← Back to Home

Privacy Policy

Our commitment to privacy

We are committed to respecting your privacy and complying with our privacy obligations in accordance with the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth) (the "Privacy Act"). We also comply with the EU General Data Protection Regulation ("GDPR") in relation to all personal data that we collect, hold, disclose and otherwise process, if the personal data is protected by the GDPR ("GDPR Data"). It is our policy to collect and process personal information only in an open, secure and transparent way.

In this Privacy Policy, references to "we", "us" and "our" are references to Arnotts Technology Lawyers Pty Ltd of Level 6, 16 O'Connell Street, Sydney NSW 2000 Australia and references to "FountainPen", "this platform" or "the platform" are to the fountainpen.lawyer product.

About this Privacy Policy

You may only access and use FountainPen if you accept our Terms of Service and this Privacy Policy. By accessing and/or using FountainPen, you confirm that you have read and understand and wholly and unconditionally agree to this Privacy Policy. We may modify and/or replace this Privacy Policy from time to time. We will upload the latest version to this webpage.

If you do not wish to accept this Privacy Policy, you must not access or use FountainPen at any time or for any purpose.

What is personal data and personal information?

In this Privacy Policy, "personal information" has the meaning given to in the Privacy Act or to "personal data" in the GDPR (depending on which law is applicable).

The Privacy Act defines "personal information" as information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.

Article 4(1) of the GDPR defines "personal data" as any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Information uploaded to FountainPen

Our policy is only to process personal information via the platform that is required to generate tracked changes and comments in legal documents.

Information entered into FountainPen

When a lawyer uploads a document into FountainPen, the document is sent to a third party artificial intelligence platform and is used to generate a revised document with tracked changes and comments that is supplied to the lawyer.

We don't keep your documents

We don't keep any legal documents that are uploaded into FountainPen. Once the revised document (with proposed tracked changes and comments) is supplied by FountainPen to the lawyer who requested a review of the document by FountainPen, we delete all copies of the document.

Who we share personal information with

We will only disclose personal information that we collect via the platform to third parties as follows:

• To our suppliers who host our files and databases in the cloud – we store backup copies of our computer files, software and databases in the cloud with Amazon Web Services who hosts those files, that software and those databases (including any personal information contained in them);
• When handling claims, legal disputes and complaints – in which case we may disclose your personal information to our insurers, lawyers, accountants and other professional advisors;
• In order to identify our users- when we are contacted with questions or concerns regarding the platform;
• In order to record billing details and process payments from our users – in which case we will provide Clients' bank account and credit card details to our bank and merchant facility providers;
• For professional advice - when providing information to our legal, accounting or financial advisors/representatives or debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
• If we sell the whole or part of our business or merge with another entity – in which case we will provide to the purchaser or other entity the personal information that is the subject of the sale or merger; and
• Where required by law.

We may also provide your personal information to our lawyers, insurers and professional advisors and any court or administrative body, for one or more of the following purposes:

• To obtain or maintain insurance;
• The prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
• To protect or enforce our rights or defend claims;
• Enforcement of our claims against you or third parties;
• The enforcement of laws relating to the confiscation of the proceeds of crime;
• The protection of the public revenue;
• The prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
• The preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of the court or tribunal; and
• Where disclosure is required to protect the safety or vital interests of our employees or users of the platform.

Security

We take reasonable steps to protect personal data that we hold from unauthorised access, modification and disclosure and implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as follows:

• We perform security testing, and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management and firewalls;
• We maintain physical security measures in its buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms;
• We require all of our employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements;
• We carry out security audits of our systems which seek to find and eliminate any potential security risks in electronic and physical infrastructure as soon as possible;
• if appropriate in the circumstances, taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, pseudonymising and/or encrypting personal information;
• We implement passwords and access control procedures into our computer systems;
• We have data backup, archiving and disaster recovery processes in place;
• We have anti-virus and security controls for email and other applicable computer software and systems in place; and
• We have processes in place to ensure integrity and resiliency of systems, servers and personal information.

Despite these security measures, we cannot guarantee the security of personal information.

Contractors and offshore providers

We may transfer your personal information to our contractors and service providers who assist us with hosting, developing and supporting the platform, and to assist us with the operation of our business, where we consider it necessary, provided that we comply with applicable law, including the provisions of Australian Privacy Principle 8 (Cross-border disclosure of personal information), and GDPR (in relation to GDPR Data). The servers that host our platform are located in Australia.

We engage third-party sub-processors in connection with the hosting of the platform and its ancillary services ("Sub-processors"). These Sub-processors may include partners, software developers, subsidiaries, suppliers and hosting providers.

If you use the platform, you are deemed to have given your general written consent and authorisation for us to engage our current Sub-processors.

We have or will enter into a written agreement with our Sub-processors governing the obligations regarding data processing, which will contain provisions that are not less protective that those set out in our Terms of Service, to the extent that such provisions are applicable to the nature of the services provided by the Sub-processors to us.

GDPR offshore transfers

We will not transfer GDPR Data about a person to any country or organisation outside of the European Union, except:

• as reasonably necessary for us to provide or procure the operation of the platform; or
• as instructed by the person.

Unless otherwise agreed in writing, any transfer by us of personal data that a user of the platform uploads and/or enters about a data subject into the platform for us to process on their behalf (which is the subject of the GDPR) outside the European Union will not be carried out unless we have taken such measures as are necessary to ensure the transfer complies with all applicable data protection laws. This may include (without limitation) transferring pursuant to the standard contractual clauses approved by the European Commission (including those clauses annexed to Commission decision of 5 February 2010 (2010/87/EU) as amended or superseded), or transferring to a country or organisation in a country outside the European Union that the European Commission has determined provides adequate protection for personal data.

Retention and de-identification of personal data

We will not keep personal data in a form which permits identification of any person for longer than is necessary for the purposes for which the personal data is processed. We will only process personal data that is entered into the platform, and only thereafter for the purposes of deleting or returning that personal data to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect your or any other person's vital interests). We will, following your cessation of use of the platform, delete all of the personal data uploaded and/or entered into the platform by you that we hold. Where a user requires that the personal information is to be returned, it will be returned to the user (as applicable) after the end of the provision of services relating to the processing (Processing Conclusion Date) and to the extent feasible, and we will thereafter delete all then remaining existing copies of that personal information in our possession or control as soon as reasonably practicable thereafter, but in any event not more than 30 days after the Processing Conclusion Date, unless applicable law requires us to retain the personal information in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.

Your rights under the GDPR

Subject to the provisions and exceptions set out in the Privacy Act and/or GDPR, you have a number of rights, including:

• The right to be informed;
• The right of access;
• The right to rectification;
• The right to erasure;
• The right to restrict processing;
• The right to data portability;
• The right to object; and
• Rights in relation to automated decision making and profiling.

Please contact us if you wish to opt out of any communications that we send you or if you wish to exercise any of your rights under the GDPR. We will handle all such requests in accordance with our legal obligations.

How to access and correct personal data held by us

Please contact us if you wish to access your personal data that we hold about you, using the details set out at the end of this Privacy Policy. We will handle your request for access to your personal data in accordance with our statutory obligations. To ensure that we only obtain, collect, use and disclose accurate, complete and up to date personal data, we invite you to contact us and inform us if any of your personal details we hold change or if any of the personal data held by us is otherwise incorrect or erroneous. We will provide you (or if you wish, another controller) with a copy of the personal data they we hold about you in a structured, commonly used and machine readable format.

Notifiable data breaches

Since 22 February 2018, data breaches involving personal information governed by the Privacy Act 1988 (Cth) that are likely to result in serious harm must be reported to affected individuals and the Office of the Australian Information Commissioner (OAIC), except where limited exceptions apply. For the purposes of the GDPR, certain types of data breaches must also be reported to affected individuals if the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms. In addition, the GDPR requires organisations to report certain types of data breaches to the relevant supervisory authority. We have prepared a response plan for addressing data breaches that may occur and have allocated responsibility for managing breaches to a relevant individual or team. We will notify you of any data breach that may affect you where we are required to do so in accordance with our legal obligations.

Our contact details

The platform is operated by Arnotts Technology Lawyers of Sydney NSW Australia. If you wish to contact us for any reason regarding our privacy practices or the personal data that we hold about you, please contact us at the following address:

We will use our best endeavours to resolve any privacy complaint within 10 Business Days following receipt of your complaint. This may include working with you on a collaborative basis to resolve the complaint or us proposing options for resolution.

If you are not satisfied with the outcome of a complaint you make refer the complaint to the OAIC who can be contacted using the following details:

If you have any complaint relating to GDPR Data, you may lodge a complaint with any relevant supervisory authority.