Virax Biolabs Privacy Notice

Effective date: 29 January 2024

 

This Virax Biolabs Privacy Notice describes how we collect and process personal information in relation to our Virax Biolabs Group website and software Services (together “Virax”).

We offer our Services to customers either directly or via our authorized partners. Where we refer to customers in this notice, we also mean our partners and their customers.

If European Union (“EU”), United Kingdom (“UK”) or Swiss data protection law applies to the processing of Service Data relating to you, you can review the European Privacy Standards and GDPR section below to learn more about your rights and Virax’s compliance with these laws.

 

Service Data we collect

 

Virax processes Customer Data, Partner Data and Service Data to provide our Services. This privacy notice applies solely to Service Data and does not apply to Customer Data or Partner Data. We explain what we mean by Service Data below.

Customer Data and Partner Data are defined in Agreements with our customers covering our Services, and represent the data that you and our customers provide for processing in our Services. For more information about how we process Customer Data and Partner Data, please contact [email protected].

Service Data is the personal information that Virax collects or generates during the provision and administration of our Services and related technical support, excluding our Customer Data and Partner Data.

Service Data consists of:

  • Account information – we collect the data that you or your organisation provide when creating an account for our Services or entering into a contract with us (username, names, contact details and job titles)
  • Service payments and transactions – we keep reasonable business records of charges, payments, and billing details and issues.
  • Service settings and configurations – we record your configuration and settings, including resource identifiers and attributes, and service and security settings for data and other resources.
  • Technical and operational details of your usage of our Services – we collect information about usage, operational status, software errors and crash reports, authentication details, quality and performance metrics, and other technical details necessary for us to operate and maintain our Services and related software. This information includes device identifiers, identifiers from cookies or tokens, and IP addresses.
  • Your direct communications – we keep records of your communications and interactions with us and our partners (for example, when you provide feedback, ask questions or seek technical support).

Why we process Service Data

 

Virax processes Service Data for the following purposes:

  • Provide our Services you request – we use Service Data primarily to deliver our Services that you and our customers request. This includes processing Service Data as needed to conduct checks before extending credit to certain customers, to bill for our Services used, to ensure those services are delivered or working as intended, to detect and avoid outages or other technical problems, and to secure your data and services.
  • Make recommendations to optimize use of our Services – we use Service Data to provide you and our customers with recommendations (for example, suggesting ways to better secure your account or data, reduce service charges or improve performance, or optimize your configurations), and providing information about new or related products and features. We also evaluate your responses to our recommendations and other feedback (if you choose to provide it).
  • Maintain and improve our Services – we evaluate Service Data to help us improve the performance and functionality of our Services. As we improve our Services for you, this will improve them for our customers, and vice versa.
  • Provide and improve other services you request – we use Service Data to deliver and improve other services that you and our customers request, including Virax or third-party services that are enabled via our Services, administrative consoles, application programming interfaces (APIs) or command line interfaces (CLIs).
  • Assist you – we use Service Data to provide technical support for our Services that you and our customers request, and to assess whether we have met your needs. We also use Service Data to improve our technical support, inform you and our customers about updates to our Services and send other notifications relating to our Services.
  • Protect you, our users, customers, the public, and Virax – we use Service Data to detect, prevent and respond to fraud, abuse, security risks, and technical issues that could harm you, other users, our customers, the public, or Virax. This helps make our services safer, more reliable, and more secure.
  • Comply with legal obligations – we use Service Data to comply with our legal obligations (for example, where we’re responding to legal process or an enforceable governmental request, or meeting our financial record-keeping obligations).

To achieve these processing purposes, we use algorithms to recognize patterns in Service Data, manual review of Service Data (such as when you interact directly with our billing or support teams), aggregation or anonymization of Service Data to eliminate personal information, and combination of Service Data with information from other Virax products and services. We also use Service Data for internal reporting and analysis of applicable product and business operations.

 

Where Service Data is stored

 

Our Services are provided on Cloud servers around the world. Service Data may be processed on servers located outside of the country where our users and customers are located because Service Data is typically processed by centralized or regionalized operations like billing, support, and security.

Regardless of where Service Data is processed, we apply the same protections described in this Privacy Notice. When transferring Service Data outside of the European Economic Area, the UK or Switzerland, we comply with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

How we secure Service Data

We build our Services with strong security features to protect your data. The insights we gain from providing our services help us detect and automatically block security threats from ever reaching you.

We work hard to protect the Service Data we hold from unauthorized access, alteration, disclosure, or destruction, including by:

  • Encrypting Service Data at rest and while in transit between our facilities.
  • Regularly reviewing our Service Data collection, storage, and processing practices, including our physical security measures, to prevent unauthorized access to our systems; and
  • Restricting access to Service Data to Virax employees, contractors, and agents who need it in order to process Service Data for us. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

How we share Service Data

 

We instruct our affiliates to process Service Data for the purposes listed under “why we process Service Data” above, in compliance with this Privacy Notice and appropriate confidentiality and security measures.

We do not share Service Data with companies, organizations, or individuals outside of Virax except in the following cases:

  • When you procure third-party services We share Service Data outside of Virax when you or our customer choose(s) to procure a third-party service through our Services Platform, or use a third-party application that requests access to your Service Data.
  • With your consent We’ll share Service Data outside of Virax where we have obtained your consent.
  • With your administrators and authorized resellers. When you use our Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain Service Data. F or example, they may be able to:
    — View account and billing information, activity and statistics
    — Change your account password
    — Suspend or terminate your account access
    — Access your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request
    — Restrict your ability to delete or edit your information or your privacy settings
  • For external processing We do not sell your Service Data to any third parties. We share Service Data with trusted third party providers to process it for us as we instruct them and in compliance with this Privacy Notice and appropriate confidentiality and security measures. In particular, we share Service Data with our third party providers when you request technical support services (we share the information you provide in the support ticket, and those providers may communicate with you or your administrator in that ticket, including providing updates and closing the ticket) and professional services (we share your contact details to enable communication and collaboration).
  • For legal reasons We share Service Data outside of Virax when we have a good-faith belief that access to, or disclosure that Service Data is reasonably necessary to:
    — Comply with applicable law, regulation, legal process, or enforceable governmental request.
    — Enforce applicable agreements, including investigation of potential violations.
    — Detect, prevent, or otherwise address fraud, security, or technical issues.
    — Protect against harm to the rights, property or safety of Virax, our customers, users, and the public as required or permitted by law.
    If Virax is involved in a reorganization, merger, acquisition, or sale of assets, we’ll continue to ensure the confidentiality of Service Data and give affected users notice before Service Data becomes subject to a different privacy policy.

Access to Service Data

Your organization may allow you to access and export your data in order to back it up or transfer it to a service outside of Virax. Our Services enable you to directly access and download the data you have stored in the services, as further described in our Agreement with your organization and related guidelines that explain how you or your organization may use various tools to access, control, and export your data.

You and your organization’s administrator can access several types of Service Data directly from our Services, including your account information, billing contact information, payment and transaction information, as well as product and communication settings and configurations. If you’re otherwise unable to access your Service Data, you can always request it through our Services Platform or via email [email protected]

Retention and Deletion of Services Data

We retain Service Data for different periods of time depending on the type of data, how we use it, and how you configure your settings. When we no longer need Service Data, we delete or anonymize it.

For each type of Service Data and processing operation, we set retention timeframes based on the purposes for which we process it, and ensure that the Service Data is kept for no longer than necessary. We retain most types of Service Data for a set period of up to 180 days (the exact number depends on the specific type of data). However, some Service Data may be kept for longer periods where there is a business need. We generally have longer retention periods (which can be over a year) for Service Data that is kept for the following purposes:

  • Security, fraud and abuse prevention – we retain Service Data when it is necessary to protect against fraudulent attempts to gain access to user accounts, or to investigate violations of our applicable Services agreements. Usually, the Service Data retained where there is reason to suspect fraud or abuse would include device identifiers, identifiers from cookies or tokens, and IP addresses, as well as log data about usage of our Services.
  • Complying with legal or regulatory requirements – we retain Service Data when required by an enforceable legal process, such as when Virax receives a lawful subpoena.
  • Complying with tax, accounting or financial requirements – when Virax processes a payment for you, or when you make a payment to Virax, we retain Service Data about those transactions (including billing information), typically for a minimum of five years, as required for tax or accounting purposes, or to comply with applicable financial regulations. At the end of the applicable retention period, we follow detailed protocols to make sure that the Service Data is securely and completely deleted from our active systems (the servers Virax uses to run applications and store data) or retained only in anonymized form. After completion of these steps, copies of Service Data will remain for a limited period in our encrypted backup systems (which we maintain to protect Service Data from accidental or malicious deletion and for outage and disaster recovery purposes), before being overwritten by new backup copies.

European Privacy Standards and GDPR

Exercising your data protection rights

If EU, UK or Swiss data protection law applies to the processing of Service Data relating to you, you have certain rights, including the rights to access, correct, delete and export your Service Data, and to object to or request that we restrict processing of your Service Data.

Virax Biolabs (UK) Limited (UK registration 13630639) will be the data controller responsible for your Service Data. However, where our customer has entered into an agreement covering our Services with a different Virax affiliate, that affiliate will be the data controller responsible for processing your Service Data in connection with billing for our Services only.

If you want to exercise your data protection rights with regard to Service Data we process in accordance with this Privacy Notice, and you are not able to do so via the tools available to you or your organization’s administrator, you can contact [email protected].

You can always contact your local data protection authority if you have concerns regarding your rights under local law.

Our legal grounds for processing Service Data

Where necessary for our legitimate interests in:

  • Fulfilling the contractual obligations which we owe to our customer to provide our Services.
  • Offering the best service we can, and ensuring our customers know how to get the most out of our Services.
  • Continuing to improve our Services to meet our customers’ needs.
  • Protecting against harm to the rights, property and safety of Virax, and where necessary for Virax’s and third parties’ legitimate interests to protect against harm to our users, our customers and the public, including criminal acts and rights violations. When we have a legal obligation to do so. For example, where we’re responding to legal process or an enforceable governmental request, or retaining information relating to your purchases and communications to meet our record-keeping obligations.

Contact Information

If you have any questions about this Virax Privacy Notice or privacy practices, please contact our Privacy and Data Protection Officer [email protected].

Updates to this Privacy Notice

We may update this Privacy Notice from time to time. We will not make any significant changes without notifying you in advance by posting a prominent notice on this page describing the changes or by sending you a direct communication. We encourage you to regularly review this Privacy Notice, and we will always indicate the date the last changes were published.