CFS Group Pty Ltd Privacy Policy

V1.0 – 26 April 2021

1. About Us

   1. This Privacy Policy describes how CFS Group Pty Ltd ABN 64 659 918 000 of 411/11 Solent Circuit, Norwest NSW 2153 Australia (we, us, our) manages personal information. It was last updated on 26 April 2021. We may amend this Privacy Policy from time to time.

      
      

   2. We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (APP(s)). If we decide to change this Privacy Policy, we will post the updated version on this webpage. Our policy is to be open and transparent about our privacy practices. We encourage our customers to familiarise themselves with this Privacy Policy to understand how and when we collect, hold, use, transfer, sell, disclose and otherwise process personal information about them.

      
      

   3. This Privacy Policy governs personal information that we collect during the course of operating our business and when we provide services through our platforms and our websites. We own and operate the following platforms to advertise our services and through which our customers may access our services as follows:

      • our motor vehicle dealer management software platform, Virtual Yard, located at https:// virtualyard.com/ that is accessible using a web browser and our smartphone or tablet application for motor vehicle dealers. Virtual Yard provides motor vehicle dealers with vehicle stock management functionality such as sales, lead management, vehicle history checks, social media posting, website development and hosting, photo editing, invoicing, vehicle leasing record-keeping, payment and advertisement functionality (Virtual Yard Platform);

        
        

      • all websites created by our customers using the Virtual Yard Platform (Subscriber Dealer Website(s));

        
        

      • our motor vehicle dealer relationship software, Dealer Central, located at https:// dealercentral.com.au that connects motor vehicle dealers with each other (Dealer Central);

        
        

      • our motor vehicle dealer data distribution service, Advertising Partnership, located at https:// virtualyard.com/australia/advertising-partners that enables motor vehicle dealers to access dealership data and vehicle management data (Advertising Partnership);

        
        

      • our Application Programming Interface (API), located at https://virtualyard.com/api/ that enables you or your authorised third parties to access dealership data and vehicle data;

        
        

      • our vehicle search engine, cars.auto, located at https://cars.auto/ that enables users to search for vehicles that are advertised for sale on Subscriber Dealer Websites and third party motor dealer websites (Cars.auto);

        
        

      • our vehicle classifieds site, carsforsale.com.au, located at https://carsforsale.com.au/ that enables users to search for vehicles that are advertised for sale on the carsforsale.com.au platform; and

        
        

      • any smartphone apps that we release for use in connection with all or any of the above software, platforms, websites, services, search engines, classified sites and APIs,

        
        

        (each, a Platform and together, our Platforms).

        
        

2. The types of personal information we collect and hold

   1. We collect the following types of personal information:

      
      

      Customers of our Platforms: The types of personal information collected from our customers are limited to first and last names, email and postal addresses, phone numbers and other contact information, vehicle specifications, vehicle transaction information, vehicle registration numbers, vehicle identification numbers, encumbrances, vehicle sale prices, vehicle records, usage and ownership information, social media account details, insurance information, images and videos of vehicles, vehicle model and licence numbers, dealer information, PPSR information, bank account details, billing information, credit card details and any other information that you provide to us in order for us to supply you with the services that we make available via our Platforms. Credit card details are not stored by us and are held by our third party payment gateway providers.

      Vehicle owner and potential purchasers of vehicles for sale or rent: The types of personal information collected about third parties may include first and last names, email and postal addresses, contact details, drivers licence information, vehicle model and licence numbers, vehicle registration, usage and ownership specifications, phone numbers and other contact information, insurance information and other vehicle ownership information.

      
      

      Information required for the support, maintenance and security of our Platforms: In order to support and maintain our Platforms and each part thereof, we collect and process user information including IP addresses, email addresses, network information, user access logs, usernames, passwords, statistical data and information included by our customers in technical support tickets, telephone calls to our support team and error messages. We also collect the DNS location of any inbound traffic to ensure that inbound traffic from locations that should not be accessing our Platforms are restricted.

3. How we collect personal information

   1. Our policy is to not collect personal information by means that are unfair or unreasonably intrusive in the circumstances.

      
      

   2. We collect personal information about our customers in one or more of the following ways:

      
      

      1. when our customers enter personal information into our Platforms;

         
         

      2. when our customers provide personal information to us by letter, telephone, email and/or SMS;

         
         

      3. when we conduct public searches via Google, Facebook and other social networks to determine the identity of our customers; and/or

         
         

      4. when it is voluntarily disclosed to us during our provision of technical support or to answer any enquiries and/or in correspondence (such as via telephone, surveys, e-mail and online forms or support tickets).

4. How we use personal information

   1. We use personal information in the following ways:

      
      

      Category

      How we use and process that personal information

      Our reason for collecting the personal information

      
      

      [2]

      Personal information about our customers	• As required to provide our Platform to our customers. • In order to store personal information in databases and systems in our hosting environments at third party data centres. • To support and manage our customers’ use of our Platforms. • Backing up and restoring data that includes personal information. • When conducting research and development of our Platforms. • To communicate with existing and potential customers about the use of our Platforms and to market new services and products to them. • To handle complaints. • To send newsletters and other communications to our customers concerning our Platforms. • To carry out security audits, investigate security incidents and implement security processes and procedures that require access to personal information. • To issue bills and invoices to our customers and to enforce the payment obligations of our customers to pay our fees. • To commercialise and sell personal information to third parties in our absolute discretion as part of our Advertising Partnership service. • When providing it to potential or actual third parties who acquire or we sell part or all of our business(es) or business assets to.	• Performance of our contracts with our customers. • Required to identify customers and to identify persons who wish to exercise their rights under privacy law to access, correct their personal information or to exercise their other rights with respect to their personal information. • Necessary for our legitimate interests (in order to operate and grow our business, to allow our customers to operate our Platforms, to enable us to operate our IT systems and networks, to manage our hosting environments and to ensure the successful delivery of our Platforms). • To comply with our legal and statutory obligations. • Required in order to determine which privacy law applies to the individual. • Necessary for our internal business purposes such as for billing and invoicing purposes. • We sell personal information for a profit. At the time of applying to become our customer, customers are required to complete our Collection Notice under which they consent to our sale of their personal information. • Necessary when we are selling our business(es) or parts thereof or our business assets (or parts thereof).
      Personal information about third parties (such as buyers and sellers of each vehicle transaction)	• To provide and support the functionality of our Platforms to our customers. • To remove personal information upon a request from a data subject. • To commercialise and sell personal information to third parties as part of our Advertising Partnership service.	• Performance of our contracts with our customers. • We sell personal information for a profit. At the time of applying to become our customer, customers are required to complete our Collection Notice under which they consent to our sale of their personal information.

      
      

   2. How Google uses data when you use our partners' sites or apps: https://policies.google.com/technologies/partner-sites

5. Cookie Information

   [3]

   1. We may collect information using “cookies” and other similar technologies. Cookies are small packets of data that our Platforms stores on your computers’ or mobile devices’ hard drive (or other storage medium that you use to browse our Platforms so that your computer will “remember” information about your use. We use both 1st and 3rd-party session cookies and persistent cookies as follows:

      
      

      1. Session Cookies: We use session cookies to make it easier for you to navigate our Platforms. A session ID cookie expires when you close our Platform.

         
         

      2. Persistent Cookies: A persistent cookie remains on your device for an extended period of time or until you delete them. You can remove persistent cookies by following directions provided in your web browser’s “help” file. To the extent we provide a log-in portal or related feature on our Platforms, persistent cookies can be used to store your passwords so that you don’t have to enter it more than once. Persistent cookies also enable us to track and target the interests of our visitors to personalise the experience on our Platforms.

      3. We utilise Google products and services which are subject to the Google Privacy Policy and Google Maps/Google Earth Additional Terms of Service

      
      

   2. If you do not want us to place a cookie on your electronic device or computer, you may be able to turn that feature off on your electronic device or computer. Please consult your browser’s documentation for information on how to do this and how to delete persistent cookies. However, if you decide not to accept cookies from us, certain aspects of our Platforms may not function properly or as intended.

6. Analytics data

   1. We also collect information about our customers through their use of our Platforms, known as analytics data. Such analytics data includes IP information, information about devices accessing our Platforms, the amount of time our customers spend on our Platforms and in which parts of it, and the path navigated through it. However, all such information is de-identified data and is not collected in a form that could reasonably be expected to identify an individual.

      
      

   2. In any event, we only use analytics data to help us review, enhance, market and/or improve our Platforms (for statistical, marketing or research purposes).

7. How we hold and secure personal information

   1. We hold and store personal information that we collect in our offices, computer systems and third party owned and operated hosting facilities, in particular personal information is stored at:

      
      

      1. hosting facilities operated by reputable hosting providers;

         
         

      2. company servers or those of our cloud-based email providers which have restricted access security protocols;

         
         

      3. third party owned cloud-based customer relationship management and marketing providers; and

         
         

      4. computers and other electronic devices at our offices and at the premises of our personnel.

      
      

   2. We take reasonable steps to protect personal information that we hold using such technical and organisational security measures as are reasonable in the circumstances to take against loss, unauthorised access, modification and disclosure and other misuse. Such measures ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed by us.

      
      

   3. We implement the following technical and organisational security measures in our organisation:

      
      

      1. we only use reputable hosting providers to host personal information;

         
         

      2. passwords and access control procedures in our computer systems;

         [4]

      3. encryption for data transmitted via our Platforms both in transit and at rest;

         
         

      4. disaster recovery procedures;

         
         

      5. managing and logging security incidents;

         
         

      6. electronic (e-security) measures for the purposes of securing personal information such as installing antivirus management and email phishing software on emails and applicable company computer software, devices and systems;

         
         

      7. physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms to ensure the security of information systems (electronic or otherwise).

8. Offshore Disclosure

   1. We will transfer your personal information to our contractors and service providers who assist us with the supply and provision of our Platforms to you, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance. We will transfer your personal information to our hosting provider in Sydney and our offshore contractors and service providers located outside of Australia. Our offshore contractors and service providers are currently located in United States of America.

9. Who we disclose personal information to

   1. We only disclose personal information that we collect to third parties as follows:

      1. where we license or sell personal information to other individuals when they subscribe to our Advertising Partnership service in exchange for a fee;

         
         

      2. to software developers, payment gateway providers and insurers who we need to contact in order to operate our Platforms and in accordance with our contractual rights;

         
         

      3. to reputable hosting providers and backup hosting providers who host databases that we use to provide our Platforms;

         
         

      4. our employees, officers, agents and/or suppliers. We ensure that all such personnel and suppliers that we engage are aware of their information security responsibilities and have entered into agreements requiring them to comply with privacy and confidentiality obligations that apply to personal information that we provide to them;

      5. to marketing companies who carry out direct marketing phone calls and send emails on our behalf to generate business for us. All individuals will be given the opportunity to ‘opt out’ of any direct marketing calls or emails;

         
         

      6. when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;

         
         

      7. where we undergo a merger, corporate restructure or acquisition;

         
         

      8. where a person provides written consent to the disclosure of their personal information;

         
         

      9. where it is brought to our attention that specific personal information needs to be disclosed to protect the safety or vital interests of any person;

         
         

         [5]

      10. if we are contacted by any person who represents to us that they are our customer, for security purposes, we will only discuss the personal information that we hold about them with them if they identify themselves accurately and truthfully;

          
          

      11. to governmental authorities, bodies and/or regulators for the enforcement of a law imposing a pecuniary penalty and/or to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences;

          
          

      12. to any court or tribunal for the conduct of proceedings (being proceedings that have been commenced or are reasonably in contemplation); and/or

          
          

      13. where required by law.

      
      

10. Third party websites

    1. We may send out tokenised emails and/or SMS links using our websites when you register an account with us and as a potential or actual customer of our Platforms and our websites, emails and/or SMS (whether delivered by us and/or our contractors) may also include other links to third party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third party website operator complies with applicable data protection and privacy laws. You should consider the privacy policies of any relevant third party website prior to sending personal information to them. Our customers should contact us in the first instance, if they have any enquiries about any links on our Platforms.

    2. You may interact with social media platforms via social media widgets and tools such as the Facebook Like button and the Facebook pixel that may be installed on our website or integrated via notifications on our Platforms. These widgets and tools may collect your IP address and other personal information. Your interaction with such widgets and tools, and any single sign-on services is governed by the privacy policies of the relevant social media operators and single sign-on service providers – please read them so that you are aware of how they process your personal information.

11. Interacting with us without disclosing personal information

    1. If you do not provide us with your personal information, you can only have limited interaction with us. For example, you can browse our website without providing us with personal information, such as the pages that generally describe our Platforms that we make available, and our Contact Us pages. However, when you submit a form on our website or become a customer registered with an account on any of our Platforms, we need to collect personal information from you in order to identify who you are, so that we can provide you with our Platforms, and for the other purposes described in this Privacy Policy. It is not practical for us to provide you with access and/or use of our Platforms (or any part thereof) if you refuse to provide us with personal information.

12. How to access and correct personal information held by us

    1. We rely on our customers to ensure that all personal information collected from them and held by us is accurate, up to date, complete, relevant and not misleading. Customers who wish to access, update, modify and/or correct the personal information held by us about them should contact our Privacy Officer below.

    2. We will handle all requests for access to personal information in accordance with our statutory obligations. We may require payment of a reasonable fee for a copy of your personal information by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law. We will not charge you for the making of any such request and we will endeavour to provide a response to any request for access within 72 hours from the time a request is made.

       
       

       [6]

13. Our contact details

    1. Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or make a privacy complaint, may contact our Privacy Officer using our contact details set out on the applicable Platform.

    2. We will use our best endeavours to resolve any privacy complaint with the complainant within a reasonable time frame given the circumstances. This may include working with the complainant on a collaborative basis and resolving the complaint.

    3. If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the APPs, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:

Telephone: 1300 363 992 Email: enquiries@oaic.gov.au

Address: GPO Box 5218, Sydney NSW 2001

[7]