Privacy

VendorPanel Pty Ltd ABN 68 129 460 751 of Level 4, 446 Collins Street, Melbourne VIC 3000 Australia (we, us or our) is committed to protecting the personal information we collect from you.

Subject to exceptions, the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) govern the handling of personal information in Australia. If you are located in or are a citizen of the European Union, you may have additional rights under the European Union General Data Protection Regulation (GDPR). If you are located in another jurisdiction, additional local requirements will comply. In addition to the above, we also comply with the Australian Spam Act 2003 (Spam Act), which deals with restrictions on sending unsolicited emails.

This policy sets out how we will manage your personal information. We continually strive to implement new technologies and processes to better protect you, your privacy and your use of our services. As a result, changes to this Policy may be made by us from time to time. In no event will these changes result in the degradation of any of the security measures designed to protect you from unauthorised disclosure, as such measures are described in this Policy.

As part of our services, we connect buyers and suppliers of products and services. This inherently means that contact details of members will be provided to other members under specific circumstances as confirmed and authorised by you or by accepting our terms and conditions of use during the registration process. As such, we engage with personal information in two capacities. First, as a primary collector if, for example, you are our customer, a representative of a customer or if you visit our website. Second, as a service provider to buyers and suppliers using our services who are the primary collector if, for example, you are our customer, a representative of a customer or if you visit our website. Second, as a service provider to buyers and suppliers using our services who are the primary collector but where we may host this information on our website or disclose this information in the provision of the services that we provide.

As a primary collector, we may collect information from you:

• if you visit our website as a visitor (Visitor);
• if you are a supplier or a buyer and you sign up to become our customer (Customer);
• when you use our services as invited by one of our Customers or a representative of our Customer (User),

or as otherwise necessary to maintain your relationship with us.

As a service provider, we have access to your personal information if it is collected and generated by our Customers or Users and is uploaded by our Customers or Users onto our platform. This personal information is not collected by us but is contained on our platform and forms part of the information that is made available on the platform to our Customers and Users.

We treat personal information differently depending on whether we hold it in our capacity as a primary collector or as a service provider. In this Policy, when we talk about collecting personal information from you as a Visitor, Customer or User, we call this ‘User Provided Information’, and when we talk about personal information hosted on our platform and uploaded by our Customers, we call this ‘Customer Generated Information’’.

Types of information collected

User Provided Information If you are our Customer or a User, we may collect and hold personal information that can identify you and is relevant to providing you with our services. In particular, we may collect:

• identity data including your name, company name and username or similar identifier;
• contact data including your contact details such as your billing and delivery address, email address and telephone number;
• financial data including banking, credit card, or other payment information;
• transaction data including details about payments to and from you and other details of products and services you have purchased from us;
• technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website;
• profile data including your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses;
• usage data including information about how you use our website, products and services; and
• marketing and communications data including your preferences in receiving marketing from us and our third parties and your communication preferences.

If you are a Visitor to our website, the information that we collect about you will likely be limited to identity data that you disclose to us, technical data, usage data and marketing and communication data.

Customer Generated Information

We may access or receive certain pieces of Customer Generated Information as necessary to provide our services to our Users and Customers. We may also receive access to Customer Generated Information included in communications with our Customers on our website.

Purpose of collection

The personal information that we collect and hold about you depends on your interaction with us.

User Provided Information

We will generally collect, use and hold User Personal Information if it is reasonably necessary for or directly related to the performance of our functions and activities and for the purposes of:

providing services to you or our organisation;

providing you with promotional material and information about other services that we, our related entities and other organisations that we have affiliations with, offer that may be of interest to you;

facilitating our internal business operations, including the fulfilment of any legal requirements; and

analysing our Customer and User needs with a view to developing new or improved services.

Customer Generated Information

We process Customer Generated Information for the purposes of facilitating the proper use of our website and services by our Users and Customers. We will not typically review, share, distribute, print, or reference this personal information except as provided in our terms and conditions, or as may be required by law. Customer Generated Information may at times be viewed or accessed only for the purpose of resolving a problem, support issue, or suspected violation of our terms and conditions, or as may be required by law. We may also use Customer Generated Information to provide promotional material and information about other services that we, our related entities and other organisations that we have affiliations with, offer that may be of interest to you.

Non-personally identifiable information

We may also track and analyse non-personally identifiable aggregated information from both Customer Generated Information and User Provided Information to create trend data of the platform activity and improve the quality of the services we provide.

Method of collection

User Personal Information

User Personal Information will generally be collected directly from you through the use of any of our standard forms, over the internet, via email, through a telephone conversation with you, or in person. There may, however, be some instances where personal information about
you will be collected indirectly because it is unreasonable or impractical to collect personal information directly from you. We will usually notify you about these instances in advance, or where that is not possible, as soon as reasonably practicable after the information has been
collected.

Customer Generated Information

We receive Customer Generated Information through our operation and management of our website and the provision of our services. We do not notify you of this collection directly, because it is not practicable for us to do so. In the circumstances of our relationship with you,
we rely on our Customers to notify you that they may use services like ours.

Quality, accuracy, and integrity of any information

User Personal Information

You are responsible for the quality, accuracy, and integrity of any information provided in your account details or profile or use of our services. If the personal information you provide to us is incomplete or inaccurate, we may be unable to provide you or your organisation
with the services you, or they, are seeking. You can update your personal information at any time by logging onto our website and editing your account information and profile. We may still however store previously recorded data in archive for record keeping, security and audit
purposes. You can view your updated profile at any time to confirm your edits have been made.

Customer Generated Information

If your personal information is contained in any Customer Generated Information, you should contact our relevant Customer if there is an issue with the quality, accuracy or integrity of your personal information. If you do not provide your information to them, they may not be
able to provide their services to you.

Internet users

If you access our website, we may collect additional personal information about you in the form of your IP address and domain name.

When you interact with our website we strive to make that experience easy and meaningful. When you come to our website, our server sends a cookie to your computer. Cookies are files that browsers place on a computer's hard drive and are used to tell us whether you have
visited our website previously. Standing alone, cookies do not identify you personally, they merely recognise your browser. Unless you choose to identify yourself to us either by responding to a promotional offer, opening an account, requesting a call back, or submitting
feedback or a question, you remain anonymous. There are two types of cookies: session and persistent-based. Session cookies exist only during an online session. They disappear from your computer when you close your browser software or turn off your computer. Persistent
cookies remain on your computer after you've closed your browser or turned off your computer. They include such information as a unique identifier for your browser.

We use session cookies containing encrypted information to allow the system to uniquely identify you while you are logged in. This information allows us to process your online transactions and requests. Session cookies help us make sure you are who you say you are
after you have logged in and are required in order to use our applications and services. We use persistent cookies that only we can read and use to identify the fact that you use or are a prior visitor to the website (whatever the case may be). We are especially careful about
the security and confidentiality of the information stored in persistent cookies. For example, we do not store account numbers or passwords in persistent cookies. If you disable your browser’s ability to accept cookies you will be able to browse our website but will not
be able to successfully use all of our services.

We may from time to time engage third parties to track and analyse non-personally identifiable usage and volume statistical information from visitors to our website to help us administer our website and improve its quality. Such third parties may use cookies to help track visitor behaviour. Such cookies will not be used to associate individual website visitors to any personally identifiable information. All data collected by such third parties on our behalf is used only to provide us with information on site usage and is not shared with any other third
parties.

Third party sites

Our website contains links to other websites. We are not responsible for the privacy practices or the content of these other websites. You will need to check the policy statement of these other websites to understand their policies. If you access a linked website you may be
disclosing your personal information. It is your responsibility to keep such information private and confidential.

Use and disclosure

We will only use your personal information when the law allows us to. Generally we only use or disclose User Personal Information for the purposes for which it was collected (as set out above). We may use or disclose personal information for secondary purposes where it would
be reasonable to expect us to do so, and that secondary purpose is related (or directly related in the case of sensitive information) to the primary purpose.

Marketing

We may use your personal information to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you. You may receive marketing communications from us if you
have requested information from us or purchased services from us and you have not opted out of receiving that marketing.

We will get your express opt-in consent before we share your personal information with any third party for marketing purposes. You can ask us or third parties to stop sending you marketing messages at any time by contacting us at any time. Where you opt out of receiving
these marketing messages, this will not apply to personal information provided to us as a result of a service purchase, warranty registration, product/service experience or other transactions.

Disclosure of personal information overseas

We are not likely to disclose your personal information overseas, except as permitted by the Privacy Act or, if applicable the GDPR, unless we otherwise advise you in writing. If we do transfer your personal information overseas, we ensure a similar degree of protection is
afforded to it as set out in this privacy policy or otherwise required by law.

Security

We store your personal information in different ways, including in paper and in electronic form. The security of your personal information is important to us. We take all reasonable measures to ensure that your personal information is stored safely to protect it from interference, misuse, loss, unauthorised access, modification or disclosure, including electronic and physical security measures. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to
know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data Retention

We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Typically, all personal information will be retained
for so long as the active account linked to that personal information remains operational.

We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we
process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Where we anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, we may use this information indefinitely without further notice to you.

Access and correction

You may access the personal information we hold about you, upon making a written request. We will respond to your request within a reasonable period. We may charge you a reasonable fee for processing your request (but not for making the request for access).

We may decline a request for access to personal information in circumstances prescribed by the Privacy Act or, if applicable the GDPR, and if we do, we will give you a written notice that sets out the reasons for the refusal (unless it would be unreasonable to provide those
reasons).

If, upon receiving access to your personal information or at any other time, you believe the personal information we hold about you is inaccurate, incomplete or out of date, please notify us immediately. We will take reasonable steps to correct the information so that it is
accurate, complete and up to date. If your personal information is contained in Customer Generated Information we may refer your request on to our relevant Customer.

If we refuse to correct your personal information, we will give you a written notice that sets out our reasons for our refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.

GDPR Compliance

If your personal information is governed by the GDPR, you may have additional rights as set out below:

(a) Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you
have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

(b) Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your
fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

(c) Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios:

(i) If you want us to establish the information’s accuracy.
(ii) Where our use of the information is unlawful but you do not want us to erase it.
(iii) Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims.
(iv) You have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

(d) Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

(e) Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to
provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Complaints and feedback

If you wish to make a complaint about a breach of the Privacy Act, the APPs, the GDPR, the Spam Act or a privacy law that applies to us, please contact us using the details below and we will take reasonable steps to investigate the complaint and respond to you.

If you have any queries or concerns about our privacy policy or the way we handle your personal information, please contact our privacy officer at:

Street address:
Level 4, 446 Collins Street, Melbourne VIC 3000 Australia

Email address:
info@vendorpanel.com

Website:
www.vendorpanel.com

For more information about privacy in general, you can visit the Office of the Information Commissioner’s website at www.oaic.gov.au.

If you wish to make a complaint about the collection, use or disclosure of your personal information, please contact our privacy officer, and we will work with you to resolve the issue.

If after this process you are not satisfied with our response, where you are located in Australia you can submit a complaint to the Office of the Information Commissioner. To lodge a complaint, visit the ‘Complaints’ section of the Information Commissioner’s website, located
at www.oaic.gov.au/privacy/privacy-complaints to obtain the relevant complaint forms, or contact the Information Commissioner’s office.

If you are located in or are a citizen of another country you may have certain additional rights to make a complaint to the privacy regulator in your home state.

We are not required to appoint a Data Protection Officer under the GDPR.