Privacy and Cookies Policy
Part 1: Personal information and privacy
1. Introduction
1.2 In this policy:
'we' (or 'us' / 'our' / ‘LeapThought’) means the LeapThought Group of associated companies comprised of LeapThought NZ Ltd, LeapThought Corp, and LeapThought Asia Pte Ltd. Our address and contact details are set out in Part 3 of this policy.
“Customer” means the person and/or entity identified as the owner or user of an account with any of our Services;
"End User" means any people, clients, customers or third parties that make use of or access any of LeapThought’s Services;
1.3 Some of LeapThought’s Services operate as a hosted service on behalf of other organisations. If an organisation invites an End User to access any of LeapThought’s Services, LeapThought acts only as the data processor. In such cases, the organisation (Customer) that has invited the End User will be the data controller and should be contacted if the End User has any questions about how they process personal information.
2. “Personal Information” and other defined terms
2.1 “Personal Information” (“PI” or “personal data”) means any information that can identify an individual either directly or indirectly (i.e. by reference to other information we have access to). “Personal Health Information” (PHI) is any health records or information of an individual obtained by LeapThought with the consent of the individual.
2.2 The term “processing” includes collection, storage, and the ways we use Personal Information/Personal Health Information when we provide LeapThought’s Services to End Users.
2.3 “Data controller” means the entity which determines the purposes and means of the processing of Personal Information and “data processor” means the entity which processes Personal Information on behalf of the data controller. For the purpose of this policy, LeapThought is the data processor of End Users’ Personal Information collected through LeapThought’s Services and the organisation (Customer) that has invited the End User will be the data controller and should be contacted if the End User has any questions about how they process Personal Information.
3. Collecting Personal Information
3.1 We may collect, store and use the following kinds of PI and/or PHI that Customers or End Users provide to us:
- information that Customers provide when registering to use our services or completing Customer profiles on our website (including Customer name, address, phone number, company name, company address, company email, company phone number and profile picture);
- information that Customers or End Users provide to us when using our services, or that is generated in the course of the use of those services (including personal documents, files, informational content, and the metadata associated with the content);
- information that Customers post to our website for publication on the internet (including Customer name, company name, Customer profile picture and Customer contact details);
- information contained in or relating to any communications, documents or files that End Users send to us or send through our services (including the content of and metadata associated with those documents, files or communications – referred to in this policy as 'Content'); and
- any other Personal Information that Customers or End Users choose to send to us.
3.2 We may collect, store and use the following kinds of Personal Information automatically when End Users use our Services:
3.3 We may collect, store and use the following kinds of Personal Information we receive from other sources:
- when Customers want to invite others to use our Services, they may provide us with third parties’ email addresses.
3.4 Before Customers disclose to us the Personal Information of another person, the Customer must obtain that person's consent to both the disclosure and the processing of that Personal Information in accordance with the terms of this policy. This includes where any Content contained in End Users’ documents or files includes Personal Information. In respect of that Content, we will act as a processor of the Personal Information and process and use it only in accordance with Customer instructions. Customers will remain the controller of that information. Where the GDPR applies to that information, the terms of our Data Processing Addendum (DPA) will apply (as between the Customer and us) and set out our responsibilities when it comes to our processing activities.
4. Using Customer and End User Personal Information
4.1 We rely upon a number of lawful grounds to ensure that our use of Customer or End User Personal Information is compliant with applicable law. We set out the type of Personal Information, the purpose of processing and the legal grounds below.
- Provide Customers with services that Customers have signed up for, including customer support services. Legal Ground: Performance of a contract. This processing is necessary for the performance of the contract with our Customer. Where we process Personal Information about other individuals in order to provide our services, this processing is necessary for the purposes of the legitimate interests pursued by us in providing services to our Customer.
- Administer our website and business and personalize our services for Customers. Legal ground: Legitimate interests. This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop LeapThought’s business and services.
- Send Customers non-marketing commercial communications. Legal ground: Legitimate interests. This processing is necessary for the purposes of the legitimate interests pursued by us to keep Customers informed about changes to our services or terms and conditions.
- Send End Users email notifications that Customers have specifically requested. Legal Ground: Consent. Customers have the right to withdraw End User consent at any time. End Users have the right to withdraw their consent at any time by informing the Customer that is requesting their information, and that Customer will inform LeapThought.
- Send Customers marketing communications relating to our business or the businesses of carefully selected third parties which we think may be of interest to Customers, by post or, where Customers have specifically agreed to this, by email or similar technology. Legal Ground: Consent. Customers can inform us at any time if Customers no longer require marketing communications.
- Deal with enquiries and complaints made by or about Customers or End Users relating to our services. Legal ground: Legitimate interests. This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.
- Keep our website secure and prevent fraud. Legal Ground: Legitimate interest. This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of our service.
- Verify compliance with the terms and conditions governing the use of our website (including monitoring messages sent through our website messaging service). Legal ground: Legitimate interests. This processing is necessary for the purposes of the legitimate interests pursued by us to administer and manage LeapThought’s Services.
4.2 However, we will only use Content (i.e., information contained within documents and files sent by an End User) as strictly necessary to provide our services to a Customer. We will never view, access or use that Content for our own purposes.
4.3 If Customers submit Personal Information for publication on our website, we will publish and otherwise use that information in accordance with the licence Customers grant to us.
4.4 Customer account settings can be used to limit the publication of Customer information on our website.
4.5 We will not, without Customers’ express consent, supply Customer Personal Information to any third party for the purpose of their or any other third party's direct marketing.
5. Disclosing Personal Information
5.1 We may disclose Customer or End User Personal Information to any of our employees, officers, insurers, professional advisers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes set out in this policy.
5.2 This includes several service providers and sub-processors we use to provide Customers and End Users with our services, or who provide functionality contained within our services. The list of sub-processors and the potential country of data storage will be provided upon request.
5.3 We may disclose Customer or End User Personal Information/PHI:
- to the extent that we are required to do so by law;
- in connection with any ongoing or prospective legal proceedings;
- in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
- to the purchaser (or prospective purchaser) of any business or asset that we are (or are contemplating) selling;
- to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that Personal Information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that Personal Information; and
- to other people, where we have End User consent to do so.
5.4 Except as provided in this policy, we will not provide Customer or End User Personal Information to third parties.
6. International data transfers
6.1 Information that we collect may be transferred to, and stored or processed in, countries other than the country Customers and End Users live in. No matter which countries in the world Customer and End User information is stored in, we take steps to ensure that it is kept secure and only used in accordance with this policy and with applicable privacy laws.
6.2 If Customers or End Users are located in the European Economic Area (EEA), this means that Customer or End User information may be transferred outside the EEA. However, it will only be transferred to countries that have been recognised by the European Commission as providing an adequate level of protection of Personal Information, or to third parties who have approved transfer mechanisms in place (such as the European Commission's Standard Contractual Clauses or by ensuring that the third party has industry recognised privacy certifications).
7. Retaining Personal Information
7.1 This Section 7 sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of Personal Information.
7.2 Personal Information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
7.3 Notwithstanding the other provisions of this Section 7, we will retain documents (including electronic documents) containing personal data:
- to the extent that we are required to do so by law;
- if we believe that the documents may be relevant to any ongoing or prospective legal proceedings; and
- in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).
8. Security of Customer and End User Personal Information
8.1 We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of Customer and End User Personal Information.
8.2 We will store all the Personal Information Customers and End Users provide on our secure password- and firewall-protected servers.
8.3 All data entered through our website or exchanged via our services will be protected by encryption technology. This includes the Content of any documents or files sent using our Services.
8.4 Customers and End Users acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
8.5 Customers or End Users are responsible for keeping the password they use for accessing our services confidential. We will not ask for your password (except when logging in to our services).
9.1 We may update this policy from time to time by publishing a new version on our website.
9.2 Customers and End Users should check this page occasionally to ensure they are happy with any changes to this policy.
9.3 We may notify End Users of changes to this policy by email or through the logged-in area on our website.
10. End User rights
10.1 We are committed to protecting and respecting End User privacy; therefore, we have extended the following rights granted under the GDPR to all users of our Services, regardless of where End Users live. End Users can:
- ask to receive information regarding the nature, processing and disclosure of End User Personal Information (right to information);
- request a copy of End User Personal Information we hold (right to access);
- request that we update or correct user Personal Information held by us at any time (right to rectification);
- request, on legitimate grounds, that we erase End User Personal Information (right to erasure);
- request, on legitimate grounds, that we restrict the processing of End User Personal Information (right to restrict processing);
- ask for a copy of End User Personal Information in machine readable form that supports re-use, and request that we transfer End User Personal Information to another data controller (right to data portability);
- where our processing of End User Personal Information is based solely on End User consent (refer to section 4 to understand the legal basis on which we process user Personal Information), End Users have the right to withdraw user consent at any time (right to withdraw consent). Once we have received notification that an End User has withdrawn End User consent, we will no longer process user information for the purpose or purposes the End User originally agreed to, unless we have another legitimate basis for doing so; and
- if End Users are unhappy with how we are processing the Personal Information, End Users have the right to complain to the End User’s local information protection authority. The End User’s local data protection authority will be able to give the End User more information on how to submit a complaint (right to lodge a complaint).
If an End User wishes to exercise any End User rights, please contact us using the details set out in Part 3.
11. Third party websites
11.1 Our website includes hyperlinks to, code snippets from, and details of, third party websites.
11.2 We have no control over, and are not responsible for, the privacy policies and practices of third parties.
12. Updating information
12.1 Please let us know if the Personal Information that we hold about End Users needs to be corrected or updated.
13. NZ law
13.1 Subject to the rights Customers and End Users may have under the GDPR and HIPAA, this policy is governed by the laws of New Zealand and submit to the jurisdiction of the New Zealand courts.
Part 2: Cookies
1. About cookies
1.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
1.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
1.3 Cookies do not typically contain any information that personally identifies a user, but Personal Information that we store about Customers or End Users may be linked to the information stored in and obtained from cookies.
1.4 Cookies can be used by web servers to identify and track users as they navigate different pages on a website and identify users returning to a website.
2. Our cookies
2.1 We use both session and persistent cookies on our website.
2.2 The purposes for which they are used are set out below:
- recognize a computer when a Customer or End User visits the website
- track Customers or End Users as they navigate the website
- improve the website's usability
- analyse the use of the website
- administer the website
- prevent fraud and improve the security of the website
- personalize the website for each Customer or End User
3. Analytics cookies
3.1 We use Google Analytics to analyse the use of our website.
3.2 Our analytics service providers generate statistical and other information about website use by means of cookies.
3.3 The analytics cookies used by our website currently have the following names: _ga, _gat.
3.4 The information generated relating to our website is used to create reports about the use of our website.
4. Blocking cookies
4.1 Most browsers allow Customers or End Users to refuse to accept cookies. Customers or End Users should check their browser settings for more details.
4.2 Blocking all cookies will have a negative impact upon the usability of many websites.
4.3 If Customers or End Users block cookies, they will not be able to use all the features on our website.
5. Deleting cookies
5.1 Customers or End Users can delete cookies already stored on their computer. Customers or End Users should check their browser settings for more details.
5.2 Deleting cookies will have a negative impact on the usability of many websites.
5.3 If Customers or End Users delete cookies, they will not be able to use all the features on our website.
Part 3: Our details
1. Our details
1.1 The services are provided by the LeapThought Group.
1.2 We are comprised of:
LeapThought Corp, LeapThought Asia Pty Ltd, and LeapThought NZ Ltd.
If Customers or End Users are resident outside the European Union:
1.3 Our registered office and principal place of business is at 520 Kirkland Way, Ste. 400, Kirkland, WA 98033.
1.4 End Users should contact the Customer (the organisation through which information is uploaded/provided when using LeapThought’s Services).
Date last updated: 11th September 2023