Security Research Policy

Company Promise

Keeping user information safe and secure is a top priority for us at Harvest Digital Planning, and we welcome the contribution of external security researchers.

Scope

If you believe you've found a security issue in any website, service, or software owned or operated by Harvest Digital Planning, we encourage you to notify us.

How to Submit a Report

To submit a vulnerability report to Harvest Digital Planning, please send us a PGP encrypted message at security@harvestdp.com (see https://harvestdp.com/.well-known/security.txt for more information).

Your submission will be reviewed and validated by a member of our security team.

Safe Harbour

Harvest Digital Planning supports safe harbour for security researchers who:

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
Only interact with accounts you own or with explicit permission of the account holder. If you do encounter Personally Identifiable Information (PII) contact us immediately, do not proceed with access, and immediately purge any local information.
Provide us with a reasonable amount of time to resolve vulnerabilities prior to any disclosure to the public or a third-party.

We will consider activities conducted consistent with this policy to constitute "authorised" conduct and will not pursue civil action or initiate a complaint to law enforcement. We will help to the extent we can if legal action is initiated by a third party against you.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Preferences

Please provide detailed reports with reproducible steps and a clearly defined impact.
Submit one vulnerability per report.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service (DDoS) is prohibited

This Privacy Policy describes how Social Pinpoint Pty Ltd (“Social Pinpoint”, “we”, “us” or “our”) (ABN: 12 148 958 927) collects, protects, discloses, stores and uses your personal information through its provision of online software applications and other digital products (the “Software”) and services (together, the “Services”).

Our Software is operated by an external operator (the “Operator”) who licences the Software from Social Pinpoint and may, from time to time, collect information for various reasons outlined in their Privacy Policy, Privacy Statement, or any other applicable Agreement. You should check these documents and ensure you are comfortable with how the Operator will collect and handle your personal information.

This Privacy Policy has been prepared to take into account the following privacy laws:

Australia - Privacy Act 1988 (Cth) (“Privacy Act") and the Australian Privacy Principles (“APPs"). See Appendix 1 for Privacy Act and APP specific provisions.
Canada - The Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).
European Union - General Data Protection Regulation 2016/679 (“GDPR”). See Appendix 2 for GDPR specific provisions.
New Zealand - Privacy Act 1993.

If the Operator is a government entity or located in another jurisdiction, we may also contractually agree to comply with additional privacy laws.

What information is collected?

Personal Information

Customers:

In providing its Services, the type of personal information collected by Social Pinpoint may include (but may not be limited to) the following types of information, when this information is shared:

Your name
Email address
Phone number
The organisation you work for
Your job title
Your preferences and opinions with respect to the Services
Details of the Services requested by you and provided to you and Social Pinpoint’s response to you, including with respect to any support requests
Any feedback you provide to Social Pinpoint, including in any feedback surveys
Your IP address
Other unique ID numbers
Any other personal information requested by Social Pinpoint and/or provided to Social Pinpoint by you or by a third party.

Users of our Services:

The Operator may collect a range of personal information from you when you use our Services (whether as a staff admin user for the Operator or as a visitor to the Operator’s website), depending on their specific requirements and needs. Personal information may be collected in a range of ways including through a registration process or through various activities and interactions on the site.

The type of personal information collected will vary between Operators and may include (but may not be limited to) the following types of information, when this information is shared:

Your name
Email address
Username
Profile picture
Phone number
Your IP address
User-agent string
Other unique ID numbers
Social network account IDs
Physical address, postcode, or other locational attributes
Demographic information such as age, gender, etc.
Information about your preferences
Your recorded thoughts, ideas, opinions, etc. as expressed by you. This may include sensitive information if you provide political opinions.

You will need to check the Privacy Policy of the Operator to confirm what personal information is collected.

Where an Operator collects your personal information, this personal information may also be collected and accessed by Social Pinpoint in fulfilling our duties and responsibilities to the Operator and to internally analyse and improve our Services and Software.

Cookie Policy

Our websites use cookies to record and log data. We use both session-based and persistent cookies, dependent upon how you use or interact with our websites.

Cookies are small data files sent by us to your computer, or from your computer or mobile device to us each time you visit our website. They are unique to you or your web browser. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser. Persistent cookies last until you or your browser delete them, or until they expire.

When you use one of our websites, we may use technologies such as cookies to store information about your visit. If you have provided us with personal information, cookies may be associated with this information.

We use this information to better understand how people use our websites, to improve our products, to ensure that we give you the best experience we can, to detect fraud or abuse and to help our customers learn about which engagements and content most matter to their communities.

If you do not wish to have cookies enabled, or wish to be notified of their use, most modern browsers will allow you to adjust this in the settings. Please note that disabling the use of cookies on our software may result in restricted/impacted functionality, and you may not be able to take full advantage of the service.

We use the following categories of cookies on our sites:

Necessary cookies

These cookies are essential to enable you to browse around our websites and use its features. Without these cookies, functionality related to certain tools and accessing secure areas of the site could not be provided.

Preferences cookies

Also known as “functionality cookies,” these cookies allow a website to remember the choices you have made in the past, like what language you prefer or what your username and password is so that you can automatically log in next time.

Statistical cookies

Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. The purpose of this information is to help understand how users are engaging with the website and to improve website functions.

Operators may also use cookies on our Software. Operators are responsible for notifying you of the cookies they use and how you can control which cookies are enabled.

Links

This Privacy Policy does not apply to third party websites or digital services which may be linked to content published by either Social Pinpoint or the Operator. We recommend you read the privacy statement of the relevant service when you access these third party sites.

How do we use your information?

Customers:

Social Pinpoint may use information it collects (personal or otherwise) in order to:

provide our Services to you
allow you to access our Software
send you updates and information where you have consented or would reasonably expect to receive them
respond to your enquiries
to request your feedback
maintain our licenced Software
for internal record keeping, administrative, invoicing and billing purposes
detect and rectify fraud or other behavior that violates any terms of use
comply with our contractual or legal obligations and resolve any disputes that we may have
conduct de-identified research, analytics and business development
improve our Services, Software and our website
if otherwise required or authorised by law

Users of our Services:

Social Pinpoint may access and use the information collected by the Operator (personal or otherwise) in order to:

allow you to access our Software
respond to your enquiries
maintain our licenced Software
detect and rectify fraud or other behaviour that violates any terms of use
respond to service requests from the Operator
comply with our contractual or legal obligations and resolve any disputes that we may have
monitor sites to ensure adequate safety and security
conduct de-identified research, analytics and business development
improve our Software and services
if otherwise required or authorised by law

How do we protect your information?

Social Pinpoint takes the privacy of your information very seriously, and we use industry standard practices to keep your data safe and secure.

How do we disclose your personal information?

Customers:

In providing the Services, our Software and our website Social Pinpoint may disclose your personal information to:

our third party helpdesk management provider for customer support tickets
our third party email management system to send email updates and notifications
our employees, contractors and/or related entities
our existing or potential agents or business partners
anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred
credit reporting agencies, courts, tribunals and regulatory authorities, in the event you fail to pay for goods or services we have provided to you
courts, tribunals, regulatory authorities and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights
any other third parties as required or permitted by law, such as where we receive a subpoena

Users of our Services:

In providing the Services and our website, Social Pinpoint may disclose your personal information to:

our third party email management system to send email updates and notifications
our third party authentication and authorisation provider for our Software, if enabled
other third party service providers for the management of security, fraud detection, internal logs, basemaps and geocoding services, content moderators, graphic providers, web mapping tools and software which allows for the functionality of a browser
Social media sites when you choose to share content or authenticate your user account through them
any other third parties as required or permitted by law, such as where we receive a subpoena

Contact us

To contact us about our Privacy Policy, compliance with any applicable privacy laws, or to modify or delete your personal data, please email our Privacy Officer at: info@socialpinpoint.com

The Privacy Officer will review all messages received and respond to each message upon due consideration. We may require further information to respond to your message, or may refer you to the Operator when appropriate.

Changes to this Policy

We reserve the right to modify this policy from time to time, at our sole discretion. If we make a material change to the Privacy Policy we will notify you and the modified policy shall be effective once we notify you of the change. If we do not make any material amendments then we will post the modified policy on our website and it shall be effective once posted. We recommend that you regularly check our website to make sure you are aware of our most up-to-date policy.

Appendix 1 – The Privacy Act and the APPs

The Privacy Act and the APPs set out the core requirements for the protection of personal information in Australia. Please read the Privacy Policy above and this Appendix carefully and contact us at the details at the end of the Privacy Policy if you have any questions

How do I access, change or delete my personal information?

In some cases you may be able to access and correct your personal information by logging into your account (if the Software provides this functionality), where you can update your personal details.

You may also request a copy of, changes to, or deletion of, the personal information we hold, and we will act on this request within a reasonable period of time unless we are legally permitted to refuse to do so, in which case we will provide you with details of our refusal in writing.

Before acting on your request we may be contractually required to provide notification to or seek the consent of the Operator.

Social Pinpoint will endeavour to respond to your request or inquiry within 30 days.

How do I make a complaint?

If you wish to make a complaint, please contact us using the details in the contact section above and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. If you are not satisfied with our response you also have the right to contact the Office of the Australian Information Commissioner.

Will my personal information be transferred overseas?

Where we disclose your personal information to third parties in our Privacy Policy, these third parties may store, transfer or access personal information outside of Australia, including but not limited to the United States of America and the Philippines.

We will only disclose your personal information to countries with laws which protect your personal information in a way which is substantially similar to the Australian Privacy Principles or we will take such steps as are reasonable in the circumstances to ensure the third party protects your personal information in accordance with the Australian Privacy Principles.

Appendix 2 – The GDPR

Under the GDPR individuals located in the EU have extra rights which apply to their personal information. Personal information under the GDPR is often referred to as personal data and is defined as information relating to an identified or identifiable natural person (individual). This Appendix sets out the additional rights we give to individuals located in the EU when we sign a GDPR compliant data processing agreement with an Operator, including how we process personal information lawfully, transparently and fairly. Please read the Privacy Policy above and this Appendix carefully and contact us at the details at the end of the Privacy Policy if you have any questions.

What personal information is relevant?

This Appendix applies to the personal information set out in the Privacy Policy above where we sign a GDPR compliant data processing agreement with an Operator. This includes any sensitive information also listed in the Privacy Policy above which is known as ‘special categories of data’ under the GDPR.

Our commitment to you

Your personal information will:

be processed lawfully, fairly and in a transparent manner by us;
only be collected for the specific purposes we have identified in the ‘collection and use of personal information’ clause above and personal information will not be further processed in a manner that is incompatible with the purposes we have identified;
be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
be kept up to date, where it is possible and within our control to do so (please let us know if you would like us to rectify any of your personal information);
be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal information was collected or required by an applicable controller; and
be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.

How do we process personal information?

If the GDPR applies and we act as a controller, we must have a legal basis to process your personal information. We will process your personal information in accordance with the following legal bases:

Legitimate interests: We will process your personal information for our legitimate interests to allow you to access and use our website, to send you marketing content we think may be of interest to you, to contact you if you leave your contact details with us or if you otherwise initiate contact with us, to review and improve our Services and for our internal business purposes.
Performing a contract: We will rely on performing a contract to process your personal information where we are preparing to enter into a contract with you or we are carrying out our obligations under a contract with you, including where you have entered into a contract with us for our Services or the licensing of our Software.
Legal obligation: We will rely on a legal obligation to process your personal information where we are subject to a legal obligation, including to respond to any illegal activity and for taxation purposes.
Consent: If we need to rely on consent, we will ask for consent to process any of your personal information for that specific purpose before we process your personal information for that purpose.

Upon written request, we may provide you with a list of the third parties we use to process your personal information and the locations of those third parties.

Data retention

If the GDPR applies or we have signed a GDPR compliant data processing agreement, and we act as a processor:

We will only retain your personal information in accordance with the controller’s instructions and we will delete or return your personal information to the controller in accordance with the terms of the applicable data processing agreement.

If the GDPR applies and we act as a controller:

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information, whether we can achieve those purposes through other means and the applicable legal requirements.

In some circumstances you can ask us to delete your data: see ‘access, erasure and data portability’ below for further information.

In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for analytics, research or statistical purposes in which case we may use this anonymised information indefinitely without further notice to you.

Data transfers

The countries to which we send data for the purposes listed above may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries:

we will perform those transfers in accordance with the requirements of the GDPR (for example, by using the Standard Contractual Clauses as a safeguard); and
we will protect the transferred personal information in accordance with the Privacy Policy, as supplemented by this Appendix.

Countries to which we may transfer personal data include Australia, the Philippines and the United States of America.

Extra rights for EU individuals

Objecting to processing:

You have the right to object to processing of your personal information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights and freedoms, in order to proceed with the processing of your personal information.

Restricting processing:

You have the right to request that we restrict the processing of your personal information if:

you are concerned about the accuracy of your personal information
you believe your personal information has been unlawfully processed
you need us to maintain the personal information solely for the purpose of a legal claim
we are in the process of considering your objection in relation to processing on the basis of legitimate interests

Access, erasure and data portability:

You may have the right to request details of the personal information we hold about you, or to request that we erase the personal information we hold about you, or that we transfer this information to a third party.

Rectification:

If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, incomplete, misleading or out of date.

Note that if we are acting as a processor of your personal information, before acting on a rights request we will need to seek the instructions of the relevant Operator.

If the GDPR applies and we act as a controller of your personal information, we will endeavour to respond to your request or inquiry within 30 days.

Harvest Digital Planning

Security Research Policy

Company Promise

Scope

How to Submit a Report

Safe Harbour

Preferences

Want to work with us?

Talk to a member of our team to discuss your requirements