The Resilience Box

Privacy Policy

Our commitment to privacy
The Resilience Box Pty Ltd(ACN 636 137 409) and its related companies in Australia (collectively referred to as The Resilience Box) are committed to managing personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and in accordance with other applicable privacy laws.
If you are located:
- in the European Union (“EU”), you have additional rights under the EU General Data Protection Regulation(“GDPR”);
- in the United Kingdom (UK), you have additional rights under the UK General Data Protection Regulation; or
- in California, you have additional rights under the California Consumer Privacy Act (CCPA).
Details of those additional rights and how we address them are set out at the end of our Privacy Policy.
This document sets out our policies for managing your personal information and is referred to as our “Privacy Policy”.
In this Privacy Policy, “we”, “our” and “us” refers to The Resilience Box and “you” refers to any individual about whom we collect personal information and/or sensitive information.
About The Resilience Box
The Resilience Box operates the website app.resiliencebox.com in conjunction with The Resilience Box® digital platform, which includes The Resilience Box® application and provides tools to navigate life’s challenges both inside and outside of work, which you can use to strengthen your resilience and general wellbeing (collectively the Platform). The Platform provides a wide range of DIY learning activities and enables you to make counselling and coaching appointments.
What information does The Resilience Box collect about you?
The personal information that we collect from you will depend on the ways in which you engage with us and/or the Platform.
1. Users of the Platform
  When you register to use the Platform, we collect your name, work email and personal email addresses and phone number.When you use various tools or services which are made available on the Platform, such as completing activities, questionnaires and online assessments or schedule appointments with our psychologists, collected information may include sensitive information, for example, information about your wellbeing, mental health and health concerns. Other information which may be collected includes information recorded in your personal log.
  The Platform utilises software which tracks your use of the Platform, such as the fact sheets and videos you have accessed.
  Our software is able to determine where you are located from the IP address of the device you are using to access the Platform. Our Platform collects this location data.
2. Corporate clients
  When you enquire about our services on behalf of your company or when your company becomes a corporate client of The Resilience Box and you are the key contact, the types of personal information that we collect from you will vary depending on the circumstances of collection and the kind of service that you request from us. Collected information will typically include:
  1. your name, e-mail address, postal address and other work-related contact details;
  2. information about your employer or the organisation that you represent;
  3. your professional details; and
  4. any additional personal information you provide to us, or authorise us to collect, as part of your interaction with us.
3. Other individuals
  We may collect personal information about other individuals who are not users of the Platform and/or corporate clients of The Resilience Box. This may include members of the public who participate in events we are involved with, individual service providers and contractors to The Resilience Box and other individuals who interact with us on a commercial basis.
The kinds of personal information we collect will depend on the capacity in which you are dealing with us. Generally, it would include your name, contact details and information regarding our interactions and transactions with you.
You can always decline to give The Resilience Box any personal information we request, but that may mean that we cannot provide you with some or all of the services you have requested. If you have any concerns about personal information we have requested, please let us know.
How and why does The Resilience Box collect and use your personal information?
The Resilience Box collects personal information which is reasonably necessary to carry out our business, to assess and manage the needs of users of the Platform and our clients and to provide services including the wide range of services made available via the Platform. We may also collect information to fulfil administrative functions associated with these services, for example billing, entering into contracts with you or third parties and managing client relationships.
The purposes for which we usually collect and use personal information depends on the nature of your interaction with us, but may include:
1. Users of the Platform
  Your personal information will be used to:
  1. assist you to monitor and improve your wellbeing and resilience. When you complete various assessments or questionnaires on the Platform, for example, we will provide you with content which is tailored to your assessment responses;
  2. enable you to book and manage psychologist and/or coaching appointments you make using the Platform; and
  3. provide you with online training modules, as well as access to videos and fact sheets.
  Please note that if you are completing a “Daily Mood Check-in” on the Platform and your response is:
  1. “overwhelmed” (level 4)– we will contact you by SMS as soon as possible during business hours to “check-in” on your wellbeing; and
  2. “I’m not coping” (level 5) – as your response causes us concern, we will call you and check-in on your wellbeing, as soon as possible, within business hours.
  Information collected by the software on our Platform, such as details of fact sheets and videos accessed by Platform users, will be utilised in de-identified and aggregated reports, which we provide to our corporate clients so that they may see how our Platform is being used by their employees, for example, which Platform content is the most popular. These reports do not contain personal information.
  If you speak with one of our psychologists by phone or video link, your call/meeting will not be recorded. All text messages and chat room discussions with our psychologists are confidential and password protected.
  In order that we can provide you with our services, the Platform stores information it collects from users, such as search histories, online training which has been completed, assessments and reports, as well as details of appointments scheduled with our psychologist and/or coaches.
2. Corporate Clients and Suppliers
  Your personal information will be used to administer and manage our relationship with your company.
3. Other Uses of Personal Information
  Your personal information may also be used, for example, for the following purposes:
  1. responding to requests for information and other general inquiries;
  2. managing, planning, advertising and administering programs, events, competitions and promotions;
  3. to inform you about our services, including new content and features added to the Platform;
  4. to contact you about upcoming promotions and events in relation to your wellbeing that may interest you;
  5. for internal business and management processes; and
  6. responding to complaints.
  The Resilience Box also collects and uses personal information for market research purposes and for service innovation. While no personal information of users of the Platform will be disclosed to their employers, de-identified and aggregated data, such as statistics, may be provided to our corporate clients and third parties from time to time.
The Resilience Box generally collects personal information directly from you. We may collect and update your personal information via the Platform, over the phone, by email, over the internet or in person.
We may also collect personal information about you from other sources, for example:
1. your employer, if your employer has engaged us to make the Platform available to its workforce;
2. our related companies; and
3. third party suppliers and contractors who assist us to operate our business.
How does The Resilience Box disclose personal information?
1. Users of the Platform
  If you are a registered user of the Platform, we may disclose your personal information to third parties, such as service providers whom we have engaged to provide services on our behalf such as our consulting psychologists or as required by law. If you are an individual subscriber and we provide services to you, we may provide your personal information to our payment processors. Where we consider it necessary, we may disclose your personal information to an emergency service provider, such as an ambulance service, the police or fire brigade.
  Where you provide consent, your personal and/or sensitive information may be disclosed to your treating psychologist or other health professional.
2. Corporate clients
  The purposes for which we may disclose your personal information will depend on the services we are providing you. For example, if you have engaged us to deliver a service, we may disclose information about you to service providers where this is relevant to our services.
3. Disclosure to contractors and other service providers
  The Resilience Box may disclose information to third parties we engage in order to provide our services, including contractors and service providers used for data processing, data analysis, client and user satisfaction surveys, information technology services and support, website maintenance/development, printing, archiving, mail-outs and market research. Information disclosed is limited to the information which is reasonably necessary for these third parties to perform their limited functions for us.
  Personal information may also be shared between related companies of The Resilience Box, located in Australia.
  Third parties to whom we have disclosed your personal information may contact you directly to let you know they have collected your personal information and to give you information about their privacy policies.
4. Disclosure for administration and management
  The Resilience Box will also use and disclose personal information for a range of administrative, management and operational purposes. This includes:
  1. administering billing and payments and debt recovery;
  2. planning, managing, monitoring and evaluating our services;
  3. quality improvement activities;
  4. statistical analysis and reporting using aggregated and de-identified data;
  5. training staff, contractors and other workers;
  6. risk management and management of legal liabilities and claims (for example, liaising with insurers and legal representatives);
  7. responding to enquiries and complaints regarding our services;
  8. obtaining advice from consultants and other professional advisers; and
  9. responding to subpoenas and other legal orders and obligations.
5. Other uses and disclosures
  We may use and disclose your personal information for other purposes explained at the time of collection or otherwise as set out in this Privacy Policy. .
Does The Resilience Box disclose your personal information overseas?
Personal information is not disclosed routinely to overseas recipients.
How does The Resilience Box interact with you via the internet?
You may visit our website (www.resiliencebox.com) without identifying yourself. If you identify yourself (for example, by providing your contact details in an online enquiry), any personal information you provide to us will be managed in accordance with this Privacy Policy.
Our website uses cookies. A “cookie” is a small file stored on your computer or other device's browser, which assists in managing customised settings of the website and delivering content. We collect certain information such as your device type, browser type, IP address, pages you have accessed on our website and on third-party websites. Cookies are used to assist the Platform to remember users.
You can use the settings in your browser to control how your browser deals with cookies. However, in doing so, you may be unable to access certain pages or content on our website.
As stated above, our Platform also tracks how our Platform is utilised, for example, the frequency that content on the Platform is accessed. However, only data which has been de-identified and aggregated (i.e. contains no personal information) is subsequently provided in reports to corporate clients.
The Resilience Box's website may contain links to third-party websites. We are not responsible for the content or privacy practices of websites that are linked to our website.
Our Cookie Policy https://app.resiliencebox.com/cookiescontains information about our use of cookies.
Can you deal with The Resilience Box anonymously?
The Resilience Box will provide individuals with the opportunity of remaining anonymous or using a pseudonym in their dealings with us where it is lawful and practicable (for example, when making a general enquiry). Generally, it is not practicable for us to deal with individuals anonymously or pseudonymously on an ongoing basis. If we do not collect personal information about you, you may be unable to utilise the Platform, our services or participate in our events, programs or activities that we may manage or deliver.
How does The Resilience Box hold information?
We take reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.
Calls and video link meetings between users of the Platform and our psychologists are not recorded. Any texts and chat room discussions between Platform users and psychologists are confidential. Text message details and chat rooms are password protected.
Personal information may be collected in paper-based documents and converted to electronic form for use or storage (with the original paper-based documents either archived or securely destroyed).
The Resilience Box maintains physical security over paper and electronic data stores, such as through locks and security systems at our premises. We also maintain computer and network security, for example, we use firewalls (security measures for the internet) and other security systems such as user identifiers and passwords to control access to our computer systems, as well as double encryption. Our IT systems comply with relevant security standards. Only authorized personnel are permitted to access these systems. Individual login credentials are encrypted.
Digital data, including personal information collected via the Platform, is stored in the Cloud in Australia.
We take steps to destroy or de-identify information that we no longer require.
Does The Resilience Box use or disclose your personal information for direct marketing?
The Resilience Box may use or disclose your personal information for the purpose of informing you about our services, including new content and features added to the Platform. We may also contact you about upcoming promotions and events in relation to your wellbeing that may interest you.
If you do not want to receive direct marketing communications, you can opt-out at any time by contacting us using the contact details below. If you opt-out of receiving marketing material from us, we may still contact you in relation to our ongoing relationship with you.
We do not send your personal information to third parties for direct marketing purposes.
How can you access or seek correction of your personal information?
You are entitled to access your personal information held by The Resilience Box on request. To request access to your personal information, please contact our Privacy Officer using the contact details set out below.
You will not be charged for making a request to access your personal information but you may be charged for the reasonable time and expense incurred in compiling information in response to your request.
We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in information we hold about you and letting us know if your personal details change.
However, if you consider any personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, you are entitled to request correction of the information. After receiving a request from you, we will take reasonable steps to correct your information. Alternatively, you may be able to update your contact information, for example, by logging into your account on the Platform.
We may decline your request to access or correct your personal information in certain circumstances in accordance with the Australian Privacy Principles. If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your personal information about the requested correction (if you ask us to do so).
What should you do if you have a complaint about the handling of your personal information?
You may contact The Resilience Box at any time if you have any questions or concerns about this Privacy Policy or about the way in which your personal information has been handled.
You may make a complaint about privacy to the Privacy Officer using the contact details set out below.
The Privacy Officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint.
Your complaint will then be investigated. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather relevant facts, locate and review relevant documents and speak with individuals involved.
In most cases, we will investigate and respond to a complaint within a reasonable time, usually within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.
If you are not satisfied with our response to your complaint, or you consider that The Resilience Box may have breached the Australian Privacy Principles or the Privacy Act, you may make a complaint to the Office of the Australian Information Commissioner. The Office of the Australian Information Commissioner can be contacted by telephone on 1300 363 992 or by using the contact details on the website www.oaic.gov.au.

EU and UK Residents

How we use your personal information

We can only collect and use your personal information if we have a valid lawful reason to do so. Our reasons are:

Consent - you have consented to our processing of your personal information for a specific purpose
Contract - we process your personal information to fulfil a contract you have with us or, alternatively, because you have requested us to take specific steps before you enter into a contract with us
Legitimate interests - we process your personal information for our legitimate interests (or a third party’s legitimate interests) unless the legitimate interests are overridden by a good reason to protect your personal information
Legal obligations - we process your personal information in order for us to comply with the law (which does not include complying with contractual obligations)

Personal information uses	Our reasons
To provide and administer our products and services	contract performance legitimate interests (to allow us to perform our obligations and provide the Platform and associated services to you)
For marketing purposes	legitimate interests (in order to market to you) consent (which can be withdrawn at any time)
To manage our relationship with you	consent contract performance legal obligations legitimate interests
To provide customer support	contract performance legal obligation legitimate interests (to allow us to communicate with you in connection with our Platform and associated services)
To comply with our legal obligations	legal obligation legal claims legitimate interests (to cooperate with law enforcement and regulatory authorities)
To prevent and detect fraudulent activity	legal claims legitimate interests (to prevent, detect and take action in response to fraudulent activity, including fraudulent transactions)
To conduct market, consumer and other research	legitimate interest (to ensure that we understand our users’ and clients’ requirements)
To ensure content is relevant	legitimate interests (to allow us to provide you with the content and services on our Platform and website)

Individual Rights

If you are located in the EU or the UK, you have the following additional rights:

The right to information – you can request confirmation about the following: whether your personal information is being processed by us; the purpose of processing; the categories of personal information which are processed; the recipients (or types of recipients) who may receive the personal information; the anticipated retention period of the personal information; and your rights to rectification, erasure, to restrict (or object) to processing and to lodge a complaint with a data protection supervisory authority in the EU or the UK.
The right to object to our processing of your personal information for (i) direct marketing purposes; (ii) for scientific, historical research or statistical purposes; or (iii) where our processing is based on legitimate interest grounds or because it is in the public’s interest. We will respond to your objection request within a month. However, there may be some circumstances where we are not required to stop processing your personal information. If this is the case, we will provide you with a written explanation.
The right to restrict processing – in some circumstances, you can request us to restrict our use of your personal information in which case we will not use or disclose your personal information while it is restricted. We will respond to your restriction request within a month.
The right to erasure – you can request us to erase your personal information where it is no longer required for a purpose for which it was collected or where, for example, you have exercised successfully your right to object to processing. We will respond to your erasure request within a month. However, where there are legal or other reasons for us to retain your personal information, we will provide you with a written explanation.
The right to data portability – you can request us to provide you with a copy of the personal information you have provided to us. We are required to provide it to you in an electronic format that can be reused easily. You can also request us to transfer your personal information in an electronic format to another entity.

You can exercise any of these rights by contacting us using the contact details below.

You also have the right to:

access your personal information and request the correction of your personal information (see 11 above: “How can you access or seek correction of your personal information?”); and
lodge a complaint with a data protection authority if you are unhappy with the outcome of a privacy complaint. See 12 above (‘What should you do if you have a complaint about the handling of your personal information?’ ), whichexplains our complaints handling process.A list of EU protection authorities is available athttps://ec.europa.eu/. The UK data protection authority is the Information Commissioner’s Office (https://ico.org.uk).

California Resident
If you are a resident of the State of California, you may exercise the rights described below. By choosing to exercise your rights as described below, you are declaring that you are a California resident as defined in the CCPA.
1. Right to Know. You have the right to ask us for a copy of your personal information collected over the past 12 months and for information about how we collect, use, disclose, and sell it. We do not share personal information with third parties for their own direct marketing purposes without your permission. Please refer to the following sections of our Privacy Policy for specific information on these matters:
  - 3. What information does The Resilience Box collect about you?
  - 4. How and why does The Resilience Box collect and use your personal information?
  - 5. How does The Resilience Box disclose personal information?
  - 10. Does The Resilience Box use or disclose your personal information for direct marketing?
  - Right to Deletion. You have the right to request us to delete any of your personal information. If we delete your personal information, you will permanently lose access to your personal information and/or your personal log. We may deny your deletion request when permitted by applicable law or 13for business purposes including, without limitation, when personal information is needed to comply with our legal obligations, to meet regulatory requirements, support our business operations, resolve disputes, maintain security or to prevent fraud and abuse. We retain anonymised information after your user account has been closed.
  - Right to Correction. You have the right to update or modify your personal information. If you have a user account, you may update or modify your personal information by accessing your account and editing your account information. If you do not have a user account, then you may request that your personal information be updated by emailing us at: privacy@resiliencebox.com.
  - Right to Opt-Out of the Sale of Your Personal Information.You have the right to ask that we not sell your personal information. We do not sell, in the traditional sense of the word, or rent personal information to third parties for money. We do, however, share your personal information as we have described in this Privacy Policy.
  - Right to Non-Discrimination. We will not discriminate against individuals who exercise their rights under the CCPA.
  - Exercising your Rights. If you wish to exercise any of these rights, please contact us using the contact details below. Before we can process your request, we will need to verify your identity. We reserve the right to deny a request where we are unable to satisfactorily complete this process. If you authorise someone to make a request on your behalf, we may also deny your request if we are unable to verify that the individual making the request is authorised to act on your behalf.
How changes are made to this Privacy Policy?
We may amend this Privacy Policy from time to time. We will publish any changes to the Privacy Policy on the Platform and on our website at app.resiliencebox.com. When material changes are made to our Privacy Policy, we will endeavour to provide you with reasonable notice before the changes take effect.
We encourage you to review the Privacy Policy regularly for updates and amendments.
How can you contact The Resilience Box?

Our contact details are:

The Privacy Officer
The Resilience Box Pty Ltd
PO Box Q197
Queen Victoria Building NSW 1230

Email: privacy@resiliencebox.com
Phone: +61 02 8243 1500

Last Updated: This Privacy Policy was last updated on 28 October2021.