Last updated: 1 July 2024

1.     Purpose of policy


1.1       On The Run Pty Ltd (ACN 638 356 466) and its related entities (OTR, we, us, our) value your privacy.  This Policy sets out how your personal information is collected, used, and disclosed by the following entities in our group:

(a)       On The Run Pty Ltd;

(b)       Viva Energy Retail SMGB Pty Ltd;

(c)       DF Wholesalers Pty Ltd;

(d)       OTR Grocery Retailing Pty Ltd;

(e)       Doughboys Manufacturing SA Pty Ltd;

(f)         Doughboys Developments SA Pty Ltd;

(g)       OTR (HJ Franchising) Pty Ltd;

(h)       OTR (SW Franchising) Pty Ltd;

(i)        OTR (Oporto SA) Pty Ltd;

(j)        Mehico Pty Ltd;

(k)       Diamond Products Pty Ltd;

(l)        Mogas Regional Pty Ltd;

(m)     Mogas Holdings Pty Ltd;

(n)       Reliable Petroleum Pty Ltd; and

(o)       Directhaul Pty Ltd.

1.2     The Websites and Apps covered by this Policy include:

(b)     krispykremesa.com.au;

(c)     smokemart.com.au;

(d)     giftbox.com.au;

(e)     mogasregional.com.au;

(f)      reliablepetroleum.com.au;

(g)     directhaul.com.au;

(h)     OTR App;

(i)      OTR EV App; and

(j)      Mogas App.

1.3    We will update this Policy from time to time.  The current version will always be available at otr.com.au.  If we change this Policy in any material way, we will post a notice on our Websites and Apps (as relevant) along with the updated Policy.  We may also contact you via your contact information we hold on file, for example by email or some other equivalent measure.  You may also obtain a copy of the current version of our Policy by contacting us at any time.

1.4     We encourage you to read this Policy each time you deal with us so that you are aware of any changes made to it.

1.5     In this Policy, we use the term:

(a)     ‘physical customers’ to refer to individuals who visit us at our consumer retail stores, whether or not they receive goods and services from our consumer retail stores;

(b)     ‘online customers’ to refer to individuals who use our Websites and Apps to view our goods and services, and who receive goods and services from us via our retail Website and Apps;

(c)     ‘commercial customers’ to refer to individuals who purchase commercial and wholesale goods and services from us or who borrow commercial plant and equipment from us, and individuals at businesses who purchase commercial and wholesale goods or services from us;

(d)     ‘suppliers’ to refer to individuals who provide us with goods or services, and individuals at businesses who provide us with goods or services;

(e)     ‘participants’ to refer to individuals who participate in competitions we hold or attend events we hold;

(f)      ‘members’ to refer to individuals who join any of our membership programs or clubs;

(g)     ‘users’ to refer to individuals who subscribe to our newsletters, engage with us on social media platforms, or who enquire about our goods and services via electronic means; and

(h)     ‘applicants’ to refer to individuals who apply for employment or other engagement with us.

1.6     In some circumstances, you may belong to more than one of these groups, and multiple sections of this Policy will then apply to you.

What is Personal Information, and what do we collect?


2.1    Personal Information is any information or opinion about you that identifies you or is capable of identifying you, even if the information is not true, and whether or not it is in physical form.

2.2    Sensitive Information is a subset of Personal Information and includes information or opinion about such things as an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information, and biometric information (that is, data derived from your physical characteristics, such as a fingerprint) and biometric templates (that is, a stored digital template of biometric information, such as a fingerprint or retina scan).

2.3    The kinds of Personal Information we collect about you depend on our relationship with you, and we limit the information we collect to what is reasonably necessary for one or more of our functions or activities.  Generally, we will collect your name, commentary or opinion about you, and other information relevant to providing you with the information, goods and services you or someone on your behalf are seeking.

2.4    If you are a physical customer: we may also collect CCTV images and audio of you, your vehicle and your vehicle’s registration number. We will only collect your name and contact details if you provide them to us in relation to a query or complaint.  Identifiable transaction details are collected by third party payment gateways and are not stored by us.  We may collect Sensitive Information from you in the form of a biometric template of your face, collected via CCTV images and used in conjunction with facial recognition technology.

2.5    If you are an online customer: we may also collect your contact details, email address, payment details, delivery address and instructions, details related to your online shopping experience, and information about your use of our Website and Apps and the device you are using (including numbers that identify your device, IP address, geographic location of your IP address, and of your device where that is relevant to the goods, services and information we are providing, cookie information, and user preferences).  You may choose to enable or disable information you share with us via the Website or App in your browser or device settings.  Disabling the sharing of some information may affect your ability to use certain features of the Website or App, and your user experience generally.

2.6    If you are a commercial customer: we may also collect your contact details, ABN (if applicable), business name, information about your role, and your date of birth and driver's licence (for sole trader and partnership borrowers of our equipment, for the purpose of registering our security interest on the PPSR).

2.7    If you are a supplier: we will also collect your contact details, ABN, business name, bank account details (for payment of your invoices), and information about your role.

2.8    If you are a participant: we will generally only collect your name and contact details; however, some competitions, surveys, market research and events we run require us to collect additional information about you.  For example, participating in events with catering may require you to provide us with your dietary requirements.  We will notify you at the time if we need to collect more information, and the reasons for collecting it.

2.9    If you are a member: we will also collect your contact details, information contained in your membership application, and information related to your member interactions with us.

2.10   If you are a user: we may also collect your email address, social media account name and contact details, any images or videos shared with us via social media, details of your enquiries and feedback, and information about your interaction with us through social media.

2.11 If you are an applicant: depending on your potential or actual position with us, we will also generally collect your Personal Information contained within an application and CV/resume, employment history, personal information derived from a reference, personal information derived from an interview, personal information derived through testing (including psychometric or aptitude testing), licences and other certificates and qualifications, and information included in a passport, birth certificate, visa or other documentation demonstrating your right to work in Australia.

2.12 We support your ability to make decisions about the Personal Information you provide to us; however, if you choose not to provide us with the information requested, or it is incomplete or inaccurate, we may not be able to provide you with the information, goods and services you are seeking.  If you are an applicant, refusal to provide personal information may mean we are unable to process your application.

How we collect Personal Information


3.1    We will generally collect Personal Information directly from you when you interact with us, such as in person, by email, by phone, by enquiry or feedback form, or via our Website and Apps, social media channels, interviews (via any method), any of our standard forms (including application forms, membership forms, etc), contract negotiation, our employment and engagement application process, our surveys (where applicable), registration and attendance at our events, facilities and accommodation, or any other means when you provide us with your Personal Information.

3.2    We may also need to collect Personal Information about you from third parties from time to time where it is necessary for us to do so and it is unreasonable or impractical to collect directly from you, where you have consented to us doing so, or where we are otherwise required to or authorised to by law.  Those third parties include:

(a)   if you are a supplier or commercial customer: publicly available records such as the Australian Securities Investment Commission, Australian Business Register, Australian Financial Security Authority (PPSR), and land titles offices;

(b)    if you are a physical customer or online customer: third party payment gateways, law enforcement agencies, and licence plate recognition providers;

(c)    if you are an online customer or user: technology service providers and social media platforms;

(d)    if you are an applicant: referees when they provide references, academic institutions or training and certification providers, providers of licence and background-checking services, recruiters and other service providers who assist in the engagement process, and other publicly available sources such as social media platforms.

3.3     Except as otherwise permitted by law, we only collect Sensitive Information about you if you consent to the collection of the information and if it is reasonably necessary for the performance of our functions and activities.  Consent may be implied by the circumstances existing at the time of collection – for example, if you enter one of our physical stores where signs prior to your entry indicate that CCTV is in use, and that facial recognition technology is in use.  There may also be circumstances under which we may collect Sensitive Information without your consent, as required or authorised by law.

3.4     When we collect information from you, we will take reasonable steps to inform you about the purposes for collection, the main consequences if you don’t provide the requested information, the other entities to which we usually disclose the information, and whether we are likely to disclose your information to overseas recipients.

3.5     If you provide us with Personal Information about someone else, you must ensure that you are authorised to disclose that information to us and that, without us taking any further steps required by applicable privacy laws, we may collect, store, use and disclose such information for the purposes described in this Policy.  Where we request you to do so, you must assist us with any requests by the individual to access or update the Personal Information you have collected from them and provided to us.

How we store and protect Personal Information


4.1 We store your Personal Information in different ways, including in paper and electronic form.  We take all reasonable measures to ensure your Personal Information is stored on secure servers (which may be based in Australia or overseas) in a manner that reasonably protects it from interference, misuse and loss and from unauthorised access, modification or disclosure, using electronic and physical security measures, including:

(a)     limiting access to the Personal Information we collect about you;

(b)     only providing access to personal information once proper identification has been given;

(c)     imposing confidentiality requirements on our employees; and

(d)     requiring third party providers to have acceptable security measures to keep Personal Information secure.

4.2    When we no longer need your Personal Information for the purpose for which we collected it, we will take reasonable steps to destroy or permanently de-identify your Personal Information.  However, most of the Personal Information is or will be stored and kept by us for a minimum of seven years (unless legislation requires us to destroy or permanently de-identify it sooner).

4.3    Despite the reasonable steps we take to secure your Personal Information, if you provide any Personal Information to us via our Website, Apps and online services (including email) or if we provide Personal Information to you by such means, the privacy, security and integrity of your Personal Information cannot be guaranteed during its transmission unless we have indicated beforehand that a particular transaction or transmission of information will be protected (for example, by encryption).

Why we collect, hold, use and disclose Personal Information


5.1    The Personal Information we collect and hold about you depends on your interaction with us and our relationship with you.  Generally, we will collect, use, and hold your Personal Information if it is reasonably necessary for or directly related to the performance of our functions and activities, and:

(a)     to facilitate our internal business operations, including:

(i)      establishing our relationship with you;

(ii)     maintaining, managing and developing our relationship with you and communicating with you in the ordinary course of that relationship (including responding to enquiries, information requests, feedback or complaints);

(iii)    updating your Personal Information, including destroying or de-identifying it when it is no longer required;

(iv)    fulfilling our legal requirements;

(v)     analysing our goods and services and customer and supplier needs with a view to developing new or improved goods, services, and business operations;

(vi)    conducting market research, monitoring use of our goods and services, and creating aggregated de-identified data about use of our goods and services, Website and Apps;

(vii)   contacting you to ask about your experiences with, or impressions of, our products or services, or to provide a testimonial for us (where applicable);

(viii)  if you are an online customer or user: streamlining and personalising your experience within our Website and Apps, tailoring our information, goods and services for you, and remarketing (targeting online advertising and direct marketing to you based on your use of our Website and Apps);

(ix)    if you are an applicant: considering your application;

(b)    to provide you with information about other goods and services that we or our related entities and other affiliated organisations offer that may be of interest to you. You may unsubscribe from our mailing/marketing lists at any time by using the unsubscribe feature on any emails we send, or otherwise by contacting us in writing.  We do not use your Sensitive Information for direct marketing purposes; and

(c)    for any other purpose identified at the time of collection.

5.2   We may use Personal Information for secondary purposes where it would be reasonable to expect us to do so, and that secondary purpose is related (or directly related in the case of Sensitive Information) to the primary purpose set out above.

Who we disclose Personal Information to


6.1 We generally disclose your Personal Information for the purposes for which it was collected (set out above).  We may disclose Personal Information about you to:

(a)   our related entities within the OTR Group;

(b)   our employees, contractors, consultants, and volunteers who require the information to assist us with the purposes for which it was collected;

(c)   government departments and agencies where required by law;

(d)   third party service providers who assist us in operating our business and providing information, resources, goods and services to you or someone else on your behalf (including marketing campaign providers, market research providers, mail processing providers, printers, IT and technology service providers, recruitment providers, and professional advisers such as lawyers, accountants, and auditors);

(e)   third parties to whom you have agreed we may disclose your information and where the information was collected from you (or from a third party on your behalf) for the purposes of passing it on to the third party; and

(f)    any other entity as otherwise required or authorised by law, including regulatory bodies.

6.2 We may also disclose Personal Information for secondary purposes where it would be reasonable to expect us to do so, and that secondary purpose is related (or directly related in the case of Sensitive Information) to the primary purpose.

6.3 Where we disclose Personal Information to a third party service provider, we take reasonable steps to ensure these service providers have appropriate security for your Personal Information and use it only for the purposes for which it was collected.

6.4    We may expand or reduce our business, and this may involve the sale and/or transfer of control of all or part of our business. Personal Information, where it is relevant to any part of the business for sale and/or transfer, may be disclosed to a proposed new owner or newly controlling entity for their due diligence purposes, and upon completion of a sale or transfer, will be transferred to the new owner or newly controlling party to be used for the purposes for which it was provided.

Overseas disclosure


7.1    We are assisted by a variety of external service providers to operate our business and to provide you or someone else on your behalf with the information, resources, goods and services sought.  Some of these service providers may be located overseas, and while there are too many to expressly name, they include Microsoft located in the United States.

7.2    We take reasonable steps to ensure these service providers have appropriate security for your Personal Information and use it only for the purposes for which it was collected.

Third party websites and advertising


8.1    Our Websites, Apps, and online services (including email messages we send to you) may contain links to other websites maintained by a third party (other services).  Other services may link to our websites and online services.  If you click on a link to another site maintained by a third party, they are no longer subject to this Policy.  We are not responsible for the privacy practices of the organisations that operate those other services, and by providing such links we do not endorse or approve the other services.  We have no responsibility for linked websites owned or operated by a third party and provide them solely for your information and convenience.  We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or warranties about their accuracy, content, or thoroughness. Your disclosure of personal information to third party websites is at your own risk.

8.2 We may allow third parties to use cookies or other tracking technologies to collect non-personal information about your use of our Websites and Apps, including your IP address, pages viewed and conversion information.  This information may be used, among other purposes, to deliver advertising targeted to your interests and to better understand the usage and visitation of our Websites, Apps, and other websites tracked by these third parties.  This Policy does not apply to, and we are not responsible for, third party “cookies” or other tracking technologies.  We encourage you to check the privacy policies of advertisers and/or ad services to learn more about their privacy practices.

How you can access and correct Personal Information


9.1    You may access the Personal Information we hold about you, subject to certain exceptions.  If you wish to access your Personal Information, please contact us via the below:

Mail:  Privacy Officer, Level 16 720 Bourke Street, Docklands VIC 3008

Email:  [email protected]

Phone: +61 8 8333 5777

9.2    We endeavour to respond within 30 days, but will otherwise respond within a reasonable period.  We may decline a request for access to personal information in circumstances prescribed by the Privacy Act, and if we do, we will give you a written notice that sets out the reasons for the refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.

9.3    We will not charge any fee for your access request but may charge an administrative fee for providing a copy of your Personal Information.  We will notify you in advance of any applicable fees.

9.4    In order to protect your Personal Information, we will require identification from you before releasing the requested information.

9.5    If you believe the information we hold about you is incomplete, not up to date, or is inaccurate, please advise us as soon as practicable.  We will take reasonable steps to correct the information if we agree that it is incomplete, out of date, or inaccurate.  We endeavour to process any request within 30 days.

9.6    If we refuse to correct your Personal Information, we will give you a written notice that sets out our reason for our refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.

Complaints


10.1  If you have any queries or concerns about our Privacy Policy, or the way we handle your Personal Information, or you wish to make a complaint about a breach of the Privacy Act or this Policy, please contact us using the details above and we will take reasonable steps to investigate the complaint and respond to you.

10.2  If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Information Commissioner, Australia.  To lodge a complaint, visit the ‘Complaints’ section of the Information Commissioner’s website, located at http://www.oaic.gov.au/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Information Commissioner’s office.