Privacy Statement

Section A – Introduction

1. Introduction

1.1 The information in this document details how we, Alleviare Advisory Pty Ltd (“Alleviare”), comply with the requirements of the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles in protecting the personal information we hold about you.

1.2 Personal information is any information or opinion about you that is capable, or reasonably capable, of identifying you, whether the information or opinion is true or not and is recorded in material form or not.

1.3 Sensitive information includes such things as your racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or criminal record, that is also personal information. Your health, genetic and biometric information and biometric templates are also sensitive information.

1.4 We protect your personal and sensitive information in accordance with the Australian Privacy Principles and the Privacy Act.

1.5 We collect personal and/or sensitive information to provide you with the products and services you request as well as information on other products and services offered by or through us. The law requires us to collect personal and/or sensitive information.

1.6 Your personal and/or sensitive information may be used by us to administer our products and services, for prudential and risk management purposes and, unless you tell us otherwise, to provide you with related marketing information. We also use the information we hold to help detect and prevent illegal activity. We cooperate with police and other enforcement bodies as required or allowed by law.

1.7 We disclose relevant personal information to external organisations that help us provide services. These organisations are bound by confidentiality arrangements.

1.8 You can seek access to the personal information we hold about you. If the information we hold about you is inaccurate, incomplete, or outdated, please inform us so that we can correct it. If we deny access to your personal information, we will let you know why. For example, we may give an explanation of a commercially sensitive decision, or give you access to the information through a mutually agreed intermediary, rather than direct access to evaluative information connected with it.

Section B – Collection of Personal Information

2. Why we collect information

2.1 We collect personal information when it is reasonably necessary for one or more of our functions or activities.

2.3 These include:

• (a) providing customers with the products and services they request and, unless they tell us otherwise, to provide information on products and services offered by us and external product and service providers for whom we act as agent. (If you have provided us with your email or mobile phone details, we may provide information to you electronically with respect to those products and services);
• (b) complying with our legal obligations;
• (c) monitoring and evaluating products and services;
• (d) gathering and aggregating information for statistical, prudential, actuarial and research purpose;
• (e) assisting customers with queries; and
• (f) taking measures to detect and prevent frauds.

3. Information we may collect

3.1 The personal and sensitive information we collect generally consists of name, address, date of birth, gender, marital status, occupation, account details, contact details (including telephone, facsimile and e-mail), educational qualifications, and financial information.

3.2 We are required by law to identify you if you are opening a new account or adding a new signatory to an existing account. Anti-money laundering laws require us to sight and record details of certain documents (i.e. photographic and non-photographic documents) in order to meet the standards set under those laws.

3.3 Where it is necessary to do so, we also collect information on individuals such as:

• (a) trustees;
• (b) partners;
• (c) company directors and officers;
• (d) officers of co-operatives and associations;
• (e) customer’s agents;
• (f) beneficial owners of a client; and
• (g) persons dealing with us on a “one-off” basis.

3.4 We may take steps to verify the information we collect; for example, a birth certificate provided as identification, will be sent to our external provider (currently Simple KYC/Green ID) for verification. Simple KYC/Green ID have access to multiple government databases and other databases that will verify the document.

4. How we collect the information

4.1 We only collect personal information about you directly from you (rather than someone else) unless it is unreasonable or impracticable to do so or you have instructed us to liaise with someone else.

5. Information collected from someone else

5.1 If it is impracticable or unreasonable for us to collect the personal information directly from you, we may collect such information from agents, or from your family members or friends. If you are not aware that we have collected the personal information, we will notify you of collection and the circumstances of collection, if we consider it is reasonable to do so.

6. Incomplete or inaccurate information

6.1 We may not be able to provide you with the products or services you are seeking if you provide incomplete or inaccurate information.

7. Consent

7.1 In most cases, before collecting your personal information, we obtain your consent to the purposes for which we intend to use and disclose your personal information.

7.2 If you don’t give us consent, we may not be able to provide you with the products or services you want. This is because we are required to collect this information to provide you advice.

8. Withdrawing consent

8.1 Having provided consent, you are able to withdraw it at any time. To withdraw consent, please contact our office. Please note that withdrawing your consent may lead to us no longer being able to provide you with the product or service you enjoy given that, as mentioned above, it is impracticable for us to treat some customers differently.

9. Sensitive information

9.1 In addition to the above conditions of collecting personal information, we only collect sensitive information about you if we obtain prior consent to the collection of the information or if the collection is required or authorised by law.

10. Dealing with unsolicited personal information

10.1 If we receive personal information that is not solicited by us, we only retain it, if we determine that it is reasonably necessary for one or more of our functions or activities and that you have consented to the information being collected or given the absence of your consent that it was impracticable or unreasonable for us to obtain it under the circumstances.

10.2 If these conditions are not met, we destroy or de-identify the information.

10.3 If such unsolicited information is sensitive information we will obtain your consent to retain it regardless of what the circumstances are.

Section C – Integrity of Your Personal Information

11. Quality of personal information

11.1 We ensure that the personal information we collect and use or disclose is accurate, up to date, complete and relevant.

11.2 Please contact us if any of the details you have provided to us change or if you believe that the information we have about you is not accurate or up to date.

11.3 We may also take steps to update personal information we hold, for example, an address, by collecting personal information from publicly available sources such as telephone directories or electoral rolls.

12. Security of personal information

12.1 We are committed to ensure that we protect any personal information we hold from misuse, interference, loss, unauthorised access, modification and disclosure.

12.2 For this purpose we have a range of practices and policies in place to provide a robust security environment. We ensure the on-going adequacy of these measures by regularly reviewing them.

12.3 Our security measures include, but are not limited to:

• (a) educating our staff as to their obligations with regard to your personal information;
• (b) requiring our staff to use passwords when accessing our systems;
• (c) employing firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses from entering our systems;
• (d) providing secure storage for physical records; and
• (e) employing physical and electronic means such as security gates, security doors and guards (as required) to protect against unauthorised access to buildings.

12.4 Where information we hold is identified as no longer needed for any purpose we ensure it is effectively and securely destroyed, for example, by shredding or pulping in the case of paper records or by deleting electronic records and equipment.

Section D – Use or Disclosure of Personal Information

13. Use or Disclosure

13.1 If we hold personal information about you that was collected for a particular purpose (“the primary purpose”), we do not use or disclose the information for another purpose (“the secondary purpose”) unless:

• (a) We have obtained your consent to use or disclose the information; or
• (b) you would reasonably expect us to use or disclose the information for the secondary purpose and the secondary purpose is:
  • (i) if the information is sensitive – directly related to the primary purpose; or
  • (ii) if the information is not sensitive – related to the primary purpose;
• (c) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
• (d) a permitted general situation exists in relation to the use or disclosure of the information by us; or
• (e) a permitted health situation exists in relation to the use or disclosure of the information by us, in which case we de-identify the information before disclosing it; or
• (f) we reasonably believe that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

13.2 Where we use or disclose personal information in accordance with section 13(1)(e) we keep a copy of this disclosure (e.g.: the email or letter used to do so).

14. Who we may communicate with

14.1 Depending on the product or service you have, the entities we exchange your information with include but are not limited to:

• (a) Other non-related entities that include those registered as an incorporated legal practice in New South Wales Australia which provide legal services to clients, and those that are not registered as an incorporated legal practice in New South Wales Australia or in any other jurisdiction;
• (b) other persons who refer your business to us;
• (c) affiliated product and service providers and external product and service providers for whom we act as agent (so that they may provide you with the product or service you seek or in which you have expressed an interest);
• (d) any person acting on your behalf, including your solicitor, settlement agent, accountant, executor, administrator, trustee, guardian or attorney;
• (e) your referee (to confirm details about you);
• (f) if required or authorised to do so, regulatory bodies and government agencies;
• (g) other organisations who in conjunction with us provide products and services (so that they may provide their products and services to you); and
• (h) professional associations or organisations with whom we conduct an affinity relationship (to verify your membership of those associations or organisations).

14.2 Our use or disclosure of personal information may not be limited to the examples above.

15. Outsourcing

15.1 We disclose personal information when we outsource certain functions, including direct marketing and information technology support. We also seek expert help from time to time to help us improve our systems, products and services.

15.2 In all circumstances where personal information may become known to our contractors, agents and outsourced service providers, there are confidentiality arrangements in place. Contractors, agents and outsourced service providers are not able to use or disclose personal information for any purposes other than our own.

15.3 We take our obligations to protect customer information very seriously we make every effort to deal only with parties who share and demonstrate the same attitude.

16. Disclosure required by law

16.1 We may be required to disclose customer information by law e.g. under Court Orders or Statutory Notices pursuant to taxation or social security laws or under laws relating to sanctions, anti-money laundering or counter terrorism financing.

Section E – Direct Marketing

17. Use or Disclosure

17.1 We only use or disclose the personal information we hold about you for the purpose of direct marketing if we have received the information from you and you have not requested not to receive such information.

17.2 Direct marketing means that we use your personal information to provide you with information on our products and services that may interest you.

17.3 If you wish to opt-out of receiving marketing information altogether, you can:

• (a) click the link provided on any marketing emails sent to you;
• (b) call us on (+61) 0420 744 323; and/or
• (c) write to us at info@alleviaregroup.com.au

Section F – Access to Personal Information

18. Access

18.1 You can request us to provide you with access to the personal information we hold about you.

18.2 Requests for access to limited amounts of personal information, such as checking to see what address or telephone number we have recorded, can generally be handled over the telephone.

18.3 If you would like to request access to more substantial amounts of personal information such as details of what is recorded in your account file, we will require you to complete and sign a “Request for Access to Personal Information” form.

18.4 Following receipt of your request, we provide you with an estimate of the access charge and confirm that you want to proceed.

18.5 We do not charge you for making the request for access, however access charges may apply to cover our costs in locating, collating and explaining the information you request.

18.6 We respond to your request as soon as possible and in the manner requested by you. We endeavour to comply with your request within 14 days of its receipt but, if that deadline cannot be met owing to exceptional circumstances, your request will be dealt with within 30 days. It helps us provide access if you can tell us what you are looking for.

18.7 Your identity is confirmed before access is provided.

19. Exceptions

19.1 In particular circumstances we are permitted by law to deny your request for access or limit the access we provide. We let you know why your request is denied or limited if this is the case. For example, we may give an explanation of a commercially sensitive decision rather than direct access to evaluative information connected with it.

20. Refusal to give access and other means of access

20.1 If we refuse to give access to the personal information or to give access in the manner requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.

20.2 Additionally, we endeavour to give access in a way that meets both yours and our needs.

21. Access to a credit report about you

21.1 You have the right to ask for a copy of any credit report we have obtained about you from a credit-reporting agency. However, as we may not have retained a copy after we have used it in accordance with Part IIIA of the Privacy Act the best means of obtaining an up-to-date copy is to get in touch with the credit-reporting agency direct.

21.2 You have a right to have any inaccuracies corrected or, if there is any dispute as to accuracy, to have a note added to your credit reporting agency file explaining your position.

21.3 If we decline to provide you services wholly or partly because of adverse information on your credit report, the Privacy Act, requires us to tell you of that fact and how you can go about getting a copy of your credit report.

21.4 The major credit-reporting agency in Australia is Equifax, https://www.equifax.com.au/. As the largest agency, it is likely that it will be Equifax that you will need to contact in relation to access to an up-to-date copy of your credit report and any correction of information on your file. You can contact Equifax at https://www.equifax.com.au/contact.

Section G – Correction of Personal Information

22. Correction

22.1 We correct all personal information that we believe to be inaccurate, out of date, incomplete, irrelevant or misleading given the purpose for which that information is held or if you request us to correct the information.

22.2 If we correct your personal information that we previously disclosed to another APP entity you can request us to notify the other APP entity of the correction. Following such a request, we give that notification unless it is impracticable or unlawful to do so.

23. Refusal to correct information

23.1 If we refuse to correct the personal information as requested by you, we give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.

24. Request to associate a statement

24.1 If we refuse to correct the personal information as requested by you, you can request us to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading. We will then associate the statement in such a way that will make the statement apparent to users of the information.

Section H – Contact Us and Complaints

25. Contact

25.1 If you have any questions or would like further information about our privacy and information handling practices, please contact us by:

• (a) Email: info@alleviaregroup.com.au; or
• (b) Phone: (+61) 0420 744 323 or (+44) 07386 806185.

26. Making a privacy complaint

26.1 We offer a free internal complaint resolution scheme to all of our customers. If you have a privacy complaint, please contact us to discuss your concerns.

26.2 To assist us in helping you, we ask you to follow a simple three-step process:

• (a) Gather all supporting documents relating to the complaint.
• (b) Contact us and we will review your situation and if possible resolve your complaint immediately.
• (c) If the matter is not resolved to your satisfaction, please contact our Complaints Officer on (+61) 0420 744 323 or (+44) 07386 806185 or put your complaint in writing and send it to info@alleviaregroup.com.au.

26.3 If you are still not satisfied, you have the right to contact the Office of the Australian Information Commissioner (“OAIC”). You can contact the OAIC to make a query concerning your privacy rights, or to lodge a complaint with the OAIC about how we have handled your personal information. You can contact the OAIC’s hotline on 1300 363 992 or visit their website at www.oaic.gov.au. The OAIC has the power to investigate a complaint and make a determination.

Section I – The Annex portal: scope and defined terms

27. The Annex portal: scope and defined terms

27.1 This part of our Privacy Statement applies to your use of The Annex, the subscription compliance portal operated by Alleviare Advisory Pty Ltd (Alleviare, we, us, our). It is in addition to, and should be read together with, Sections A to H above, which continue to apply.

27.2 In this part:

• Portal means The Annex web application and associated services.
• Subscriber means an individual or organisation that holds an account on the Portal, and you means the individual using it.
• ANN•Emeans the Portal’s in-product AI assistant.
• Generated Documentsmeans compliance documents you create using the Portal’s template and document tools.
• Super Admin means an authorised member of Alleviare staff with oversight access as described in Section K.

Section J – Information we collect through the Portal

28. Information we collect through the Portal

28.1 Account information. When you register we collect your name, email address, and authentication details, and (for team accounts) your organisation and role.

28.2 Content you create or upload. Generated Documents, register and task entries, notes, and other content you create in the Portal.

28.3 Usage and security logs. We log activity for security, oversight, and audit purposes, including the date and time of events, the action taken, and the IP address and device or browser information associated with the request (see also Sections N and Q). These records support our obligations under clause 28.4 and the security of the Portal.

28.4 Consent records. When you accept this Privacy Statement and our Terms and Conditions, we record which version you accepted, the date and time, and your IP address, and retain that record as described in Sections N and Q.

28.5 Email-integration data.If you choose to connect an email account (see Section M), we process email content you direct ANN•E to act on. We handle this data as described in Section M.

Section K – Super Admin oversight of Subscriber content

29. Super Admin oversight of Subscriber content

29.1 To operate, support, and maintain the Portal, an authorised Super Admin may view (on a read-only basis) Subscriber content, including Generated Documents, for the purposes of platform oversight, troubleshooting, and ensuring the integrity and security of the service. Super Admin access is for operational purposes only and does not constitute the provision of advice.

29.2 Every such access is logged (including the staff member, the Subscriber whose content was accessed, and the time) so that the access is traceable and reviewable. Within a team or organisation account, a Team Administrator may also view content generated by members of their organisation.

Section L – Third-party processors and cross-border disclosure

30. Third-party processors and cross-border disclosure

30.1 We use the following third-party service providers (processors) to operate the Portal. Each processes Personal information only as needed to provide its service to us and under contractual obligations of confidentiality and security:

30.2 Cross-border disclosure. Some processors are located outside Australia (see the table above). Where we disclose Personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles (APPs), consistent with APP 8. Error-monitoring data is held in the European Union, a jurisdiction with data-protection laws broadly comparable to Australia’s. We minimise the Personal information disclosed to error monitoring (for example, by not transmitting request credentials, cookies, or query-string content).

30.3 We do not sell your Personal information.

Section M – Email integration (ANN•E)

31. Email integration (ANN•E)

31.1 Connecting a mailbox.You may optionally connect a Gmail or Microsoft 365 mailbox so that ANN•E can help you search, summarise, and draft email. Connecting a mailbox requires your explicit authorisation through the provider’s standard OAuth permission screen, where you can see and approve the access requested before it is granted.

31.2 The access we request.We request only the access ANN•E needs to provide these features:

• Gmail (via the Gmail API): permission to read your messages (gmail.readonly) and to send messages on your behalf (gmail.send).
• Microsoft 365 (via Microsoft Graph): permission to read your mail (Mail.Read), send mail on your behalf (Mail.Send), and maintain access between sessions (offline_access).

31.3 You control access for each session. Connecting a mailbox does not give ANN•E standing access. Each time you sign in, email access starts switched off. You choose, for that session only, whether to allow ANN•E read-only access, read-and-send access, or no access. ANN•E only reads or sends email when you explicitly ask it to within that session, and it never sends a message without first showing you the draft and asking you to confirm. Your per-session choice is held in the session only and is never stored.

31.4 How we handle email content.Email content ANN•E accesses is processed in memory only and is not stored by us, except where you explicitly save a summary or drafted item into your document vault. The only data we retain from a connection are your authorisation tokens, which are stored encrypted (AES-256). You may disconnect a mailbox at any time, which immediately and permanently deletes the stored tokens for that account.

31.5 Google API Services Limited Use.The Portal’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. In particular, we use Gmail data only to provide the user-facing email features described above; we do not transfer or sell this data to third parties; we do not use it for advertising; and no human reads this data except where you direct it, where required for security or to comply with applicable law, or in the limited circumstances permitted by that policy.

Section N – Data residency, retention and security

32. Data residency, retention and security

32.1 Data residency. Subscriber content and account data are hosted in Australia (AWS Asia Pacific (Sydney)).

32.2 Retention. We retain account and consent records, and audit and compliance records, for seven (7) years after the closure of your account, or longer where required by law, after which they are deleted or de-identified.

32.3 Security. We maintain reasonable technical and organisational measures to protect Personal information, including access controls, encryption in transit, row-level access restrictions, audit logging, and error monitoring.

Section O – Your rights

33. Your rights

33.1 Consistent with the APPs, you may request access to, and correction of, the Personal information we hold about you (see also Sections F and G above), and you may request that we delete Personal information we hold about you, subject to our legal retention obligations in clause 32.2.

33.2 Where the EU General Data Protection Regulation applies to our processing of your Personal information, you may also have rights of access, rectification, erasure, restriction, portability, and objection under Articles 15 to 22 of that Regulation.

33.3 To exercise any of these rights, contact us using the details in Section H.

Section P – Notifiable data breaches

34. Notifiable data breaches

34.1 We comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). If we become aware of a data breach that is likely to result in serious harm to any individual whose Personal information we hold, and we are unable to prevent that likely harm through remedial action, we will notify the affected individuals and the Office of the Australian Information Commissioner as soon as practicable, as required by that scheme.

Section Q – Consent and acceptance

35. Consent and acceptance

35.1 Your acceptance of this Privacy Statement and our Terms and Conditions is recorded as described in clause 28.4, including the version accepted, the date and time, and the IP address from which acceptance was given.

35.2 If we make a material change to this Privacy Statement, we will update the version and ask you to review and accept the updated version when you next sign in to the Portal.

Section R – Contact

36. Contact

36.1 For questions about this Privacy Statement or to make a privacy request or complaint, contact us using the details in Section H above.