Privacy policy.

Effective as of 1 October 2021

This policy (‘Privacy Policy’) explains how Thinkly Pty Ltd (ACN 630 683 322) (‘Thinkly’ or ‘us’) seeks to protect the Personal Information of individuals. Thinkly is committed to protecting the safety and security of the Personal Information of individuals whose information Thinkly has access to, including Clients, users of the Thinkly Services and other persons with whom Thinkly interacts (each a ‘User’ or ‘you’).

The Privacy Policy has been developed in accordance with the Privacy Act 1988 (Cth) (‘Act’), including the Australian Privacy Principles.

Under the Act, “Personal Information” is defined as: Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Please read this Privacy Policy carefully in order to understand how your Personal Information is collected, held, used, or otherwise processed by us.

Thinkly reserves the right to make changes or updates to this Privacy Policy from time to time. If this happens we will update this Privacy Policy and notify you of any changes, most likely via email or website. However, you should also periodically check this Privacy Policy for any updates.

1. ABOUT THINKLY

Thinkly is a professional services consultancy assisting organisations in matters including digital, technology and operational strategy. Thinkly provides a variety of strategy services primarily for Australian businesses (collectively ‘Thinkly Services’).

In providing the Thinkly Services, we are sensitive to Users’ concerns about the safety of their Personal Information.

In essence, Thinkly will typically only:

• collect, use or share your Personal Information with your consent (unless it is not reasonable in the circumstances to obtain your consent and it is legally permissible for us to do so) or when required by a legal obligation; and

• interact with your Personal Information in order to: (a) provide you with access to the Thinkly Services, (b) help us improve and develop the Thinkly Services, and (c) meet our obligations in respect of any agreement we have with you.

Thinkly has developed a privacy framework to assist Users, and to comply with privacy legislation and regulations applicable to us and our management of your Personal Information.

2. HOW THINKLY COLLECTS YOUR PERSONAL INFORMATION

Thinkly collects Personal Information from individuals in one of three main ways:

1. Directly from Users, when they interact with Thinkly or the Thinkly Services (e.g instructing Thinkly to provide you with business and commercial finance advice, purchasing or subscribing to a Thinkly product or service, attending an event hosted by Thinkly, applying for employment at Thinkly, or contacting Thinkly with an enquiry, feedback, or otherwise having business dealings with us).

Personal Information refers to information or an opinion about an identified, or reasonably identifiable individual, regardless of the truth of that information/opinion and regardless of whether it is in a recorded form.

2. Passively from Users, when they interact with and use the Thinkly Services (e.g interacting with or subscribing to Thinkly social media accounts or the Thinkly website);

3. From third parties in certain, specific circumstances (e.g. a third party service or platform may provide us with information you have consented to them sharing).

All teams and employees at Thinkly will have shared responsibility of collecting, storing, and using personal information.

The types of Personal Information collected in each situation is discussed further below. 4. WHEN THINKLY COLLECTS INFORMATION FROM USERS AND WHAT WE COLLECT Personal Information collected directly

We collect the following types of Personal Information directly and consensually: • Basic User information, including your name, company name, address, and email; and • User feedback gathered during a testing session, such as questionnaires and online forms.

When a User makes an enquiry or sends us unsolicited feedback we may collect the following types of Personal Information directly and consensually:

• Basic contact information, including your name and email; and

• Feedback information and the details of your interactions with us, including communications with customer support or other Thinkly personnel or other information provided by you regarding your enquiry.

When you respond to a survey we may directly and consensually collect the Personal Information disclaimed on the survey form.

When you make an application for employment at Thinkly, we may collect any Personal Information provided within that application, such as the contents of a personal statement made in support of your application.

Personal Information collected passively

As you interact with digital and interactive services, we may collect the following types of Personal Information about your usage:

• any basic identity information you explicitly provide, such as your name, gender or profession; • any contact information you explicitly provide such as your address, email address and telephone numbers.

• browser information provided by the browser you use to access the Thinkly website, such as cookies;

• web data tracking information, such as the IP address of your machine when connected to the internet and the domain name from which you are accessing the internet;

• the operating system and the browser your computer uses and any search engine you are using;

• the date and time you are visiting our website;

• content that is posted about you by others over our social media accounts; • information about transactions, such as records of your purchases and invoices; and • the URLs of the pages you visit.

Personal Information collected from third parties

In certain specific situations, Thinkly may collect Personal Information about you from third parties. For example, we may collect third party web data tracking information about Thinkly Users. You can generally control the information we receive from these sources by through your browser privacy settings, or through privacy settings on third party services or platforms.

5. WHY THINKLY COLLECTS YOUR PERSONAL INFORMATION AND WHAT WE USE IT FOR

Although Thinkly collects Personal Information from Users in a number of circumstances, Thinkly will only collect this information in order to provide you with access to the Thinkly Services, improve and develop the Thinkly Services, improve the User experience of Thinkly’s products or services, and to meet our obligations in respect of any agreement we have with you. Here are the main ways we use Personal Information to achieve these objectives:

Communicating with Users

Thinkly will use basic User and contact information to communicate with individuals about their feedback or issues with the Thinkly Services.

If Users have consented, Thinkly will also use these types of Personal Information to share relevant news and updates about Thinkly and the Thinkly Services.

Administration and delivery of Thinkly Services

Thinkly will use basic User information to provide you with the baseline experience of the Thinkly Services and related services.

Thinkly may use your personal information to learn more about you and provide you with a personalised and tailored experience when using the Thinkly Services.

Ensuring User safety

Thinkly will also use any type of information collected to prevent and address risks to all Users. Research and development

Thinkly will use the following types of information to develop, test and improve the Thinkly Services:

• Survey and feedback information, as well as any content that is submitted in relation to features of the Thinkly Services;

• Content you submit, either directly through the Thinkly Services or through third party platforms or services;

• Browser and system information; and

• Third party web tracking information.

Together these types of Personal Information are used to provide us with an overview of how the Thinkly Services are being used, any shortcomings it may have, and subsequently to highlight what will be the best means of improving the experience for all Users.

Thinkly’s preference will be to de-identify these types information first, and then use it for this purpose in conjunction with de-identified browser and system information (see section 6 below for an explanation of what we mean by “de-identified”).

Marketing

Where Users have consented, Thinkly will use basic contact and enquiry information to provide Users with relevant marketing materials and offers. Users can always opt out of this through the functionality provided in each marketing communication (e.g. by clicking “unsubscribe” at the bottom of an email).

6. THINKLY’S DISCLOSURE OF PERSONAL INFORMATION

Generally, Thinkly does not disclose Personal Information to any third parties except:

• Service providers Thinkly engages to help us provide and develop the Thinkly services and Thinkly Services (e.g. cloud service providers); and

• Law enforcement agencies, or another party that has a legitimate legal right to access the information.

The above disclosures will only be made in circumstances where the recipient has provided an undertaking that they will maintain the confidentiality of the information and that they recognise the appropriate limitations placed on the use of the information. Disclosures will also always be in accordance with this Privacy Policy.

Overseas Disclosure

Some of the third parties Thinkly discloses Personal Information to may be located overseas from time to time.

As with disclosures to third party service providers, overseas disclosures are always made once Thinkly has taken all reasonable steps to determine the information will be treated at least as favourably under the Act and other applicable privacy laws.

7. THINKLY’S TREATMENT AND STORAGE OF INFORMATION

Thinkly’s general approach

Thinkly will keep your Personal Information confidential and not sell or knowingly divulge User information to any external third parties, unless:

• The disclosure is made in accordance with an agreement on foot with you, or to which you otherwise consented;

• We believe, in good faith, that we are required to share the Personal Information with a third party in order to comply with legitimate legal obligations;

• The disclosure is to a third party processor of Personal Information that acts on our behalf and/or under our instruction in order to enable us to develop and deliver the Thinkly Services (e.g. a cloud service provider or local marketing and development partner);

• Other entities acquire ownership or operation of Thinkly or the Thinkly Services; and/or • We need to protect the safety of Users, and the security of the Thinkly Services.

Users can always refuse or revoke this consent, but sometimes this will affect Thinkly’s ability to provide them with the Thinkly Services and other offerings. Thinkly will advise Users if this is the case.

De-identification

De-identified information refers to information that cannot reasonably be used to identify a particular individual.

De-identified information that will never be able to personally identify particular individuals is referred to as anonymised information (e.g. statistics that show 90% of Users were happy with the Thinkly Services). Additionally, de-identified information that can identify individuals only if it is combined with another, separate piece of information is referred to as pseudonymised information (e.g. ID numbers).

Where possible Thinkly will aim to collect, store and use anonymised information as a first preference, and if not, then pseudonymised information.

However, sometimes it will be impractical for User information to be de-identified or treated in this way, and in this case, Thinkly will continue to use and hold the information in a personally identifiable state. For example, if Thinkly needs to reply to a User enquiry we will have to use the contact information provided.

Security

Thinkly is committed to information security. We will use all reasonable endeavours to keep the Personal Information that we collect, hold and use in a secure environment. All information collected will be classified based on its sensitivity. Security controls and storage of the information will be dependent on the classification.

To this end we have implemented technical, organisational and physical security measures that are designed to protect Personal Information, and to respond appropriately if it is ever breached. For example, all personal information stored digitally is encrypted and all personal information stored in hard copy is stored in a closed locker with a padlock. Thinkly has also developed an extensive Data Breach Response Plan which we use to prepare and respond to data breaches.

When information collected or used by Thinkly is stored on third party service providers (e.g. AWS cloud servers), Thinkly takes reasonable steps to ensure these third parties use industry standard security measures that meet the level of information security Thinkly owes Users.

As part of our privacy framework we endeavour to routinely review these security procedures and consider the appropriateness of new technologies and methods.

With our lawyers, we also train our staff in how to keep your information safe and secure.

Data Breaches

In the circumstances where Thinkly suffers a data breach that contains Personal Information, we will execute our Data Breach Response Plan and endeavour to take all necessary steps to comply with the Notifiable Data Breach Scheme outlined under the Act.

This means we will immediately make an objective assessment of whether a breach of Personal Information is likely to result in serious harm to individuals, and if this is the case, endeavour to notify the affected individual(s) and the Australian Information Commissioner.

8. THINKLY’S RETENTION OF INFORMATION

Thinkly retains Personal Information until it is no longer needed to provide or develop the Thinkly Services.

However, Thinkly will retain:

• Personal Information in circumstances where we have legal and regulatory obligations to do so (e.g. for law enforcement purposes, employment law, corporate or tax record keeping, or where the information is relevant to legitimate legal proceedings); and

• anonymised information for analytic and service development purposes. The information we retain will be handled in accordance with this Privacy Policy. 9. MANAGING PERSONAL INFORMATION YOUR INFORMATION

Accessing and ensuring the accuracy of Personal Information

Thinkly takes reasonable steps to ensure that the Personal Information we collect and hold is accurate, up to date and complete.

Users have a right to access and request the correction of any of Personal Information we hold about them at any time. Any such requests should be made by directly contacting us at the details set out below. Thinkly will grant access to the extent required or authorised by the Act and applicable laws, and will take all reasonable steps to correct the relevant Personal Information where appropriate.

There may be circumstances in which Thinkly cannot provide Users with access to information. We will advise you of these reasons if this is the case.

Contacting Thinkly

Thinkly has appointed a Privacy Officer to be the first point of contact for all privacy related matters and to assist in ensuring our compliance with our privacy obligations.

Privacy Officer

Email: privacy@thinkly.com.au

7 Canonbury Grove

Dulwich Hill NSW 2203

If you have any queries or wish to make a complaint about a breach of this Privacy Policy or the Act you can contact or lodge a complaint to our Privacy Officer using the contact details above. You will need to provide sufficient details regarding your complaint as well as any supporting evidence and/or information.

The Privacy Officer will respond to your query or complaint as quickly as possible. Thinkly will contact you if we require any additional information from you and will notify you in writing (which includes electronic communication via email) of the relevant determination. If you are not satisfied with the determination you can contact us to discuss your concerns or complain to the Australian Privacy Commissioner via www.oaic.gov.au.

This Privacy Policy was last updated on 1 October 2021.