Emotous Privacy Policy
Version 1.0
Last Revised: 14 February 2022
Introduction
Keeping your Personal Data secure and ensuring your Privacy are extremely important to Emotous. As a result, we have adopted a Privacy Policy and Notice whose goal is to inform everyone of what data we collect and why; how we handle your data; what entitles us to process the data; and what rights you have under applicable Personal Data Protection laws.
Emotous will never sell your Personal Data, not now, not ever.
Emotous will modify this Privacy Policy from time to time as needed, always posting the updated version.
Applicable Laws
The Emotous Privacy Policy is provided in line with the following Applicable Personal Data Protection Legislation:
GDPR
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (the GDPR), which became enforceable across the EU and the EEA from May 25th, 2018, having replaced the previous Directive 95/46/EC. In Ireland, the national law which, amongst other things, gives further effect to the GDPR is the Data Protection Act 2018 (‘the 2018 Act’).
ePrivacy
The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;
CCPA
The California Consumer Privacy Act 2018 (the CCPA), assembly Bill of the State of California United States of America No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by Governor June 28, 2018. Filed with Secretary of State June 28, 2018 and enforceable from January 1st, 2020 onwards.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
Australian Government
The Australian Privacy Act 1988 is the principal piece of Australian legislation protecting the handling of personal information in the federal public sector and in the private sector. Other statutory provisions also affect privacy and separate privacy regimes apply to state and territory public sectors. This department assists the Attorney-General to administer the Privacy Act. The Privacy Act was significantly amended in 2014 and 2017 to enhance the protection of privacy in Australia.
Emotous collects certain information from and about its users in three ways: directly from our Web Server logs, from Cookies, and from the user, including in response to surveys and questionnaires and content shared in forums.
The primary goal of Processing Personal Data is to allow Emotous the identification of those natural persons who have either joined programs that are provided by or supported by Emotous under the scope of Emotional Intelligence and other Assessments or act as Certified Practitioners towards such assessments (the “Certs”).
Emotous also works with 3rd parties to provide products and services. This requires us to Process Personal Data pertaining to those Customers who acquire the products and services, in terms of the sale as well as the delivery of those products and services. Emotous and each of its staff are fully aware that Personal Data and Health Information may represent a risk to you if accessed by unauthorized 3rd parties. Emotous has established Operating Policies, Processes, and mechanisms (technological and human-based) to ensure that the Personal Data you have entrusted to Emotous will be maintained, handled and shared in a manner that warrants its Security, Accuracy, Confidentiality, and Privacy, hence assuring your Personal Data Protection.
What we do with Personal Data
We do not process any data that is not required as an enabler for the delivery of our services to you. The Personal Data under processing through our Services or otherwise consist of the following categories:
If you are undergoing an Emotous assessment or coaching support supported by one of our platforms and methodology:
- Business and personal contact data, such as your first and last name, e-mail and mailing addresses, phone number, job title and organization name.
- Assessment data, including the responses you provide to any assessments we make available to you and any Personal Data about you which is contained within reports issued by us, based on those responses.
The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:
- Create and provide assessment reports based on the replies provided when completing our assessments;
- Enable security features of the Services, such as sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
- Communicate with you about the Services, including sending you support information, announcements, updates, security alerts, and administrative messages;
These data sets (above) are processed under either the Legal Basis of fulfilling a Contractual Obligation (where we have been hired by your employer, or where an Emotous Partner contracted by you or your employer is using our services to deliver his/her services to you or your organization), as in the case of a registered user; or Legitimate Interest, while the natural person inputting the data has not yet been identified but is doing so of his/her own free will.
If you are an Emotous Partner, including a 6Seconds Assessor working with Emotous:
- Profile data, such as your first and last name, e-mail address, and password when you create an account to log in to our Services (“Account”). You are also required to tell us where you are based.
- Demographic data, such as your city, state, country of residence, postal code, and age.
- Content you choose to upload to the Services, such as text and images, along with the metadata associated with the files you upload.
The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:
- Provide, operate and improve the Services, including to facilitate the creation of, maintain and secure your Account;
- Enable security features of the Services, such as by sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
- Communicate with you about the Services, including by sending you support information, announcements, updates, security alerts, and support and administrative messages;
This data set is processed under the Legal Basis of Explicit Consent.
If you are a user taking an assessment or utilizing one of our Services, an Emotous Partner, a certified assessor, a Customer or any other type of website visitor:
- Feedback or correspondence, Personal Data you provide when you contact us with questions, feedback, or otherwise correspond with us online.
This data set is processed under the Legal Basis of Legitimate Interest since it is mandatory for the delivery and quality assurance of the services that we deliver to you.
- Transaction data, consists of data about payments to and from you and other details of products or services you have purchased from us.
This data set is processed under the Legal Basis of Explicit Consent that derives from the fact that you have taken action to purchase a product or service from us.
Profiling:
- Usage data, data on how you use the Services and interact with us, including where you use any interactive features of the Services
- Marketing data, such as your preferences for receiving communications about our activities, events, and publications, and details about how you engage with our communications.
The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:
- Improve the quality of experience when you interact with our Services;
- Respond to your requests, questions and feedback;
- Understand your needs and interests, and personalize your experience with the Services and our communications.
Our Legal Basis for proceeding with these Profiling activities is Legitimate Interest; however, because it is “Profiling”, you may exercise your Right to Opt-out or object to such Processing activities at any time.
- Information and Marketing: we may send you Emotous-related marketing communications (including newsletters, surveys and other promotional materials related to the Services and other products and services we offer) as permitted by law. You will have the ability to opt out of our marketing and promotional communications by exercising your Rights under the law.
We do not share Personal Data with any 3rd party that is not involved in the delivery of our services, unless under a legal obligation.
The Controller
The Controller is Emotous Pty Ltd, an Australian-based organization located at 110 Hutt Street, Adelaide SA 5066 Australia.
DPO contacts
We have someone in our team who is responsible for ensuring our on-going compliance towards applicable Personal Data Protection laws; contact details below:
Mr. David John Dare
Country: Australia
Email: info@emotous.com
Data Retention
We will maintain your Personal Data for the duration of the service contract with our Corporate Client (where that is the case) or until you ask us to erase it by exercising your Rights under the law.
Note that if you have been enlisted to use our assessments and services by our Corporate Clients (including our Emotous Partners and Certified Assessors to our tools) and you ask for your Personal Data to be erased, we will inform our Client of that request and it shall be that Client’s decision either to erase the data or not, since our contractual obligation is to assure the service towards all of its registered users.
The erasure of your Personal Data takes place over both “live repositories” as well as backups as determined under the law upon 30 days of either your valid request for it to be erased or after termination of the service contract with our Corporate Client.
Ensuring the Security and Confidentiality of your Data
We resort to secure and encrypted hosting environments to host and process your Personal Data, observing the highest market standards and operated under market best practices, and all transfer of Data from and to your browser is also encrypted.
Regardless of the potential need to transfer your Personal Data to other countries (so our partners may provide their component of our service), we have in place all technical and legal measures/commitments required by law.
Our partners (in the delivery of our service) consist of:
- Our EQ Assessment provider using Amazon Web Services – for the hosting of their service on the Cloud in the U.S.;
- Zoom – as a communication channel.
Your Rights under the Law
You may exercise the following Rights where these apply to you:
[Australian Privacy Act 1988] Being told generally what kind of information we are collecting and how we collect it; generally why your personal information is being collected; that your personal information can only be collected for a lawful purpose; finding out what information we hold and have it corrected if it is incorrect, out of date or incomplete; advising that your personal information must be stored securely and protected from interference or misuse.
[HIPAA] The right to receive a notice of privacy practices. Please refer to this Privacy Policy plus the information provided to you upon requesting your Explicit Consent to become a “Participant”.
[GDPR] Right of access. The right to obtain from us confirmation as to whether your Personal Data is being processed by us, and where that is the case, access to such Personal Data. To prevent violating your Privacy there may be the need to identify you prior to sharing the Personal Data with you.
[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California resident natural persons have the right to:
- Know the categories of personal information we collect and the categories of sources from which we got the information;
- Know the business or commercial purposes for which we collect and share personal information;
- Know the categories of third parties and other entities with whom we share personal information; and
- Access the specific pieces of personal information we have collected about you.
[GDPR] Right to rectification – you can ask for the update of inaccurate Personal Data pertaining to you. You may amend existing information directly while logged in, or by submitting a request as defined later in this policy.
[GDPR] Right to erasure – you can ask us to erase your Personal Data, which will be done unless there is a legal obligation or Legitimate Interest from our side to maintain it.
[CCPA] Right to deletion – again, in a similar manner to what the GDPR provides, natural persons who reside in the state of California may ask us to delete their Personal Data.
[GDPR] The right to restrict processing – you may request of us to have in place specific processing restrictions. If you exercise this right make sure to explain which are those restrictions and the reason for the request and we will provide you a reply, either acknowledging your request or denying it and explaining why.
[GDPR] The right to object to processing – you may object to processing activities that occur under our Legitimate Interest, however we may refuse to comply if that means no longer being able to deliver our services.
[CCPA] Right to opt-out of sales – As previously stated, we do not “sell” Personal Data.
[GDPR] Right to data portability – you may ask us to provide all the Personal Data that we have pertaining to you or just some that you specifically ask us for.
[GDPR] Right to be informed about a Personal Data Breach – in case of an incident that breaches your Privacy (in the sense that your Personal Data under Processing by us has been, or even potentially has been, exposed to unauthorized 3rd parties) you have the Right to be informed within 72 hours of such incident.
[GDPR] Right to lodge a complaint with a supervisory authority – you have the right to lodge a complaint regarding our Processing activities over your Personal Data towards any of the EU Member States data protection Supervisory Authorities.
[CCPA] Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against.
For any of the above-mentioned CCPA related rights, you may designate an authorized agent to submit a request on your behalf. In the request, you or your authorized agent must provide sufficient information for us to confirm the identity of such authorized agent as well as your own. We are also required to verify that your agent has been properly authorized to request information on your behalf and this may represent additional time to fulfil your request.
Exercising your Rights
You may exercise your Rights towards us by sending us an email to info@emotous.com.
Final note
Our service includes links to other websites whose privacy practices may differ from our own. If you submit personal data to any of those sites, your information is governed by their privacy policies, hence we strongly encourage you to carefully read the privacy policy of any website you visit.