Background
TMS owns and manages the Powered by Jumbo ("PBJ") software platform, which is the medium through which a range of lottery-based gaming activities are conducted by lottery operator Clients (the Service).
PBJ uses Personal Information and data to provide, and improve, the Service.
TMS is committed to the protection of the Personal Information and Personal Data of individuals, and is bound by various privacy laws as applicable to the Client’s jurisdiction.
Purpose of the Privacy Policy
To ensure that TMS protects the Customers' privacy in accordance with the Australian Privacy Principles (APPs), TMS is committed to ensuring the collection, accuracy, storage, security, use, disclosure and destruction of Personal Information through PBJ is compliant with the APPs.
This Privacy Policy describes TMS’ policies and procedures on the collection, use and disclosure of Customer information when Customers use the Service, and tells Customers about their privacy rights.
By using the Service, the Customer agrees to the collection and use of information in accordance with this Privacy Policy, and the Client agrees to maintain the Customer information in accordance with this Privacy Policy.
Interpretation and Definitions
The capitalised words have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Customer means a customer of the Client, being the individual accessing or using the Service.
Under GDPR (General Data Protection Regulation), Customer can be referred to as the Data Subject or as the User, as the individual using the Service.
- Clients refers to lottery operator Clients who have contracted with TMS to use the PBJ platform to run their lottery.
For the purpose of the GDPR, the Client is the Data Controller.
- Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
- Account means a unique account created for the Customer to access the Service or parts of the Service.
- Website refers to the Powered By Jumbo platform and website as personalised for the Client.
- Service refers to the Website and lottery entry transactions.
- Country refers to Australia, where the Client is based in Australia.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Client and TMS to facilitate the Service, to provide the Service on behalf of the Client, to perform services related to the Service or to assist the Client in analyzing how the Service is used.
For the purpose of the GDPR, Service Providers are considered Data Processors.
- Third-party Social Media Service refers to any website or any social network website through which a Customer can log in or create an Account to use the Service.
- Personal Data and Personal Information is any information that relates to an identified or identifiable individual. It is any information that identifies a Customer, or by which a Customer’s identity can be reasonably determined.
For the purposes of the GDPR, Personal Data means any information relating to the Customer such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the Client as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
Collection of Customer Information
Customer Personal Information is collected for the primary purpose of administering the lottery-based gaming activities, ensuring that Customers who win prizes receive their winnings, and improving service levels for the Customers of our Clients.
Personal Information is collected from Customers in the following ways:
- Through the Client-personalized Powered by Jumbo website and app;
- Communications between the Customer and the Client (such as email, fax, letter, phone);
- Transaction records relating to the purchase of lottery products and services; and
- Third parties such as affiliates, suppliers, including lottery-based game suppliers, or their representatives.
The Personal Information that is collected on the PBJ platform may include:
Personal Data
While using the Service, Clients may ask Customers to provide certain personally identifiable information that can be used to contact or identify the Customer. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Address, State, Province, ZIP/Postal code, City
- Bank account and credit card information in order to pay for products and/or services within the Service
- Usage Data
When Customers pay for products and services via bank transfer, Clients may ask Customers to provide information to facilitate this transaction and to verify identity. Such information may include, without limitation:
- Date of birth
- Passport or National ID card
- Bank card statement
- Other information linking Customer to an address
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of the Service that the Customer visits, the time and date of visits, the time spent on those pages, unique device identifiers and other diagnostic data.
When Customers access the Service by or through a mobile device, the Service may collect certain information automatically, including, but not limited to, the type of mobile device Customers use, Customer mobile device unique ID, the IP address of the Customer’s mobile device, the Customer’s mobile operating system, the type of mobile Internet browser the Customer uses, unique device identifiers and other diagnostic data.
The Service may also collect information that the Customer browser sends whenever the Customer visits the Service, or when Customers access the Service by or through a mobile device.
'Cookies'
'Cookies' are alphanumeric identifiers that are placed on the Customer’s computer's hard drive through the web browser.
Powered by Jumbo uses 'Cookies' to enable our system to recognise the Customer’s browser, maintain purchasing details in the Customer’s shopping basket, and remember the Customer’s preferences to provide a personalised experience in line with the Customer’s settings.
PBJ uses Cookies and similar tracking technologies to track the activity on the Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze the Service.
Customers can instruct their browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if a Customer does not accept Cookies, the Customer may not be able to use some parts of the Service.
Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on the Customer’s personal computer or mobile device even when offline, while Session Cookies are deleted as soon as the Customer closes their web browser.
The Service uses both session and persistent Cookies for the purposes set out below:
Use of Customer Information
The Client may use Customer Personal Information for the following purposes:
- To provide and maintain the Service: including to monitor the usage of the Service.
- To manage the Customer Account: to manage the Customer’s registration as a user of the Service. The Personal Data Customers provide can give Customers access to different functionalities of the Service that are available to Customers as a registered user.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services Customers have purchased through the Service.
- To contact Customers: To contact Customers by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To provide Customers: with news, special offers and general information about other products, services and events, which the Client may offer that are similar to those that the Customer has already purchased, or enquired about, unless the Customer has opted not to receive such information.
- To manage Customer requests: To attend and manage Customer requests to the Client.
Personal Information Security
TMS is committed to the protection of Customers’ Personal Information from unauthorized access. The PBJ platform uses a range of security mechanisms and procedures to protect the Personal Information it holds about our Clients and their Customers.
TMS makes all reasonable efforts to ensure Personal Information is stored securely both in electronic and physical forms, and complies with the APPs.
Website pages from which Customers may provide Personal Information are encrypted through a password-protected portal using 128-bit SSL encryption. However, there may be risks associated with transferring Customer Personal Information from other internet facilities or by email.
Personal Information that is no longer required will be destroyed in accordance with the legislation and APPs.
Disclosure of Personal Information and Third Party Access
Powered by Jumbo uses third party software to perform certain services on the website and mobile app.
Customer Personal Information may be used by the Client or TMS to:
- Verify name, age, address and identity;
- Provide Customers with lottery-based gaming products and services;
- Record and register Customer’s lottery purchases and other transactions, and manage the Customer account;
- Notify Customers of, and provide them with, any lottery winnings;
- Inform Customers of ways the Services provided could be improved;
- Research and develop the Services;
- Maintain and develop the business systems and infrastructure, including testing and upgrading of these systems;
- Address any query, feedback or complaints Customers may have; and
- Contact Customers for any other reason.
Clients may disclose Customer information to:
- its lottery-based game suppliers, their auditors, and/or their regulators;
- the Customer’s authorised representative (e.g. legal advisers) but only upon receipt of written authorisation;
- Unrelated third parties to enable outsourcing of relevant functions relating to the provision of lottery-based gaming and marketing products and services and only for the primary purpose of providing those functions;
- Professional advisers including but not limited to accountants, auditors and legal advisers; and
- Courts, Government and regulatory authorities as required or authorised by law.
TMS may share the Personal Information in the following situations:
- With Service Providers: TMS may share Customer Personal Information with Service Providers to monitor and analyze the use of the Service, or for payment processing.
- With Affiliates: TMS may share Customer Personal Information with affiliates, in which case TMS will require those affiliates to honour this Privacy Policy. Affiliates include TMS’ parent company and any other subsidiaries, joint venture partners, or other companies that TMS controls, or that are under common control with TMS.
- With other users: when Customers share Personal Information, or otherwise interact in the public areas with other users, such information may be viewed by all users, and may be publicly distributed outside. If Customers interact with other users, or register through a Third-Party Social Media Service, contacts on the Third-Party Social Media Service may see the Customer’s name, profile, pictures and description of Customer’s activity.
Any such third party will not be permitted to re-sell, use or share the data provided, without the Client’s or TMS' permission.
Data Retention and Security
The Client will retain the Customer Personal Information only for as long as is necessary for the purposes set out in this Privacy Policy. TMS will retain and use Customer Personal Information to the extent necessary to comply with legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
TMS will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of the Service, or where TMS is legally obligated to retain this data for longer time periods.
TMS will be liable to The Client for any loss, corruption, misuse, interference, unauthorised access, modification, or disclosure of The Client’s data through the use of the PBJ platform, limited to where TMS has exercised data security and data management procedures in accordance with best practices in the information technology industry.
TMS will, at all times, ensure its systems are compliant with best practices consistent with the NIST Cybersecurity Framework, the PCI standard and any other applicable standards and obligations.
If a Security Breach occurs, or is suspected to have occurred, TMS will:
- Conduct an investigation as to the reasons for the security breach;
- Use all reasonable efforts to prevent, contain, mitigate and remediate the impact of the security breach;
- Notify the Client as soon as reasonably practical of the actual or suspected security breach;
- Provide a written report to the Client regarding the actual or suspected security breach;
- Collect and preserve all evidence concerning the actual or suspected security breach; and
- Keep the details of the suspected or actual security breach confidential.
Data Processing and Cross-border Transfers
Customer information, including Personal Information, is processed at the Client’s operating offices and in any other places where the parties involved in the processing are located. This means that the information may be transferred to, and maintained on, computers located outside of the Customer’s state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of the Customer’s jurisdiction.
By providing Personal Information to Clients and TMS, Customers consent to this Privacy Policy, and the transfer to overseas recipients. Customers also consent to any such third party storing Personal Information.
TMS will take all steps reasonably necessary to ensure that Customer information is treated securely and in accordance with this Privacy Policy, and no transfer of Customer Personal Information will take place to an organization or a country unless there are adequate controls in place including the security of the data and other Personal Information.
Where TMS does provide Personal Information to overseas recipients, TMS will take reasonable steps to ensure that the overseas recipients undertake to protect Customer’s privacy. However, by consenting to such disclosure, Customers acknowledge that TMS will not be accountable under the Privacy Act for any breach of privacy by the overseas recipient, nor will Customers be able to seek redress under the Privacy Act for any use or breach by the overseas recipient.
Access to Personal Information
Customers have the right under the Privacy Act 1988 to seek access to the Personal Information held by Clients about the Customer. If Customers wish to exercise this right, or if Customers believe that the information is incorrect, incomplete or out-of-date, Customers should either correct/update the information through the Website by logging into "My Account" using their username and password, or contact the Client.
All requests to access Personal Information must be made in writing or by email and addressed to the Privacy Officer of the Client.
Inquiries and Complaints
For Customers in Australia, information about the Privacy Act 1988 and the Australian Privacy Principles is available from the Office of the Australian Information Commissioner.
If Customers have a complaint regarding the Client’s management of Customer Personal Information, or wish to correct information held by the Client, or require further information, Customers should contact the Client.
If Customers are not satisfied with the outcome of the Customer complaint, Customers may refer the Customer complaint to the Office of the Australian Information Commissioner by contacting 1300 363 992 or by visiting the website www.oaic.gov.au.
Changes to the Privacy Policy
TMS reserves the right to make changes to this Privacy Policy. Any changes made to the Privacy Policy in the future will be posted on this page and such changes will become effective upon posting of the revised Privacy Policy. If TMS makes any material or substantial changes to this Privacy Policy TMS will use reasonable endeavours to inform Clients and Customers by email, or other agreed communications channels.
GDPR Privacy for EU Customers
Legal Basis for Processing Personal Data under GDPR
The Client may process Personal Data under the following conditions:
- Consent: Customers have given their consent for processing Personal Data for one or more specific purposes.
- Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with the Customer and/or for any pre-contractual obligations thereof.
- Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Client is subject.
- Vital interests: Processing Personal Data is necessary in order to protect the vital interests of the Customer or of another natural person.
- Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Client.
- Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Client.
In any case, the Client will help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Customer Rights under the GDPR
The Client undertakes to respect the confidentiality of Customer Personal Data and to guarantee Customers can exercise their rights.
Customers have the right under this Privacy Policy, and by law if the Customer is within the EU, to:
- Request access to Personal Data. The right to access, update or delete the information the Client has. Whenever made possible, Customers can access, update or request deletion of Personal Data directly within the Account settings section. This also enables Customers to receive a copy of the Personal Data the Client holds.
- Request correction of the Personal Data. Customers have the right to have any incomplete or inaccurate information the Client holds corrected.
- Object to processing of Personal Data. This right exists where the Client is relying on a legitimate interest as the legal basis for processing and there is something about the Customer’s particular situation, which makes the Customer want to object to the Client’s processing of Personal Data on this ground. Customers also have the right to object where the Client is processing Personal Data for direct marketing purposes.
- Request erasure of Your Personal Data. Customers have the right to ask the Client and TMS to delete or remove Personal Data when there is no good reason for the Client to continue processing it.
- Request the transfer of Personal Data. The Client will provide to the Customer, or to a third-party chosen by the Customer, the Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which the Customer initially provided consent for the Client to use or where the Client used the information to perform a contract with the Customer.
- Withdraw consent. Customers have the right to withdraw their consent on using their Personal Data. If Customers withdraw consent, the Client may not be able to provide the Customer with access to certain specific functionalities of the Service.
Exercising of Your GDPR Data Protection Rights
Customers may exercise rights of access, rectification, cancellation and opposition by contacting the Client. Please note that Clients may ask the Customer to verify their identity before responding to such requests.
Customers have the right to complain to a Data Protection Authority about the Client’s collection and use of their Personal Data. For more information, if Customers are in the European Economic Area (EEA), please contact the local data protection authority in the EEA.
Contact Details
TMS Global Service Pty Ltd
Postal Address
GPO Box 2397
Melbourne
Victoria 3001
Australia
+61 3 9321 2888 (phone)
+61 3 9321 2801 (fax)
1800 774 137
privacy@tmsglobal.com.au
28 May 2020