Privacy Policy

Privacy Policy
1. Who we are and what we do

Xyst, we and us refers to Xyst Ltd in relation to our Yardstick suite of products and services. Our Yardstick services are globally available including in European countries. We consider the privacy and online security of you, our Yardstick Users, to be of utmost importance.

Services include Yardstick Parks, Facilities and Roads benchmarking, parks and facilities user surveys and any other product or service available through member subscription to the https://www.yardstick.global website. “You” and “your” refers to both Direct Service Users and Indirect Users, unless otherwise specified.

This Privacy Policy is intended to help you to understand how and what personal information we collect, use and disclose when you use our Services.

We will not use or share your information with anyone except as described in this Privacy Policy.

By using the Services you agree to the collection and use of information in accordance with this policy.


2. Who we collect personal data from

We collect personal data from two separate groups of people:

Direct Service Users – we collect personal data from member organisations and their individual representatives for communication, and to facilitate and administer use of our Services through the Yardstick website.

Indirect Users – we collect personal data from Parks and Facilities User Survey respondents when they are responding to intercept and online surveys about parks and recreation facilities. This personal data is aggregated and anonymised for reporting.

The information we collect, how we use it and who we share it with varies slightly between Direct and Indirect Users. In general however:

  • we don’t collect personal data that we don’t need to be able to provide our Services;
  • we don’t share personal data unless we need to so we can provide our Services;

Indirect Users may choose not to provide identifiable personal data.

3. What information we collect

Information you provide to us
While using our Services, we may ask Direct Service Users to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to, your email address, name, phone number, employer and other information (“Personal Information”). We collect this information for the purpose of providing the Services, identifying and communicating with you, responding to your requests/inquiries, servicing your purchase orders, and improving our services.

Indirect Users may be asked to provide personal and demographic information including name, gender, email address, phone number, age and ethnicity. We collect this information for the purpose of providing the Service to our Direct Service Users. Demographic data is aggregated and analysed to compare the survey sample with the general population. Personal data may be collected for auditing purposes or to allow contact where a prize is offered for participation. Indirect Users are given the option to not provide this information.

Information you provide by communicating with us
We may collect Personal Information from Direct Service Users such as email address, phone number or mailing address when you choose to request information about our Services, request to receive customer or technical support, or otherwise communicate with us.

Content you provide using our products
The Services include the Yardstick products you use, where we collect and store content that you post, send, receive and share. This content includes Indirect User responses to online questionnaires and online and intercept surveys.

What we collect automatically when you use the services
We collect information about you when you use our Services, including browsing our websites and taking certain actions within the Services.

Your use of the services
We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use and the links you click on.

Device and connection information
We collect information that your browser sends whenever you visit our Service (“Log Data”). This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.

Unique Identifiers
We use unique identifiers such as cookies, e-mail or your pseudonymised customer ID to track individual usage behavior on our Service, such as the length of time spent on a particular page and the pages viewed during a particular log-in period. Unique identifiers collect information about a user’s use of our Service on an individual basis.

Cookies
Like many websites and mobile application operators, we collect certain information through the use of “cookies,” which are small text files that are saved by your browser when you access our Service. Cookies can either be “session cookies” or “persistent cookies”. Session cookies are temporary cookies that are stored on your device while you are visiting our Website or using our Service, whereas “persistent cookies” are stored on your device for a period of time after you leave our Website or Service. We use persistent cookies to store your preferences so that they are available for the next visit, and to keep a more accurate account of how often you visit our Service, and how your use of the Service varies over time. We also use persistent cookies to measure the effectiveness of advertising efforts. Through these cookies, we may collect information about your online activity after you leave our Service. For more information on cookies, including how to control your cookie settings and preferences, visit http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm, https://ico.org.uk/for-the-public/online/cookies/ and http://www.allaboutcookies.org/

Xyst Partners
We work with a global network of partners who provide marketing, advocacy, administrative, events, training and other services around our products. Some of these partners also help us to market and promote our products, generate leads for us, and resell our products. We receive information from these partners, such as billing information, billing and technical contact information, organisation name, what Yardstick products you have purchased or may be interested in, evaluation information you have provided, what events you have attended, and what country you are in. Our partners are listed here.


4. How we use personal information

To provide the services to you
We acquire, hold, use and process information about Direct Service Users to provide the Services to you, including to process transactions with you, authenticate you when you log in, provide customer support, and operate and maintain the Services.

To communicate with you about the services
We use Direct Service Users’ contact information to send transactional communications via email and within the Services, including confirming your purchases, sending invoices for Services provided, implementing the Services, responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts, and administrative messages.

To market, promote and drive engagement with the services
We may use Direct Service Users’ contact information and information about how you use the Services to send promotional communications that may be of specific interest to you, including by email and by displaying Yardstick promotion on other organisations’ websites. These communications are aimed at driving engagement and maximising what you get out of the Services, including information about new features, survey requests, newsletters, and events we think may be of interest to you. We also communicate with you about product offers and promotions. You can control whether you receive these communications.

Research and Development
We may use Personal Information to create non-identifiable information that we may use alone or in the aggregate with information obtained from other sources, in order to help us to optimally deliver our existing products and Services or develop new products and Services. From time to time, Xyst may perform research (online and offline) via surveys. We may engage third party service providers to conduct such surveys on our behalf. All survey responses are voluntary, and the information collected will be used for research and reporting purposes to help us better serve participating organisations by learning more about their needs and the quality of the products and services we provide. The survey responses may be utilised to determine the effectiveness of our Services, various types of communications, advertising campaigns, and/or promotional activities. If an Individual participates in a survey, the information given will be used along with that of other study participants. We may share anonymous Individual and aggregate data for research and analysis purposes.

Customer support
We use Direct Service Users’ information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.

For safety and security
We use information about you where you have given us consent to do so for a specific purpose not listed above.

Legal bases for processing (For EEA Users):
Data protection law in Europe requires a “lawful basis” for collecting and retaining personal information from citizens or residents of the European Economic Area. Our lawful bases include:

  • Performing the contract we have with the member organisation: We need your personal information to be able to deliver our Services to Direct Service Users.
  • Data verification: We need to collect personal information from respondents to Visitor Surveys (Indirect Users) so that survey results may be verified and authenticated, and to identify improper use of the online survey platform.
  • Legitimate interests: This is a technical term in data protection law which essentially means we have a good and fair reason to use your data and we do so in ways which do not hurt your interests and rights. We sometimes require your data to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and to deliver our services to client organisations and that does not materially impact your rights, freedom or interests.

For example, we use identity, device, and location information to prevent fraud and abuse and to keep the Services secure. We may also send you promotional communications about our Services, subject to your right to control whether we do so.


5. Who we share personal information with

Managed Accounts and Administrators
If you register or access the Services using an email address with a domain that is owned by your employer or organisation, and such organisation wishes to create new user accounts or delete redundant accounts, certain information about you including your name, contact details, and past use of your account may become accessible to that organisation’s administrator and other Service users sharing the same domain. If you are an administrator for a particular site or group of users within the Services, we may share your contact information with current or past Service users, for the purpose of facilitating Service-related requests.

Service Providers
We work with third-party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analysis and other services for us, which may require them to access or use information about you. If a service provider needs to access information about you to perform services on our behalf, they do so under close instruction from us, including policies and procedures designed to protect your information. Service providers that we use are listed here.

Xyst Partners
We work with third parties who provide consulting, sales, and technical services to deliver and implement customer solutions around the Services. We may share your information with these third parties in connection with their services, such as to assist with billing and collections, to provide localised support, and to provide customisations. We may also share information with these third parties where you have agreed to that sharing.

Client Organisations
We share the personal data provided by Indirect Users with the Client Organisations (Direct Service Users) that have requested or undertaken the surveys. The Client Organisation can request a data export of survey data for analysis. Personal data may be included in the data export. The personal data is not published in reports, and is not available publicly or to other member organisations.

Compliance with enforcement requests and applicable laws; Enforcement of our rights
In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to

  1. comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements,
  2. enforce our agreements, policies and terms of service,
  3. protect the security or integrity of our products and services,
  4. protect Xyst, our customers or the public from harm or illegal activities, or
  5. respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
     
6. How we store your data and secure it

Data storage and security
We use data hosting service providers in New Zealand and the United States to host the information we collect, and we use technical measures to secure your data.

The security of your Personal Information is important to us, and we strive to implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information we store, in order to protect it from unauthorised access, destruction, use, modification, or disclosure.

However, please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the Personal Information we have collected from you.

How long we keep your information
How long we keep information we collect about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymise your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.

We can delete your account if it remains inactive (i.e. not accessed) for 1 year or longer.

Account information
For Direct Service Users, we will retain your information as long as your account is active, as necessary to provide you with the Services or as otherwise set forth in this Policy. We will also retain and use this information as necessary for the purposes set out in this Policy and to the extent necessary to comply with our legal obligations, resolve disputes, enforce our agreements and protect Xyst legal rights.

Managed Accounts
If the Services are made available to you through an organisation (e.g., your employer), we retain your information as long as required by the administrator of your account.

Marketing information
If you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Services, such as when you last opened an email from us or ceased using your Xyst account. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.

Survey data
For Indirect Users, the personal data we collect from Yardstick User Survey respondents is retained as part of each survey response for as long as Direct Service Users require online access to user survey reports. The personal data is not reported in a way that can allow identification of individuals.

Survey data
For Indirect Users, the personal data we collect from Yardstick User Survey respondents is retained as part of each survey response for as long as Direct Service Users require online access to user survey reports. The personal data is not reported in a way that can allow identification of individuals.

 

7. The choices we offer

You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations.

Your Choices
You have the right to request a copy of your information, to object to our use of your information (including for marketing purposes), to request the deletion or restriction of your information, or to request your information in a structured, electronic format. Below, we describe the tools and processes for making these requests.

Access and update your information
Our Services give you limited ability to access and update certain information about you from within the Service. You can access your user information from your account but can only change your name. Your email address is used as your login so can’t be changed.

Deactivate your account
If you no longer wish to use our Services, you or your administrator may be able to deactivate your Services account. If you can deactivate your own account, that setting is available to you in your account settings. Otherwise, please contact your administrator. If you are an administrator and are unable to deactivate an account through your administrator settings, please contact Yardstick support (support@yardstickglobal.org). For more information on how to delete your information, see below.

Request that we stop using your information
In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don’t have the appropriate rights to do so. For example, if you believe a Services account was created for you without your permission or you are no longer an active user, you can request that we delete your account as provided in this policy. Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time. You can also opt-out of our use of your information for marketing purposes by contacting us, as provided below. When you make such requests, we may need time to investigate and facilitate your request. If there is delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honored or the dispute is resolved, provided your administrator does not object (where applicable). If you object to information about you being shared with a third-party app, please disable the app or contact your administrator to do so.

Opt-out of communications
You may opt out of receiving promotional communications from us by using the unsubscribe link within each email, updating your email preferences within your Service account settings menu, or by contacting us as provided below to have your contact information removed from our promotional email list or registration database. Even after you opt out from receiving promotional messages from us, you will continue to receive transactional messages from us regarding our Services. You can opt out of some notification messages in your account settings.

Web browser controls
You can prevent the use of certain Tracking Tools, such as cookies, on a device-by-device basis using the controls in your web browser. These controls can be found in the Tools > Internet Options (or similar) menu for your browser, or as otherwise directed by your browser’s support feature. Through your web browser, you may be able to:

Delete existing Tracking Tools
Disable future Tracking Tools

Set your browser to provide you with a warning each time a cookie or certain other Tracking Tools are being set

Send “Do Not Track” signals
Some browsers have incorporated “Do Not Track” (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Services do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving marketing from us as described above.


8. How we transfer information we collect internationally

International transfers of information we collect
We collect information globally and primarily store that information in New Zealand and Australia, with backup storage located in the United States. We transfer, process and store your information outside of your country of residence, to wherever we or our third-party service providers operate for the purpose of providing you the Services. Whenever we transfer your information, we take steps to protect it.

Managing privacy under organisation
Many of our products are intended for use by organisations. Where the Services are made available to you through an organisation, that organisation is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to that organisation’s policies. We are not responsible for the privacy or security practices of an administrator’s organisation, which may be different than this policy.

Links to other sites
Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over, and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Data Protection Officer
Xyst doesn’t have a Data Protection Officer as

  • we are not a public authority;
  • our core activities don’t consist of large scale systematic monitoring; and
  • we do not collect or process sensitive personal data.

To contact Yardstick support email support@yardstick.global

Data Protection Authority
Subject to applicable law, if you are a citizen or resident of the European Economic Area, you also have the right to (i) object to Xyst’s use of your personal information and (ii) lodge a complaint with your local data protection authority. For a list of DPA’s refer to http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

 

9. How we manage this policy

Enforcement
If you believe for any reason that Xyst has not followed these principles, please contact us at support@yardstickglobal.org and Xyst will act promptly to investigate, correct as appropriate, and advise you of the correction. Please identify the issue as a Privacy Policy concern in your communication to Xyst.

Changes to this privacy policy
This Privacy Policy is effective as of May 25th 2018 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.

We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically. Your continued use of the Services after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.

 

10. Contact Us

If you have any questions about this Privacy Policy, please contact us.