Privacy Policy

SHAPE Global Ltd cares about your privacy and wants you to be familiar with how we collect, use, and disclose information. This Privacy Policy ("Policy") describes our practices in terms of collection and processing of your personal and special category (sensitive) data that you provide when you use our "SHAPE Service" ("Service").

This Policy also explains how and why we collect your data, what we do with it, and your rights regarding your data. Please keep in mind that this Policy does not constitute a contractual document. Hence, no obligations are created on either party beyond those which already exist under data protection laws.

Who are we?

SHAPE GLOBAL Pty Ltd, is the “Data Controller” responsible for the processing of your “personal and special category (sensitive) data” ("data"). In this Privacy Policy, "we", "our", or "us" refers to SHAPE GLOBAL Ltd. "You" and “your" refers to you.

SHAPE Service

The SHAPE Service provides a comprehensive online employee productivity survey for large and small organisations, accessed using a modern browser via the internet. You may also use compatible mobile devices to complete the survey, view results, and access many additional features. This service is provided to you as part of an arrangement we have entered into with your employer.

Data collected outside of Service

We are committed to providing you with a high-quality service. To achieve this, we collect and analyse accumulated information of visitors who visit This information includes browsers and devices you use to access this website, and referring URLs. We collect this information to improve our website and Service for all our users. We do not collect any personal information when you browse this website except information you provide in the Contact Form, although the technical data is collected to facilitate the transaction, this may include your IP address.

When we connect with you through social media, we will collect personal data you make available through existing and future social media channels within the public domain.

Data collected in-Service

How do we collect data?

We collect data in a variety of ways, including:

  • From you directly
  • Through execution of the Service
  • Through customer support
  • Through and related websites that provide access to the Service

We collect and retain the data you provide in the Contact Form on

What data do we collect?

We collect the following data about you:

  • Data you provide;
    We collect data when you submit the Contact Form on, and when you onboard the Service and complete the survey. If you use customer support, provide feedback on the Service, or respond to our marketing emails, we shall record and retain the communication in writing. And of course, the data you provide in answering the questions within the Service.
    During survey completion, we collect personal data, such as your name and email address, and sensitive data, such as health status. We will request your consent prior to collecting sensitive data.
  • Data we automatically collect from your use of the Service;
    We track your usage of the Service and collect data on date, time, location, frequency, and duration of usage. We retain technical information about your computer or mobile device for system administration and analysis, including your IP address, URL clickstreams, unique device identifiers, operating system, and network and browser type to ensure our service meets the needs of the technology you use.

How do we use your data?

Our legal basis for collecting and using data depends on the data concerned and the specific context in which we collect it. When collecting sensitive personal data we will ask for your specific consent; when we process limited personal data we will do so under legitimate business purposes part of the service we provide your employer.

Data you provide. The data you provide is used in the following ways:
  • anonymised, aggregated and used for our business purposes; or
  • processed and converted into reports and data analysis; or
  • numerical scores that inform you of your productivity and performance, and how you compare with other employees. We aggregate and anonymise your data when sharing with any audience, and shall seek your approval to waive your anonymity if there is a possibility of identification; or
  • research purposes for general product development and improvement with our academic and research partners; or
  • ability to present you with appropriate and relevant information and guidance on how to improve your productivity at work; or
  • for advertising, marketing and public relations activities. We shall always request your consent to send you marketing communications, and you may opt-out of this whenever you wish; or
  • to carry out client communication, service, billing and administration; or
  • to gather feedback on the Service and to help us evaluate and improve the Service; or
  • to notify you about changes to the Service, including informing you about new versions, features, functionality, and service offerings; or
  • for user administration, including the processing of enquires, correspondence, concerns or complaints you have raised.
The data we automatically collect is used in the following ways:
  • to execute and upgrade the Service and improve user experience, including ensuring that content is presented effectively for you and for your computer; or
  • for internal operations, including troubleshooting, testing, research, statistical and survey purposes; or
  • to keep the Service safe and secure.
The data we collect outside the Service is used in the following ways:
  • for evaluation, maintenance and development of our website
  • For evaluation and optimisation of our Service.

We shall use your data for the above purposes if we deem this to be necessary for our legitimate interests and to perform our contractual obligations with your employer, as part of the service we provide directly to your employer to enable and support its workforce.

Regardless of the above categories it may also be necessary for us to process your data, where appropriate and in accordance with local laws and requirements, in connection with exercising or defending legal claims. This may arise for example where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.

We shall not reveal your identity to your employer other than in exceptional circumstances, as explained further below in the section entitled "Data disclosure".

Retaining your data

Your data shall be retained for two years after the date your company completes their contract with us. After two years your data shall be anonymised, i.e. stripped of personally identifiable information (PII), aggregated, and used for our business purposes. This aggregated non-identifiable data may be stored for an extended period.

Data disclosure

We may disclose your data (to any of our employees, officers, agents, suppliers or subcontractors) insofar as reasonably necessary for the purposes as set out in this Policy. Please note this would be in exceptional circumstances.

In addition, we may disclose your personal information:

  • to IT service providers who manage our IT and back office systems and communications networks to the extent that we are required to do so by law; or
  • in connection with any legal proceedings or prospective legal proceedings; or
  • in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk); or
  • to the purchaser (or prospective purchaser) of any business or asset which we are (or are contemplating) selling; or
  • to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that data where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that data.
  • Except as provided in this Policy, we shall not provide your data to third parties.
Data security

We have implemented appropriate technical and organisation measures to protect the data we receive from you through your use of the Service. We also follow accepted industry standards to protect the data submitted to us, both during transmission and once we receive it using reasonable organisational, technical, and administrative measures designed to protect personal information under our control.

Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you have with us has been compromised), please immediately notify us using the website “Contact Us” function, or see contact details below.

The password issued to you for your profile must be treated as sensitive and confidential information. You are responsible for keeping your password safe. In the event that a profile or password is suspected to have been compromised, you are responsible for reporting the incident to us immediately and change all passwords.


As required by law we will seek consent to process Special Category Personal Data or where we wish to contact you to conduct marketing, promotional and informational activities or market research and conduct direct marketing. When processing your Personal Data we are likely to rely on Legitimate Business Interests as the legal basis for processing, or we may consider this a contractual obligation with your organisation.

Your Rights under the EU General Data Protection Regulation

When using the Service and submitting data to us, you have certain rights under the General Data Protection Regulation ("GDPR") and other laws. SHAPE adheres to the Data Protection Act 2018 which is the UK’s implementation of GDPR. Depending on the legal basis for processing your data, you may have some or all of the following rights:

  • The right to be informed
    You have the right to be informed about the data we collect from you, and how we process it.
  • The right of access
    You have the right to get confirmation that your data is being processed and have the ability to access your data.
  • The right to rectification
    You have the right to have your data corrected if it is inaccurate or incomplete.
  • The right to erasure (right to be forgotten)
    You have the right to request the removal or deletion of your data if there is no compelling reason for us to continue processing it.
  • The right to restrict processing
    You have a right to ‘block’ or restrict the processing of your data. When your data is restricted, we are permitted to store your data, but not to process it further.
  • The right to data portability
    You have the right to request and get your data that you provided to us and use it for your own purposes. We shall provide your data to you within 30 days of your request. To request your data, go the SHAPE Menu and follow the instructions to get your Personal Data File. To request your data, please contact us through SHAPE customer support.
  • The right to object
    You have the right to object to us processing your data for the following reasons:
    • Processing was based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); or
    • Direct marketing (including profiling), noting that we need to send transactional communications, as defined by EU GDPR Article 6(1), as part of our delivery of contracted services to your employer; or
    • Processing for purposes of scientific/historical research and statistics.
  • Rights in relation to automated decision-making and profiling
    • Automated individual decision-making and profiling
      You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
    • Filing a complaint with authorities
      You have the right to file a complaint with supervisory authorities if your data has not been processed in compliance with GDPR. If the supervisory authorities fail to address your complaint properly, you may have the right to a judicial remedy.
  • Complaints and inquiries

    In compliance with the US-EU and Swiss-US Privacy Shield Principles, we commit to resolve complaints about your privacy, our collection or use of your data, and any other issues you may face while consuming the Service. We invite you to e-mail us with inquiries, suggestions and complaints at:


    Cookies are most commonly used to track website activity. When you visit our website, the server gives you a cookie that acts as your identification card. You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our website. Unless you have adjusted your browser setting so that it will refuse cookies, our system shall issue cookies when you log on to our site.

    The Cookies SHAPE use are Technical Cookies and Functional Cookies which track IP address, URL clickstreams, unique device identifiers, operating system, and network and browser type. We do not apply marketing cookies for this service. By not accepting technical and functional cookies the service provided may be affected.

    International data transfers

    We are a global business. Data may be stored and processed in any country where we have operations or where we engage service providers. Service providers are limited to technical support and technical infrastructure, where we have entered into appropriate arrangements for transfer with those third-party service providers. Therefore, we may transfer data that we maintain about you to recipients in countries other than the country in which the data was originally collected, including to the United States. Those countries may have data protection rules that are different from those of your country. However, we have taken appropriate steps to ensure that any such transfers comply with applicable data protection laws and that your data remains protected to the standards described in this Policy. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your data, but only with appropriate authority.

    If you are located in the European Economic Area (EEA) or Switzerland, we comply with applicable laws to provide an adequate level of data protection for the transfer of your data to the US.

    Some non-European Economic Area (EEA) countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards, (the full list of these countries is available here (link is external) For transfers from the EEA to countries not considered adequate by the European Commission, we have ensured that adequate measures are in place, including by ensuring that the recipient is bound by EU Standard Contractual Clauses, EU-US Privacy Shield Certification, or an EU-approved code of conduct or certification, to protect your Personal Information.

    SHAPE complies with the Office of the Australian Information Commissioner (OAIC) in relation to cross-border data flows outlined in Chapter 8/APP 8, whereby an APP entity may disclose personal information to an overseas recipient who is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially to the way APPs protect the information.

    Changes to this Policy

    As we develop new products and services, deploy new technologies and develop new uses of information, we review and update this Policy to reflect these changes. In addition, from time to time we make organisational, stylistic and grammatical changes to present our practices in a way that makes this Policy easy to read. Any changes shall be made without prior notice and updated on this webpage.

    Use by Minors

    While we acknowledge some organisations may employ persons younger than the age of 18, the Service is not directed to individuals under the age of 18.

    Lodging a complaint with the Regulator

    Relevant EEA Regulator Contact: You may lodge a complaint with a supervisory authority competent for your country or region. Please click here (link is external) for contact information for such authorities.

    Relevant non-EEA Regulator Contact:
    Australia - Privacy Commissioner –
    Japan - Personal Information Protection Commission:
    New Zealand – The Privacy Commissioner’s Officer
    South Africa –
    USA – The FTC has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas;


    If you have any questions regarding this Policy, please write to us at

    Revised Feb 2021