everything reasonably within our power to prevent unauthorised use or disclosure of the information by them.
Requests for access to and correction of personal information
Individuals whose personal information is governed by the Privacy Act (New Zealand) are entitled to seek access to and correction of it in accordance with that legislation.
As set out above, any person who wishes to access personal information about them held by us should contact us. You may request urgent access to your personal information in accordance with section 41 of the Privacy Act (New Zealand) and state why the request should be treated as urgent. We will on receipt of such request, consider the request and determine the priority given to it and ensure that we provide reasonable assistance to a person who makes such a request.
We will also take such steps as are reasonable in the circumstances to ensure that personal information that we hold is accurate, up to date, complete and not misleading.
In the event that a person wishes to access their personal information and it is readily retrievable by us, they can also request from us either of the following: (a) to obtain confirmation from us as to whether or not we hold such personal information; and (b) to obtain access to the personal information and be advised if they are able to correct such personal information.
We will as soon as possible and in any event no later than 20 working days from the date on which the request is made, decide to grant or refuse the request and notify the person who made the request of our decision. We may in our discretion charge a reasonable fee for making information available in compliance with the request or for correcting any information in compliance with a request (in whole or in part) or for attaching a statement of any correction sought but not made, subject to our compliance with New Zealand’s Information Privacy Principles.
If a person submits a request to access their personal information to us, we may refuse their request on one or more of the grounds set out in section 30 of the Privacy Act (New Zealand). If we refuse to comply with a request to access their personal information, we will provide the individual who made the request with our reasons for our denial and an opportunity to file a complaint with the Commissioner or to seek an investigation and a review of the refusal.
Where we hold personal information governed by the Privacy Act (New Zealand) about an individual, they are entitled to request correction of the information and request that there be attached to the information a statement of the correction sought but not made.
If you are not satisfied with our response to any privacy-related concern you may have, you can contact the Office of the Privacy Commissioner:
Office of the Privacy Commissioner
Telephone: 0800 803 909
PO Box 10-094, Wellington 6143, New Zealand
European Customers and Data Subjects
Collection of personal data
Purpose and legal basis for processing customer and data subject personal data
Who will receive customer and data subject personal data
Information about who we disclose personal information to is set out in section 7 above and applies equally to personal data.
We transfer customer personal information to our contractors and service providers who assist us with the supply and provision of Iguana² products and/or services, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance. Provided that we comply with applicable law, we may transfer personal information to our hosting providers in Australia and our offshore contractors and service providers located outside of Australia. Our offshore contractors and service providers are currently located in the United States and New Zealand. When transferring personal data governed by the GDPR internationally, we will ensure that such transfers are in compliance with the GDPR and that we have legally binding agreements in place to govern the receipt and processing of personal data offshore. Information about other appropriate or suitable safeguards is available from us on request.
Retention of customer and data subject personal data
It is our policy to retain personal data in a form which permits identification of any person only as long as is necessary for the purposes for which the personal data was collected for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal data (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect any other person's vital interests).
Requirement to provide customer and data subject personal data to us
Please see section 10 above for information about the requirement to provide personal information to us and the limitations that apply where personal information is not provided. Those requirements and limitations apply equivalently to personal data governed by the GDPR.
Rights under the GDPR
Under the GDPR, you have a number of rights, including:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to processing
You also have the right to lodge a complaint with any relevant supervisory authority. You are encouraged to contact us in the first instance, if you wish to exercise any of your applicable rights under the GDPR.