PRIVACY NOTICE – PRIVACY POLICY

Your privacy is important to us, and we have developed this Privacy Policy to protect your personal information. Please read this Policy to understand how we handle your personal information.

Some of the points covered in this policy include:

• We generally collect your personal information directly from you.

• We collect your personal information from you so that we can provide access to our services.

• We may contact you with direct marketing, however you can opt-out at any time.

• You can request that your account be deleted and also request a copy of your personal information.

• You can contact us with any questions you may have in relation to your personal information.

• We are continuously working to enhance privacy options available to you.

OVERVIEW

You have come through to this page from a website which is owned and operated by Alpaca Travel Pty Limited. Alpaca Maps is a service operated by Alpaca Travel Pty Limited.

In this policy, “Alpaca Travel” or “Alpaca Maps” as well as “us”, “we” or “our”, means Alpaca Travel Pty Limited (ABN 29 608 409 990) and its related bodies.

If you are a resident of the European Union, Alpaca Travel Pty Limited is the controller of your personal data for the purposes of the European Union General Data Protection Regulation (the “GDPR”).

This policy sets out:

• what is considered personal information;

• what personal information we collect and hold;

• how we collect, hold, use or disclose personal information;

• the purposes for which we collect personal information;

• what happens if we are not able to collect personal information;

• how to seek access to and correct or delete your personal information;

• whether we disclose personal information outside Australia; and

• how to contact us.

We are bound by the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) (the Act) (subject to exemptions that apply to us under that Act). We are also bound by the GDPR.

WHAT IS PERSONAL INFORMATION?

When used in this policy, the term “personal information” has the meaning given to it in the Act. In general terms, it is any information that can be used to personally identify you. This may include (but is not limited to) your name, age, gender, social media handles and contact details (including email addresses). If the information we collect personally identifies you, or you are reasonably identifiable from it, the information will be considered personal information.

 WHAT PERSONAL INFORMATION DO WE COLLECT AND HOLD?

We may collect the following types of personal information:

• name;

• email address;

• your travel information and information on your travel profile (including your country of origin);

• age and/or birth date;

• details about what services you use of ours, including any personal information that was provided through the use of that service (e.g. submitted Content as per our Terms and Conditions);

• any additional information relating to you that you provide to us directly through our websites or indirectly through use of our website or online presence through our representatives or otherwise;

• information you provide to us through engagements from time to time, including feedback surveys and nominated personal information you provide via the website.

HOW DO WE COLLECT PERSONAL INFORMATION?

We collect your personal information directly from you unless it is unreasonable or impractical to do so.

We do this in ways including:

• through your access and use of our website, apps or embeddable content;

• during conversations between you and our representatives;

• from the content you create using our service;

• from the information you provide to our service to display your travel profile.

We may also collect personal information from third parties including:

• advertisers;

• mailing lists;

• contractors and business partners.

WHY DO WE COLLECT, HOLD, USE AND DISCLOSE PERSONAL INFORMATION?

The primary purpose for which we collect your personal information is to enable us to perform our business activities and functions and to provide the best possible quality of customer service. We collect, hold, use and disclose your personal information for the following purposes:

• to provide products and services to you;

• to provide you with content and information or advice about our existing and new products and services;

• to communicate with you (including by email);

• to manage and enhance our products and services;

• to personalise and customise your experience;

• to provide you with access to protected areas of our websites;

• to conduct competitions or promotions on behalf of Alpaca Travel and selected third parties;

• to verify your identity;

• to provide as part of business data to third parties (if you have authorised us to do so);

• to conduct business processing functions for operation of our websites or our business;

• for our administrative, marketing (including direct marketing), promotional, planning, product/service development, quality control and research purposes, or those of our contractors or external service providers;

• to provide your updated personal information to us, our contractors or external service providers;

• to investigate any complaints about or made by you, or if we have reason to suspect that you are in breach of any of our terms and conditions or that you are or have been otherwise engaged in any unlawful activity; and/or

• as required or permitted by any law (including the Act and GDPR).

Your personal information will not be shared, sold, rented or disclosed other than as described in this Privacy Policy.

If you are in the European Union, you have the right to ask us to stop using all or some of your personal information, or to limit our use of it.

WHAT HAPPENS IF WE CAN’T COLLECT YOUR PERSONAL INFORMATION?

If you do not provide us with the personal information described in this policy, some or all of the following may happen:

• we may not be able to provide you with the products or services you requested, either to the same standard, or at all (for example, if you do not register an account of a website, you will not be able to access features or services that are reserved for account holders only);

• we may not be able to provide you with information about products and services that you may want, including information about travel; or

• we may be unable to tailor the content of our websites to your preferences and your experience of our websites may not be as enjoyable or useful.

WHO DO WE DISCLOSE YOUR PERSONAL INFORMATION TO?

We may disclose your personal information to:

• our employees, related bodies corporate, contractors or external service providers for the operation of our websites or our business, fulfilling requests by you, and otherwise provide products and services to you, including without limitation, web hosting providers, IT systems administrators, photographic analysers, data entry service providers, electronic network administrators, and professional advisers such as accountants, solicitors, business advisors and consultants;

• other users of the Service;

• our existing or potential agents, business partners or joint venture entities or partners;

• our sponsors, or promoters of any competition that we conduct or promote via our services;

• specific third parties authorised by you to receive information held by us;

• the police, any relevant authority or enforcement body, or your Internet Service Provider or network administrator, for example, if we have reason to suspect that you have committed a breach of any of our terms and conditions, or have otherwise been engaged in any unlawful activity, and we reasonably believe that disclosure is necessary;

• as required or permitted by any law (including the Act and GDPR).

If you upload an original itinerary to Alpaca Travel or show Alpaca Travel itineraries through the Embeddable Alpaca Map on a third party website, any personal information contained within that map will be able to be seen publicly. We are not liable for the disclosure of this personal information by you.

DIRECT MARKETING MATERIALS

We may send you direct marketing communications and information about products and services that we consider may be of interest to you. These communications may be sent in various forms, including email, in accordance with applicable marketing laws, such as the Spam Act 2004 (Cth). If you indicate a preference for a method of communication, we will endeavour to use that method whenever practical to do so.

In addition, at any time, you may opt-out of receiving marketing communications from us by contacting us at legals@alpaca.travel or by using the opt-out facilities provided (e.g. an unsubscribe link). We will then ensure that your name is removed from our mailing list. We do not provide your personal information to other organisations for the purposes of direct marketing unless expressly authorised by you.

If you receive communications from us that you believe have been sent to you other than in accordance with this policy, or in breach of any law, please contact us at legals@alpaca.travel.

ACCESSING AND CORRECTING YOUR PERSONAL INFORMATION

You may request access to any personal information we hold about you, or request information about how the personal information has been collected, processed and stored, what data exists and for what purposes it’s used, at any time by contacting us at legals@alpaca.travel . Where we hold information that you are entitled to access, we will try to provide you with suitable means of accessing it (for example, by mailing or emailing it to you). If you make an access request, we will ask you to verify your identity. There may be instances where we cannot grant you access to the personal information we hold; for example, we may need to refuse access if granting access would interfere with the privacy of others, or if it would result in a breach of confidentiality. If that happens, we will give you written reasons for any refusal.

If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then you may request us to amend it. We will consider if the information requires amendment. If we do not agree that there are grounds for amendment, then we will add a note to the personal information stating that you disagree with it.

HOW DO I DELETE MY ACCOUNT?

If you would like to delete your Alpaca Travel or Alpaca Maps account, please email your request to legals@alpaca.travel using the verified email address that your account is tied to. In some circumstances under the GDPR, you also have a right to ask that your personal information be permanently erased. Should you wish your personal information to be permanently erased, email legals@alpaca.travel.

We will acknowledge your request within 21 days and attend to the deletion of your account as quickly as possible, taking into account that it may take up to 9 months for your personal information to be deleted from our platform backups. We will send a confirmation email to you once the account has been deleted. If your request is not acknowledged within 21 days of sending the request, please contact +61 3 9024 1722.

Where we delete personal information about you, we may still retain some or all of that information for other purposes such as maintaining financial records or protecting or enforcing our legal rights. We may also retain your information in an anonymised form. Any information we retain will be held in accordance with this Privacy Policy.

HOW DO I OBTAIN A COPY OF MY DATA?

If you would like a copy of your personal information held by us, please email your request to legals@alpaca.travel using the verified email address that your Alpaca Travel or Alpaca Maps account is tied to. We will then provide you with a copy of the personal information tied to your account in portable JSON format within 21 days of your request.

DISCLOSURE OF PERSONAL INFORMATION OUTSIDE AUSTRALIA

We may disclose personal information to our related bodies corporate and external service providers located overseas for some of the purposes listed above. We will take all reasonable steps to ensure that the overseas recipients of your personal information do not breach the privacy obligations relating to your personal information, including through conducting a risk assessment to satisfy ourselves that there is an adequate level of protection of your rights.

We may disclose your personal information to entities located outside of Australia, including the following:

• our data hosting and Cloud-based IT service providers; and

• other external service providers located in Lithuania

HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

Your personal information is hosted on the Amazon cloud platform and is protected by the systems associated with that platform including network firewalls, AES-256 Vault encryption on sensitive passwords and nightly backups with seven days of retention. We also offer our you SSL certificates to protect your information sent across the internet.

We take all reasonable steps to protect the personal information that we hold from misuse, loss, or unauthorised access, including by means of firewalls, password access, secure servers and encryption.

If you suspect any misuse or loss of, or unauthorised access to, your personal information, please let us know immediately.

COOKIES

Often we will also collect your personal information through the use of cookies. When you access our website, we may send a “cookie” (which is a small summary file containing a unique ID number) to your computer. This enables us to recognise your computer and greet you each time you visit our website, without bothering you with a request to register or log-in. It also helps us keep track of what content or services you view, so that we may be able to send you content. We also use cookies to measure traffic patterns, to determine which areas of our websites have been visited, and to measure transaction patterns in the aggregate. We use this to research our users’ habits so that we can improve our online products and services. If you do not wish to receive cookies, you can set your browser so that your computer does not accept them. We may also log IP addresses (the electronic addresses of computers connected to the internet) to analyse trends, administer the website, track user movements, and gather broad demographic information.

We may also collect anonymous data (which is not personal information) relating to your activity on our websites (including IP addresses) via cookies, or we may collect information from you in response to a survey. We generally use this information to report statistics, analyse trends, administer our services, diagnose problems and target and improve the quality of our products and services. To the extent this information does not constitute personal information because it does not identify you or anyone else, the Australian Privacy Principles do not apply and we may use this information for any purpose and by any means whatsoever.

TRACKING AND TARGETING

Alpaca Travel collects data about your browsing activity on our Services. We may also use non-personal information that we collect about you on our network to identify you on third party websites where we have an arrangement in place to serve ads on those third party websites. We may also collect anonymous internet usage data from third parties.

One of the reasons we collect usage data is to display targeted advertisements or content on our network and also on third party websites. For that purpose, usage data is collected and assigned to one or more pre-defined categories (for example “holiday seekers”). If this infers a particular interest, a cookie is placed in your web browser which may determine the type of targeted advertising or content that you receive. We target advertisements and content in order to improve your user experience – so that you are served advertisements and content that we believe may be more relevant or useful to you.

To create consumer profiles we also collate anonymous data from other sources across our network, including accounts, surveys or competitions. However, we will not combine usage data with your personal information, or share your personal information with any third party, except in accordance with the Privacy Act 1988 (Cth), the GDPR, and our Privacy Policy.

Advertisements or content may also be ”targeted” to users based on:

• the type of content displayed on a given web page;

• the geographical location of a user (ie. identified by an IP address); or

• specific searches undertaken by a user.

Other reasons we may collect anonymous usage data include:

• to limit the number of times users are served certain ads;

• to monitor the performance of advertising campaigns;

• to audit, research, and analyse usage in order to maintain and improve our services, and to develop new services; and

• to ensure that our ad-serving technologies function properly.

We will not collect usage data or target advertisements based on the following market segments:

• racial or ethnic origin; or

• political opinions; or

• membership of a political association; or

• religious beliefs or affiliations; or

• philosophical beliefs; or

• membership of a professional or trade association; or

• membership of a trade union; or

• sexual preferences or practices; or

• criminal record; or

• health information; or

• genetic information that is not otherwise health information.

If we ever seek to target advertisements based on the above market segments, we will first obtain your express consent.

LINKS

Our website may contain links to other websites operated by third parties. We make no representations or warranties in relation to the privacy practices of any third party website and we are not responsible for the privacy policies or the content of any third party website. Third party websites are responsible for informing you about their own privacy practices.

RETENTION OF YOUR PERSONAL INFORMATION

We will retain your personal information for as long as it is required to provide the services to you, subject to any legal obligations we may have to retain such information. Personal information associated with your account will generally be kept until it is no longer necessary to provide the Services or until you ask us to delete it or your account is deleted, whichever occurs first.

CHANGES TO OUR PRIVACY POLICY

We may, from time to time, review and update this policy, including taking account of new or amended laws, new technology and/or changes to our operations. All personal information held by us will be governed by the most recently updated policy. Any updated versions of this policy will be posted on our website and, if we make material changes, we will provide a prominent notice. If you object to any of the changes to the policy, you should stop using the Services and delete your account.

HOW DO I COMPLAIN ABOUT A BREACH OF PRIVACY?

If you believe your privacy has been breached by us, have any questions or concerns about our Privacy Policy please, contact us using the contact information below and provide details of the incident so that we can investigate it.

We will treat your requests or complaints confidentially. Our representative will contact you within a reasonable time after receipt of your complaint to discuss your concerns and outline options regarding how they may be resolved. We will aim to ensure that your complaint is resolved in a timely and appropriate manner.

Please contact our Privacy Officer/ Data Protection Officer at:

Email: legals@alpaca.travel

+61 3 9024 1722