Toustone Privacy, Data & Security Policy

Commitment to Protect your Privacy

Toustone respects your privacy and is committed to protecting it.

Our Privacy, Data and Security Policy explains how and why we collect personal information and your business data, what we use it for, and to whom and when we disclose it. We update this policy from time to time, and you should revisit our website regularly to see the latest copy of the Privacy Policy. Any changes will come into effect when the updated Privacy Policy is posted to the website.

In all cases we will treat your personal information and business data with no less protection than that provided for by the Australian Privacy Principles set out under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) and any other privacy laws that are in force in Australia.

How and what Personal Information and Business Data do we collect?

We collect personal information from you when you contact us regarding further information about our services or become a customer of Toustone.

As part of our service, Toustone also collects and stores data about your business via automated data interfaces or manually loaded data for the purpose of business reporting and data analysis.

We may also collect information and data about you from our website but this information will only identify who you are if you provide us with your details (for example, if you provide us with your contact details). When you visit our website our web server collects the following types of information for statistical purposes:

  • Your Internet service provider’s address;
  • The number of users who visit the website;
  • The date and time of each visit;
  • The pages accessed; and
  • The type of browser used.

No attempt is made to indemnify individual users from this information.

Toustone staff will have access to your personal information for the purpose of investigating, evaluating and or responding to an Eligible Data Breach.

Before we disclose your personal information to an overseas recipient such as a data storage facility:

  • who is not in Australia or an external Territory; and
  • who is not the entity or the individual;

We take steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) in relation to your personal information.

Toustone may also issue privacy and collection statements through our website or other points of contact and collection which we will provide at the time of collection with reference to the relevant circumstances of the collection.

Why we collect Personal Information and Business Data and what is it used for?

Toustone collects personal information and data about you and the subjects you may like to receive communications about. We also use the information:

  • registration to use our services;
  • for security and risk management purposes;
  • use of the service;
  • participation in any forums or blogs;
  • contacting the Toustone support team;
  • to enable us to improve the quality of our products and services and to develop additional products and services, and for staff training and quality assurance purposes;
  • marketing analysis.

Toustone may make use of aggregated and non-identifiable business data for the purpose of improving the service. The data will be in no way identifiable to an individual, a company or associated transactions.
Where information is provided with your consent or as required by law to any person or organisation other than Toustone, you accept that the person or organisation may not have privacy policies that are as protective as our Privacy Policies, and you consent to the disclosure of your personal information with that understanding.

You may opt-out of receiving our services at any time simply by submitting a request via our support link or in any way that we notify you in the relevant communication.

How we hold your Personal Information and Data

Toustone and/or its third party suppliers hold your personal information and data on secure enterprise grade servers.

To whom do we disclose the Personal Information and Data?

Other than as we have set out in our Privacy Policy, we will not disclosure your personal information and business data without your prior consent or where we are required to by law.

Third Party Data

If you collate and store personal or commercially sensitive data about or owned by third parties in the Toustone environment, it is your responsibility to ensure that consent is obtained from those third parties. Use of such third party data will be subject to this Privacy Policy.


A cookie is a small piece of computer code which remains on your computer and contains information which helps us identify your browser and previous information viewed in relation to our service.

When you visit our website the cookie records certain details including the date, time and advertising content. None of the information in the cookie contains personally identifiable information about you.

If you do not want us to use cookies then you can easily stop them, or be notified when they are being used, by adopting the appropriate settings on your browser. If you do not allow cookies to be used some or all of our website might not be accessible to you.

Links to Other Web Sites

Our website may include web links to other websites. We are not responsible for the content of those other websites, and do not endorse the products, services or information that is on those websites. If you use those websites you should be aware that they will have different privacy policies and terms and conditions of use, which you should review and agree to prior to using those websites.

Amending, deleting and how you can obtain access to your Personal Information and Business Data

We try to ensure that all information about you that we collect, use or disclose is accurate, complete and up-to-date.

If you want to obtain access to any personal information and data that we hold about you, or believe any of your personal information and data that we hold is inaccurate, incomplete or it is not necessary to hold it, you can contact us and we will use reasonable efforts to provide it and, if required, correct it. We may charge a reasonable fee to cover the costs of providing personal information to you.

You may at any time, request that we delete your personal information from our system. If you need us to delete, correct or amend this data, we will do so within 30 days.

It is your responsibility to monitor and report any accuracy issues with your business data stored in the Toustone environment. If you discover data errors, Toustone will work with you to correct such errors as part of existing support and consulting services.

At any time, you can request a copy of your business data. Toustone will oblige as soon as practical. If you and Toustone cease the hosting agreement, you can request a copy of all data be returned and that all data be deleted from the Toustone environment.

There may be additional charges to facilitate such data copies, which will be advised on a case basis and agreement received from you prior to any work commencing.

Any enquiries should be via e-mail:

Data Ownership

Toustone recognizes that the ownership of your business data at all times remains with you. Access to the data is controlled and authorised by you when you agree to use our services.

Security and Retention Policies

Toustone is committed to ensuring the security of the information we hold about you. We take all reasonable steps to ensure that the information we hold about you is protected from misuse, interference and loss, and from unauthorised access, modification or disclosure. If Toustone no longer needs the information we will take reasonable steps to destroy the information and/or ensure that the information is de-identified.

If you use the Internet to communicate with us, you should be aware of the risks in transmitting information over the Internet. Toustone does not have control over information while in transit over the Internet and we cannot guarantee its security. Any personal information that we no longer require is destroyed. An exception to this may be where records are retained to comply with legal requirements.

Data and Security

Toustone places a large emphasis on the security of personal information and your business data both in storage and during transmission.

Despite all efforts, it is not possible to guarantee 100% security for 100% of the time. Instead, Toustone will take all reasonable efforts to continue to monitor and update security measures as techniques improve and threats are identified.

Location of Data Storage and Backup

Primary data storage is at Amazon data centres in Sydney Australia. Your client transaction data is stored in Amazon’s Redshift environment and is encrypted at rest using the industry-standard AES-256 algorithm.

Disaster Recovery data backups are stored in Amazon facilities in Australia. All backups are encrypted at rest.

Access into this environment is controlled by two factor authentication. Only authorised Toustone personnel have access.

Data Transfer

All communication to and from your web browsers is encrypted using Certified 128-bit SSL Certificates.

Email Broadcasting

The email broadcast functionality offered by Toustone uses Amazon email services located outside of Australia. As email is not a secure medium, you should be aware of the risks related to this broadcast function. Toustone does not have control over information while in transit over the internet / email and we can not guarantee its security.

User Security

Your access to data reporting and analysis within the solutions provided by Toustone is secured by password protected User IDs. Once logged in, your access to information and functionality is governed by membership of appropriate roles. Only authorised users are able to view, edit and administer the system.

It is your responsibility to ensure your users employ appropriate password secrecy measures. You should advise Toustone if you believe that a user ID and password has been compromised.

Physical Security

Toustone servers are located within Amazon’s Sydney based AWS data centre for primary use and for backup purposes. These facilities provide unparalleled levels of security for your client data. For details, see:

Eligible Data Breach

Toustone has procedures in place to ensure that an eligible data breach is identified and dealt with as required by the Privacy Act Notifiable Data Breach scheme. An “Eligible Data Breach” occurs where personal information is lost in circumstances where access to or unauthorised disclosure of the information is likely to occur and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.


If you would like to make a complaint about our collection, use or disclosure of personal information, or if you believe that we have not complied with this Privacy Policy, please contact us at: When contacting us please provide us as much detail as possible in relation to your complaint. We will contact you to discuss any concerns within 48 hours of receiving your e-mail.

We take any data, security or privacy complaint seriously and any complaint will be assessed by an appropriate person with the aim of resolving any issue in a timely and efficient manner.

If you are not satisfied with the outcome of our assessment of your complaint, you may wish to contact the Office of the Australian Information Commissioner.