Privacy Policy

Last updated: 4th November 2022

Amstelveen is committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information. We value your trust and take our privacy obligations seriously. We have developed this policy to explain how we meet these obligations across the services we provide.

We have adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The APPs govern the way in which we collect, use, disclose, store, secure and dispose of your Personal Information. A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at

1 Definitions

Amstelveen, “we”, “us” and “our” refer to staff or contractors of Amstelveen Pty Ltd.

Anonymous assessments are the default type of assessments created within our iQ service. Assessments can be configured as either anonymous assessments or unique link assessments. Anonymous assessments use the same website link for all respondents, with responses stored in a way that cannot be used to directly identify an individual.

Client refers to the person or entity that has contracted Amstelveen to provide services. The Client may be your employer or a sub-group of your employer (such as team, department, etc.).

iQ service means the Amstelveen iQ product, our proprietary platform for conducting organisational surveys, for example as part of assessing risk culture.

Organisational Member refers to the individuals listed as key contacts for an organisation in our iQ service. By default, this is the person who signed up for our service on behalf of their organisation. However, this person may be changed or may nominate additional people to act on their behalf in this role. Individuals with this role have access to administer assessments on behalf of their organisation and to review assessment reports.

Personal information is information or an opinion that identifies an individual. Examples of Personal Information include names, email addresses and phone numbers.

Raw data refers to data that has been collected but not processed or presented to convey information or meaning.

Raw response data refers to assessment responses provided by respondents within our iQ service.

System administrator means Amstelveen staff or third party hosting providers that have access to administrative portals or underlying back-end systems and infrastructure.

Unique link assessments are assessments that generate a unique website link for each identified respondent. The purpose is to enable Organisational Members that administer the assessment to track response rates. As such, the stored responses do not directly identify the individual.

2 What information do we collect about you?

The information we collect about you depends on how you interact with us.

Information we collect generally

  • If you visit any of our websites: we may use cookies and tracking pixels to capture data on how you interact with our websites to optimise security and performance. This data includes information such as your IP address, referral data, page views, timestamps, device, and browser information.
  • If you use our contact form or contact us directly: the data you provide, such as contact information (names, email address and telephone numbers) and the nature of your enquiry.
  • If you apply for a job: contact information as well as your employment history, resume, accreditations, reference checks, criminal record and sanctions status.
  • If you subscribe to our marketing lists: contact information, information about your company (name, industry, location) and your job title.
  • If you provide services to us: we may collect contact and account information from suppliers, contractors and other third-party service providers.
  • If you attend our physical offices or events: your name and contact information may be collected for visitor records and dietary preferences where catering is provided. In some cases, CCTV footage may be recorded for security purposes. We may also take photo, video and audio recordings at events for use in marketing materials.

Information we collect when providing professional services

In the course of providing professional services to clients, we may be provided with personal information or collect information directly from individuals we deal with. This information will vary depending on the nature of our services, but may include names, addresses, telephone numbers, e-mail addresses, job titles and role responsibilities.

We may collect more detailed information, such as financial details or employment records, and in rare cases sensitive information if required to deliver our services or meet our obligations.

This personal information may be collected through various means such as forms, meetings, emails, telephone conversations or by third parties.

Information we collect as part of our iQ service

  • When you sign up and/or are nominated as an Organisational Member: upon sign up or when someone nominates you to administer assessments we collect data including name, contact details, organisation name, organisation description, organisation size and industry.
  • When you are added as a respondent to an assessment: when creating an assessment with unique links to track response rates, an Organisational Member provides us with your first name, last name and e-mail address.
  • When you respond to an assessment with a unique link: the responses you provide, including any demographic data, are collected in a way that is identifiable to you for the purpose of tracking response rates. While system administrators have access to this data, Organisational Member(s) receive only anonymised or aggregate reporting of this data once sufficient responses are received so your responses are not reasonably identifiable to you.
  • When you respond to an assessment with an anonymous link: the responses you provide, including any demographic data, are stored in a way that cannot reasonably be used to identify you unless you provide identifying information in uncontrolled text fields. Organisational Member(s) receive only anonymised or aggregate reporting of data once sufficient responses are received so your responses are not reasonably identifiable to you.
  • When you interact with the service: We may use tracking cookies and collect log data, for example, login timestamps and session times, in order to optimise the security and performance of the service.

Information you provide on social media sites

We use various social media platforms primarily for marketing and recruitment activities. While we are responsible for the content we publish on these social media platforms, we are not responsible for managing the platforms and for the privacy and processing of your data on them. That includes any ‘likes’, ‘comments’, visits or other interactions with our content. You should familiarise yourself with the privacy policies and controls available directly from the social media platform providers.

Collection of sensitive information

Sensitive information is defined in the Privacy Act as including information or opinion about such things as an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.

Generally, we do not intentionally collect sensitive information about either current or prospective clients. However, as the nature of our services is broad and varied, there may be times when this is required. In cases where sensitive information is provided to us, we will take all reasonable steps to ensure that the necessary consent has been obtained and that the data is securely protected.

3 How do we use your personal information?

When we collect Personal Information we will, where appropriate and where possible, explain to you why we are collecting the information and how we plan to use it.

We collect Personal Information for the following primary purposes:

  • To provide products and services to our clients;
  • To maintain contact with past, present and prospective clients and provide thought leadership, information about our services and invitations to events that we believe may be of interest;
  • To enable us to respond to enquiries from individuals;
  • For seeking feedback on the development and improvement of our services;
  • To comply with legal or regulatory obligations;
  • For managing our business such as billing, account keeping, recruitment, employment and security matters; and
  • For other purposes, which we outlined at the time we collected it.

Marketing opt-out

We may, from time to time, collect Personal Information in order to market our services. You may unsubscribe from further marketing material at any time by using the ‘unsubscribe’ function where available in our communications or by contacting us (see section 9).

Other usages

In some cases, we may use Personal Information that has been de-identified and/or aggregated, such that an individual can no longer be reasonably identified, for the purposes of data analytics, research and product improvement.

4 Who do we disclose your personal information to?

We do not disclose or sell your Personal Information to third parties for targeted advertising purposes without your consent. We may disclose Personal Information to the following people and companies for the purposes set out in section 3:

  • Third parties including subcontractors, suppliers and partners we engage to support the delivery of our services or business operations, such as technology and accounting providers;
  • Previous employers and job references if you have applied for a job with us;
  • Law enforcement, regulatory or government agencies or other third parties where required or authorised by law; and
  • Other third parties where you have consented to their use at the time we collected your Personal Information.

In the event we consider disclosing Personal Information for reasons not set out in this policy, we will notify you or seek your consent before disclosure.

5 How do we store and protect your information?

Protection of Personal Information

We use a combination of administrative, technical and organisational measures when storing and processing Personal Information in order to provide reasonable protection from misuse, loss or unauthorised access, modification or disclosure. Such measures include:

  • Education and training of staff so they are aware of procedures to securely handle data;
  • Technical and administrative controls to restrict unauthorised access to data;
  • Technical controls implemented by us and our technology providers, such as encryption, anti-virus, firewalls, logging and monitoring; and
  • Physical security controls such as security access passes, CCTV and locked cabinets.

Retention of Personal Information

When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information. Personal Information collected for the purpose of providing our services and managing our business is typically retained for a minimum period of seven (7) years unless a request is made to delete it per section 6.

Transfer of information outside of Australia

It is our policy that records containing Personal Information are stored within Australia wherever it is commercially feasible. However, some specialist software applications we use involve the storage and processing of data at overseas locations, including our accounting, customer relationship management and training systems. These locations include, but are not limited to, the United States, Europe and New Zealand.

6 How can you access or correct your personal information?

Making a request

You may request a copy of the Personal Information we hold about you or request that we update or correct it. In some rare cases, we may refuse access to certain information, for example, due to commercial sensitivity or legal reasons. In such a case we will write to you explaining our decision.

You may also request that we delete your Personal Information, in which case we will take reasonable steps to identify and permanently remove it from our systems unless it is required for legal or compliance needs.

To make any of these requests, please see section 9 for details on how to contact us.

If you are an Organisational Member in our iQ service, there is also self-service functionality available to access, update or permanently delete the data we hold about you for that service.

Fees and timing

We will not charge any fee for your requests. Please allow up to 28 calendar days for us to process your request.

Proof of identification

In order to protect your Personal Information we may require identification from you before processing your request.

7 How is this policy updated?

This policy may change from time to time to reflect changes to our business; however, the latest version of this policy can be accessed on our website. We will amend the revision date at the top of this page to indicate when we have made changes.

8 How can you make a privacy complaint?

If you are concerned about how we have handled your Personal Information and wish to make a complaint, please contact us using the details provided in section 9. We will endeavour to investigate and respond to your complaint within 28 days. If this is not possible, we will contact you with a revised timeline for our full response.

If you are not satisfied with how we have handled your complaint, you can contact the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
1300 363 992

9 How do you contact us?

To make an enquiry or request, raise a complaint or ask a question about our Privacy Policy please contact us at:

Privacy officer
Amstelveen Pty Ltd
Level 11, 570 George Street
Sydney NSW 2000
