Privacy Policy

This privacy policy ("Privacy Policy") applies to Raconteur Operations Pty Ltd and our related entities (“Raconteur”, “us”, “we” and “our”) and details our commitment to protecting the privacy of our customers and users.

This Privacy Policy describes how and why we collect Personal Information about you, how we use, manage, store, and disclose that information, and how you can exercise your privacy rights. This Privacy Policy also outlines how you can contact us to access and update your Personal Information and/or how you can raise any privacy concerns.

Capitalised terms that are not defined in this Privacy Policy have the meaning given to them in our Terms of Service. We recommend that you read this Privacy Policy in full to ensure you are fully informed.

Terms used in our Privacy Policy

“Services” refers to any of the products and services we may provide to you.

When referenced in this Privacy Policy, “Personal Information” means any information or data that identifies you, or that could reasonably be used (for instance, in combination with other data) to identify you directly or indirectly, including by reference to identifiers such as names, identification numbers, location data, and/or online identifiers. Personal Information can include information you provide to us (for example, through our Sites and your use of the Services), publicly available information, and/or information we collect from other sources as described in this Privacy Policy.

Updates to our Privacy Policy

We may update this Privacy Policy from time to time by posting a new version on any of our Sites. Where there are material changes to the Privacy Policy, we will use reasonable endeavours to notify you by email or in-application notification.

If you do not agree with its terms or any of the changes we make, you should either cease using the Services or exercise whatever rights you may have, as described in this Privacy Policy, to opt out of how we use your Personal Information.

Why do we collect your Personal Information?

We collect your Personal Information to supply you with the Services and to further improve, enhance and secure our Services. We may also use your Personal Information to:

• perform and administer the Services;

• understand the way you use the Services for the purposes of improving the Services;

• improve your experience when using the Services, including by personalising the Services, developing new products or features, or otherwise learning about your level of satisfaction;

• to address and reply to requests for customer support;

• facilitate the predictive functionality and the provision of recommendations, comments and prompts forming part of the Services;

• to process transactions;

• identify, remedy and prevent any technical or security issues affecting the Services;

• send you information by email, mail or other channels;

• send you marketing communications, offers and opportunities relating to us;

• enforce our Agreement with you;

• perform any other functions described in our terms and conditions or this Privacy Policy.

If you do not consent to providing us with Personal Information, you might not be able to use the Services or otherwise create an account with Raconteur. Additionally, the functionality or usability of the Services may be impacted, and/or we may not be able to communicate with you about the Services.

What Personal Information do we collect?

The Personal Information we may collect includes information that you provide voluntarily to us, information that we collect automatically and information that we obtain from third party sources. This may include, but is not limited to:

• your contact details, including your name, mailing and email addresses, and phone numbers;

• any usernames you may hold, job title(s), company name, photographs, and any additional information connected with a profile or Account that you create or that is created for you;

• your billing information, including your payment details and billing address;

• preferences about the way you would like us to communicate with you, including in respect of marketing communications;

• information about the way you access and use the Services, your interactions with other users, and your use of features, links and third-party integrations;

• information about the device on which you are using the Services, including the device type and settings, operating system, device identifiers, application IDs, and crash information. We may use your Wi-Fi and IP address from your device or browser to ascertain your general location, but we will only collect GPS location data from your mobile device with your consent;

• analytics information collected when you use the Services, or information that we generate or derive, including through queries we run in respect of use of the services and content contained in the services. This data, which could incorporate Personal Information, may include the username and IP address of the person using the Services, the parts of the Services being accessed and used, any relevant domain names and identifiers, and data about attachments (including their original filenames and sizes). We may also collect aggregated analytics data about the use of the Services, which will not contain Personal Information;

• information about third-party services you integrate when using the Services. We will connect any such services to the Services, and we may receive information about your account (including Personal Information) from the third-party service provider. We will not collect or hold your passwords for any third-party services; and

• information about our user base and the performance of marketing campaigns. This might include Personal Information and/or aggregated information that does not identify individuals.

We may also process Personal Information incorporated in the content that users create, provide, post, host, upload, store, communicate or display when you use the Services (“User Content”). Any processing of Personal Information is required to provide the Services. Where we process Personal Information in the User Content, we do so on behalf of our customers and users and it is their responsibility to have lawful grounds to use or collect that Personal Information. We will not be responsible for obtaining consent for the use of any sensitive information that is incorporated in any User Content.

How do we collect Personal Information?

We collect Personal Information in a number of ways, including:

• when you establish an account with us, or when another user (for instance, a user from your company) creates an account for you;

• when you create or amend your profile;

• when you use the Services;

• through your device or browser, as outlined above;

• when you submit Personal Information directly to us, including through the use of our Sites and Services, where you submit online forms, and where you send emails or other communications to us;

• from third parties. To ensure we are providing you with information, marketing, offers and opportunities that are relevant to you, we may collect information about you from sources including our marketing partners, publicly-accessible databases and social media.

• from your third-party service providers. We may collect information from the providers of third-party services you integrate when using the Services, as described above; and

• by running analytics or generating analytics data in connection with the Services.

How do we disclose Personal Information?

We may disclose the Personal Information we collect:

• with your account Admin(s), where you use the Services as part of a team (for instance, a purchaser team in an acquisition transaction). An account Admin may be able to access and control your Account and retrieve, share or delete your Personal Information;

• with other users of the Services. For example, your name, photograph and contact details may be displayed to other users, including in your profile and in posts or notifications. Similar types of Personal Information might also be made available to others in your organisation to allow them to locate and collaborate with you. You can also choose to share information with others as part of the Services, such as when you use our Team Chat to collaborate with other users.

• with our service providers, such as our technology service providers. Those providers may access your Personal Information as we may direct or permit in order to facilitate and improve your use of the Services;

• in accordance with legal requirements and our legal rights – for example, where necessary to comply with statutory or legal requirements, to prevent fraud, to prevent death or serious injury, or to protect our proprietary rights.

• to related entities of Raconteur for the purposes of performing the Services and operating our group’s business.

• to a new owner or potential buyer of Raconteur, where the ownership of all or substantially all of the Raconteur’s business, or individual business units owned by Raconteur, were to change. This information would be provided in order to allow the Raconteur’s Services to continue to operate.

Some of the recipients described above, including our service providers, your Account’s Admin(s), other users of the Services, any new owner of Raconteur, are or may be located offshore.

We may disclose your Personal Information to third parties to allow them to market to you (including through direct marketing) if we have first obtained your consent or if we have other lawful grounds to do so.

Data retention, access, correction, and deletion

We retain Personal Information we collect from you where we have an ongoing legitimate business need to do so, and where you have not requested us to delete your Personal information, pursuant to any privacy laws that apply to Your Content.  Examples of legitimate business needs include, but are not limited to continuing to provide you access to the Services or to comply with applicable legal or audit requirements.

You have a right to request a copy of your Personal Information, to object to our usage of your Personal Information, to request the correction of Your Personal Information, or to request the deletion or restriction of your Personal Information.   Your requests and choices may be limited in certain cases such as, but not limited to situations where your request would reveal information pertaining to another person, or where you ask us to delete Your Personal Data, and we are permitted by law to retain Your Personal Data, or have a compelling legitimate reason for doing so.

Subject to any privacy laws that apply to Your Content, when we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymise it or, if this is not possible (for example, because your Personal Information has been stored in backup archives), then we will securely store your Personal Information and isolate it from any further processing until deletion is possible.

Security

In storing your Personal Information, we use a number of security and organisational measures and technologies to safeguard your Personal Information from unauthorised access, modification or disclosure and misuse, interference or loss.

We, and our third-party service providers, employ a combination of security and organisational measures and technologies to safeguard your data. We utilise Render Services, Inc (ReAnder) which utilises Google Cloud Platform (GCP) and Amazon Web Services (AWS) for hosting.

Render utilises the following security measures:

• Web Application Firewalls (WAFs): These protect web applications from common attack like cross-site scripting (XSS) and SQL injection.

• Intrusion Detection Systems (IDS): These systems monitor network traffic for malicious activity and alert for potential threats.

• Vulnerability Scanning and Penetration Testing: Render conducts regular scans to identify and address vulnerabilities in their systems, and penetration tests simulate real-world attacks to further evaluate security.

• Role-based Access Control and Least Privilege: Access to systems and data is restricted based on individual roles, minimising the risk of unauthorised access.

• Secure Development Practices: Render’s development team follows secure coding practices to prevent vulnerabilities in applications.

• Compliance Certifications: Render is certified with ISO 27001 and SOC 2 Type 2.

In addition, the AWS platform utilises the following security measures:

• Storage and encryption of all data at rest with 256-bit encryption.

• File level encryption with information rights management policies to track, expire and prevent printing of documents.

• Virtual elimination of risks from Trojan viruses, worms, and application vulnerabilities.

• Encryption of data uploaded through HTTPS/SSL.

AWS holds the following information security certifications:

• SOC 1/SSAE 3402

• SOC2

• SOC 3

• FISMA, DIACAP, FedRAMP

• PCI DSS Level 1

• ISO 27001

• ITAR

• FIPS 140-2

We do not currently offer multi-tenancy, which means that data from different customers may reside on shared infrastructure. We plan to introduce multi-tenancy as a feature of Enterprise plans and you will be notified when this feature is made available to users of the Platform.

Google Workspace APIs are not used to develop, improve, or train generalised AI and/or ML models. Raconteur's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use Policy.

Legal basis for processing Personal Information (EEA and UK visitors)

If you are a visitor from the European Economic Area or the United Kingdom, our legal basis for collecting and using the Personal Information described above will depend on the Personal Information concerned and the specific context in which we collect it.

However, we will normally collect Personal Information from you only where we have your consent to do so, where we need the Personal Information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect Personal Information from you or may otherwise need the Personal Information to protect your vital interests or those of another person (e.g. other users).

If we ask you to provide Personal Information to comply with a legal requirement or to perform a contact with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Information is mandatory or not (as well as of the possible consequences if you do not provide your Personal Information).

Similarly, if we collect and use your Personal Information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.

Most of the ways in which we use your personal data are based on our legitimate interests in:

• providing and administering the Services;

• keeping our Sites and the Services secure;

• keeping the Services up to date and enhancing them, both generally and for your use of them; and

• marketing our products and services.

When we rely on our legitimate interests as a lawful ground to process your Personal Information, we do so taking into account the potential impact on your privacy and we offer the right to object to or opt out from processing as described below in the “Your privacy rights” section below.

If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us using the contact details provided under the “Contacting Raconteur about Privacy” heading below.

International data transfers (EEA and UK visitors)

Your Personal Information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have privacy laws that are different to the laws of your country (and, in some cases, may not be as protective).

Our group companies and third-party services providers and partners operate around the world, including in the United States of America (specifically San Fransisco, California), the Netherlands, Germany, South Africa, Hong Kong and the United Kingdom. This means that when we collect your Personal Information we may process it in any of these countries, pursuant to any privacy laws that apply to Your Content.

We currently host our servers for the Services using a combination of AWS and GCP.

California user requests

Californian users of the Services will have additional rights afforded to them under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA, effective 1 January 2023).

The CCPA and the CPRA provide California users various rights with respect to the personal information we collect, including the right to, with certain limitations:

• request to access the personal information we hold about you;

• request that we delete any or all of your personal information;

• opt out of the “sale” of your personal information;

• opt out of the “sharing” of your personal information for cross-context behavioural advertising.

California users of the Services may make a request with respect to any of these rights by contacting us by using the contact details provided under the ‘Contacting Raconteur about Privacy’ heading below.

Your privacy rights

You have the following privacy rights, regardless of the legal jurisdiction of Your Content:

• If you wish to access, correct, update or request deletion of your Personal Information, you can do so at any time by contacting us using the contact details provided under the “Contacting Raconteur about Privacy” heading below. In the event we cannot grant you access to your Personal Information, we will tell you why.

• You can object to processing of your Personal Information or ask us to restrict processing of your Personal Information. Again, you can exercise these rights by contacting us using the contact details provided under the “Contacting Raconteur about Privacy” heading below.

• You have the right to opt-out of marketing communications we send you at any time, and for which you have previously elected to opt-in. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. If you do opt out, please provide us sufficient time to process your preferences. Additionally, if you do opt out, we may still contact you for transactional or informational purposes, and with these purposes potentially including customer service issues, payment inquiries, or product inquiries.

• If we have collected and processed your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.

• You have the right to complain to a privacy authority about our collection and use of your Personal Information. For more information, please contact your local privacy authority.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable privacy laws.

Please note that we do not offer any of the rights described above with respect to any Personal Information that is incorporated in any User Content. We process such content on behalf of our customers and if your Personal Information is contained in any such content, you should contact the customer on whose behalf we have stored the information.

Contacting Raconteur about Privacy

Please contact us using the below details if you have queries about our Privacy Policy and privacy practices, or the way we deal with your Personal Information. You may also contact us using these details if you wish to exercise any of your privacy rights described in the section entitled “Your privacy rights” above.

Email: privacy@raconteurtech.com

Position title and name:

Co-CEO, Elle Curran