Foundation for Indigenous Sustainable Health (“FISH”) believes privacy is an important right of individuals.  FISH is committed to protecting personal information by complying with relevant laws, and takes steps to protect your personal information from misuse and to use your information only in the ways described in this privacy policy and in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”).   

Anonymity and pseudonymity

In most circumstances, it is impractical for people to communicate with us anonymously. However, in circumstances where it is lawful and practicable to do so, we will provide you with the option of not identifying yourself, or using a pseudonym, when interacting with us.

Personal information we collect 

Personal information means information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. 

We only collect personal information by lawful and fair means where reasonably necessary for our functions or activities as a not-for-profit organisation focussed on developing sustainable health through community based programmes and providing learning experiences in life skills, personal development, and creative initiatives in Indigenous communities.

We collect personal information which:

– you provide to us in the course of engaging with one of our creative, cultural, education and employment, health, housing, and justice services;

– you provide during the course of events organised by FISH;

– you provide to us in order to subscribe to our mailing list;

– you provide to us in person, by phone, by post, via our website or via other forms of electronic communication; or

– is provided to us by third parties who have disclosed that information to us (and only if it would be unreasonable or impracticable to collect the information directly from you).

Further, when you visit our website (the “Site”), our service provider, Shopify, automatically collects certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device on our behalf. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”. 

We collect Device Information using the following technologies: 

– “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org. 

– “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps. 

– “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site. 

Additionally when you make a purchase or attempt to make a purchase through the Site, Shopify also collects certain personal information from you on our behalf, including your name, billing address, shipping address, payment information (including credit card numbers), email address, and phone number. We refer to this information as “Order Information”. 

When we talk about “Personal Information” in this Privacy Policy, this includes  both Device Information and Order Information. 

How do we use your Personal Information? 
We, or our service providers on our behalf, may collect, store (in hard copy or electronic form), use or disclose and otherwise process your Personal Information for the primary purpose of conducting and supporting our functions or activities.

Without limiting the foregoing, we may collect, store, use or disclose your personal information:

– to provide you with products and services under any contract between you and FISH;

– to contact you should we need to do so;

– to address any enquiries, complaints or feedback from you;

– to provide you with useful information and various event information; and

– to do anything FISH is required or authorised to do by law.

We use the Order Information that we collect generally to fulfil any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to: 

– communicate with you; 

– screen our orders for potential risk or fraud; and 

– when in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services. 

We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns). 

We will not use your Personal Information for a secondary purpose unless:

– you consent to the use or disclosure or you would reasonably expect us to use it for a secondary purpose which is related to the primary purpose;

– the use or disclosure is required or authorised by law; or

– the use or disclosure is otherwise permitted by the Privacy Act (for example, as a necessary part of an investigation of suspected unlawful activity).

Sharing your Personal Information 

Without legitimate grounds for doing so, FISH does not provide personal information you provide to us to third parties other than to:

– related group companies;

– third parties to help us use your Personal Information to facilitate purchases made by you, as described above;

– third parties where you have given your consent (express or implied);

– our professional advisors, contractors or other service providers, such as Shopify, whom we may engage to carry out, advise or assist with the fulfilment of your purchase and the carrying out of the functions or activities of FISH; and

– government agencies or other similar entities as required or permitted by law – such as to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

We use Shopify to power our online store. They provide us with the online e-commerce platform that allows us to sell our products to you. Shopify collects Order Information on our behalf in order to assist us in running our online store and fulfil any orders you place. Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall. You can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy.

We also use Google Analytics to help us understand how our customers use the Site — you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout. 

When providing third parties with your Personal Information, we endeavour to ensure that those third parties handle your Personal Information in accordance with the Privacy Act and this privacy policy.

Do not track 
Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser. 

Cross-border disclosure

We are based in Australia.

We may send your personal information to other organisations or persons located overseas. For example, indirect overseas disclosure of your Personal Information to third parties overseas may occur as Shopify is based in Canada and Shopify may also send data to the United States in the course of operating its business.   

If we disclose Personal Information to a third party in a country which does not have equivalent privacy laws to Australia, we will take reasonable steps in the circumstances to ensure that the overseas recipient does not breach the Privacy Act. In particular, we will not send your Personal Information overseas unless either:

– we reasonably believe that the recipient of the information is subject to a law or binding scheme that has the effect of protecting information in a way that, overall, is at least substantially similar to the way in which the Privacy Act protects personal information and there are mechanisms that you can access to take action to enforce that protection of the law or binding scheme; or

– you have consented to the transfer.

Direct marketing

When you opt in, we may also use your personal information for marketing purposes to send you news, information about our activities and general promotional material which we believe may be useful or of interest to you. 

We may contact you by email, mail or telephone. You can let us know at any time if you no longer wish to receive these communications, by contacting us (using the contact details set out below) or using the opt-out/unsubscribe facility in our communications.

Behavioural advertising 
We also use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work. 

You can opt out of targeted advertising by using the links below: 
– Facebook: https://www.facebook.com/settings/?tab=ads 
– Google: https://www.google.com/settings/ads/anonymous 
– Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads 

Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/. 

Specific rights for EU residents only 
In many cases, the control and processing of the personal information of EU residents is subject to the requirements of the GDPR.

If you are a European resident, then you may have additional rights under the GDPR, including the right to:

– withdraw your consent, where we rely upon it for processing your Personal Information, at any time;

– ask us to confirm if we are using your Personal Information;

– ask us to delete your Personal Information;

– ask us to stop or restrict how we process your Personal Information;

– subject to certain conditions, ask us to help you move your Personal Information to other companies; and

– be informed and know about any protections that we have put in place when we are transferring your data overseas.

Some of these rights will apply in very limited circumstances. For example, the right to request the deletion of your Personal Information, or to stop or restrict its use, is not usually available where it remains necessary for us to retain and use your personal information for the purposes for which it was collected, or where we have a legal obligation to retain or use the information.

If you would like to exercise any of these  rights, please contact us through the contact information below. 

Additionally, if you are a European resident we note that we are processing your information in order to fulfil contracts we might have with you (for example, if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. 

Security of Personal Information and Data retention 
We take reasonable steps to protect your data from misuse, interference and loss, and from unauthorised access, modification or disclosure.

When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information. We will take reasonable steps to destroy or permanently de-identify Personal Information which is no longer needed for the purposes described in this privacy policy.

Access to Personal Information

Subject to any exceptions in the Privacy Act, if you have provided us with Personal Information, you have a right to request access to it.  If you are of the belief that FISH holds Personal Information relating to you and you wish to obtain access to this information, please contact us on the details provided below.  We may ask you to provide proof of your identity if you request access to or correction of your Personal Information.

In the event that a request for access is made, we will review our records to determine what Personal Information relating to you we hold and endeavour to respond to your request within a reasonable period after the request is made, but in any event, within 30 days.

Once we have notified you of the nature of the Personal Information relating to you which we hold, we will give you access to your Personal Information in the manner requested by you, if it is reasonable and practicable to do so.

We do not levy a charge in respect of the making of a request for access to Personal Information held by us.  However, we may charge you for the reasonable costs incurred by us in providing you with access to the Personal Information held by us.

The Privacy Act provides instances where a holder of Personal Information may refuse to provide an individual with access to their Personal Information.  If we refuse to give you access to your Personal Information, we will give you a written notice that sets out our reasons for the refusal and the mechanisms available to complain about our refusal.    

Complaints, questions or further information 

If you wish to make a complaint about a breach of your privacy by FISH, you may contact us using the contact details provided below.  All complaints will be investigated by a representative of FISH.  We will endeavour to resolve your complaint as quickly as possible and, in any event, within 30 days.  We will notify you of the outcome of the investigation, including how we propose to resolve your complaint and what, if any, corrective measures we will implement.

If you are not satisfied with our handling of your complaint, you may lodge a complaint with the Office of the Australian Information Commissioner.  For more information about doing so, visit https://www.oaic.gov.au/privacy/privacy-complaints/. 

Changes 
We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. 

Minors 
The Site is not intended for individuals under the age of 18. 

Contact us 
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by by e‑mail at [email protected] or by mail using the details provided below: 

Foundation for Indigenous Sustainable Health 
[Re: Privacy Compliance Officer] 
Foundation for Indigenous Sustainable Health , PO Box 7741, Cloisters Square WA 6850, Australia