Australia Privacy Requirements

Introduction
Chargebee is committed to our customers’ success, including compliance with applicable privacy laws in Australia. Compliance with privacy regulations requires a close partnership between Chargebee and our customers in their use of our services. The following is a brief summary of how Chargebee addresses the requirements of the data privacy laws in Australia.
Australian Privacy Laws
In Australia, privacy is regulated at both the Commonwealth (or federal) level and at the state and territorial level. The Privacy Act 1988 (Cth) (the “Privacy Act”) sets forth the Commonwealth’s standards for the collection, use, disclosure, and protection of “personal information” and applies to most private sector organizations operating in Australia or engaging in conduct that has an Australian link.
In particular, the Privacy Act uses the 13 Australian Privacy Principles (the “APPs”) to set standards for considering, collecting, dealing with, and maintaining the integrity of personal information. For more information regarding the APPs and the Privacy Act, see the Australian Government website at www.oaic.gov.au.
Chargebee’s Compliance with Australian Privacy Laws
Data protection is at the core of Chargebee’s business and something that Chargebee takes very seriously. Chargebee remains committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a high-level summary of Chargebee’s compliance with the key areas of the Privacy Act (including each of the 13 APPs):
  • Chargebee will only retain, disclose, store, or use personal information for the purpose of performing the services within the boundaries of the law or as specified in the written contracts with our customers or for the purposes described in our Privacy Policy.
  • Chargebee has taken reasonable steps to protect personal information it retains, discloses, stores, or uses from (i) misuse, interference, and loss; and (ii) unauthorized access, modification, or disclosure.
  • Chargebee may appoint certain third parties (‘Sub-processors’) who may assist our customers by delivering their products and/or services as part of the Services. We contract directly with the Sub-processors for the provision of their products and/or services, and Chargebee shall be responsible for the performance of any of its Sub-processors. Please refer here for sub-processor details.
  • Chargebee will make available to its customers any information reasonably necessary for our customers to demonstrate their compliance with the Act or the Privacy Act (as applicable).
  • Chargebee shall take reasonable steps to address requests from individuals for access and correction.
  • Chargebee has implemented ‘Privacy by Design’. Below are a few features that will help you align with data protection requirements:
    • Chargebee has a Consent Management feature that provides powerful ways to capture consent from your customers and manage collected consent information.
    • Personal Data Management helps you align Chargebee with your customer data retention policies. This feature allows you to configure Chargebee to delete PII for customers who no longer use your services.
    • The Import and Export feature enables you to exercise the right to portability of all the information that we process on your behalf.
  • Chargebee expects that its customers will inform their Australian data subjects about their collection of personal information in accordance with the Act or the Privacy Act (as applicable), including without limitation (i) informing individuals of the fact that personal information is being collected as well as what kinds of personal information are being collected and held; (ii) the purpose for which the personal information has been or will be collected; (iii) the manner in which personal information will be collected and held (including the name and address of the processing entity); (iv) the intended recipients of the personal information (including location if they are overseas); (v) consequences to the individual if the information is not provided (e.g., loss of service); (vi) the individual’s rights of access and correction and how they can be exercised; and (vii) how an individual can report a privacy breach.

| Principle | Title | Purpose |
|---|---|---|
| APP 1 | Open and transparent management of personal information | Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy. |
| APP 2 | Anonymity and pseudonymity | Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply. |
| APP 3 | Collection of solicited personal information | Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of sensitive information. |
| APP 4 | Dealing with unsolicited personal information | Outlines how APP entities must deal with unsolicited personal information. |
| APP 5 | Notification of the collection of personal information | Outlines when and in what circumstances an APP entity that collects personal information must tell an individual about certain matters. |
| APP 6 | Use or disclosure of personal information | Outlines the circumstances in which an APP entity may use or disclose personal information that it holds. |
| APP 7 | Direct marketing | An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. |
| APP 8 | Cross-border disclosure of personal information | Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas. |
| APP 9 | Adoption, use or disclosure of government related identifiers | Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual. |
| APP 10 | Quality of personal information | An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure. |
| APP 11 | Security of personal information | An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances. |
| APP 12 | Access to personal information | Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies. |
| APP 13 | Correction of personal information | Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals. |