Privacy policy

Last updated on July 12, 2024

This Privacy Policy explains how Deputy collects, uses, protects and shares your personal information and your rights in relation to that information. If you have any questions, please don’t hesitate to contact us using the contact details at the end of this Privacy Policy.

When we refer to “Deputy”, “we” or “us”, we mean Deputec Pty Ltd and its related companies including Deputy Corporation and Deputy EMEA Limited. Capitalized terms that are not defined in this Privacy Policy have the meanings given to them in Deputy’s subscription agreement available at deputy.com/terms/subscription-agreement (“Subscription Terms”).

This Privacy Policy applies in connection with your use of Deputy’s online workforce management software services, or any other Deputy services and products that refer or link to this Privacy Policy including our associated support services (together, the “Services”) that Deputy either provides to your employer organization or to you directly and any other interactions that you have with us, including when you visit our website or speak with us over the phone.

Deputy’s Services are mostly intended for use by employer organizations. The party to the Subscription Terms will control its instance of the Services and be responsible for the personal information it discloses to Deputy.

Please note that if Deputy is providing the Services to your employer organization, we use your personal information to allow you to access and use the Services for and on behalf of your employer organization. This makes us a “processor” for the purposes of the GDPR. However, there will be circumstances under which we use your personal information for purposes that are not for and on behalf of your employer organization, for example, if you use the Services or contact us outside of the context of your relationship with your employer organization. Under these circumstances, we may be a “controller” for the purposes of the GDPR. This distinction between whether we act as processor or controller has a number of implications from a GDPR perspective. Please refer to the section titled ‘Additional information for EU/United Kingdom residents’ below for more information that will only apply to you if you are an EU/United Kingdom resident.

If you are a California resident, please review our Privacy Policy California Addendum at deputy.com/terms/privacy-policy-california-addendum.

This Privacy Policy does not apply to any third-party websites, applications or software that integrates with the Services or any other third-party products, services or businesses.

Personal information collected and received by Deputy

Deputy collects and receives several different types of personal information, including the following:

Information type: Examples
Profile information: personal information that is provided by you when you sign up and use our Services such as your name, date of birth, email address, phone number, residential address, gender (including gender neutrality) and profile photo.
Financial information: transaction history, credit card details and other billing information; financial details including bank account, tax and superannuation/pension information if your instance of the Services includes the Deputy HR product.
Employment information: information about your employer(s), term of employment, your remuneration, and position or job function; shift information, including the time and date of shifts worked and scheduled; photos of you when you clock in and out of shifts (if your instance of the Services has this feature turned on); onboarding forms and documents if your instance of the Services includes the Deputy HR product.
Job applicant information: resume or job application information such as the details provided in your resume, your eligibility to work, your education, training/certifications, previous employment details and job application videos (optional) if your instance of the Services includes the Deputy HR product.
Sensitive information: biometric information if your instance of the Services has a “kiosk” (often an iPad device) installed and facial recognition features are enabled; identity information such as social security number, copies of passport and driver’s licence and citizenship and immigration status information if your instance of the Services includes the Deputy HR product.
Geolocation information: if you clock in and/or clock out of your shift on a phone or mobile device.
Usage and activity information: information on how the Service is accessed and used, as well as usernames and passwords; records of your communications and interactions with us.
Device information: information about your device (e.g. desktop, laptop, phone, tablet) used to access the Services such as connection type and settings, operating system, browser type, IP address, time zone settings, the time spent on webpages, unique device identifiers and other diagnostic data; cookies (and related online tracking technologies) to deliver enhanced functionality and better understand your interaction and usage.
Your content: content submitted to Deputy’s websites, or when you participate in any interactive features; information you create and submit to us or enter into the Services (including through Deputy’s Newsfeed service or the Deputy HR product).
Your preferences, interests, and opinions: your preferences in receiving marketing communications from us; your feedback and opinions about us and the Services.
Support information: information provided by you to our support teams providing assistance to you in relation to our Services including: contact information, written and oral summaries of the issue, documents, images & recordings.

Certain aspects of your personal information, for example profile information, are required for many Services and if you fail to supply such information as requested for any specific Service, we may be unable to provide you with the Services in full and your enjoyment of such Services may be more limited.

How Deputy collects personal information 

We may collect personal information about you when: 

  • you provide it to us directly – e.g. by submitting a form, contacting us or entering it in using the Services 

  • we receive it from another party or source – e.g. your employer organization, our related companies, public information and the parties described under ‘Sharing and disclosure of personal information’ below 

  • we collect it automatically – e.g. via cookies and log data relating to your use of the Services. 

We may combine personal information with information we collect through other means, and create new information from reviews, investigations and analysis. 

If you provide us with information about another person (e.g. if you work for an employer organization and you provide the personal information of the organization’s employees to us), you will let that other person know that we may handle their personal information in the ways set out in this Privacy Policy, and that they can access the Privacy Policy by visiting this website or requesting a copy of it from us.

Purposes of information collected

Information is collected, stored, used and disclosed by Deputy for purposes including the following: 

  • To provide the Services to you and our customers (e.g. your employer organization) and to administer, assess, maintain and improve the performance of the Services.

  • To allow you to access and use the Services (including authentication).

  • To personalize and optimize your experience when using the Services and to ensure the Services are relevant to you, your device, and to deliver targeted content based on your information, location and preferences.

  • To provide you with assistance and support in relation to your use of the Services, such as responding to a request or complaint that you may have.

  • To research and develop the Services for the purpose of improving the Services, and to allow you to participate in surveys or interactive features of our Services when you choose to do so.

  • To communicate with you about the Services and deliver promotional materials, special offers and general information about the Services which are similar to those you already use or enquired about unless you have opted not to receive such information.

  • To protect the safety and security of the Services including detecting and responding to security incidents and other malicious or unlawful activity, and to detect, prevent and address technical issues. 

  • To protect Deputy’s legitimate business interests including for fulfilling and exercising our obligations and rights including in circumstances where we are required to comply with regulatory orders and audit processes, and for exercising or defending legal claims. 

  • To generate de-identified statistical data to uncover collective insights about the use of our Services (and not to specifically analyze personal characteristics). 

  • To verify your identity and to detect fraud and potential fraud, including fraudulent payments and fraudulent use of the Services. 

  • In connection with business transfers to facilitate the sale, purchase, merger or demerger of any business by us, including assessing potential transfers and managing transitional arrangements. 

  • Other uses where you have provided your express consent.

Sharing and disclosure of Information 

Deputy may share or disclose personal information to various third parties. These third parties are likely to include: 

  • Your and our representatives. 

  • Technology and media partners (e.g. telecommunication service providers) that perform services for us or connect with the Services (e.g. third-party applications, data storage services). 

  • Social media platforms (e.g. where you interact with our account or link your account to us or the Services). 

  • Our lawyers, accountants and professional advisors. 

  • Other third-party service providers, such as third-party branding service providers.

  • Our related companies. 

  • Law enforcement authorities and government agencies where we are required or permitted to do so by law, or as a result of a legal process. 

  • Any third party that your employer directs us to share or disclose your personal information to. 

Deputy operates in multiple countries and regions including Australia, New Zealand, USA, Canada, the United Kingdom and the EU. We may handle personal information, and transfer it to recipients, in these countries and other countries, including the Philippines and Vietnam.

Security of information 

Deputy uses industry-standard technical and organizational measures to secure the information that we collect and store about you and we will use commercially reasonable endeavours to protect your information from unauthorised access, alteration, disclosure or destruction. For more information about our security measures, please visit our Trust Center at deputy.com/trust.

Please note that no security system is impenetrable and we cannot and do not guarantee the security of your information during transmission through the internet or while stored on our systems or otherwise in our care.

Retention

Your personal information will be retained for the period that is necessary to fulfil the purpose it was originally collected for, or to fulfil the purpose outlined in this Privacy Policy, or to meet legislative or regulatory obligations, such as financial reporting requirements.

After it is determined that your personal information has reached the end of its retention period, we will either delete or anonymize your information or, if this is not possible, we will securely store your information and isolate it from any further use until deletion is possible.

Cookies

We also use cookies and similar technologies to collect information and improve our Services. For more details about how we use cookies and similar technologies, as well as your opt-out controls and other options, please see our Cookie Policy at deputy.com/terms/cookie-policy.

Marketing

From time to time we may send you direct marketing communications regarding our Services. We may contact you by electronic messages (e.g. email), online (e.g. through our Services) and by other means, unless you opt-out or we are subject to legal restrictions from doing so. You may opt-out of receiving marketing communications from us at any time by contacting us via the contact details at the end of this Privacy Policy or by using the opt-out mechanism included in our marketing communications.

Rights in relation to personal information

Subject to certain limitations and restrictions (e.g. depending on circumstances such as where you reside) you may have the right to exercise certain rights in relation to your personal information, including the following: 

  • The right of access to personal information we hold about you. 

  • The right to know what personal information we collect about you, and how it is used and shared. 

  • The right of rectification to update your personal information if it is inaccurate or incomplete.

  • The right to erasure/deletion (‘right to be forgotten’) of your personal information.

  • The right to object to our use and handling of your personal information.

  • The right to restrict our handling of your personal information. 

  • The right of data portability for transfer of your personal information to another party. 

  • The right to withdraw consent you have previously provided to our handling of personal information. 

Please note that in order to verify your request or the applicability of any of these rights to your circumstances, we may ask you for further information and to verify your identity before responding to such requests.

Where a request relating to any of the above rights has been made and information has been shared with third parties, Deputy will take all reasonable steps to notify third parties of the request.

If you have any questions about these privacy rights, or how to exercise them, please contact us using the contact details at the end of this Privacy Policy. We will confirm receipt of your request and provide information on how we intend to respond. Further, we will respond to your request in accordance with permitted or required timeframes set out in applicable laws.

In certain circumstances, for example, if we only hold your personal information because we are providing the Services to your employer organization, it may be more appropriate for you to exercise these rights against your employer organization rather than against Deputy, in which case we will advise you to do so if you contact us in the first instance.

Complaints

We take your privacy concerns seriously. If you have a complaint regarding our handling of your personal information or concerning our privacy practices, you may file a complaint with us using the contact details set out at the bottom of this Privacy Policy. We will confirm receipt of your complaint and, where appropriate, open an investigation into your complaint.

We may need to contact you to request further details of your complaint. If an investigation has been opened following a complaint made by you, then we will contact you with the result of that complaint as soon as possible. In the unlikely circumstances we are unable to resolve your complaint to your satisfaction, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction. For reference, we set out below the identity of some of the relevant authorities:

  • If you reside in the EU and you are unsure of who the data protection authority is in your country, please refer to this link: https://edpb.europa.eu/about-edpb/board/members_en

  • If you reside in Australia, your data protection authority is the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/

  • If you reside in the United Kingdom, your data protection authority is the Information Commissioner’s Office (ICO): https://ico.org.uk/

  • If you reside in the United States, data protection regulations are developing, and privacy is handled on a state-by-state basis – in these instances, refer to your state’s Attorney General’s website. The US Department of Commerce also has a dedicated contact to liaise with EU data protection authorities in the event of enquiries or referrals: https://www.privacyshield.gov/article?id=DPA-Liaison-at-Department-of-Commerce

Dispute Resolution and Class Action Waiver

Any dispute, controversy or claim arising out of or relating to this Privacy Policy, or any aspect of the relationship between you and Deputy, whether based in contract, tort, statute, fraud, misrepresentation, or any other legal theory, will be resolved through final and binding arbitration before a neutral arbitrator instead of in a court by a judge or jury, unless you opt out of this arbitration agreement within 30 days of the first acceptance date of any version of this Privacy Policy (the Opt Out Deadline).

You may opt out of these arbitration procedures by emailing us at legal@deputy.com by the Opt Out Deadline and stating that you reject the agreement to arbitrate. Unless you opt out by the Opt Out Deadline, you agree that you and Deputy are each waiving the right to sue in court and to have a trial by a jury.

The arbitrator shall have the power to rule on any challenge to its own jurisdiction, the arbitrability of any claim, or to the validity or enforceability of any portion of the agreement to arbitrate. The arbitrator shall also have the power to award temporary, interim, or permanent injunctive relief or relief providing for specific performance of this Privacy Policy, but only to the extent necessary to provide relief warranted by the individual claim before the arbitrator.

You and Deputy agree to arbitrate solely on an individual basis, and agree that this Privacy Policy does not permit class arbitration or any claims brought as a plaintiff or class member in any class or representative arbitration proceeding.

The arbitration shall be administered by an arbitration service selected by Deputy in accordance with its applicable rules and procedures. Judgement on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof.


Additional information for EU/United Kingdom residents

Basis for handling personal information

Where we process your personal information as a processor on behalf of your employer organization, your employer organization is responsible for ensuring that there is a legal basis under the GDPR for us processing your personal information on their behalf.

Where we process your personal information as a controller, we need to ensure that there is a legal basis under the GDPR to justify our processing of your personal information. There are a number of different ways that we are lawfully able to process your personal information. We have set these out below.

Where processing your personal information is necessary for us to carry out our obligations arising from any contracts entered into between you and us

  • If you enter into a contract with us directly in relation to the Services, we may process certain personal information about you in order to perform our obligations under such contract.

Where processing your personal information is within our legitimate interests

  • We may process your personal information for the purposes of our legitimate interests, for example, in order to: enforce the terms of our website, analyse log data/user statistics to improve the Services for all users, communicate with you about your access to the Services and/or our website, ensure the Services and our website run smoothly and to respond to any of your questions, feedback, claims or disputes.

  • We do not think that any of our data processing activities prejudice individuals in any way. However, you do have the right to object to us processing your personal information on this basis. Please refer to the section titled “Rights in relation to personal information” for more details about exercising your rights.

Where you give us your consent to process your personal information

  • We will obtain your opt-in consent prior to sharing your personal information with third-party applications and carrying out certain marketing activities. 

  • As and when we introduce these particular processing activities, we will provide you with more information so that you can decide whether you want to opt-in. 

You have the right to withdraw your consent to these activities. Please refer to the section titled “Rights in relation to personal information” for more details about exercising your rights.

Where processing your personal information is necessary for our compliance with a legal obligation

  • In certain circumstances, we may disclose your personal information for the purposes of compliance with a legal obligation (for example, to comply with a law, regulation or compulsory legal request).

International transfers

If you are based within the UK/EU we will only process and/or transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with the GDPR and the means of transfer provides adequate safeguards in relation to your personal information, including for example:

  • By way of a data transfer agreement with your employer organization, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal information by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or

  • By way of a data transfer agreement with a third party, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal information by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or

  • By transferring your personal information to a country where there has been a finding of adequacy by the European Commission in respect of that country's levels of data protection via its legislation; or

  • Where it is necessary for the conclusion or performance of a contract between Deputy and a third party and the transfer is in your interests for the purposes of that contract (for example, if we need to transfer your personal information to a benefits provider based outside the EEA); or

  • Where you have consented to the data transfer.


Privacy Policy changes

Deputy may change this Privacy Policy at any time. Deputy will post any such changes online. If the changes are material, we may provide a more prominent notice in-app or send you an email notice. If you disagree with any changes to this Privacy Policy, you will need to stop using the Services and deactivate your account.

Contact Us

If Deputy is providing the Services to your employer and/or you are not party to the Subscription Terms (and your employer is) then your employer will be able to help you with your privacy-related questions and requests. Please note that Deputy is not responsible for the privacy or security practices of an employer organization, which may be different to the practices described in this Privacy Policy.

If you otherwise have questions about this Privacy Policy, concerns about how your information is handled, or if you wish to exercise your legal rights, please email us at privacy@deputy.com. California residents may alternatively call us on 1-888-532-4785. The company responsible for our compliance with this Privacy Policy is Deputec Pty Ltd ACN 133 632 327 of Level 13, 580 George Street, Sydney NSW 2000 Australia and our UK Representative is Deputy EMEA Limited of Herschel House, 58 Herschel Street, Slough, Berkshire, United Kingdom, SL1 1PG.

European Representative
Pursuant to Article 27 of the GDPR, Deputy has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters relating to the GDPR:

  1. by using EDPO’s online request form; or

  2. by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.