ACR Business Systems is committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information.
We have adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The NPPs govern the way in which we collect, use, disclose, store, secure and dispose of your Personal Information.
Personal Information is information or an opinion that identifies an individual. Examples of Personal Information we collect include: names, email addresses, phone and location information.
We collect your Personal Information for the primary purpose of providing our services to you, providing information to our clients and marketing. We may also use your Personal Information for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use or disclosure. You may unsubscribe from our mailing/marketing lists at any time by contacting us in writing.
When we collect Personal Information we will, where appropriate and where possible, explain to you why we are collecting the information and how we plan to use it.
Where reasonable and practicable to do so, we will collect your Personal Information only from you. However, in some circumstances we may be provided with information by third parties. In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.
To support the Document Processing System (DPS) within the ACR ERP System, the windows client side application provides a configuration program ("DPS Configuration") that is the launch point for you to add your Google account via OAuth, which occurs outside of the ACR ERP system and within Google's infrastructure (I.e. ACR does not capture nor store your password). This OAuth mechanism will provide a temporary "authorisation code", which is passed directly and immediately from the Google API back to the DPS configuration.
The DPS will then pass this "authorisation code" to the Google API in exchange for two tokens: a "access token" (which expires at defined intervals) and a "request token", the latter of which is used to obtain a new "access token", when the old one expires. Both tokens are stored securely within the DPS and used only to facilitate the subsequent communications with Google Drive APIs on behalf of your Google Account. Like the original "authorisation code", communications containing the "refresh token" and/or "access token" are only between Google and the DPS, and do not pass through any intermediary ACR web servers or websites.
The subsequent communications referred to above, are limited to those required between the DPS and the Google API, in order to support the storage management of your business documents within Google Drive. As such the DPS will be granted access to Read, Create, Modify and Delete any data stored within your Google Drive, however ACR have ensured that the software will only use these privileges for use within the confines of the DPS. That is, we will not interact with files or folders in your Google Drive, which are outside of the root ("home") folder of the DPS.
Your Personal Information may be disclosed in a number of circumstances including the following:
- Third parties where you consent to the use or disclosure; and
- Where required or authorised by law.
Your Personal Information is stored in a manner that reasonably protects it from misuse and loss and from unauthorized access, modification or disclosure.
When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information. However, most of the Personal Information is or will be stored in client files which will be kept by us for a minimum of 7 years.
You may access the Personal Information we hold about you and to update and/or correct it, subject to certain exceptions. If you wish to access your Personal Information, please contact us in writing.
ACR Business Systems will not charge any fee for your access request, but may charge an administrative fee for providing a copy of your Personal Information.
In order to protect your Personal Information we may require identification from you before releasing the requested information.
It is an important to us that your Personal Information is up to date. We will take reasonable steps to make sure that your Personal Information is accurate, complete and up-to-date. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.
This Policy may change from time to time and is available on our website.