GDPR

This page provides general information about how Opsaro approaches personal data relating to individuals in the European Economic Area, the United Kingdom, and other regions with GDPR-style privacy requirements.

GDPR Statement

Last updated: 21 May 2026

Purpose of this statement

Opsaro is an Australian ITSM consultancy providing HaloITSM implementation, optimisation, reporting, and advisory services.

This statement explains our general approach to GDPR-related privacy considerations. It should be read together with our Privacy Policy.

This page is provided for transparency and general information. It is not a formal legal opinion, certification, or guarantee that every GDPR obligation applies to, or is met by, Opsaro in every circumstance.

When GDPR may be relevant

GDPR or GDPR-style obligations may be relevant where Opsaro handles personal data relating to individuals in the European Economic Area, the United Kingdom, or other jurisdictions with similar privacy frameworks.

This may occur where a client, prospective client, supplier, contact, or website visitor is located in one of those regions, or where a client engagement involves personal data connected to those regions.

The specific obligations that apply depend on the context, the type of data involved, the purpose of processing, the location of the parties, and Opsaro’s role in the relevant activity.

Transparency

We aim to explain what information we collect, why we collect it, how it is used, and who it may be shared with.

Purpose limitation

We aim to use personal data for legitimate business, service delivery, communication, administrative, legal, or security purposes.

Security

We take reasonable steps to protect personal data using practical security, access control, and information handling measures.

Controller and processor roles

Depending on the context, Opsaro may act as a controller, processor, or service provider for personal data.

For example, Opsaro may act as a controller for information collected through its website, enquiries, marketing, administration, billing, and direct business communications.

In some client engagements, Opsaro may process personal data on behalf of a client when accessing, configuring, reviewing, migrating, or supporting a service management platform or related system. In those cases, the client may remain responsible for determining the purposes and means of processing.

Specific controller, processor, confidentiality, security, and data handling obligations should be confirmed in the relevant proposal, statement of work, data processing agreement, or services agreement where required.

Types of personal data

Depending on the interaction or engagement, Opsaro may handle personal data such as:

  • Name, role, organisation, and business contact details
  • Website enquiry, email, calendar, meeting, and communication information
  • Project, support, ticketing, workflow, reporting, or service management information
  • Technical metadata or system information required for implementation or support
  • Information reasonably necessary for proposals, service delivery, administration, billing, and record keeping

We aim to avoid collecting unnecessary sensitive personal data unless it is required for a clearly defined purpose and appropriate safeguards are in place.

Lawful basis and purposes

Where GDPR-style requirements apply, personal data should be processed on an appropriate lawful basis. Depending on the context, this may include performance of a contract, steps before entering into a contract, legitimate interests, compliance with legal obligations, consent, or another applicable basis.

We may process personal data for purposes including:

  • Responding to enquiries
  • Preparing proposals and managing client relationships
  • Delivering consulting, implementation, reporting, support, and advisory services
  • Managing meetings, communications, administration, and billing
  • Improving our website, services, resources, and client experience
  • Maintaining security, records, and legal compliance

Individual rights

Depending on the law that applies, individuals may have rights in relation to their personal data. These may include rights to:

  • Be informed about how personal data is used
  • Request access to personal data
  • Request correction of inaccurate or incomplete data
  • Request deletion in certain circumstances
  • Restrict or object to certain processing
  • Request data portability where applicable
  • Withdraw consent where processing is based on consent
  • Raise a complaint with a relevant data protection authority

To make a privacy request, contact Opsaro using the details below. We may need to verify your identity and the nature of your request before responding.

International transfers

Opsaro operates from Australia and may use cloud-based systems, service providers, communication tools, and business platforms that store or process information in Australia or overseas.

Where GDPR-style requirements apply to an international transfer, appropriate contractual, technical, organisational, or other safeguards may be required depending on the circumstances.

Client-specific transfer requirements should be addressed in the relevant services agreement, data processing agreement, or project documentation where needed.

Subprocessors and service providers

Opsaro may use third-party service providers to support hosting, email, communications, CRM, documentation, project delivery, accounting, security, or related business operations.

Where Opsaro acts as a processor for a client, any subprocessor requirements should be agreed with the client as part of the relevant engagement terms.

Retention

We retain personal data for as long as reasonably necessary for the purpose it was collected, including service delivery, administration, legal, accounting, dispute resolution, security, and legitimate business purposes.

Where personal data is no longer required, we take reasonable steps to delete, de-identify, archive, or otherwise manage it appropriately.

Security measures

Opsaro takes reasonable steps to protect personal data from misuse, interference, loss, unauthorised access, modification, or disclosure.

Measures may include access controls, reputable cloud systems, account security controls, secure communication practices, role-appropriate client system access, and practical information handling procedures.

More information is available in our Security Statement.

Contact

For GDPR-related questions, privacy requests, or data handling enquiries, contact Opsaro.

Email: service@opsaro.com

Please include enough information for us to understand your request, identify the relevant interaction or engagement, and respond appropriately.
