FACS Reporting Service
Privacy Policy

Who are we?

GCS Agile Pty Ltd (ABN 61 104 639 063) (we or us) is a provider of seamless technology services to its financial services clients. The services we provide through our website www.crs-fatca-reporting.com.au (the Website) are designed to generate electronic reports (from data uploaded by our clients) in a format complying with international tax reporting requirements (Compliance Reports). These services (Services) involve the processing and storage of data about a company or individual – which may include your personal information.

Protecting your privacy

We are committed to respecting your privacy. We handle personal information in accordance with the Australian Privacy Principles in the Privacy Act 1988 (Cth). We’d like you to understand how we collect, handle and use your personal information in providing the Services and operating this Website – so this privacy policy sets out:

  • The personal information we collect through our Website and in providing the Services;
  • Why we collect it;
  • What we do with it and how we secure it; and
  • How you can access and update it, or complain about our handling of it.

If you represent a client of ours using the Services (Client), then:

  • this policy should be read with the Terms of Use for our Website (see www.crs-fatca-reporting.com.au/facs/terms.html); and
  • in using the Services in that capacity, you (as a Client Representative) consent to us collecting, using and disclosing your personal information in accordance with this policy.

We may change this policy at any time by posting the amended policy on this Website. We will make every effort to notify you by email, or notice on the Website, if the changes are significant, but you should also check the Website regularly to ensure that you are aware of any changes to this policy.

What personal information do we collect?

Personal information includes information or an opinion about an identifiable individual. In providing the Services to our Clients, we may collect the following types of personal information about you:

  • your name;
  • your date of birth;
  • your geographical location, IP address used to connect to the internet, connection information like browser type and version, your operating system and platform, a unique reference number linked to the data you enter on our system, login details, and your activity on our Website, including pages you visit, searches / downloads you make and the date and time at which you do so;
  • if you are a customer of our Client (Client Customer), your bank account details, income balances, address, residence details, connections with other countries where you may be tax resident, transaction values, taxation details (including your Tax Identification/File Numbers), and accounting and financial information;
  • if you are a Client Representative:
    • your contact information, like your telephone number, mail or email address;
    • the name of the Client you represent and your position with that Client;
    • the Services we have provided or are to provide to you/the Client, including any further information we need in order to do so;
  • any other information relating to you that you provide to us, including information provided through the Services or customer surveys; and
  • any other personal information that we may need to assist in your dealings with us.

Please note that any credit card details used to pay for the Services are not stored by us and cannot be accessed by our personnel. Those details are encrypted and securely stored by National Australia Bank Limited (NAB), our payment processor, through its NAB Transact Direct Post service. NAB’s privacy policy at https://www.nab.com.au/common/privacy-policy applies to NAB’s handling of this information and it is not covered by this privacy policy.

How do we collect personal information?

We may collect personal information about you when:

  • you (as a Client Representative) enquire about using, register to use, or in fact use, the Services or this Website;
  • a Client Representative uses the Services, including by uploading information to the Website, to generate a report which concerns you (as a Client Customer);
  • you contact our support team; or
  • you visit our Website.

We will only ask for your personal information from you directly, unless you are a Client Customer – in which case our Client has undertaken to us (in the Terms of Use) that you have consented to the Client providing us with your personal information for the purposes set out in (and subject to) this policy.

If you (as a Client Representative) provide personal information to us about a Client Customer or any other person, you must:

  • ensure that they have authorised you to provide that information to us, so that we can use and disclose it for the purposes described in this policy, without having to take any further steps required by applicable privacy laws;
  • take reasonable steps to ensure they are aware of and consent to the matters set out in this policy, including that their personal information is being collected, the purposes for which it is being collected, the intended recipients of that information, the person's right to access that information, our identity, and how to contact us;
  • provide them with a copy of this policy; and
  • if we request, help us with any requests by that person to access or update their personal information entered into the Services.

You can choose not to provide your personal information to us, but if you are a Client Representative, that will make us unable to provide the Services to you.

What about cookies?

Information may also be collected and stored when you interact with our Website. In particular, we may use cookies, web beacons and other mechanisms to monitor usage of the Website to improve its content and usability.

A cookie is a packet of information sent by a server to an Internet browser and then returned by the browser each time it accesses the server. Cookies are used to remember visitors within a session and to facilitate transaction functions. You can deactivate cookies through your browser, but this may interfere with this Website’s performance.

Web beacons (also known as web bugs, pixel tags or clear GIFs) are transparent graphic images on a web site. They are typically used by a third party to monitor the activity of a site. Information collected by web beacons may include the Internet Protocol address of the computer that retrieved the image or the time the web beacon was viewed and for how long.

Why do we collect, use and disclose personal information?

We may collect, store, use and disclose your personal information to:

  • verify your identity – including if you seek support in relation to the Services;
  • administer the Services and the Website – including assisting to resolve technical support issues or other issues relating to the Services;
  • provide the Services (including Compliance Reports) to Client Representatives and Clients (of whom you may be a Client Customer), and store such Compliance Reports for such Clients;
  • enable you (as a Client Representative) to access and use the Services;
  • notify you of changes to the Services, this policy or the Terms of Use;
  • communicate with you, respond to queries you may make and provide any information you request;
  • send you support and other administrative messages including reminders, notices, updates or security alerts;
  • send you marketing information or other information that you may find of interest;
  • update the personal information collected; and
  • comply with laws and resolve any disputes relating to this policy or the Terms of Use.

We store all personal information collected by us through this Website or the Services, using Amazon Web Services (AWS) hosting services. Such information is stored only in AWS data centres located in Sydney, Australia and is not transferred overseas.

We retain your personal information only for so long as required for the above purposes. You acknowledge that we may need to keep some of your personal information for a period required by law, including under corporations, money laundering, and financial reporting legislation.

To whom do we disclose your personal information?

We may disclose your personal information for the purposes described in this policy to:

  • our personnel and related bodies corporate;
  • third party suppliers and service providers who help us to run and maintain our systems and business so that we can operate this Website and provide the Services – for example, website and database hosting providers (including AWS) and businesses which assist us in communications about, or monitoring, this Website;
  • our professional advisers;
  • our current or future agents and business partners;
  • anyone to whom any of our assets or businesses are transferred;
  • specific third parties you authorise to receive information held by us; and/or
  • other persons (including government agencies, regulatory bodies and law enforcement agencies) as required or allowed by law – for example, in order to comply with any court orders, subpoenas, or other legal process or investigation, including by tax authorities, if such disclosure is required by law. Where possible and appropriate, we will notify you if we are required by law to disclose your personal information.

As mentioned, details of any credit card nominated/used by you to pay for the Services are supplied direct to our payment processor, NAB. We do not receive or store such information.

Security of your personal information

We hold your personal information in electronic form. We engage AWS to store your information securely. AWS provides a network of secure data centres and takes very seriously the confidentiality, integrity, and availability of customer data and the maintenance of customer trust and confidence. For more details of AWS's security processes, please refer to the AWS Security White Paper and the AWS Security Web Pages. The IT infrastructure used by AWS is designed and managed in alignment with security best practices including (among other standards) SOC 1, SOC 2, SOC 3, ISAE 3402, PCI DSS Level 1, the EU Model Clauses and ISO 27001.

NAB, as our third party payment processing provider (who holds your credit card details used to pay for the Services), also treats security of personal information with the utmost importance and maintains PCI DSS Compliance and compliance with a range of other industry best practice security standards. See www.nab.com.au for more details.

Otherwise, we are committed to protecting the security of your information and we take all reasonable steps to protect it from misuse, interference and loss and unauthorised access, modification or disclosure. We apply safeguards at a physical, administrative, personnel and technical level to protect your information, including using strong encryption.

We cannot, however, guarantee that your information will be secure at all times, as the Internet is not a secure environment. You therefore transmit personal information over the Internet at your own risk and should only upload personal information to the Services from within a secure environment. If you are a Client Representative, you must also ensure that you keep your log-in credentials (including user name and password) safe and secure. You must notify us as soon as possible if you become aware of any misuse of those credentials, and immediately change them (which you may do when you are logged in).

We will notify you as soon as reasonably possible if we discover a security breach which causes your personal information to be lost or stolen, or accessed, used, disclosed, copied, modified, or disposed of by any unauthorised person or in any unauthorised way.

Disclosure of personal information outside Australia

We do not disclose your personal information outside Australia.

Links to other websites

Our Website may contain links to other websites, which are provided for your convenience only. We do not endorse (and are not responsible or liable for) the operation of, or security measures applied to, those websites. If you choose to access them, you do so at your own risk and subject to the relevant third party’s terms and conditions and privacy policies.

Accessing and correcting your personal information

You must ensure that personal information you provide to us is accurate, complete and current. If you are a Client Representative, you can access and update some of your personal information through the "Account" page when logged into the Website. You may also request access to information we hold about you, or request that we update or correct it, by sending a written request (see our contact details below).

We will process your request as soon as practicable, so long as we are not prevented from doing so by legal impediments. If we cannot process your request (or do so promptly), we will tell you why. For example, if you are a Client Customer, we may need to liaise with the relevant Client to verify the updates. We may also need to verify your identity when you request access or updates to your personal information.

Sometimes, we may not be able to provide you with access to all of your personal information. If that’s the case, we will again tell you why.

Opting out of mailing lists

We may send you notices, alerts, marketing material, service updates, administrative messages, and other information from time to time in relation to the Services. You can opt out of communications that are not important to our ability to provide the Services, by following the instructions in the communication, or contacting us (see our contact details below).

Notifying us of a Privacy Breach

To report an actual or suspected privacy breach, or to lodge a complaint about our handling of your personal information, please provide full details (along with any supporting documentation and your full contact details) using our contact details below.

We will take all reasonable steps to:

  • respond to your issue within 10 business days, and
  • investigate and try to resolve your issue within 30 business days or such longer period as is necessary and notified to you.

If you believe we have not resolved your issue satisfactorily, we will inform you of further steps you may take.

Privacy policy enquiries – contact us

If you have any queries about this policy please contact us:

  • by email to facs-info@crs-fatca-reporting.com.au, or
  • by letter to The Privacy Officer, GCS Agile Pty Ltd, Level 10, 461 Bourke St, Melbourne VIC 3000.

Further Privacy Information

For more information about your privacy rights, or protecting / making a complaint regarding your privacy, visit the Office of the Australian Information Commissioner website at https://www.oaic.gov.au/.