CitizenHR Privacy Policy

Policy Standard

    1. Purpose

This policy explains how Pleme Pty Ltd ABN 74 635 845 260 (Pleme) the developer of CitizenHR is committed to providing quality service to you and this policy outlines our ongoing obligations to you in respect of how we manage all personal information in accordance with the Australia Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Act). 

The APPs govern the way in which we collect, use, disclosed, store, secure and dispose of your Personal Information. 

A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at www.aoic.gov.au. 

Pleme is committed to ensuring the privacy of personal information is protected and we strive to uphold the best practice privacy standards in the collection, storage and use of personal information. 

    1. Definitions

Personal information means any ‘information or an opinion about an identical individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and

  • whether the information or opinion is recorded in a material form or not’.

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person. 

Sensitive Information is a subset of personal information and is defined as:

  • information or an opinion (that is also personal information) about an individual’s:

    • racial or ethnic origin;

    • political opinions;

    • membership of a political association;

    • religious beliefs or affiliations;

    • philosophical beliefs;

    • membership of a professional or trade association;

    • membership of a trade union;

    • sexual orientations or practices; or

    • criminal records,

  • health information about an individual;

  • genetic information (that is not otherwise health information);

  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

  • biometric templates.

Sensitive information is generally afforded a higher level of privacy protections than other personal information. 

    1. Scope

The Privacy Policy applies to personal information held about individuals. The privacy Act and this Privacy Policy do not apply to information we hold about companies and other organisation as there are not identifiable individuals covered by the Act. However, Pleme does keep completely confidential all information that we hold about companies and other organisations regarding their strategies, business affairs, accounts, finance or contractual arrangements. 

This Privacy Policy covers Australian:

  • Pleme customers, users, suppliers and third parties;

  • Directors and Officers of Pleme Pty Ltd;

  • Employees (full time and part time);

  • Temporary and Casual employees;

  • Independent contractors; and

  • Third party contractors e.g. consultants.

    1. Collection

Personal Information collected by Pleme is collected for the purpose of managing user transactions for products, services, pages, suppliers, and other third-party relationships.

The Personal information we collect differs depending on which of our products and services you are involved in, and may include:

  • name, address and contact details;

  • date of birth;

  • gender;

  • account and newsletter preferences;

  • for employees, all employment related information;

  • for customers, information about a product, services or subscription you purchased from us, the place of purchase and information about your ownership of the product;

  • for users, information about groups you join, comments you make and your published information;

  • information about any email to us, including recording the email, specific details or comments raised in the email, the reason why you contacted us and the advice we gave you;

  • information relating to your selection of groups and the comments you make;

  • information about third party provider products you obtain through us;

  • your contact details and other business information, place of employment and position;

  • your reviews, product review, platform reviews, comments, photos and forum posts that you have submitted;

  • identification checks, including validity of identity and licence and or passport information where appropriate or necessary;

  • information about your Pleme network profile, such as your user id, profile picture, gender, location, interests and suggestions;

  • the fact that you have clicked on a ‘like’ or ‘comment’ or similar button on our network or services one of our pages on a social network site or group, which we may associate with the details that we store about you;

  • information about your visit to our website, such as your browser software, which pages you view and which items you ‘clicked’ on;

  • service, product or server logs, which hold technical information about your use of Pleme, product or websites, such as your IP address, domain, device and application settings, errors and hardware activity;

  • information about where you device is physically located (for example, when you are using location services, or an application and you have provided your consent to your location being shared with Pleme); and

  • interests and preference that you specify during setup of our services.

When we collect Personal Information we will, where appropriate and where possible, explain to you why we are collecting the information and how we plan to use it.

If we request Personal Information from you and you do not supply it, we may not be able to provide you with access to Pleme or any Pleme related service. 

Pleme only collects Sensitive Information (for example, racial or ethnic origin) where it is reasonably necessary for our functions or activities and either you have consented. Sensitive information will be used by us only:

  • for the primary purpose for which it was obtained;

  • for a secondary purpose that is directly related to the primary purpose; and

  • with your consent; or where required or authorised by law.

    1. How we collect information

Whenever possible, we collect Personal Information directly from you. Collection occurs when you first apply or request to join Pleme or a related service from us to work with us, also during the course of your continues use of Pleme we may continue to collection Personal Information. 

Information may be collected in various ways, such as mail, internet, telephone, email, email conversations, live chats and in various formats such as forms, letters, electronic file notes and recorded conversations. Users will be identified by a Pleme user name and password.

We may also collect Personal Information from other people, organisations and sources, such as when collection from you is impractical or where you have consented to us collecting it from someone else. These may be parties related to Pleme, or third parties such as your agent, where you have appointed an agent to act on your behalf in dealings with us (For example, a lawyer or executor).

    1. Where we store collected information

Pleme stores user personal information in a number of locations, including:

  • user documentation scanned or entered into Pleme’s computer systems, various equipment, programmes, databases, applications and digital archives;

  • physical paperwork filed in a secure location; and

  • electronic files stored securely with third party cloud-hosting providers.

These storage mechanisms may be managed internally by Pleme and held locally in Australia and/or Croatia, or they could be managed by a third party storage provider with whom Pleme has a contractual relationship with and be held on a server locally or overseas. 

    1. What we can use it for

Personal Information will be used by Pleme in association with any past or future sales, transactions, interactions or proposals between Pleme and a potential customers or investor including to:

  • identify you when you make an enquiry. for example, we may ask for your date of birth or email address so we can avoid disclosing information to a person who is not you or has not been authorised by you to receive it;

  • contact you about any problems, products, services provided by us previously, now or in the future;

  • help prevent or detect fraud or loss;

  • contact you by any means (including mail, email or telephone) where necessary or appropriate;

  • contact you for research/feedback purposes;

  • make changes to your Pleme account details;

  • provide you with a product or service you have requested, including checking that a payment is not mad fraudulently, delivering your purchase to you or ensuring that you benefit from any relevant special offer or promotion;

  • train staff and for quality assurance purposes;

  • obtain opinions or comments about Pleme products and/or services, including conducting product/user surveys;

  • respond to your requests for information when you contact us about Pleme and its products and services;

  • conduct prize draws, contests and other promotional offers;

  • consider employing you if you contact us via one of Pleme’s job application websites;

  • record statistical data for marketing analysis; and

  • manage employee information, including using it for safety measures and data matching.

This may include disclosure to our overseas related companies within the Pleme family in Australia and other countries. 


    1. Who can we disclose information to

Pleme will not provide information to a third party unless authorised under the Act. 

In general, Pleme does not sell, rent or otherwise disclose information about you to third parties without your consent. However, there are exceptions. Pleme may disclose your personal information to third party service providers so that they can provide certain contracted services to Pleme, such as IT support or programming, hosting services, telephony services, mailing or sending of documents to you electronically or otherwise, processing payments and providing fraud checking services. 

We prepare anonymous, aggregate or generic data (including “generic” statistics) for a number of purposes, including for product and service development, business promotion and research purposes. As we consider that this is not personal information, we may share it with any third party, such as our suppliers, advertisers, industry bodies, the media and/or the general public where appropriate. 

    1. Data Security and Quality

Pleme will not use any personal information about our customers or employees without taking reasonable steps to ensure that the information is up o date, complete, relevant and not misleading. 

Please take care when submitting personal information to us, in particular when completing free text fields or uploading documents or other materials. Some of our services are automated and we may not recognise that you have provided us with incorrect or sensitive information. 

If you believe that any of the Personal Information that we hold about you is not accurate, complete or up to date, please let us know. 

Pleme will take all reasonable steps to store your personal information safeguarding against loss, misuse and disclosure, such as:

  • following certain procedures, for example checking your identity against available date when you telephone us and using secure passwords for our computer systems;

  • limiting physical access to Pleme’s premises;

  • limiting access to personal information to those who specifically need it to conduct their business responsibilities;

  • requiring our third-party providers to have acceptable security measures to keep personal information secure; and

  • putting in place physical, electronic, and procedural safeguards in line with industry standards; and destroying personal information pursuant to the law and our record retention policies.

Pleme cannot guarantee that your personal information cannot be accessed by an unauthorised person (for example, a hacker) or that unauthorised disclosures will not occur. If we provide you with any passwords or other security devices it is important that you keep these secret and confidential and do not allow them to be used by any other person. Please notify us immediately if the security of these devices is breached. 

    1. Access and Correction

We will generally provide you with access to your personal information within 30 days, subject to some exceptions permitted by law. We will also generally provide access in the manner that you have requested (for example, by providing a copy or allowing a file to be viewed), provided it is reasonable and practicable for us to do so. We may however charge a fee to cover our reasonable costs of locating the information and providing it to you. 

If you ask us to correct personal information that we hold about you, or it we are satisfied that the personal information we hold is inaccurate, out of date, incomplete, irrelevant or misleading, we will take reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading. 

If we correct personal information about you, and we have previously disclosed that information to another agency or organisation that is subject to the Act, you may ask us to notify that other entity. If so, we will take reasonable steps to do so, unless this would be impracticable or unlawful. 

    1. Communication

Pleme may use your information to provide you with communications, publications and updates from time to time, by email, social media and through Pleme apps, if you have provided your prior consent or we are otherwise permitted to do so under applicable law. 

If you provide us with an email address or phone number, you consent to electronic communication such as notices or reminders being sent to you via that address or number. 

Pleme may monitor and record communications we receive, including recording and storing threads and comments. This may be done for quality and training purposes to improve the service that we provide, to ensure compliance with our practices and procedure and/or to provide evidence of a transaction such as where a contract is entered into, or a claim is made. 

    1. Our Website

From time to time, Pleme may enable third parties to advertise on its website or inside its applications. If the link is followed to the third-party website from the Pleme website, the website privacy policy of that third party applied, and Pleme accepts no liability for breaches of privacy once such a link has been followed. 

Pleme’s website collects the domain names, not the email addressed of visitors. Our web servers may require you to place a “cookie” (small data file) on your computer’s and/or phones hard drive, in order to tack statistical information about navigation to an throughout certain areas of the site. If you If you are just surfing and reading information on our website, then we collect and store the following information about your visit: 

  • the IP address of your machine when connected to the Internet and the domain name from which you are accessing the Internet;

  • the operating system and the browser your computer uses, and any search engine you are using;

  • the date and time you are visiting;

  • the URLs of the pages you visit; and

  • if you provide it, your email address.

We use that information to measure the number of visitors to different parts of the site and, for example, to measure the effectiveness of advertising. Although we may publish aggregated information about usage patterns, we do not disclose information about individual machines except for the reasons set out below in this section. We do not sell information which identifies you personally. We may gather more extensive information if we are concerned, for example, about security issues. If necessary, we can disclose information to relevant law enforcement authorities. 

Some of our online services may allow you to upload and share messages, photos, video and other content and links with others and/or create a publicly accessible profile for your account. For example:

  • the communities and forums area of our websites, allows you to post comments (with your account name), which are visible to other users of that service; and

  • other services allow you to share a link which if clicked on may allow the recipient to access your uploaded content.

You should not expect any information that you make available to others via Pleme’s online services to be kept private or confidential. Content and links that you share might, for instance, be forwarded by your recipients to others. You should always exercise discretion when using such services.

2. Clarification and Breaches 

    1. Clarification

Further clarification of this policy can be obtained from Pleme Pty Ltd’s website. We may amend this Privacy Policy from time to time. The current version will be posted on our website and a copy may be obtained by contacting us at info@pleme.app 

    1. Breaches of Policy

If you want to report a suspected breach of your privacy or you do not agree with a decision regarding access to your personal information, please contact us. We have an internal complaints process to address such issues and will promptly acknowledge and investigate complaints. 

Any enquires or complaints can be made direct to Pleme Pty Ltd’s information department outlined in section 2.1. 

We expect our procedures will deal fairly and promptly with your complaint. 

    1. Data Breaches

Pleme must notify data breaches as set out below. 

A data breach occurs when personal information held by Pleme is lost or subjected to unauthorised access or disclosure. 

Examples of a data breach include when:

  • a device containing customers’ personal information is lost or stolen, or

  • a database containing personal information is hacked, or

  • personal information is mistakenly provided to the wrong person.

Not all data breaches are notifiable. 

A notifiable data breach or eligible data breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. 

If Pleme has reasonable grounds to believe an eligible data breach may have occurred: 

  • legal advice must be obtained; and

  • Pleme must promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals – follow the Eligible Data Breach Statement Requirement Section below.

Pleme will also immediately:

  • Alert all Directors.

  • Immediately contact our firewall provider to attempt to block a repeat breach and identify the extent of data accessed.

  • Alert internal users of those Pleme systems affected and require passwords be reset.

  • Action any other remedial action that will reduce or stop the risk of serious harm, for example, freezing accounts, remote wiping of devices and having accidental recipients delete or return data.

If Pleme has reasonable grounds to suspect an eligible data breach may have occurred, the notification obligation does not immediately arise and:

  • Legal advice must be obtained.

  • Pleme will undertake a reasonable and expeditious assessment into the relevant circumstances within a maximum of 30 days. Where compliance with the 30 day limit is not possible, must document the reasons for the delay in a manner which demonstrates that we have taken all reasonable steps to complete the assessment within 30 days.

  • Pleme will lead the assessment and determine the investigative steps to be taken.

  • The assessment process and its outcome will be documented so as to assist in any future review of the steps taken. This will be particularly important if the outcome of the assessment is that no "eligible data breach" has occurred.

  • If the assessment finds that an eligible data breach may have occurred we must promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals – follow the Eligible Data Breach Statement Requirements Section below.

Eligible Data Breach Statement Requirements 

Pleme’s notification Statement must include:

  • Pleme’s contact details;

  • a description of the data breach;

  • the kinds of information concerned; and

  • recommendations about the steps individuals should take in response to the data breach.

Identifying Breaches 

Pleme does not employ software to interrogate whether a breach has occurred, but instead relies on the Pleme “firewall” and also that the systems where this information is held require individual login to mitigate risk. A breach is likely to be identified by our firewall provider, or when it enters the public arena. Pleme will continue to monitor whether a more systematic way to identify breaches is possible. 

Pleme has an internal Privacy awareness on-line training course available to all staff. In addition training on identifying and notifying data breaches will take place.