Your privacy is important, so whether you are new to Operoo or a long-term user, please take the time to get to know our practices – and if you have any questions contact us.
We’ve tried to keep this policy as simple as possible, but if you are not familiar with terms like cookies, IP addresses, pixel tags and browsers, then read about these in our Definitions first.
In short, the Company will NEVER share your data with anyone except the school or other Organisation of which you are a Member, or rent your data to anyone, without your consent.
Information About Us
- If you sign up in Australia, Asia, Africa or Europe, Services are provided by the Company:
Operoo Pty Ltd
Located 25 Gwynne St, Cremorne VIC, 3121, Australia. ABN 74 166 391 993
- If you sign up in the Americas, Services are provided by the Company:
Located 7105 3rd Avenue, Suite 532, Brooklyn, NY, 11209 USA
Operoo will act as the “data processor” with respect to the Personal Information processed when we contract with an Organisation (for example, a school) as our client. We may act as a “data controller” for certain other data collected when you browse our website or for individual Users who sign up for the Community Edition of Operoo.
Information we collect
Personal Information collected from Users
Our Services may be used to collect the following information, which is added and controlled by the User. In each of these cases, the information that is collected may be about the User herself or himself, or it may be about another individual that the User is responsible for, such as their child.
- Health Information. Our Services may collect information for an Individual’s Care Profile, which may be shared with an Organisation as a Medical Form. This may include emergency contacts, medical conditions & disabilities, medical action plans (e.g. asthma or allergy action plan), medications, and other information about an individual defined as “health information”.
- Personal Details. Our Services may collect personal details such as an individual’s name, location, date of birth, nationality, family details and other information defined as “Personal Information” that allows identification of the individual;
- Contact Information. Our Services may collect information such as an individual’s email address, telephone & fax number, usernames, address (residential, business and postal), and other information that allows us to contact the individual;
- Other Information requested by Organisations. Our Services may collect information via eForms that are designed by the Organisation (Customer).
- Other Information added by Users. Our Services may collect any additional information a User chooses to add into Operoo.
- User Correspondence. We may collect any personal correspondence that an individual sends us, or that is sent to us by others (e.g. Users, Customers, business partners, suppliers) about the individual’s activities.
- Information relating to our Sites and Apps. We collect information on how you interact with our Services, such as the IP address from which you access the Services, date and time, information about your browser, operating system and computer or device, pages viewed and items clicked. We may also collect location information, including location information automatically provided by your computer or device. If you are located in the UK or a country covered by the European Union’s General Data Protection Regulation, these types of information may be deemed to be Personal Information,
- Financial Information. Our Services can be used to collect payments. Operoo uses a Third-Party payment gateway to process payments (currently Stripe). If a User chooses to make a payment in Operoo, they can securely store their Credit Card and contact details in that Third-Party payment gateway for future transactions. Operoo Services do not collect or store any Credit Card information.
Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a client) we will either delete/destroy the information, or inform the individual that we hold such information.
- For more information, please see our Cookies Policy.
Information collected from Organisations:
- Operoo Account Information. The Service may collect information about a Customer (“Organisation”) account including organisation name, logo, organisation contact information including address (physical and website URL), and Super-Admin contact information (including name and email address).
- Financial Information. The Service may collect financial information in order to provide a Customer our Services.
- Member Request Information. The Service requires basic information about Members (e.g. students and/or staff) in order for the Organisation to send and request information. This includes the Member’s name and email address(s) of the User who is responsible for that member.
- Additional Member Information. Organisations can add additional optional information about Members including secondary email address, mobile number, Profile ID (e.g. Student ID, Club Member ID, Employee ID), manual tags, notes and injury reports.
- Groups and eForms. The Service collects and stores any information and settings about Groups and eForms, including Members and communications sent (emails, SMS and push notifications).
- Authorised Supervisors. The Service logs when staff are given Authorised Supervisor access, including which groups, how long for, and if they logged in and accessed any Member records.
- Information sent to us in regards to an Organisation. We may collect any correspondence related to an Organisation from Individuals.
Information automatically collected about Organisations and the Organisation Users
- Usage Information. We collect usage information, some of which may be classified as Personal Information, in regards to any Admin or Authorised Supervisor activity related to our Services, such as the IP address from which you access the Services, date and time, information about your browser, operating system and computer or device, pages viewed and items clicked. We may also collect location information, including location information automatically provided by your computer or device. We also log all information about Groups and eForms, including Members, responses, changes, and communications (email, SMS & push notifications).
How we use information we collect
We must always have a lawful basis for using your personal data. This is legally required under the UK’s Data Protection Law and the GDPR, but we adhere to this principle worldwide. This lawful basis may be because:
- the data is necessary for our performance of a contract with you;
- because you have consented to use of your personal data; or
- because it is in our legitimate business interests to use it. This may be for analysing, optimising and administering the services
The following sections are a summary of the purposes for which your personal data may be used, along with our commitments not to use your personal data in certain ways.
How and Where personal information is used and disclosed
One of Operoo’s core purposes is to help our Customers (Organisations such as schools, clubs, businesses) deliver on their duty of care obligations. Customers do this by using the Services to collect Member’s Personal Information such as emergency contacts, medical conditions, emergency action plans, and consent. The Organisation’s Admins can then make this information available to Authorised Supervisors for the purpose of ensuring they know exactly what to do, who to call, and what to tell paramedics in an emergency (including secure offline access via the Mobile App).
Another core purpose is to allow Organisations to use Operoo to communicate with their Members on a wide variety of non-medical topics. Those communications frequently include Personal Information (at minimum your name or the name of your child, and often other information) as a necessary part of achieving the Organisation’s purposes. When you complete a Care Profile or an eForm using our Service, you will be disclosing that information to the relevant Organisation and you will be enabling that Organisation to use the information that you disclosed.
Other ways we use personal information
- To provide, maintain and improve our Services, which may include:
- The provision of goods and services;
- Verifying an individual’s identity;
- Communications between Users, Organisations and the Company (including email, phone and Live Chat from the Website or Mobile App);
- Analysing trends, administering or optimising the Services, monitoring usage or traffic patterns (including to track users’ movements around the Services);
- Investigating complaints about or made by an individual.
- Making basic account data visible to members of our Operoo support team in any location so that they can provide user support. This includes User/account holder name and email address.
- Other circumstances which we may disclose an individual’s Personal Information:
- If we have reason to suspect that a User is in breach of any Terms of Services, or we have reason to suspect a User has been otherwise engaged in any fraudulent, deceptive or unlawful activity (in which case we may be required disclose that information to a governmental authority); and/or
- As required or permitted by any law.
- In order to sell our business (in that we may need to transfer Personal Information to a new owner). In this case, we will ensure that the new owner has privacy policies consistent with this policy.
Ways in which we will not use your Personal Information
- We will never use Personal Information collected in our Services for any purposes other than making the information available to an authorised Organisation’s Admins and/or Authorised Supervisors, or other Individuals authorised by the User.
- We will never use the Personal Information for any marketing or commercial purposes, and we will maintain all Health Information in the strictest confidence.
- We will not disclose or sell Personal Information to unrelated third parties under any circumstances.
In general, the primary principle is that we will not use any Personal Information other than for the purpose for which it was collected, and with consent from the User. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
Retention of Personal Information
Our Services will retain Personal Information until the User and/or Customer (Organisation) deems it no longer necessary to be kept. Operoo does not automatically delete Personal Information added to Care Profiles by Users because Operoo Care Profiles are fully User controlled. In Community Edition, Users can choose to share Personal Information in Operoo with other Users/Organisations, revoke access to live Care Profiles, and permanently delete their account at any time. If the User shared any eForm response with an Organisation (e.g. Medical form, consent form), the shared eForm response is then controlled by the Organisation. It is the responsibility of the Organisation to delete Personal Information if it is no longer required for compliance or legal reasons.
How and Where Do You Store or Transfer My Personal Information?
- We store your data on secure servers based on your geographic location. For Users in Australia and other countries in the Asia-Pacific region, data is stored in Australia. For Users in North America, data is stored in the United States. For Users in the UK and other countries in Europe, data is stored in Ireland.
- Our Services do not use third-party products to send profile requests and eForms requests to Users.
- The Company does use systems provided by other third-parties (“sub-processors”) to help us run our business and to communicate with Users, Customers and Prospects. The functions for which we use sub-processors that may entail User data consist of:
- Infrastructure for hosting and processing data
- Communication tools used for communicating with Users when providing user support
- Communication tools used by our personnel to communicate internally, for example when troubleshooting an issue raised by a User
- Translation tools, that translate User content between languages
These service providers may be located in the United States of America, Australia, Europe or elsewhere in the world. A list of the third-party sub-processors that we currently use can be found below at the end of this page under the heading Third- Party Subprocessors that we use.
- The Emails we send (like most emails) are sent encrypted; however they are stored on third party systems (e.g. email clients such as gmail/outlook) as clear text. For this reason, emails we send never contain any confidential information such as medical information or contact details.
- Data transfers that originate in the EU or Australia and that are sent to a third party based in a country outside of the EU or Australia will be done using additional data protection mechanisms or steps in place, in line with the applicable data protection law.
User of a standard Operoo Account must be a legal adult
Operoo is designed for Adult Users to share electronic medical and consent forms with Organisations on behalf of themselves or on behalf of Individuals they are responsible for (e.g. their child).
As part of our Terms of Service, children under legal age are not allowed to be a User of a standard Operoo account. The User of a standard Operoo account must be a legal Adult. We do, however, also offer more limited Student User accounts that an Organisation can provide to, and use to communicate with, children under legal age who are part of that Organisation (e.g. a school and its students). Those Student User accounts are designed for sharing only limited types of less sensitive data, and not all Organisations utilize Student User accounts.
A User can only input information on behalf of other adults if they have that Individual’s recorded consent.
Privacy by Default
Operoo sets default privacy settings to the highest level. This means that no other User or Organisation can see any information that Users add into Operoo until the User chooses to share it.
Transparency, Data Subject Rights, and Choice
- Right to be informed. Under privacy laws you have various rights. This policy seeks to inform you of your rights. People also have different views regarding privacy. Our goal is to be clear about what information the Service collects so that you can make meaningful choices about how it is used, exercising those rights and consistent with your own views.
- Providing Access to Information. The Organisation or Organisations that will have access to your Personal Information depends on which edition of Operoo you are using, Community Edition or Group Edition. Most Users use our Group Edition, but if you aren’t sure, ask your Organisation. The following sections outline which Organisation(s) will have access.
- Sharing of Personal Information. Community Edition Users must deliberately share a Care Profile with an Organisation, or submit an eForm response to an Organisation, before that Organisation can see any information. The accounts of Group Edition Users are automatically part of the Organisation that provided their accounts, and their Care Profile and any eForm responses will automatically be shared with the Organisation that provided the account (but not with any other Organisation).
- View, add and edit. Operoo Community Edition is designed to make Users responsible for adding, sharing and updating personal information and active eForm responses. Users may see and edit what current User information is stored in the Care Profile, and see which organisations have access to their Operoo Care Profile. Operoo Group Edition is designed to make the Organisation and/or Parent/Guardian Users responsible for adding, sharing and updating personal information and active eForm responses. The Organisation controls access to the Student Record.
- Revoke access. At any time, Community Edition Users can revoke Organisation (or another User) access to a current Care Profile.
- Data portability. Users can export personal data stored in Operoo in an open standard electronic format (JSON). This includes ‘observed’ data such as Recent Logins, and Registered Devices. Users can also transfer control of Care Profile information to other Operoo Users (e.g. transfer control of their child’s Care Profile to another parent/guardian, or to the child once they become a legal adult).
- The right to erasure. Users have the right to ask an Organisation to delete personal information held on them.
- Permanently delete account. Users can permanently delete their Operoo Account (including all Care Profile information) at any time.
- If a User chooses to permanently delete their account, Operoo will make the User aware of which Organisations have stored shared information, and provide contact details of the Organisation for the User to direct requests for erasure.
- If the Organisation has no grounds to refuse a request to erasure, they must comply without undue delay, and Operoo provides the tools for the Organisation to permanently delete the information about the Member.
- If a User has completed an eForm response for an Organisation, that eForm response is controlled by the Organisation (for example, if a parent completes a consent form for their child to attend an excursion, that consent form and a snapshot of the Care Profile at the time of consent is stored by Operoo on behalf of the Organisation).
- The Organisation has the right to refuse if that personal data is required by the Organisation to comply with its legal obligations or the obligations of an official authority, if the data is necessary for the exercise of legal claims, or is required to adhere to other retention requirements under their own retention policy.
- In some cases you may have the right to restrict (i.e. prevent) the processing of your personal data. You may also have in certain circumstances the right to object to us using your personal data for a particular purpose.
- We do not perform automated decision making or profiling.
- We will direct your data subject request to your Organisation once we receive it, acting in our capacity as data processor for the information.
If Operoo needs to action your data subject request as data controller, we will do so within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request.
- Opt-Outs. Users can “opt-out” of having personal information used for certain purposes. If you opt-out, we may not be able to provide certain features (see section “Opting “IN” or “OUT””).
Opting “IN” or “OUT”
- The Services to store any Personal Information the User chooses to add to their account;
- The Services to send them communications on behalf of an Organisation;
- The Services to send them important notices, such as changes to our terms, conditions and policies. Because this information is important to the individual’s interaction with us, Users may not opt out of receiving these communications if they wish to continue using the Services.
If an individual has set-up an Operoo Account and wants to Opt Out, they can do so by permanently deleting their account.
If an individual has never set-up an Operoo Account and wants to Opt Out of communications from a related Organisation, they can do so by contacting that Organisation, and asking to be excluded. If that is unsuccessful, they should contact us on the details below to action their request.
If an Individual wishes to unsubscribe from any Operoo marketing updates (e.g. new feature updates, webinar invites, etc), they can do so by unsubscribing using the Unsubscribe link in the email or by emailing firstname.lastname@example.org.
Security and Safety of Personal Information
The security of your personal information is important to us. We maintain a variety of appropriate technical and organisational safeguards to protect your personal information. We limit access to Personal Information about you to employees who we believe reasonably need to come into contact with that information to provide Services to you or in order to do their jobs. Further, we have implemented physical, electronic and procedural safeguards designed to protect personal information about you. For more information see our Security Practices.
Operoo uses SSL encryption to store and transfer Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept liability for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.
We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.
We are not liable for any loss, damage or claim arising out of another User/Organisation’s use of the Personal information where the User authorised sharing of that Personal Information to that User/Organisation.
Blocking Cookies. Depending on location, users may set their preferences using the consent tool or their browser to block all cookies, including cookies associated with our Services, or to indicate when a cookie is being set by us (see Cookies Policy). However, it is important to remember that many of our Services may not function properly if cookies are disabled. For example, the Services require a Cookie to securely login a User on a registered device
Data Breach Policy
If an individual suspects any misuse or loss of, or unauthorised access to their Personal Information, they should let us know immediately (Contact Us details below).
If we become aware of any unauthorised access to an individual’s Personal Information, we will inform the User and/or Customer at the earliest opportunity as per our Data Breach Policy.
Compliance and cooperation with regulatory authorities
When we receive formal written complaints, we will contact the person who made the complaint to follow up. We will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our Users directly.
Complaints and Disputes
If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the contact details below. If there is a dispute regarding Personal Information, both parties must first attempt to resolve the issue directly between each other.
If we become aware of any unauthorised access to an Individual’s Personal Information, we will inform the User and/or Customer at the earliest opportunity once we have established what was accessed and how it was accessed.
In the event that you are not satisfied with our handling of your complaint, you can refer the complaint to your relevant local authority (e.g. Australian Privacy Commissioner, UK’s Information Commissioner’s Office (ICO)).
Changes to Policy
All correspondence with regards to privacy and security should be addressed to:
The Data Protection Officer
Operoo Pty Ltd
25 Gwynne Street
Cremorne VIC 3121
You may contact the Data Protection Officer by email in the first instance.
Third- Party Subprocessors that we use.
Effective date: 5 March 2021
To support delivery of our Services, Operoo may engage and use data processors (“Sub-processors”) that will have access to certain User data, or that will have access to Customer data but not User data (i.e. data about the Organisation that is our Customer, but not its Members). This page provides important information about the identity and role of each Sub-processor.
Prior to engaging any third-party Sub-processor, we assess their privacy, security and confidentiality practices, and our agreements with these Sub-processors commit them to implementing and maintaining appropriate privacy measures.
The Sub-processors we use fall into three categories: Infrastructure providers, Communications tools, and Translation tools. The ones that we currently use are the following:
We use the following Sub-processors to host and process both User data and Customer data, or to provide other infrastructure that helps with delivery of our Services:
|Entity Name||Type of Sub-processing|
|Amazon Web Services LLC||Cloud Services provider (i.e. hosting and processing data)|
Communications Sub-processors that process User data
We use the following Sub-processors to provide tools either for communicating directly with both Users and Customers, or for communicating internally on matters that may entail both User data and Customer data (for example, one Operoo team member providing a User’s name to another Operoo team member in order to complete a support request).
|Entity Name||Type of Sub-processing|
|Zoho (Support module)||Live chat communications with Users when providing user support, and long-term storage of support case records|
|Google Workspace email||Internal communications regarding support and technical development matters, and to receive and send email communications with Users on support issues|
|Slack||Internal communications regarding support and technical development matters|
|Trello||Internal communications regarding support and technical development matters|
Communications Sub-processors that process Customer data but not User data
We use the following Sub-processors to provide tools for communicating with Customers but not with Users, or for storing and processing information that relates to specific Customers but that does not relate to specific Users:
|Entity Name||Type of Sub-processing|
|Xero||Accounting software, to process account payments|
|Zoho (CRM module and e-signatures module)||Customer Relationship Management software, to manage account information regarding Customers and potential Customers, and to manage and send marketing communications to Customers and prospects (but NOT to end-Users)|
We use the following Sub-processor to provide tools for translating an eForm into a User’s preferred language:
|Entity Name||Type of Sub-processing|
|Google Translate||Translation services|
As our business grows and evolves, the Sub-processors we engage may also change. We will post updates of any material changes here. Please check here regularly for updates.
The Company has taken the Student Privacy Pledge to safeguard student privacy regarding the collection, maintenance, and use of student personal information. The commitments are intended to concisely detail existing federal law and regulatory guidance regarding the collection and handling of student data.