The personal data which we collect and hold about you may include:

• personally identifiable information such as your name, contact information, addresses, email addresses, phone and facsimile numbers;

• demographic information such as your gender, age or date of birth, hometown and interests;

• financial data such as payment and banking details, including credit card information;

• mobile device and server data such as your device ID, device type, geo-location information, computer and connection information, statistics on page views, traffic to and from the website, ad data, IP address and standard web log information;

• details of our projects in which you have participated or will participate (in any capacity) including any additional information necessary to deliver that project and respond to your enquiries;

• any additional information relating to you (such as interests and preferences) that you provide to us through our website or paper forms, through any online presence or through other websites or accounts from which you permit us to collect information;

• any other personal data that may be required to facilitate your dealings with us or our projects generally, such as information regarding donors, participants and students, families of participants and students, supporters, staff, volunteers and school representatives.

By voluntarily giving us personal data, when you visit the Eat Up website or when you choose to become involved with us and our projects or following us on any social media channels you consent to our collection, use and disclosure of your personal data in accordance with this policy and any other arrangements that apply between us.

We collect your personal data in many ways including:

• when you visit, log onto or donate on our website;

• when you communicate with us through correspondence, chats, email, phone, in person or when you share information with us from other social applications, services or websites;

• when you interact with our website and social media channels, services, content and advertising;

• from cookies;

• when you take part in any of our projects, either as a volunteer, staff member and/or participant (including on behalf of anyone under the age of 18);

• when you donate to our charitable causes;

• from third parties, such as our related entities, business or commercial partners, credit reporting bodies, wholesale or other customers, or your representatives; or

• from publicly available sources of information.

We collect your personal data for the primary purpose of funding and performing our functions and activities including:

• to seek, facilitate and record your participation in any of our projects;

• to respond to your questions or comments and to provide information about us and our projects to you;

• to manage our relationship with you and any other person or organisation you represent;

• to ask for donations and support;

• to assist with our administration and to assess, train and work with and manage our staff;

• to assist with our research, planning, service development, record-keeping and internal reporting processes;

• to create transaction records, accounts, tax invoices or receipts;

• to obtain opinions or comments about our projects and perform research and analysis to assist us to provide, develop and improve our projects;

• to send you support and administrative messages, reminders, updates and information requested concerning our projects;

• to prevent fraudulent transactions;

• to disclose to our trusted third-party suppliers or professional advisors;

• to facilitate and/or comply with our legal obligations and address disputes; or

• for such other purposes as may be required or permitted by law.

Sensitive information is defined in the Privacy Act to include information or opinion about such things as your racial or ethnic origin, sexual orientation or practices, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.

If you provide sensitive information to us for any reason (for example if you provide us with health information such as information about allergies you (or someone under the age of 18) might have) you consent to us collecting, using and disclosing that information for the purpose for which you disclosed it and as permitted in accordance with the applicable law. We will handle any sensitive information that we receive in accordance with the applicable law and this policy.

Your information may be disclosed to:

• our employees, agents, officers and related bodies corporate;

• third party service providers and commercial suppliers (including payment systems operators (e.g. merchants receiving card payments) and providers that host our web servers, manage our IT, payment processing, data analysis, email delivery and those involved in the operation of our projects;

• professional advisers or specific third parties for law enforcement or public safety matters as permitted by law;

• anyone to whom our assets or businesses (or any part of them) are transferred. You acknowledge that such transfers may occur and the transferee may decline to honour commitments we made under this policy; or

• specific third parties authorised by you to receive information held by us.

We require our service providers to keep personal data confidential and not to use or disclose it for any purpose other than performing services for us or on our behalf.

You should be aware that some information that you upload to parts of our social media pages may be available to be viewed by the public. You should use discretion in deciding what information to upload to such sites.

With the use of cookies, we may collect personal data about you when you access our website. You can disable cookies through your internet browser. However, certain aspects of our website may require the information collected by cookies to function properly.

Our website may contain links that lead to other websites. These services might set up their own cookies to remember you. If you click on these links, we are not held responsible for your data and privacy protection.

We may hold your personal data and information in either electronic or hard copy form.

The security measures we take to protect your personal data and information include:

• storing and encryption of your personal data in a secure environment;

• allowing access to the secure physical and electronic storage facilities strictly by authorised personnel only;

• ensuring that providers of our cloud-based storage facilities have appropriate security measures in place to protect any information stored on such facilities consistent with our policy;

• monitoring and tracking details of any access and/or change to your personal data, including the date and time at which your information is accessed and/or changed, and by whom;

• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure secure processing.

We cannot guarantee the security of your personal data. Except to the extent liability cannot be excluded due to the operation of statute, we exclude all liability (including in negligence) for any consequences of any unauthorised access to your personal data. Please notify us immediately if you become aware of any breach of security.

In the case of a personal data breach, we will notify the personal data breach to the Office of the Australian Information Commissioner without undue delay after becoming aware of it, unless the personal data breach is unlikely to result in serious harm or an unlikely risk to the rights and freedoms of natural persons.

When the personal data breach is likely to result in a serious harm or is a high risk to the rights and freedoms of natural persons we will communicate to you in clear and plain language the personal data breach and the nature of the personal data breach which will contain at least the information and security measures taken.

When your personal data is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your personal data.

Where you have allowed us to collect and process certain personal data from you, you have certain rights in relation to the processing of your personal data, including the following rights:

1. Right of access to your personal data.

2. Right to rectification or correction of any inaccurate personal data we have.

3. Right to ask for a copy of your personal data held by us and you have the right to transfer such personal data to another entity.

4. Right to withdraw consent to the use of your personal data.

5. Right to object to further processing of your personal data for direct marketing purposes.

6. Right to file complaint with the applicable data protection authority about our processing of your personal data if you have any concerns with how it has been handled.

If you have a complaint about the way we have handled your personal data, or for further information about our policy or practices or to access or correct your personal data, you can contact us at the following email address: eatup@eatup.org.au.