Privacy Statement

Introduction


This statement provides a high-level overview of our privacy practices for visitors to our website; for detailed information, including legal bases, data sharing, and your full rights, please refer to our full Privacy Policy located at https://www.identitii.com/legal/governance.


Who we are


Identitii Limited
Registered Address: C/- Boardroom Pty Limited, Level 8, 210 George Street, Sydney NSW 2000
Contact number: +61 2 8806 0438


Identitii Limited (referred to as ‘Identitii’, ‘we’ or ‘us’) includes Identitii Limited (ABN 83 603 107 044) and its wholly owned subsidiaries. This Privacy Statement applies to Identitii Limited and BNDRY Pty Ltd (ABN 49 678 808 449). It summarises our privacy practices for visitors to our website and other social media and explains how we handle personal data collected in compliance with the Privacy Act 1988 (Cth) and the General Data Protection Regulation (GDPR). For customers, our contractual data processing terms apply. For employees, contractors, or other relevant stakeholders, our full Privacy Policy is here.


Privacy policies of other websites


Our website contains links to external sites. Identitii is not responsible for their privacy practices, and users should review their respective privacy policies.


Your personal information


What personal data we collect


Identitii follows the principle of data minimisation, collecting only the personal data necessary for specified purposes. We ensure data is gathered for clear and legitimate reasons and is not used in ways that contradict those purposes. Regular reviews help keep data relevant and limited to its intended use, and our collection methods are designed to avoid unnecessary or excessive information. We are committed to maintaining accurate and up-to-date personal data. We validate data at the point of collection and review it regularly to ensure its accuracy. Individuals can request updates or corrections by contacting privacy@identitii.com, and we handle all correction requests promptly. To maintain data integrity, we implement technical and organisational measures, including validation checks within data entry systems.


We collect personal data necessary for communication, service provision, and compliance, including:

  • Contact details (name, address, email, phone number, job title)

  • Employment information (history, professional qualifications)

  • Device details (IP address, browser, operating system – with consent)

  • Cookie data (strictly necessary, analytics, marketing, session, persistent)

  • Marketing preferences (subscriptions, engagement with marketing emails)

  • Customer support interactions (queries, emails)

  • Social media engagement (profile details, interactions, shared content, demographics, and device information)

  • Feedback, complaints, and survey responses


How we collect personal data


We collect data directly through visiting our website, form submissions, surveys, customer support, social media, and marketing interactions. Indirectly, we collect data from business partners, affiliates, and public sources. We use cookies to enhance functionality and improve user experience. Upon visiting our website, you can manage cookie preferences through our consent banner. You can disable cookies through your browser settings. Note that disabling cookies may affect website functionality. Upon visiting our website, you can manage cookie preferences through our consent banner. Except for strictly necessary cookies used to record your choices, no cookies are activated until you make a clear, affirmative selection.


Our website makes use of the following cookie types:

  • Necessary: Essential for the website to function properly, such as enabling security features and allowing users to navigate the site.

  • Functional: Enhance usability by remembering preferences and customisations, such as language settings.

  • Analytics: Collect anonymous data on user interactions and website performance to improve user experience.

  • Performance: Monitor and optimise website performance, ensuring fast load times and smooth navigation.

  • Advertisement: Track browsing behaviour to deliver personalised ads and limit ad frequency.


Why we collect personal data and our legal basis


We process personal data for:

  • Investor relations – Legitimate interest (GDPR Article 6(1)(f)).

  • Recruitment – Legitimate interest (GDPR Article 6(1)(f)).

  • Regulatory compliance – To meet legal obligations (GDPR Article 6(1)(c)).

  • Security operations – Legitimate interest (GDPR Article 6(1)(f)).

  • Service provision – To fulfil contractual obligations (GDPR Article 6(1)(b)).

  • Website analytics and marketing communications – With user consent (GDPR Article 6(1)(a)).


For any sensitive personal data we collect, we rely on Article 9(2)(a) of the GDPR, which requires explicit consent, unless another exception under Articles 9(2)(b)–(j) applies. For example, processing may also occur where necessary for employment, legal claims, or substantial public interest as defined under relevant law.


Where we store your data


We store data primarily in Australia and the United States, with some processing in the European Union and the Philippines. Where data is transferred outside of Australia or the EEA, we rely on mechanisms such as the whitelist defined by the Australian Government, adequacy decisions issued by the European Commission, or Standard Contractual Clauses (SCCs). Where SCCs are used, we conduct Transfer Impact Assessments (TIAs) to evaluate the legal and operational environment in the destination country.


How we use and disclose personal data


We use personal data to:

  • Provide and improve services

  • Communicate with users

  • Analyse website traffic

  • Send marketing communications (with consent)

  • Fulfil legal and regulatory obligations

  • Recruit team members

  • Protect information assets

  • Communicate with investors

  • Enhance security and compliance through automated decision-making (ADM)


ADM is used for fraud detection, security monitoring, and access management. We process personal data for these purposes based on legitimate interests (security and fraud prevention), legal obligations, and contractual necessity. We ensure meaningful human involvement in all automated decision-making processes that may significantly affect you. This includes review by trained personnel, escalation to a privacy or risk officer if concerns are raised, and documented outcomes to ensure fairness, transparency, and accountability.


We disclose your personal data to:

  • Employees, officers, and authorised contractors

  • Third-party service providers (e.g., marketing, hosting, analytics)

  • Data subjects, upon request

  • Government agencies and authorities when legally required or to prevent serious harm

  • Potential purchasers in the event of a business sale, transfer, or change of control, under confidentiality obligations and as permitted by law


Visit https://www.identitii.com/legal/subprocessors for a list of third-party subprocessors.


How we protect your data


Security controls

We implement technical and organisational measures to protect personal information, including encryption (TLS 1.2+ in transit, AES-256 at rest), least privilege access with MFA, and firewalls with intrusion detection and prevention systems. Secure coding practices, regular security testing, and vendor due diligence further strengthen our security. Employees receive mandatory cybersecurity training upon hiring and annually, with strict incident reporting protocols.


Compliance and monitoring

We conduct internal and third-party security audits, annual risk assessments, and comply with the Australian Privacy Act 1988, APPs, GDPR, and relevant security frameworks like ISO 27001 and SOC 2. Continuous security monitoring, penetration testing, and automated threat detection help identify and mitigate risks.


Data breach response

If a data breach is suspected, we act immediately to contain it and mitigate risks. We assess the incident to determine if it qualifies as an eligible data breach likely to cause serious harm. If required, we notify affected individuals as soon as practicable and inform the relevant supervisory authority within 72 hours. If direct notification is impractical, a public notice is published. A post-incident review is conducted to analyse the root cause, implement corrective actions, and report findings to senior management and regulators if necessary.


How long we retain your data


Personal data is retained only as long as necessary for its intended purpose or as required by law. When no longer needed, data is securely deleted, anonymised, or de-identified. This approach aligns with our obligations under Australian Privacy Principle (APP) 11.2 and Article 5(1)(e) of the GDPR, which require us to take reasonable steps to destroy or de-identify personal information when it is no longer needed for the purposes for which it was collected, or as otherwise required by law.



Your data protection rights


Identitii ensures you are informed of your rights under relevant privacy laws. You have the right to:

  • Right to access – Request confirmation of whether your data is processed and access to that data.

  • Right to rectification – Request correction of inaccurate or incomplete personal data.

  • Right to erasure (Right to Be Forgotten) – Request deletion of your personal data under certain conditions.

  • Right to restrict processing – Request a temporary halt to data processing under specific circumstances.

  • Right to object to processing – Object to processing based on legitimate interests or for direct marketing.

  • Right to data portability – Request a machine-readable copy of your data or transfer to another organisation.

  • Right to challenge automated decision-making and profiling – Contest decisions made solely by automated processes and request human intervention.

  • Right to notification of rectification, erasure, or restriction – Be informed when your data is corrected, erased, or processing is restricted.

  • Right to lodge a complaint – Submit a complaint to Identitii or a supervisory authority if you believe your rights were violated.

  • Right to sue for serious invasions of privacy – Take legal action under Australian law for serious breaches involving personal information.


How to exercise your rights


To exercise your rights, contact us at privacy@identitii.com or mail C/- Boardroom Pty Limited, Level 8, 210 George Street, Sydney NSW 2000. We will respond within 30 days. If we deny a request, we will provide a written explanation.


Lodging a complaint


If you believe we have not handled your personal data appropriately, you can lodge a complaint with us at privacy@identitii.com or by mail. If unsatisfied, you can escalate the complaint to:


Keep a record of your complaint, including key details, dates, and responses received.



Changes to our privacy policy


We update this Privacy Statement regularly. Any changes will be published on our website, and material updates will be communicated via our website.

© 2024 Identitii Limited. All rights reserved.

ABN 83 603 107 044 | Privacy Statement

© 2024 Identitii Limited. All rights reserved.

ABN 83 603 107 044 | Privacy Statement

Identitii (ASX:ID8)

C/- Boardroom Pty Limited. Level 8, 210 George Street, Sydney NSW 2000, Australia

Identitii (ASX:ID8)

C/- Boardroom Pty Limited.
Level 8, 210 George Street,
Sydney NSW 2000, Australia