This policy outlines the way we at Lah-Lah Productions (ABN 82 166 345 848) collect, hold, use and disclose personal information. We may collect personal information of adult and child clients.
WHAT PERSONAL INFORMATION WE COLLECT & HOW AND WHY WE COLLECT IT
What personal information do we collect?
The personal information we collect is generally limited to:
your name and contact details;
your educational institution details;
credit or direct debit details; and
any communications we have.
However, we may also collect information about how you use our website, via third parties.
Children under 13 and COPPA
In accordance with the US Children’s Online Privacy Protection Act (“COPPA”) we do not knowingly request or solicit any personal information from anyone under the age of 13 without verifiable parental consent. Where this information is collected by oversight, and without any parental consent, we will delete such information as soon as possible. We may request proof of age at any stage to ensure we can verify that minors are not using our website.
US Educational institutions
In the event that our website is used by an educational institution that is subject to the provisions of the Family Educational Rights and Privacy Act 1974 (FERPA), the educational institution appoints us as a “school official” as that term is used in FERPA, and determines that we have a “legitimate educational interest,” for providing the Stripy Sock Club Online Services, including all videos, worksheets, and documents, including any sheet music, and pdf activities (“Services”).
We agree to be bound by all relevant provisions of FERPA, and agree that personally identifiable student information as defined in FERPA will remain under the “direct control” of the educational institution, will be used only to provide the Services to the student, and will only be disclosed to third parties as necessary to provide the Services.
In the event that students under the age of 13 are authorized by their educational institution to create an account and submit personal information as defined in COPPA, the educational institution shall be responsible for obtaining verifiable parental consent prior to making the Service available to such students.
How do we collect your personal information?
The main way we collect information is when you give it to us, for example, via our website sign up or other forms, via phone, email, when you submit comments or feedback or via social media. However, we may also collect personal information from a parent or guardian.
Why do we collect your personal information?
We need your personal information to:
communicate with you in relation to your enquiry;
send you news if you have signed up (you can unsubscribe at any time);
conduct our business, and enable your use of our website, products and services; and
in some cases, comply with our legal obligations, such as record keeping (currently the law requires us to keep adult records for 7 years and children's records until they turn 25 years of age).
We also collect personal information to analyse and enhance our business operations and improve your experience with our business. This is used as statistical information to analyse traffic to our website, and to customise content and advertising we provide.
You can opt out of the collection and use of this information by changing your privacy settings or opting out. To opt out of Google collection, you can go here: https://tools.google.com/dlpage/gaoptout
To change your Facebook ad preferences you can go here: https://www.facebook.com/adpreferences/advertisers
WHEN WE DISCLOSE PERSONAL INFORMATION & HOW YOU CAN ACCESS IT
When do we disclose your personal information?
We will take reasonable precautions to protect your personal information, including against loss, unauthorised access, disclosure, misuse or modification. It is kept securely and accessible only to authorised personnel. Information is kept in accordance with our legal record keeping obligations and then destroyed appropriately. We generally will not disclose your personal information unless:
it is required or authorised by law*; or
it is reasonably necessary for one of the purposes for which we collect it.
* This can include where we are of the reasonable belief that there is a serious risk to life, health or safety of you or another person. For example, if there is evidence of clear danger of harm to self and/or others, we may be legally required to report this information to the authorities responsible for ensuring safety. This includes if there is a strong suspicion of physical, sexual or emotional abuse, or neglect or exposure to family violence of any person under 18 years of age. A court order could also require us to release information contained in records.
However, we do disclose your personal information where it is necessary to obtain third party services, such as analytics, data storage, payment service providers or marketing and advertising services. To protect your personal information we endeavour to ensure that our third party service providers also comply with the Australian Privacy Principles, but some third parties we use may collect, hold and process personal information overseas. You can opt out of the collection and use of this information by changing your privacy settings or opting out.
How can you access or delete your information?
If you want access to your information to correct it or have it deleted, please email us at firstname.lastname@example.org. Except where we are permitted or required by law to withhold it, we will help you. If you consider that we have breached any privacy laws please also email us at email@example.com. You can make a complaint with the Office of the Australian Information Commissioner by phone on 1300 363 992, online at http://www.oaic.gov.au/privacy/making-a-privacy-complaint or by post to: Office of the Australian Information Commissioner, GPO Box 5218, Sydney, NSW 2001.
ADDITIONAL PROVISIONS FOR EUROPEAN CITIZENS
If you are a resident of the European Economic Area (“EEA”) you have certain rights and protections under the GDPR regarding the processing of your personal information. We are a controller under the GDPR as we collect, use and store your personal information to enable us to provide you with our website services and information about them.
We rely on the following lawful means of processing your personal information:
where you have given us valid express consent to use your personal information we will rely on that consent, and only use the personal or sensitive information for the specific purpose for which you have given consent;
where we need to comply with the law, or to act in an emergency, we will rely on that lawful means of processing your personal information.
If you are an EEA resident, you have various rights including the right to be informed; right of access; right to rectification; right to object; right to restriction of processing; right to erasure or to be forgotten; right to data portability; and right not to be subject to automated processing. If you want to access personal information we hold about you, or ask that the information be corrected, please contact us at firstname.lastname@example.org. In some circumstances, you also have a right to object to or ask that we restrict certain processing activities or delete your personal information. If you would like to limit or request deletion of your personal information or exercise any other rights you can do so by contacting us. You can withdraw your consent to our collection or processing of your personal information. You can do so by contacting us at email@example.com or by opting out of email newsletter communications by following the instructions in those emails or by clicking unsubscribe. If you withdraw your consent to the use of your personal information, you may not have access to our services, and we might not be able to provide you with our services. In some circumstances where we have a legal basis to do so we may continue to process your information after you have withdrawn consent, for example if it is necessary to comply with an independent legal obligation or if it is necessary to do so to protect our legitimate interest in keeping our services secure.
All personal information stored on our website platform is treated as confidential. It is stored securely and is accessed by authorized personnel only. Our collection is limited in relation to what is necessary, for the purpose for which the personal information is processed, and kept only for so long as is necessary for the purpose for which the personal information was collected. We implement and maintain appropriate technical, security and organisational measures to protect personal information against unauthorized or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure. We ensure the encryption and pseudonymisation of personal information and we have adequate cyber security measures in place. By providing us with your personal information you consent to us disclosing it to third parties who reside outside the EEA countries. We will ensure that those third parties are GDPR compliant.