I. Scope

This policy applies to Advena's collection, use, and disclosure of the information of the following types of individuals:

• Attendees: Individuals who provide their information to Advena, Advena representatives, or partners of Advena when they attend or register to attend an event hosted or sponsored by Advena.
• Website Visitors: Individuals who visit or otherwise access websites, web-services, web-applications, API endpoints, or application service endpoints owned, operated or utilized by Advena. This typically includes any subdomain under advena.com.au, and any products operated by Advena where this policy is present.
• Customers: Individuals who register or create an Advena account, subscribe to free or paid services, or who utilize any of Advena's services.
• End Users: Individuals who visit our Customers' websites where the Customer is subscribed to a services in which handles visitor information, such as Firekit, Jaroku or RocketDom.

When this policy mentions “services”, it refers collectively to any products, web-services, APIs or endpoints that Advena owns, operates and that link to this Policy. These may include:

• advena.com.au (and any second and third-level domains);
• advenacs.com (and any second and third-level domains);
• advenacs.com.au (and any second and third-level domains);
• advenapay.com (and any second and third-level domains);
• rocketdom.com (and any second and third-level domains);
• firekit.io (and any second and third-level domains);
• jaroku.com (and any second and third-level domains);
• Any APIs operated by Advena, including – but not limited to:
  • Advena AnyID applications, repositories, and endpoints;
  • Advena AccountKit applications, repositories, and endpoints, and;
  • Advena GraphKit applications, repositories, and endpoints.

When this policy mentions (a, the, or otherwise related language) “Service”, it is referring to all of the services, except in the case where it is reasonably conveyed that a particular website, web-service, web-application, API endpoint, or application service endpoint is being referenced. When this policy mentions “websites”, it is referring collectively to www.advena.com.au as well as any other websites Advena owns, operates and that link to this Policy, including those mentioned above.

(a) Authorized Controllers

When this policy mentions “Us”, “We”, or “Our”, it refers to Advena and Advena Corporation (ABN 58 528 074 321) – the controllers of your information under this policy. Advena is the legally authorized entity that controls your information, and does so across the services. Advena and Advena Corporation are registered business (trading) names to the sole-tradership, held by Bradley Hodges.

(b) Personal Information

The term “Personal Information” in this Privacy Policy refers to any information from which your identity is apparent or can be reasonably ascertained – this excludes your Internet Protocol (“IP”) address. We may collect Personal Information about you for security purposes, which you may read about in § 1(c)¶1.

(c) Security & Your Information

We may collect information about you when you access a service or Website. This information may include your IP address, approximate geolocation (ascertained from your IP address and accurate only to your city), details about your request, basic information about your device, and information relating to the reputation of your IP address (provided by our security partners).

Advena aggregates information and presents it to authorised members of our Cloud Intelligence and Trust & Safety teams for the purposes of auditing. In the event that Advena identifies malicious or unlawful activity, or receives a lawful request from a law enforcement agency, we may use the collected information to identify you.

This information may also be analysed by artificial intelligence ("AI") to determine risk posed to the services by you, or to train our AI to better identify malicious or unlawful activity. We may keep this information for up to 36 months.

II. Information Collection and Use

Our services are maintained in physically secure, accredited facilities which are independently audited. To help protect the privacy of data and Personal Information we collect and hold, we maintain physical, technical and administrative safeguards. We monitor and challenge the security of our systems on an ongoing basis.

(a) Information Storage

Personal Information and Customer information is stored securely in Amsterdam, The Netherlands. This information is held on an array of physically and digitally secure facilities, which are accessible only to our internal network of servers (externally-facing requests are not received, nor are they fulfilled). Our Amsterdam data servers hold the following security and compliance certifications:

• SOC 1 Type II;
• SOC 2 Type II;
• ISO/IEC 27001:2013;
• PCI-DSS;

We maintain our services and websites on a series of collocated data centers, located in:

• San Francisco, California, USA;
• New York, New York, USA;
• Singapore;
• Sydney, Australia;

Our services and websites are then served to you via one of partners' 155+ global anycast data centers. All Personal Information stored in Amsterdam, The Netherlands is securely transmitted to you via modern security protocols and practices. Advena imposes strict internal developmental requirements to ensure data is transported securely at all times, regardless of the destination.

(b) Support Staff and Your Information

Access to your information by supporting staff members is tightly controlled, and information is not made available to staff members until your identity is reasonably established. By design, our system will not allow access to information by any member of our support team until you have been identified.

• [1] Trust & Safety Team and Cloud Intelligence Team

Advena's Trust & Safety Team and Cloud Intelligence Team utilise internal tools which permit access to services and website visitor data, customer data, end user data, usage statistics, traffic intelligence data and machine analysis data. This information is made available to authorised, vetted members of our Information Security Division (which includes Cloud Intelligence Team and Trust & Safety Team) for the purposes of security and auditing. Advena restricts access to this data — including the anonymisation of such data where practical, only permitting access where necessary for the execution of the teams' function.

Our Cloud Intelligence Team regularly monitors the abovementioned data to investigate and prevent potential security threats, cyber attacks and other malicious behaviour. Our Trust & Safety Team access the abovementioned data only to investigate abuse reports. Delegation of access is reviewed annually to ensure integrity when permitting access to controlled data.

• [2] Debt Collections Partners

Advena may — in the case of an unpaid balance — refer a matter to an external collections partner for the purposes of recovery of funds. Where this is the case, collections partners are provided with your full name, date of birth, full address, email address and telephone contact number (for the purposes of identification and contact) as well as information relating to the amount outstanding, the description of where/how the amount was incurred and previous attempt for collections of the funds. We may — at the request of the collections partner, and where approved by Advena — provide further information we determine relevant to the collection of the outstanding balance.

(c) Information We Collect and Use

• [1] Basic Account Information

If you choose to create an account on any of the services or websites, you must first provide us with some Personal Information, such as your name, email address, and password. Your name, email address and other information that you opt-in to allow are provided to third-parties that utilize Advena services with your permission. You are permitted to create and maintain more than one account, as per the Terms of Use (Account) policy (subject to change). Should you choose to enable paid features on your account (such as subscriptions), you will be required to provide a valid billing address.

• [2] Financial and Transaction Data

If you choose to utilize paid services, we will collect Personal Information relating to financial and transaction data, such as your credit/debit card number, credit/debit card particulars (eg. issuer, card type), bank account information, purchase amount, date of purchase, billing address, and payment method. This information is transmitted over a secure, encrypted connection and stored securely by our PCI-compliant payment services partner – Stripe Payments Australia Pty Ltd (ACN 160 180 343), referred to herein as “Stripe”. By providing this information, you allow us to conduct a risk assessment, fraud evaluation, and you accept that we reserve the right to reject payment based on the results of those assessments and evaluations. By making a purchase, choosing to utilize paid services, or by providing your banking data to Advena, you agree to act in accordance with our product usage and various legal policies, and acknowledge that you have read and understand our Payments Policy, Privacy Policy, Refund Policy, and any terms stated on the “Add a New Payment Method” page.

• [3] Activity Tracking

We subscribe to some system functions that allow us to determine whether or not you are actively using our services for features such as notification creation, activity, “last active” status', and for some security functions.

• [4] Event Listening

We detect some client-side activities, such as clicks for some services function. We do this to invoke actions such as displaying modals & warnings, creating notifications, and other system actions. In order to conduct A/B testing, we may anonymously collect clicks to determine function use, and as part of our products. Event listeners are carefully issued and are not capable of being used to determine your identity.

• [5] Browser and Device Data

We may collect browser and device data, including your IP address, device type, device manufacturer, operating system, internet browser type, screen resolution, operating system version, device manufacturer and model, language, browser fingerprint, timezone, internet service provider, upstream Autonomous Systems Number (ASN), and the version of the services you are using for various reasons, including security. Security data is used to create a threat model and determine the legitimacy and safety of connections; Security data is available to delegated Advena Cloud Intelligence Team members only. This data may be collected when accessing the services or when utilizing a service in which Advena provides services for, such as Customers utilizing Firekit. You may request the destruction of this data via a Freedom of Information Act (FIOA) request.

• [6] Additional Information

You may choose to provide us with additional information to help improve and personalize your experience across our services and third-party applications. For example, you may choose to provide a photo of yourself for your account profile picture. If you email us, we may keep your message, email address, and contact information and forward that data to a third-party provider in order to respond to that request. If you connect your account on our services to another service, the other service may send us information that you authorize for use in the services.

• [7] Links

We may keep track of how you interact with hyperlinks and links to external content across our services. We do not track referrals, and we may disable the referrer header on your browser to stop both us and third-parties from tracking you. Hyperlinks and non-public communications shared on services may be processed and converted to in-house, secure links. The legitimacy and security of links shared on the services will be verified prior to the link being made available to anyone.

• [8] Cookies and Sessions

We use cookies and similar technologies to temporarily store information, such as your current login session, and device region. We do not collect the values of these cookies for usage data, however our security partner – Cloudflare – uses their own unique cookie to monitor your connection's behaviour in order to maintain our security. The data Cloudflare collects may be used to identify you across other services. The values of cookies issued by us are available to our services and you only, and are secured server-side using modern security standards.

We may also use unique cookie values to ensure that your connection is not intercepted, and regularly check the value of cookies to ensure that third-parties are not manipulating the value of sessions, or the data you are presented with.

• [9] Advertising

Advena does not permit third-party advertising, except on our SaaS products where our customers have the ability to manipulate page templates. Any breach of this will result in the termination of the infringing account. Advena will never display third-party advertisements on any Service or Website owned or operated by Advena.

• [10] Information and Identity Verification

If Advena needs to verify your identity (for example, in order to recover your account, or for use of our Services or Websites, such as Advena Security Vetting Authority), we may request additional sensitive, personal or identifying information from you. Where this is the case Advena destroys information collected for the purposes of identity verification within 90 days of the verification/confirmation of your identity.

Information collected for the purposes of verifying your identity or information may be provided to our ceritifed, accredited identity service provider. The provider we are providing this information to, and what information we are providing will be made clear at the time we request the information from you.

III. Information Sharing and Disclosure

(a) Information Requests by Law Enforcement & Governments

We, as the controller of your information, reserve the right to preserve, or disclose your information if we believe that it is reasonably necessary to comply with a law, regulation, legal process or government request, to protect the safety of any person; to address fraud, security or technical issues; or to protect our users' rights or property. We do not collect any information with the intention that it will be used to limit or degrade any legal defences or objections. Should We determine that a request for information has been made without sufficient basis, merit or is perceived to be unlawful, We will refuse such request. We must be presented with a reasonable request of information, or a court-issued order to surrender such information before providing it. Where permitted by any relevant order, we'll notify you when a law enforcement agency or government has requested access to your information, however We won't always (for example, in the case of national security, or child exploitation-related requests). Some authentication data and other identifiers are stored in an encrypted form by us, so requests for information are reviewed very carefully before being fulfilled.

Your password is always stored in a non-reversible format. Advena cannot view, decode, or access your plain-text password. Password hashes may be surrended at the request of law enforcement in accordance with the abovementioned, and where the request is valid.

(b) Freedom of Information Act Requests

You may request a copy of your information using automated tools that We provide as part of the services. If you wish to have a detailed report with all information we have collected and presently hold about you, you may submit a Freedom of Information Act (FOIA) request to recover this information. We will always comply with FOIA requests where the request is lawful, reasonable and is financially appropriate to comply with. You must validate your identity with a 100-point identity check prior to FOIA requests being considered.

You may also request the destruction of your information via a Freedom of Information Act Request. Upon completion of a 100-point identity check, your account will be deactivated. Your information will be held for 90 days after a FIOA request for removal is approved. 91 days after your FOIA request for removal is approved, all data that we presently hold about you is destroyed.

The 90-day detention period is necessary to ensure that the information is not being removed as part of an attempt to destroy, conceal or tamper with evidence required as part of a civil or criminal investigation. The 90-day data detention period cannot be overridden, and any lawful requests issued (as per § III(a)¶1 during the 90-day suspension period will be fulfilled.

Freedom of Information Act requests should be directed to:

Privacy Officer — Advena
PO Box 764
Morley, WA 6943
Australia

(c) Third-Parties and Affiliates

Applications you authorize or authenticate with using our services are provided only with information you authorize to be released. As part of our agreement with third-party application operators, We can request to audit their practices and internal policies at any time to ensure that your privacy is being upheld, and that they are not in violation with agreements We establish with them. Sometimes, We have to provide your information to third-parties or vital functions such as billing and security.

(d) Public Information

We may share or disclose your public information, such as your public profile picture, email address, and first-name on login. You can control the information that is made available publically in your account privacy settings.

IV. Accessing, Modifying, and Removing your Personal Information

(a) Accessing and Modifying Information

If you are a registered user of our services, We provide you with tools and account settings to access, correct, delete, or modify the Personal Information you provided to us and associated with your account. You can download a copy of information that we store about you in your account privacy settings.

(b) Removing your Personal Information

You also have the right to request deactivation in your account settings. Following a request to deactivate, your account will become unavailable to the public, and external services using your account. Deactivation can take up to 60 days to remove all information; this is on top of the 90-day detention period described in Section III(b)¶2.

V. Use of services by Minors

(a) Service Usage

The services are not directed to anyone under the age of eighteen (18), and we request that they do not provide Personal Information through the services. Should we determine that a minor is utilizing services, we may limit, suspend or delete the account in question. Upon deactivation of a minor's account, the information stored that is associated with the account will be subject to general deactivation processes. Deactivation can take up to 60 days to remove all information; this is on top of the 90-day detention period described in Section III(b)¶2.

(b) Parental/Guardian Requests

Should a Parent/Legal Guardian request that information be removed from the services, upon reasonable confirmation of guardianship, we will comply with the request and will order the destruction of the relative information following the 90-day detention period described in Section III(b)¶2.

Parental/Guardian requests are only serviceable if the account owner is below the age of 18. Parental/Guardian requests for persons exceeding the age of 18 will not be serviced, as the account owner is legally capable of executing actions on their own account.

VI. Governing Legislation

(a) Applicable Governing Legislation

This Privacy Policy is enforced under the laws of Western Australia, and is thereby governed by all respective, applicable legislation. This Privacy Policy complies with the Privacy Act of 1988.

VII. Updates to this Privacy Policy

(a) Policy Changes and Notification

We may change this Privacy Policy. The “Last updated” legend at top of this Privacy Policy indicates when the Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the services, the scope of which includes this page.

We may issue a notification to your account upon update of this policy via your email address, physical postage/billing address, or through the services. You agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with hard copy disclosures in person. Disclosures and notices in relation to this policy or Personal Information shall be considered to be received by you within 24 hours of the time they are amended and posted.