1.1 Our Business
QWB Lab Limited, a New Zealand incorporated limited liability company (company number 8229162) and related entity QWB Lab FlexCo (company number FN636143f), anAustrian incorporated limited liability company (each or together referred to herein as “QWB Lab” or as “our“ or “we” or “us”) provide and operate an online platform service offering (the “QWB Lab Platform”) that through a specialised suite of tools enables cultural organisations to measure, understand, improve and articulate their impact on wellbeing, inspired by the OECD wellbeing framework.
QWB Lab also has a public website https://qwblab.com (the “QWB Lab Website”) – it and the QWB Platform are both subject to the Terms of Use at www.qwblab.com/terms-of-use.
1.2 Our approach to Data Privacy
QWB Lab respects your Personal Information that it collects and uses for the purposes stated below.
This Privacy Policy sets out our, and your, rights and obligations in relation to Personal Information you may provide either in relation to:
Please read this Privacy Policy carefully.
In this Privacy Policy, the following terms are defined:
i. A potential or actual Client; or
ii. A member of the public that visits the QWB Lab Website including where that person subscribes to our newsletter or downloads white papers, case studies or other educational or marketing materials; or
iii. Any other person or organisation that we engage with in relation to a potential or actual business relationship or engagement with us (including in relation to services to be or provided by a service provider).
We may collect and hold the following Personal information, as applicable:
when you subscribe to our newsletter via our service provider Mail Chimp (https://mailchimp.com/).
4.1 We collect in the following manner:
4.2 Aggregated anonymous information generated by our IT systems (operated and managed by our service providers), which may track and analyse traffic to the QWB Lab Website, but do not relate to you personally. This is further described in Section 5.1 herein (final paragraph).
5.1 We expect to use the Personal Information we collect from you in the following manner:
5.2 Other technical based purposes
In addition, we may automatically collect certain non-Personal Information concerning the QWB Lab Website pages when you visit from your device in order to display and provide and optimise the provision of webpages to you. This includes date and time of access, the identity of your web browser, the type of operating system you use, your IP address and the identity of the website host or host’s name. We may also use such non-Personal Information for improving the content of the QWB Lab Website or QWB Lab Platform (as applicable). This information may come from server log files (temporarily stored) and/or cookies (where permitted, see Section 7).
5.3 Data retention
We will keep Personal Information (or Personal Data) about you, to use for the above purposes, for a reasonable period of time necessary for the operation and management of our business but subject to our obligations under Sections 9 and 10.
We will only permit access to your Personal Information with other organisations or individuals or government agencies strictly for the following purposes, where necessary and incidental in the provision of:
i. QWB Lab platform services;
ii. QWB Lab website;
by our service providers.
As at the date of this policy, our service providers are:
- Webflow, a service provider who hosts and operates the QWB Lab Website from its data centre in the USA;
- MailChimp, a service provider who hosts and provides its service from its data centre in the USA;
- IT Effect Limited (a New Zealand incorporated company) being a service provider that manages and supports the MS Azure hosted QWB Lab Platform.
Our service providers provide their services to us in accordance with applicable privacy policies and laws.
Where we need to disclose your Personal Information pursuant to a court or government agency in order to satisfy any mandatory applicable law, regulation, judicial or other legal process or government agency request provided, we will use our reasonable endeavours to give you advanced written notice of such requirements in the USA.
7.1 Cookies
We may use cookie files containing information that can identify the computer you are working from (as referred to in Section 4.2 and Section 5.2). A cookie file is anonymous and is only used to identify visits from the same web browser.
We may use the information generated by such cookie files to: (i) track traffic patterns to and from the QWB Lab Website; and (ii) enable you to enter the QWB Lab Platform
7.2 How to turn Section 7.1 cookies off?
You can choose to refuse cookies by turning them off in your web browser and/or deleting them from your hard drive. Some QWB Lab Website pages may not function properly if the cookies are turned off.
We use our reasonable commercial efforts to ensure the security, integrity and privacy of your Personal Information and avoid unauthorised loss, use or disclosure.
This includes a variety of measures including Client authenticated ID and password-based use of the QWB Lab Client Portal and otherwise encryption of data, use of IT firewalls and certain cyber-attack protections
As no data transmission over the internet can be guaranteed to be completely secure, we cannot ensure the security of any information you transmit or receive through the QWB Lab Website and or QWB Lab Platform (as applicable). While, as stated, we take precautions to minimise related risks, you use the internet for transmission at your own risk.
It is also important that you take steps to protect your Personal information like:
• Using a strong password with numbers, letters and special characters;
• Not sharing your password with anyone, ever;
• Remembering to close the browser after using our Webpages.
In addition, if you post your Personal information on the QWB Lab Website in any publicly accessible fields or in our LinkedIn page, you acknowledge and agree that the information you post is publicly available.
How to access or correct your Personal Information?
9.1 Data subject Users not located in the European Economic Area (EEA)
9.1.1 Subject to applicable laws, you have the right to access your Personal Information and to receive a copy of that information. We may need to verify your identity to respond your access request (and similarly were made under Section 9.1.2). We will respond to any access request within a reasonable time period. We will give you access in a media form requested provided it is reasonable and practical. We do not expect to need to charge our time for this provided the access request is reasonable. If we cannot give you access, due to mandatory legal grounds, then we will inform you of this in writing.
9.1.2 You also have the right to request the correction of the Personal Information we hold about you. We will take reasonable steps to make appropriate corrections to Personal Information so that it is accurate, complete and up to date. Unless a lawful exception applies, we must update, correct, amend or delete the Personal Information we hold about you within a reasonable time period. If we have shared that Personal Information to others, as contemplated under Section 6, we will use our reasonable commercial efforts to contact them and arrange the relevant change. We do not charge for making corrections.
To seek access to, or correction of, your Personal Information, please contact our Data Privacy Officer as set out below in Section 12.
9.2 Users located in the EEA and GDPR data subjects – Information and exercising specific data subject rights
9.2.1. Name and Address of the controller with respect to the GDPR
In relation to an applicable data subject user the Controller for the purposes of the GDPR and other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
QWB Lab FlexCo
Address: c/o Impact Hub Vienna, Lindengasse 56/18-19, 1070 Vienna, Austria
Email: contactus@qwblab.com
Website: www.qwblab.com
9.2.2 GDPR lawful processing grounds
The ‘lawful processing’ grounds on which QWB Lab will rely to collect and use Personal Data about you will be (as applicable):
• where you are a Client in relation to potential or actual contractual engagements for the provision of QWB Lab Platform Services; or
• where you as a public user have opted in to receiving such information (see Section 10 of this Policy) by way of subscription to our newsletter or you download case studies, white papers or other educational or marketing materials
• in relation to potential or actual contractual engagements with you as Personnel of a service provider to QWB Lab
• based on your express consent to the proposed use obtained prior to our processing.
9.2.3 Your data and disclosure
QWB Lab will only disclose your data to entities situated within the EEA, thereby subject to EU data protection laws, or, to those mandated to adhere to an equivalent level of protection, as determined by an adequacy decision from the European Commission.
Per Section 6 our service providers in non-European countries, have reasonable measures in place to ensure a sufficient level of data protection during the transfer of personal information including by implementing additional technical and organizational safeguards.
9.2.4 Specific data subject rights
If you a data subject under the GDPR are located in country that is a member of the EEA, you have a number of other GDPR rights in relation to our collection and use of your Personal Data. In particular these are:
• Right to Access
You can request confirmation as to whether Personal Information concerning you is being processed by us and if so, to which extent. You have the right to request information as to whether the Personal Information concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
• Right to rectification
You have a right to rectification and/or completion of your data towards the controller if the processed Personal Information concerning you is incorrect or incomplete. The controller must make the rectification without undue delay.
• Right to Restriction of Processing
You may request the restriction of the processing of your Personal Information pursuant to Art. 18 GDPR.
If the processing of Personal Information concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or one of its Member States. If the processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
• Right to Erasure
You have the right to obtain from the controller the erasure of Personal Information concerning you without undue delay and the controller shall have the obligation to erase Personal Information without undue delay where one of the grounds of Art. 17 GDPR applies.
Where the controller has made the Personal Information concerning you public and is obliged pursuant to Art. 17 (1) GDPR to erase the Personal Information, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the Personal Information that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those Personal Information The right to erasure does not apply if the processing falls within an exception pursuant to Art. 17 (3) GDPR.
• Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the Personal Information concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right towards the controller to be informed about these recipients.
• Right to Data Portability
You have the right to receive the Personal Information concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data or have it transmitted to another controller without hindrance from the controller to which the Personal Information has been provided.
• Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of Personal Information concerning you which is based on Art. 6 (1) GDPR, including profiling based on those provisions. The controller will no longer process the Personal Information concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
• Right to withdraw Consent
You have the right to withdraw your declaration of consent law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
• Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
• Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of Personal Information relating to you infringes the GDPR
Any request in relation to the exercise any of those rights, please contact our Data Privacy Officer as set out below in Section 12.
10.1 We will give you the option to:
(i) opt in to agree to be contacted by us in relation to our newsletter or where you download case studies, white studies or other educational or marketing materials; and
(ii) opt out and not receive the same.
10.2 We advise that if you exercise you opt out rights per Section 10.1 this may result in any of the content referred to in Section 10.1 not being provided or made available to you.
We will review this Policy regularly, and we may update it from time to time by publishing the latest version on the QWB Lab Website or the QWB Lab Platform (as applicable). You will ensure that you have read the most recent terms posted on the QWB Lab Website or the QWB Lab Platform (as applicable).
If you have a request or enquiry or a complaint about the way we handle your Personal Information (or Personal Data) or to seek to exercise your privacy rights herein in relation to the Personal Information (or Personal Data) we hold about you, you may contact our Data Privacy Officer as follows:
Name: Sabine Doolin
Title: Director, QWB Lab Limited and QWB Lab FlexCo (as applicable)
Email: Sabine@QWBLab.com
Posting:
- QWB Lab Limited, 1/18 Westwell Road, Belmont, Auckland 0622, New Zealand
- QWB Lab FlexCo, c/o Impact Hub Vienna, Lindengasse 56/18-19, 1070 Vienna, Austria
While we endeavour to resolve complaints quickly and informally, if you wish to proceed to a formal privacy complaint, we request that you make your complaint in writing to our Data Privacy Officer, by mail or email as above. We will acknowledge your formal complaint within 10 business days.
If we do not resolve your privacy complaint to your satisfaction, you may lodge a complaint with the New Zealand Privacy Commissioner by making a complaint online at https://www.privacy.org.nz/your-rights/complaint-form/, or writing to them at Privacy Commissioner PO Box 10094, Wellington 6143.
If you are a data subject in the EEA, you can choose to instead lodge a complaint with your local Data Protection Authority (DPA), in Austria this is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Austria.
The list of DPAs in h EEA can be fund at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.