Privacy Policy

Formbay Trading Pty Ltd (ABN 31 146 464 995) (referred to as ‘we’, ‘our’ or ‘us’ in this Privacy Policy) is committed to protecting your privacy and personal information. We collect, use, store, manage and disclose all personal information in accordance with the Australian Privacy Principles (‘APPs’) set out in the Privacy Act 1988 (Cth) and the European Union General Data Protection Regulation (‘GDPR’).

This Privacy Policy explains how we collect, use, manage and disclose personal information and how you can contact us if you have queries about our management of your personal information.

We will, in accordance with Article 5 of the GDPR:

  • process your personal information in a lawful, fair and transparent manner;
  • collect your personal information for specified, explicit and legitimate purposes;
  • keep your personal information accurate and, where necessary, up to date;
  • keep your personal information in a form which permits identification of the owner of the personal information no longer than legally necessary; and
  • process your personal information in a manner that ensures it is appropriately secured.

This Privacy Policy applies to use of the FormBay website (www.formbay.com.au) and to any FormBay application (including the FormBay Solar PV Installer Application), software (including the FormBay Trading Software), service or tool (collectively ‘Services’) where this Privacy Policy is referenced, regardless of how the Services are accessed. By registering an account with FormBay, accepting a licence to use our software or application, using our Services, or submitting personal information to us, you accept the terms of this Privacy Policy, and consent to our use, collection, disclosure and retention of personal information as described in this Privacy Policy.

Generally, you have no obligation to provide any personal information requested by us. However, if you do not consent to the terms of this Privacy Policy we may not be able to supply the Services to you. You expressly “consent” when registering an account with Formbay to use our Services (Article 6(1)(a) of the GDPR) in accordance with this Privacy Policy and our Terms of Use. You may withdraw your “consent” at any time by contacting our privacy officer in accordance with Article 7(3) of the GDPR but we may not be able to provide our Services to you if you withdraw consent.

If you are a user based in the EU and are below 16 years of age and wish to use our Services, “consent” can only be given to us from a person with parental responsibility for you in accordance with Article 8(1) of the GDPR.

We reserve the right, at our discretion, to update or revise this Privacy Policy from time to time. Changes to the Privacy Policy will apply immediately to all personal information held by us at that time. Any updated versions of this Privacy Policy will be posted on our website (www.formbay.com.au). Therefore, you should review our Privacy Policy regularly to ensure you are familiar with any changes.

We have an appointed privacy officer to monitor and advise on compliance with the Privacy Act in Australia and a representative in the to deal with the EU GDPR whose details are at the end of this Privacy Policy.

1.    Collection & Disclosure of Personal Information

1.1 To get access to or use some of our Services, we may require you to provide certain information by which your identity, and those of others (i.e. owners of the renewable energy system etc.), can reasonably be ascertained such as names, organisation names, addresses, phone numbers, fax numbers, e-mail addresses, solar panel/inverter/battery and other complementary equipment/componentry serial numbers and specifications, unique product identifiers (e.g. solar panel, inverter, battery serial numbers etc.) (‘PV system componentry’), “biometric information” (e.g. for use in “touch ID” logging on) etc. (together referred to as personal information). We generally do not collect “Sensitive Information” as defined by s.6(1) of the Privacy Act 1988 (Cth) (such as information concerning your health, sexual orientation/practices, membership of a trade union, political views/association, religious or philosophical beliefs, race or ethnicity). In respect of “biometric information” for use in “touch ID” logging in services, if you decide to use our Services you expressly consent to our processing of that personal information and we will inform you by a “pop-up” notice seeking your express consent the first time you seek to use this service (Article 9(2)(a) of the GDPR).

1.2 You acknowledge and agree that all personal information submitted by you (including personal information related to another individual such as the owner of a renewable energy system) is submitted to us with all necessary consents that we may use such information in the ways contemplated by this Privacy Policy and the Terms of Use for the software or otherwise with respect to the provision of our Services to you.

1.3 Examples of some personal information we may collect include your/owner's name, address, organisation, telephone number, email address, position and title.

1.4 We may collect personal information that you provide via our website, via your device (such as a smart phone, tablet or other device), by registering an account with us, or otherwise by telephone, mail, printed and online forms or e-mail, for example when you:

  • submit personal information to us for the purpose of subscribing to our mailing lists or otherwise accessing Services made available by us;
  • knowingly give us information by e-mail, telephone or via our website;
  • complete a FormBay STC Assignment Form; or
  • register an account and provide registration details.

1.5 We may collect personal information from third parties where individuals have expressly or impliedly agreed to disclose personal information to Formbay, or where the information is otherwise publicly available. This may include information with respect to prior solar panel/inverter/battery or other equipment installations and/or PV system componentry, credit worthiness, prior work history or reference checks of a person.

1.6 We may collect computer and connection information including your Internet Protocol (‘IP’) address to assist in diagnosing problems related to our service and to administer our website. We analyse our website logs and statistics to improve the relevance of content featured on our website. While these logs are IP identifiable, no attempt is made by us to link individuals that browse our website with such IP addresses.

1.7 You have the option of not disclosing personal information to us, unless it is, in our view, impractical for us to deal with you that way or we are otherwise required by law or authorised by a court or tribunal to deal with you on an identified basis. If you choose to withhold any personal information, we may not be able to provide you with part or all of our Services.

1.8 We may collect personal information and disclose that personal information to third parties where it directly relates to the creation & validation of environmental certificates (e.g. small-scale technology certificates (STCs)) (i.e. the “primary purpose” for our collection, validation and disclosure of such personal information).

1.9 You also consent to us collecting and disclosing your personal information in instances where you would reasonably expect us to use or disclose the personal information where such purpose is related to the primary purpose of collection.

1.10 With your consent (see clauses 1.12 - 1.14 below), you permit us to disclose to a third party your personal information to facilitate that third party providing additional/replacement solar panels/inverters/batteries and/or other relevant PV system componentry as well as ancillary services such as plumbing, electrical and other services not directly related to the installation of solar panels/inverters/batteries installed on your premises (“additional services”) to either: your previous/existing customer, and/or to you as a homeowner/business.

1.11 If you are an installer/retailer/service provider holding an account with us, we will send to you an electronic notification that also provides a link to this privacy policy (“short form notice”) before we share your (“party 1”) personal information with a third party seeking to provide additional services (“party 2”) related to your previous/existing customer when you will be able to either consent or not consent to the disclosure of your personal information for the provision of those additional services by party 2. If you fail to provide any response to the electronic notification you will be deemed to have provided consent for such disclosure of your personal information to party 2.

1.12 If you are a homeowner/business owner that has had solar panels/inverters/batteries and/or other relevant PV system componentry installed on your premises by a third party (“party 1”), we will send to you (or to the new installer/retailer/service provider that did not install the original equipment on your premises (“party 2”) and request they procure your written consent by our app) a “short form notice” before we share your personal information with party 2 for the provision of additional service when you will be able to either consent or not consent to the disclosure of your personal information. If you fail to provide any response to the electronic notification you will be deemed to have provided consent for such disclosure of your personal information. If you do not consent to the disclosure of your personal information, we will not be able to provide that information to party 2 and thus they may need to spend more time procuring that information from you and/or other parties delaying the provision of their services to you.

1.13 You expressly consent to:

  • us disclosing personal information to new installers/retailers/wholesalers of relevant PV system componentry;
  • us disclosing personal information regarding PV system componentry to third party service providers that validate the serial numbers of any PV system componentry (e.g. solar panels, inverters, batteries etc.);
  • us disclosing personal information regarding PV system componentry to the manufacturers of any PV system componentry (e.g. solar panels, inverters, batteries etc.) for the purposes of any warranty claim; and
  • a third-party service provider providing PV system componentry validation services to disclose your personal information to another service provider providing similar services and/or the CER in accordance with their own privacy policy.

1.14 We will only disclose personal information for a secondary purpose with your consent and only that personal information sufficient for the secondary purpose and such information will not include any “Sensitive Information”.

2.    Use of Personal Information

2.1 We use the personal information we collect for the purpose for which it is submitted, such as to:

  • provide you with use and access to our Services and ancillary services;
  • verify information or conduct audits regarding our Services;
  • keep a record of our dealings with you and enable us to contact you when necessary, including to provide information and customer service and for other administration matters;
  • develop a data profile to enable us to tailor our Services to you;
  • share with companies verifying the veracity of product (e.g. companies confirming serial numbers/unique product numbering with manufacturers' data sets); and
  • share with third parties providing services related to the secondary purpose.

2.2 We maintain mailing lists to keep subscribers informed about areas of specific interest. You may request to join our mailing lists by signing up through our website.

2.3 We may also use your personal information for purposes authorised by laws or regulations such as to prevent or investigate alleged crime or fraud.

2.4 De-identified information may be used for statistical analysis or research purposes.

3.    Direct Marketing

3.1 We will not direct market to you.

3.2 Despite using reasonable endeavours to ensure you are not directly marketed to, we are not responsible in instances where a third party directly markets to you from personal information we have shared with them in the course of providing the Services to you in accordance with our terms of use and this Privacy Policy.

4.    Disclosure

4.1 We do not sell, rent, lease or provide personal information to other entities unless outlined in this Privacy Policy. We may disclose personal information where you have consented or when disclosure is necessary to achieve the purpose for which it was submitted (as outlined above).

4.2 In providing our Services, we may disclose personal information to third parties or organisations that carry out functions on our behalf, provide Services on our behalf or assist us to provide our Services (e.g. business associates, contractors, agents or service providers, including cloud service providers, technology service providers, website hosting companies and website developers). These third parties may change from time to time. In such instances where we disclose your personal information to third parties for processing purposes we will: enter into a written contract with them (including “Australian Standard Clauses”); ensure any processing is done in accordance with our instructions; and ensure it is carried out in accordance with appropriate security measures.

4.3 In addition, personal information may be disclosed to third parties in special situations where it is:

  • requested or authorised by law;
  • requested by the Clean Energy Regulator, the statutory authority established to oversee the implementation of the Small-Scale Renewable Energy Scheme or other relevant body/agency directly linked to the primary purpose;
  • required to verify the veracity of product (e.g. companies confirming serial numbers/unique product numbering with manufacturers' data sets);
  • requested to investigate an unlawful activity;
  • requested by an enforcement body for investigative activities;
  • in our opinion, necessary to prevent a serious and imminent threat to a person's life, health or safety, or to public health or safety (e.g. “vital interests”); or
  • in our opinion, necessary to identify, contact or bring legal action against anyone damaging, injuring, or interfering (intentionally or unintentionally) with our rights or property, users, or anyone else who could be harmed by such activities.

4.4 You agree that third parties which receive personal information from us in accordance with clause 4.3 above, may use and disclose the personal information subject to their respective privacy policies. While we will endeavour to take reasonable steps to enter into agreements with third parties that collect, store, disclose and retain personal information in accordance with the APPs, we will not be responsible in any way for the disclosure and use of such information by such third parties.

5.    Transborder Storage and Transfer of Personal Information

5.1 Personal information may be stored, processed in or transferred outside of Australia from time to time.

5.2 In Australia, you acknowledge and agree to such international data and information transfers with respect to personal information. Clause 8.1 of the APPs contained in Schedule 1 of the Privacy Act 1988 (Cth) provides that if we disclose personal information about an individual to an overseas recipient, then we must take such steps as are reasonable in the circumstances to ensure the overseas recipient does not breach the APPs in relation to such information. An exception to this is if we obtain your consent. We intend to rely on this exception in the following way. Unless you notify us in writing to the contrary, you will be taken to have consented to the disclosure by us of personal information to overseas recipients on the basis that:

  • clause 8.1 of the APPs will not apply to such disclosure;
  • the individual whose personal information is disclosed will not be able to seek redress under the Privacy Act 1988 (Cth);
  • the overseas recipient may not be subject to any privacy obligations or to any principles similar to the APPs;
  • the individual may not be able to seek redress in the overseas jurisdiction; and
  • the overseas recipient is subject to a foreign law that could compel the disclosure of personal information to a third party, such as an overseas authority.

5.3 From time to time, we may provide third parties with information in the form of statistical representations about our users collectively and for the purpose of statistical analysis. Where we provide information to third parties for this limited statistical purpose, we will not provide personal information in such a way that your identity may be obtained.

6.    Security and Storage

6.1 We strive to ensure the security, integrity and privacy of personal information submitted to us. We store the personal information securely as appropriate.

6.2 We continually review and update our security measures considering current technologies. We also engage external service providers to provide us and our staff with training and assistance with our internal practices, procedures and systems. Unfortunately, no security measure can be guaranteed to be totally secure. However, we will endeavour to take all reasonable steps to protect the personal information submitted to us. Once we do receive personal information, we will make reasonable efforts to ensure its security on our systems. In addition, our employees and the contractors who provide services related to our information systems are obliged to respect the confidentiality of any personal information held by us. We may engage third parties to process personal information on our behalf and such parties (if the personal information is transferred from the EU to a non-EU member state), in accordance with Articles 24, 25, 28 & 32 of the GDPR:

  • may only process data in accordance with our documented instructions;
  • have committed themselves to the confidentiality of your “personal information”;
  • will not engage another third party to process your “personal information” without our authorisation; and
  • have implemented appropriate technical/organisational measures to ensure a level of security appropriate to the risks of a breach of privacy.

However, we will not be held responsible for events arising from unauthorised access to personal information.

6.3 If you enter personal information on our website, you should exercise due care to safeguard any user names, passwords, identification number, or other special access features associated with your use of the website.

6.4 We retain personal information as long as it is necessary and relevant for our operations and the purposes outlined in this Privacy Policy. After it is no longer necessary for us to retain personal information, we will take reasonable steps to dispose of it in a secure manner by destroying or permanently de-identifying the information.

7.    Data Breaches

7.1 A “data breach” is an unauthorised access or disclosure of your “personal information” or loss of your “personal information”. We use our security and storage measures detailed above to minimise the risk of “data breaches” occurring. We will seek to contain, assess, notify and review a “data breach” promptly in accordance with our “data breach response procedures” detailed below.

7.2 If a “data breach” occurs, the “privacy officer” will:

  • take immediate steps to contain any further access/distribution of the affected personal information (e.g. such actions may include: stopping the unauthorised practice, recovering the records or shutting down the system that was breached or where shutting the system down would result in the loss of evidence then revoking/changing computer access privileges or address weaknesses in physical/electronic security);
  • undertake immediate steps to assess:

    • the type of “personal information” involved in the “data breach”;
    • the circumstances of the “data breach”;
    • the nature of harm to affected individuals and whether such harm can be removed by remedial action; and
    • whether such breach is an “eligible data breach” or “data breach”. The “privacy officer” will liaise with the CEO as part of this assessment if they deem it a serious data breach. If necessary, we will procure independent legal advice to assist in identifying the type of breach as well as other third parties such as data forensic and communications professionals.

  • notify you of an “eligible data breach” or other “data breaches” that we deem serious; and
  • review and learn from the “data breach” to improve our procedures/practices for handling of “personal information”.

7.3 An “eligible data breach” occurs where such breach (in Formbay’s reasonable opinion) is likely (i.e. more probable than not as opposed to possibly) to result in serious harm (e.g. serious physical, psychological, emotional, financial or reputational harm) to any of the individuals to whom the information relates. Some kinds of information are more likely to cause an individual “serious harm” if the breach involves “sensitive information”, Medicare cards, driver's licence and passport details, financial information etc.

7.4 In instances involving an “eligible data breach”, we are required to provide a statement to the Australian Information Commissioner notifying them of the “eligible data breach” as soon as practical after we become aware of such data breach and in some instances, advise the appropriate Australian Authority within 72 hours of becoming aware of an “eligible data breach” (i.e. involving a high risk to the rights and freedoms of individuals (Articles 33 & 34 of the GDPR)). If required, we will also notify you of such “eligible data breaches” in relation to your “personal information”.

7.5 If a “data breach” and/or “eligible data breach” occurs and we notify you of such breach, you should look to change your passwords to the compromised online account and be alert to identify fraud/scams.

7.6 We will keep records of all “data breaches” showing how we became aware of the “data breach” and what we did in response to such breaches.

8.    Data Protection Impact Assessment

Whenever we seek to implement new technologies into our Services to make them more efficient for you, we shall consider the nature, scope, context and purposes of the processing, the likely risks involved to you and your personal information and if we believe there is a “high risk” to your personal information (Article 35 of the GDPR):

8.1 seeking the advice of the Privacy Officer;

8.2 if necessary, seeking external advice/assistance;

8.3 conducting an internal data protection impact assessment which shall consider:

  • a description of the processing operations and/or new technology and its purpose;
  • the need for such change and its impact on the processing of personal information;
  • an assessment of the risks to your personal information;
  • any measures envisaged to address any identified risks to your personal information; and
  • if deemed necessary, consult with our client base about such measures.

9.    Cookies

9.1 Cookies are data that a website transfers to an individual's hard drive for record-keeping purposes. Cookies, which are industry standard and are used by most websites, including those operated by us, can facilitate a user's ongoing access to and use of a site. They allow us to ensure a persistent client state and customise the website to your needs. We also send session numbers and keys as Cookies to ensure that your connection, when using our online Services, is kept as secure as possible.

9.2 If you do not want information collected through the use of Cookies, there is a simple procedure in most browsers that allows you to deny or accept the Cookie feature. You should note that Cookies may be necessary to provide you with some features of our on-line services.

10.    Access

10.1 We will endeavour to take all reasonable steps to ensure the personal information we collect is accurate, complete and up to date. If you wish to obtain a copy of the personal information collected by us or you discover that the personal information held about you is:

  • incorrect or
  • you require your personal information to be deleted as you have withdrawn your consent for us to use your personal information or it is no longer necessary for the purpose for which it was collected (Article 17 of the GDPR) or
  • you wish to object to the processing of your personal information (Article 21 of the GDPR)

you may contact us via the contact details provided below to have the information corrected or erased (Articles 16 & 17 of the GDPR) and we shall notify you of such changes if reasonable to do so (Article 19 of the GDPR).

You may also request us to provide to you any personal information we hold of yours in a structured, commonly used, machine-readable format and to transmit that information to another (Article 20 of the GDPR) and/or to request us to restrict the processing of parts of your personal information (e.g. you contest the accuracy of your personal information, there may be a temporary restriction on our ability to process that personal information until we verify the accuracy of your personal information) (Article 18 of the GDPR).

Our objective is to respond to any request within a reasonable timeframe and no later than 30 days. We will endeavour to inform you if this timeframe is not achievable.

10.2 In some circumstances, we may not be able to grant access to personal information. Such circumstances include:

  • providing access is likely to pose a serious threat to the safety of an individual or the public;
  • providing access is likely to unreasonably impact on the privacy of others;
  • the request for access is frivolous or vexatious;
  • providing access would reveal information which relates to existing or anticipated legal proceedings or otherwise impact on any negotiations;
  • providing access is unlawful (including being unlawful as directed by a court or tribunal order) or is likely to impact on actions being taken in relation to alleged unlawful activities relating to our functions and activities; or
  • granting access would impact on a commercially sensitive decision making process.

11.    Links to Other Sites

We provide links to websites outside of our website, as well as to third party websites. These linked sites are not under our control, and we cannot accept responsibility for the conduct of companies linked to our website. Before disclosing personal information on any other website, we advise you to examine the terms and conditions of using that website and its privacy statement.

12.    Questions or Complaints

If you have questions or complaints about this Privacy Policy or our information handling process, please let us know.

Our Australian contact details are:

Privacy Officer
Formbay Trading Pty Ltd
Level 1, 222 Clarence Street
Sydney, NSW, 2000
Australia
Phone: +61 2 90869184
Email: privacy@formbay.com.au

Our EU contact details are: support_eu@formbay.com.au

We take your complaints seriously and will endeavour to review and resolve such complaints within a reasonable timeframe and no later than 30 days. If we are unable to review and resolve your complaint within this timeframe, we will endeavour to contact you within that time to let you know how long it will take to resolve the complaint.

After you have made a formal complaint to us and we have made all reasonable efforts to resolve your complaint, if you believe we have not adequately dealt with your complaint, you may make a complaint to the Privacy Commissioner, whose contact details are found on their website www.oaic.gov.au and/or the UK’s Information Commissioner’s Office at https://ico.org.uk.