Your privacy, handled with care.

1. Introduction and Scope

This organisation (“we,” “us,” “our,” or “the organisation”) is committed to protecting the privacy of individuals whose personal information we collect, hold, use, and disclose in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we manage personal information and sets out your rights regarding that information.

This policy applies to all personal information handled by our organisation in connection with our business activities, including the provision of our products and services through our website and in our dealings with clients, customers, prospective clients, and other individuals.

2. About Our Organisation

Our organisation is an APP entity required to comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth). We conduct business activities across various sectors and provide products and services to assist our clients and customers in achieving their objectives.

3. Anonymity and Pseudonymity APP 2

Where it is lawful and practicable, you may have the option of not identifying yourself or of using a pseudonym when dealing with us. However, in many circumstances involving our business operations, it is not practicable for us to deal with you anonymously or pseudonymously because:

1. we are required under Commonwealth or State laws to verify your identity and collect specific personal information before providing certain products or services;
2. our contractual obligations to suppliers, service providers, and other third parties may require us to collect and verify your personal information;
3. the nature of our services or products requires us to assess your circumstances, requirements, and needs, which can only be achieved through collection of your identified personal information; and
4. third parties we work with may require identified personal information to assess applications and provide services.

Where anonymity or pseudonymity is possible, such as for general enquiries about our services, we will inform you of this option.

4. Collection of Personal Information APP 3 & APP 5

4.1 Types of Personal Information We Collect

We only collect personal information that is reasonably necessary for, or directly related to, our functions and activities as a business organisation. The personal information we collect may include:

1. identification information such as your name, date of birth, address, telephone numbers, email address, and government-issued identification details;
2. business and commercial information including employment details, business relationships, transaction history, preferences, and requirements related to our products and services;
3. sensitive information (where consent is provided or collection is otherwise authorised) such as health information where relevant to our services, membership of professional or trade associations, or other sensitive information directly related to the products or services we provide; and
4. information about your use of our website including IP addresses, browser information, page views, session duration, and cookie data.

4.2 Collection Methods

We collect personal information about you primarily from you directly, including through application forms, questionnaires, interviews, telephone conversations, electronic communications, and our website. We may collect personal information from other sources only where:

1. you have consented to such collection;
2. we are required or authorised by law to do so; or
3. it is unreasonable or impracticable to collect the information directly from you.

Third party sources may include credit reporting agencies, other service providers (where you have engaged multiple providers), employers (for verification purposes), accountants, lawyers, real estate agents, valuers, insurers, government agencies, and publicly available sources.

4.3 Notification of Collection

At or before the time we collect your personal information (or as soon as practicable afterwards), we will take reasonable steps to notify you of our identity and contact details, the purposes for which we are collecting your information, your right to access and correct your information, the consequences if you do not provide the information, the types of organisations to whom we usually disclose information, any likely overseas disclosures, and how to make a complaint.

5. Use and Disclosure of Personal Information APP 6

5.1 Primary Purposes

We use and disclose your personal information for the following primary purposes:

1. assessing your requirements, circumstances, and needs to provide appropriate products, services, and recommendations;
2. processing applications for products and services including any applications to third parties on your behalf;
3. facilitating the provision of products and services by our suppliers, contractors, and service providers;
4. ongoing account administration, customer service, and relationship management;
5. complying with our legal and regulatory obligations under applicable Commonwealth and State laws and regulations; and
6. maintaining our business records and managing our client and customer relationships.

5.2 Secondary Purposes

We may also use and disclose your personal information for related secondary purposes that you would reasonably expect, including conducting assessments and obtaining reports from third parties, verification of information you have provided, internal business processes including staff training and quality assurance, managing complaints and disputes, and exercising our rights under contracts and at law.

5.3 Permitted Situations

We may use and disclose your personal information without your consent where required or authorised by Australian law or court order; for enforcement of the criminal law or protection of public revenue; to assist in locating a missing person; to establish, exercise, or defend a legal claim; where there are reasonable grounds to suspect unlawful activity; to prevent or lessen a serious threat to life, health, or safety; and for research purposes where certain conditions are met.

5.4 Disclosure to Third Parties

We may disclose your personal information to suppliers, contractors, and service providers; product and service providers for processing applications on your behalf; credit reporting agencies; professional service providers including lawyers, accountants, and valuers; government agencies and regulatory bodies as required by law; our related entities, authorised representatives, agents, and business partners; technology service providers; professional indemnity insurers and legal advisors; and potential purchasers or investors in connection with any proposed sale or restructure of our business, subject to appropriate confidentiality arrangements.

6. Direct Marketing APP 7

6.1 Marketing Communications

We may use your personal information to inform you about products, services, and opportunities that we believe may be of interest to you, including new products and services offered by us or our business partners, changes to existing products and services, educational content and updates related to our industry, and invitations to events, seminars, webinars, and other promotional activities.

6.2 Consent and Opt-Out

We will only use your personal information for direct marketing purposes where you have consented to receiving such communications, you would reasonably expect us to use your information for such purposes, or we have otherwise acquired your personal information and you have not made a request not to receive direct marketing communications.

7. Cross-Border Disclosure APP 8

7.1 Overseas Disclosure

We may disclose your personal information to recipients located outside Australia to overseas suppliers or service providers where you have applied for products or services offered by such entities; to our technology service providers who may host data or provide services from servers located overseas; to professional service providers engaged in connection with our business activities located overseas; and where you have requested us to facilitate transactions or provide services involving overseas entities.

7.2 Countries of Disclosure

The countries in which such recipients are likely to be located include the United States of America (for technology services and cloud storage providers), Singapore (for business service providers and technology services), New Zealand (for related entities and service providers), United Kingdom (for professional services and technology providers), European Union countries (for technology and professional services), and other countries as may be required to facilitate specific transactions or services at your request.

7.3 Safeguards for Overseas Disclosure

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles. These steps may include entering into contractual arrangements requiring compliance with privacy principles substantially similar to the APPs, verifying that the overseas recipient is subject to laws providing substantially similar protection, obtaining your explicit consent to the overseas disclosure, or ensuring that the disclosure is required or authorised by Australian law.

8. Government Related Identifiers APP 9

We do not adopt, use, or disclose government related identifiers (such as tax file numbers, Medicare numbers, or driver licence numbers) as our own identifiers for individuals. Where we collect government related identifiers, we do so only as required or authorised by Australian law; for the purposes for which the identifier was assigned; or where reasonably necessary to verify your identity or fulfil our obligations to government agencies.

We implement appropriate safeguards to protect government related identifiers from misuse, interference, and loss, and from unauthorised access, modification, or disclosure.

9. Unsolicited Personal Information APP 4

If we receive unsolicited personal information about you (information we have not requested), we will determine whether we could have collected that information under APP 3 if we had solicited it. If we determine that we could not have collected the information, and it is lawful and reasonable to do so, we will destroy or de-identify the information as soon as practicable unless we are required by law to retain it.

Where we determine that we could have collected the unsolicited information under APP 3, we will handle the information in accordance with this Privacy Policy and notify you in accordance with APP 5 if it is practicable and reasonable to do so.

10. Data Quality APP 10

We take reasonable steps to ensure that the personal information we collect is accurate, up-to-date, and complete. We also take reasonable steps to ensure that personal information we use or disclose is, having regard to the purpose of use or disclosure, accurate, up-to-date, complete, and relevant. To assist us in maintaining accurate records, we encourage you to:

1. provide accurate and complete information when dealing with us;
2. inform us promptly of any changes to your personal information; and
3. notify us if you become aware of any errors in the personal information we hold about you.

11. Data Security APP 11

11.1 Security Measures

We implement technical and organisational measures to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:

1. secure data storage systems with encryption and access controls;
2. regular security assessments and updates to our IT systems;
3. staff training on privacy and security requirements;
4. confidentiality agreements with employees and service providers;
5. secure transmission protocols for electronic communications;
6. physical security measures for paper records and computer systems;
7. regular backup and disaster recovery procedures; and
8. monitoring and logging of access to personal information systems.

11.2 Data Retention and Destruction

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods include:

• Client and customer files: minimum 7 years from when services were last provided or the relationship ended
• Application and transaction records: 7 years from the date of completion or withdrawal
• Taxation and financial records: 7 years from the end of the relevant financial year
• Marketing consent records: until consent is withdrawn plus a reasonable compliance period
• Complaint records: 7 years from the date the complaint was resolved

When personal information is no longer required, we take reasonable steps to destroy or de-identify it in a secure manner.

12. Access to Personal Information APP 12

12.1 Right of Access

You have the right to request access to the personal information we hold about you. Subject to certain exceptions under the Privacy Act, we will provide you with access to your personal information within a reasonable timeframe.

12.2 How to Request Access

To request access to your personal information, please contact our Privacy Officer using the contact details in section 2, specify the personal information you wish to access, provide sufficient information to verify your identity, and specify your preferred method of access (inspection, copy of documents, written summary, etc.).

12.3 Access Procedures

We will acknowledge your access request within 14 days and provide access within 30 days unless we require additional time to locate records or consult with third parties, we need to verify your identity, an exception under the Privacy Act applies, or we require payment of a reasonable charge for providing access.

12.4 Exceptions to Access

We may refuse access to personal information where providing access would pose a serious threat to the life, health, or safety of any individual; have an unreasonable impact on the privacy of others; the request is frivolous or vexatious; the information relates to existing or anticipated legal proceedings; providing access would reveal commercially sensitive information; providing access would be unlawful; or denying access is required or authorised by law. If we refuse your access request, we will provide written reasons and information about how to make a complaint.

13. Correction of Personal Information APP 13

13.1 Right to Correction

You have the right to request correction of personal information we hold about you if you believe it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

13.2 How to Request Correction

To request correction of your personal information, please contact our Privacy Officer using the contact details in section 2, specify the personal information you believe requires correction, explain why you believe the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading, and provide evidence supporting the correction where possible.

13.3 Correction Procedures

We will acknowledge your correction request within 14 days and take reasonable steps to correct the information within 30 days if we are satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading having regard to the purpose for which it is held.

13.4 Notification of Correction

If we correct personal information that we have previously disclosed to another entity, we will take reasonable steps to notify that entity of the correction if you request us to do so.

13.5 Refusal to Correct

If we refuse to correct personal information, we will provide you with written reasons for the refusal; if you request, take reasonable steps to associate with the information a statement that you view it as inaccurate, out-of-date, incomplete, irrelevant, or misleading; and provide information about how to make a complaint about our refusal.

14. Complaints Procedure

14.1 Making a Privacy Complaint

If you believe that we have breached your privacy or handled your personal information inappropriately, you may make a complaint to our Privacy Officer using the contact details in section 2. Your complaint should include your contact details, details of the specific privacy concern or alleged breach, the outcome you are seeking, and any supporting documentation.

14.2 Complaint Handling Process

We will handle your privacy complaint as follows:

• Acknowledgment — We will acknowledge receipt of your complaint within 7 days.
• Investigation — We will investigate your complaint thoroughly and fairly, which may involve consulting with relevant staff members and reviewing relevant records.
• Response — We will respond to your complaint within 30 days (or longer if the matter is complex, in which case we will notify you of the delay).
• Resolution — Our response will outline the outcome of our investigation and any steps we propose to take to resolve the matter.
• Implementation — If we determine that a breach has occurred, we will take appropriate corrective action and implement measures to prevent similar breaches in the future.

14.3 External Complaint Options

If you are not satisfied with our response to your privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

15. Website Privacy

15.1 Cookie Policy

Our website uses cookies and similar tracking technologies to enhance your browsing experience and analyse website usage. Cookies are small text files stored on your device that help us remember your preferences and understand how you use our website.

15.2 Managing Cookies

You can manage cookie preferences through your browser settings. However, disabling certain cookies may affect the functionality of our website.

15.3 Third Party Services

Our website may include links to third-party websites and services. We are not responsible for the privacy practices of these third parties, and we encourage you to review their privacy policies before providing any personal information.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

1. posting the updated policy on our website with the effective date;
2. sending notification to clients and customers via email where we hold current email addresses; and
3. providing notice through other communications where appropriate.

The current version of this Privacy Policy is available on our website and can be requested by contacting us using the details in section 2.

17. Policy Availability

This Privacy Policy is made available on our website and upon request to any individual by contacting us using the details in section 2. We will also provide this Privacy Policy to new clients and customers as part of our onboarding process, and to existing clients and customers upon request or when material changes are made to the policy. We will provide this Privacy Policy free of charge upon request.

18. Effective Date

This Privacy Policy is effective from 24 September 2025 and supersedes all previous versions. This Privacy Policy was last updated on 1 November 2025.

For any questions about this Privacy Policy or our privacy practices, please contact our Privacy Officer using the contact details provided in section 2.