Effective: 25 May 2018 for EU citizens & 10 June 2018 for non-EU citizens.
New modifications effective 15 August 2019: References to ‘Group Edition’, ‘Community Edition’ and ‘Student Record’.
Your privacy is important, so whether you are new to CareMonkey or a long-term user, please take the time to get to know our practices – and if you have any questions contact us.
We’ve tried to keep this policy as simple as possible, but if you are not familiar with terms like cookies, IP addresses, pixel tags and browsers, then read about these in our Definitions first.
In short, CareMonkey will NEVER share or rent your data to anyone without your consent.
Information we collect
Personal Information collected from Users:
Our Services may be used to collect the following information, which is added and controlled by the User:
- Health Information. Our Services may collect information for an Individual’s Care Profile, which may be shared with an Organisation as a Medical Form. This may include emergency contacts, medical conditions & disabilities, medical action plans (e.g. asthma or allergy action plan), medications, and other information about an individual defined as “health information”. CareMonkey may be used to collect “health information” on behalf of the User, or another individual that the User is responsible for (e.g. their child).
- Personal Information. Our Services may collect personal details such as an individual’s name, location, date of birth, nationality, family details and other information defined as “Personal Information” that allows identification of the individual;
- Contact Information. Our Services may collect information such as an individual’s email address, telephone & fax number, usernames, address (residential, business and postal), and other information that allows us to contact the individual;
- Other Information requested by Organisations. Our Services may collect information via eForms that are designed by the Organisation (Customer).
- Other Information added by Users. Our Services may collect any additional information a User chooses to add into CareMonkey.
- User Correspondence. We may collect any personal correspondence that an individual sends us, or that is sent to us by others (e.g. Users, Customers, business partners, suppliers) about the individual’s activities.
- Financial Information. Our Services can be used to collect consent and/or payments. CareMonkey uses a Third-Party payment gateway to process payments (e.g. Stripe). If a User chooses to make a payment in CareMonkey, they can securely store their Credit Card and contact details in that Third-Party payment gateway for future transactions. CareMonkey Services do not collect or store any Credit Card information.
Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a client) we will either delete/destroy the information, or inform the individual that we hold such information.
Information automatically collected about Users:
- Non-Personal Information. We collect information on how you interact with our Services, such as the IP address from which you access the Services, date and time, information about your browser, operating system and computer or device, pages viewed and items clicked. We may also collect location information, including location information automatically provided by your computer or device.
Information collected from Organisations
- CareMonkey Account Information. The Service may collect information about a Customer (“Organisation”) account including organisation name, logo, organisation contact information including address (physical and website URL), and Super-Admin contact information (including name and email address).
- Financial Information. The Service may collect financial information in order to provide a Customer our Services.
- Member Request Information. The Service requires basic information about Members (e.g. students and/or staff) in order for the Organisation to send and request information. This includes the Member’s name and email address(es) of the User who is responsible for that Member.
- Additional Member Information. Organisations can add additional optional information about Members including secondary email address, mobile number, Profile ID (e.g. Student ID, Club Member ID, Employee ID), manual tags, notes and injury reports.
- Groups and eForms. The Service collects and stores any information and settings about Groups and eForms, including Members and communications sent (emails, SMS and push notifications).
- Authorised Supervisors. The Service logs when staff are given Authorised Supervisor access, including which groups, how long for, and if they logged in and accessed any Member records.
- Information sent to us in regards to an Organisation. We may collect any correspondence related to an Organisation from Individuals.
Information automatically collected about Organisations
- Usage Information. We collect usage information in regards to any Admin or Authorised Supervisor activity related to our Services, such as the IP address from which you access the Services, date and time, information about your browser, operating system and computer or device, pages viewed and items clicked. We may also collect location information, including location information automatically provided by your computer or device. We also log all information about Groups and eForms, including Members, responses, changes, and communications (email, SMS & push notifications).
How we use information we collect
When personal information is used and disclosed:
One of CareMonkey’s core purposes is to help our Customers (Organisations such as schools, clubs, businesses) deliver on their duty of care obligations. Customers do this by using the Services to collect Members’ Personal Information such as emergency contacts, medical conditions, emergency action plans, and consent. The Organisation’s Admins can then make this information available to Authorised Supervisors for the purpose of ensuring they know exactly what to do, who to call, and what to tell paramedics in an emergency (including secure offline access via the Mobile App).
- We will never use Personal Information collected in our Services for any purposes other than making the information available to an authorised Organisation’s Admins and/or Authorised Supervisors, or other Individuals authorised by the User.
- We will never use the Personal Information for any marketing or commercial purposes, and we will maintain all Health Information in the strictest confidence.
- We will not disclose or sell Personal Information to unrelated third parties under any circumstances.
In general, the primary principle is that we will not use any Personal Information other than for the purpose for which it was collected, and with consent from the User. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
Our Services will retain Personal Information until the User and/or Customer (Organisation) deems it no longer necessary to be kept. CareMonkey does not automatically delete Personal Information added to Care Profiles by Users, because CareMonkey Care Profiles are fully User controlled. In Community Edition, Users can choose to share Personal Information in CareMonkey with other Users/Organisations, revoke access to live Care Profiles, and permanently delete their account at any time. If the User shared any eForm response with an Organisation (e.g. Medical form, consent form), the shared eForm response is then controlled by the Organisation. It is the responsibility of the Organisation to delete Personal Information if it is no longer required for compliance or legal reasons.
Other ways we use personal information:
- To provide, maintain and improve our Services, which may include:
- The provision of goods and services;
- Verifying an individual’s identity;
- Communications between Users, Organisations and CareMonkey (including email, phone and Live Chat from the Website or Mobile App);
- Analysing trends, administering or optimising the Services, monitoring usage or traffic patterns (including to track users’ movements around the Services);
- Investigating complaints about or made by an individual.
- Basic account data will be visible to the CareMonkey support team in any location. This includes User/account holder name and email address.
- Circumstances in which we must disclose an individual’s Personal Information.
- If we have reason to suspect that a User is in breach of any Terms of Services, or we have reason to suspect a User has been otherwise engaged in any fraudulent, deceptive or unlawful activity (in which case we may be required to disclose that information to a governmental authority); and/or
- As required or permitted by any law.
- In order to sell our business (in that we may need to transfer Personal Information to a new owner). In this case, we will ensure that the new owner has privacy policies consistent with this policy.
- Our Services do not use third-party products to send profile requests and eForms requests to Users.
- The Company does use other third-party systems to run our business and communicate with Users, Customers and Prospects. We ensure any third-party products do not store any private medical information in any system outside CareMonkey. These service providers may be located in the United States of America, and include:
- Zoho – CareMonkey integrates with Zoho to support Users with Live Chat.
- Customer Relationship Management (CRM) – To manage our leads and customer database (separate to User data).
- Marketing Automation Platform – To send marketing promotions.
- Accounting Software – To process account payments.
- Google Analytics – To analyse web traffic.
- Google Cloud Translation – To perform language translations.
- Email – To send or reply to emails from a User, Customer or Prospect.
- The emails we send (like most emails) are sent encrypted; however, they are stored on third-party systems (e.g. email clients such as Gmail/Outlook) as clear text. For this reason, emails we send never contain any confidential information such as medical information or contact details.
User must be a legal adult
As part of our Terms of Service, children under legal age are not allowed to be Users of CareMonkey. CareMonkey is designed for Adult Users to share electronic medical and consent forms with other Organisations on behalf of themselves, or for Individuals they are responsible for (e.g. their child).
A User can only input information on behalf of other adults if they have that Individual’s recorded consent.
Privacy by Default
CareMonkey sets default privacy settings to the highest level. This means that no other User or Organisation can see any information the Users add into CareMonkey until the User chooses to share it.
Transparency and Choice
People have different privacy concerns. Our goal is to be clear about what information the Service collects, so that you can make meaningful choices about how it is used. For example, Users can control:
- Sharing of Personal Information. Community Edition Users must deliberately Share a Care Profile, or submit an eForm response to an Organisation before that Organisation can see any information.
- View, add and edit. CareMonkey Community Edition is designed to make Users responsible for adding, sharing and updating personal information and active eForm responses. Users may see and edit what current User information is stored in the Care Profile, and see which organisations have access to their CareMonkey Care Profile. CareMonkey Group Edition is designed to make the Organisation and/or Parent/Guardian Users responsible for adding, sharing and updating personal information and active eForm responses. The Organisation controls access to the Student Record.
- Revoke access. At any time, Community Edition Users can revoke Organisation (or another User) access to a current Care Profile.
- Data portability. Users can export personal data stored in CareMonkey in an open standard electronic format (JSON). This includes ‘observed’ data such as Recent Logins, and Registered Devices. Users can also transfer control of Care Profile information to other CareMonkey Users (e.g. transfer control of their child’s Care Profile to another parent/guardian, or to the child once they become a legal adult).
- Permanently delete account. Users can permanently delete their CareMonkey Account (including all Care Profile information) at any time.
- If a User has completed an eForm response for an Organisation, that eForm response is controlled by the Organisation (for example, if a parent completes a consent form for their child to attend an excursion, that consent form and a snapshot of the Care Profile at the time of consent is stored by CareMonkey on behalf of the Organisation).
- If a User chooses to permanently delete their account, CareMonkey will make the User aware of which Organisations have stored shared information, and provide contact details of the Organisation for the User to direct requests for erasure.
- Users have the right to erasure (right to ask an Organisation to delete personal information), and the Organisation has the right to refuse if that personal data is required to comply with legal obligations of an official authority, or if the data is necessary for the exercise of legal claims.
- If the Organisation has no grounds to refuse a request to erasure, they must comply without undue delay, and CareMonkey provides the tools for the Organisation to permanently delete the information about the Member.
- Blocking Cookies. Users may also set their browser to block all cookies, including cookies associated with our Services, or to indicate when a cookie is being set by us (see Cookies Policy). However, it is important to remember that many of our Services may not function properly if cookies are disabled. For example, the Services require a Cookie to securely login a User on a registered device.
- Opt-Outs. Users can “opt-out” of having personal information used for certain purposes. If you opt-out, we may not be able to provide certain features (see section “Opting “IN” or “OUT””).
Opting “IN” or “OUT”
- The Services to store any Personal Information the User chooses to add to their account;
- The Services to send them communications on behalf of an Organisation;
- The Services to send them important notices, such as changes to our terms, conditions and policies. Because this information is important to the individual’s interaction with us, Users may not opt out of receiving these communications if they wish to continue using the Services.
If an individual has set-up a CareMonkey Account and wants to Opt Out, they can do so by permanently deleting their account.
If an individual has never set-up a CareMonkey Account and wants to Opt Out of communications from a related Organisation, they can do so by contacting that Organisation, and asking to be excluded. If that is unsuccessful, they should contact us on the details below to action their request.
If an Individual wishes to unsubscribe from any CareMonkey marketing updates (e.g. new feature updates, webinar invites, etc.), they can do so by using the Unsubscribe link in the email, or by visiting https://www.caremonkey.com/unsubscribe.
Security and Safety of Personal Information
The security of your personal information is important to us. We maintain a variety of appropriate technical and organisational safeguards to protect your personal information. We limit access to Personal Information about you to employees who we believe reasonably need to come into contact with that information to provide Services to you or in order to do their jobs. Further, we have implemented physical, electronic and procedural safeguards designed to protect personal information about you. For more information see our Security Practices.
CareMonkey uses SSL encryption to store and transfer Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept liability for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.
We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.
We are not liable for any loss, damage or claim arising out of another User/Organisation’s use of the Personal Information where the User authorised sharing of that Personal Information to that User/Organisation.
Data Breach Policy
If an individual suspects any misuse or loss of, or unauthorised access to their Personal Information, they should let us know immediately (Contact Us details below).
If we become aware of any unauthorised access to an individual’s Personal Information, we will inform the User and/or Customer at the earliest opportunity as per our Data Breach Policy.
Compliance and cooperation with regulatory authorities
When we receive formal written complaints, we will contact the person who made the complaint to follow up. We will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our Users directly.
Complaints and Disputes
If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the contact details below. If there is a dispute regarding Personal Information, both parties must first attempt to resolve the issue directly between each other.
If we become aware of any unauthorised access to an Individual’s Personal Information, we will inform the User and/or Customer at the earliest opportunity once we have established what was accessed and how it was accessed.
In the event that you are not satisfied with our handling of your complaint, you can refer the complaint to your relevant local authority (e.g. Australian Privacy Commissioner, UK’s Information Commissioner’s Office (ICO)).
Changes to Policy
All correspondence with regards to privacy and security should be addressed to:
The Data Protection Officer
CareMonkey Pty Ltd
25 Gwynne Street
Cremorne VIC 3121
You may contact the Data Protection Officer by email in the first instance.