Privacy Policy

Last updated September 2025

About This Policy

The Privacy Act 1988 (“Privacy Act”) requires entities bound by the Australian Privacy Principles (“APPs”) to have a privacy policy. This privacy policy outlines the personal information handling practices of Pritech Pty Ltd (“Company”).

This policy is written in simple language. We may modify or amend this Privacy Policy from time to time, as we alter the way we use information, new features are added to our website, or the legislation changes. To let you know when we make change to this Privacy Policy, we will amend the revision date at the top of our Privacy Policy.

Therefore, we encourage you to periodically review this Privacy Policy to be informed about how we are protecting your information.

What Is Personal Information?

Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.

Personal information may include:

• an individual’s name, signature, address, phone number or date of birth;
• sensitive information;
• credit information;
• employee record information;
• photographs;
• internet protocol (IP) addresses;
• voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique); and
• location information from a mobile device (because it can reveal user activity patterns and habits)

Personal information may also include ‘sensitive information’.

What is Sensitive Information?

Sensitive information is personal information that includes information or an opinion about an individual’s:

• racial or ethnic origin;
• political opinions or associations;
• religious or philosophical beliefs;
• trade union membership or associations;
• sexual orientation or practices;
• criminal record;
• health or genetic information; and
• some aspects of biometric information.

Sensitive information may be required to be collected in some circumstances. the Company will only collect sensitive information if it is necessary for business purposes. The Company will generally only collect sensitive information with your consent (unless otherwise permitted or required by law).

All information collected will be used and disclosed by the Company only in accordance with this policy and the law. The Company will take reasonable steps to ensure that all personal information is held securely.

Collection of Personal Information

The Company collects personal information that is reasonably necessary for one or more of its functions or

activities or if the Company has received consent to collect the information. If the Company collects sensitive

information, the Company must also have obtained consent in addition to the collection being reasonably necessary. The main way the Company collects personal information about you is when you provide it.

The Company collects and stores data on the following individuals and entities in accordance with the APPs:

• employees of the Company;
• clients of the Company;
• potential clients of the Company; and
• suppliers to the Company

The type of information that the Company collects and holds may depend on an individual’s relationship with the Company.

How the Company Collects and Holds Personal Information

The Company (and the employees acting on the Company’s behalf) must collect personal information only by lawful and fair means.

The Company may collect personal information in a number of ways, including without limitation:

• through application forms (e.g. job applications, VIP and loyalty program applications);
• by email or other written mechanisms;
• over a telephone call;
• in person;
• through transactions;
• through the Company website;
• through lawful surveillance means such as a surveillance camera;
• by technology that is used to support communications between individuals and the Company;
• through publicly available information sources (which may include telephone directories, the internet and social media sites); and
• direct marketing database providers.

When the Company collects personal information about an individual through publicly available information sources, it will manage such information in accordance with the APPs.

At or before the time or, if it is not reasonably practicable, as soon as practicable after, the Company collects personal information, the Company must take such steps as are reasonable in the circumstances to either notify the individual or otherwise ensure that the individual is made aware of the following:

• the identity and contact details of the Company;
• that the Company has collected personal information from someone other than the individual or if the individual is unaware that such information has been collected;
• that collection of personal information is required by Australian law, if it is;
• the purpose for which the Company collects the personal information;
• the consequences if the Company does not collect some or all of the personal information;
• any other third party to which the Company may disclose the personal information collected by the Company;
• the Company’s privacy policy contains information about how an individual may access and seek correction of personal information held by the Company and how an individual may complain about a breach of the APPs; and
• whether the Company is likely to disclose personal information to overseas recipients, and the countries in which those recipients are likely to be located.

Indirect Collection

The Company may also collect personal and sensitive information about an individual indirectly, for example, through a third-party such as a referral.

Surveillance

The Company may collect, use and disclose your personal information, including CCTV video and still images, in line with the Privacy Act, State and Territory workplace surveillance laws and any other relevant legislation as applicable.

Unsolicited personal information

Unsolicited personal information is personal information that the Company receives which it did not solicit. Unless the Company determines that it could have collected the personal information in line with the APPs or the information is contained within a Commonwealth record, it must destroy the information to ensure it is de-identified unless the Company determines that it is acceptable for the Company to have collected the personal information.

Information Provided by a Third Party

As part of the recruitment process, where relevant, and with the candidate’s consent, the Company may seek information about a candidate through a third-party such as a recruitment service provider or a former employer.

With the candidate’s consent, the Company may also seek information regarding:

• prior employment history through reference checks;
• eligibility to work in Australia through a visa status check;
• educational qualifications by requesting confirmation of qualifications or results from an academic institution;
• interview records and details of any pre-employment assessments, including aptitude or other psychometric testing; and
• ability to perform the inherent requirements of the role, through medical and other allied health professionals, or criminal history check and/or working with children check.

The Company may also access personal information through publicly available networking sites such as Facebook or LinkedIn.

Information Collected Through the Company’s Website

The Company’s public website, www.pritech.com.au, is hosted in Australia. There are a number of ways in which the Company collects information through its website, including via numerous online tools, including:

• cookies;
• Google Analytics;
• Google reCAPTCHA;
• Microsoft Bookings; and
• Social Networking Services.

Cookies

Cookies are small data files transferred onto computers or devices by websites for record-keeping purposes and to improve the website user’s experience.

Most browsers allow the user to choose whether to accept cookies or not. If a user does not want cookies placed on their computer, they must set their browser preferences to reject all cookies before accessing the Company’s website. It is important to note, however, that some data may still be collected separately by tools such as Google Analytics, even though the user has set their browser preferences to reject all cookies.

The information collected about the user using cookies will not ordinarily be personal information, because the user will not be identified or reasonably identifiable to the Company from it.

Google Analytics

The Company uses Google Analytics as a website analytics tool to collect data about how you interact with the Company’s website, including:

• your apps, browsers and devices;
• your activity; and
• your location information.

For further information, refer to Google’s Privacy Policy.

Google reCAPTCHA

The Company uses Google reCAPTCHA (version 3) as a means to eliminate spam attacks and be able to distinguish users from bots. The tool may collect data about how you interact with the website’s smart forms, including:

• mouse movements;
• device IP address;
• date and time when pages were accessed;
• device type, operating system and browser information;
• device screen size; and
• geographic location (city).

This information will be stored on Google’s servers outside of Australia. Content that you enter in the Company’s web forms will not be collected through the use of this tool.

For further information, refer to Google’s Coud Data Processing Addendum and Google’s Privacy Policy.

Microsoft Bookings

The Company uses Microsoft Bookings to facilitate consultation scheduling. When a user schedules a consultation, personal information such as the user’s name, email address, address, phone number and any other information that the user provides may be collected.

For further information, refer to Microsoft’s Privacy Statement.

Social Networking Services

The Company uses Facebook, Instagram, YouTube and LinkedIn to communicate with the public. When a user

communicates with the Company using these services, the Company collects the personal information that the user

provides to it by engaging in that communication.

Facebook, Instagram, YouTube and LinkedIn each have their own privacy policies.

Handling of Personal Information Relating to Vulnerable Individuals

While the Company does not directly collect personal information from individuals who may be considered vulnerable, it provides services to clients that support such individuals. Therefore, in the course of delivering these services, the Company may, by extension, have access to systems that contain personal information about vulnerable persons.

Procedures and Safeguards

All access to systems containing personal information is governed by the Company’s Information Security Policy, which incorporates internal systems and procedures designed to ensure compliance with the Privacy Act and the APPs.

These systems and procedures include, but are not limited to:

• role-based access controls and multi-factor authentication;
• secure credential management and encryption protocols;
• employee training on privacy obligations and ethical conduct;
• logging and monitoring of system access; and
• incident response protocols in the event of unauthorised access or data breach.

The Company undertakes periodic reviews of its privacy and security practices to ensure ongoing compliance with applicable legislation and regulatory guidance.

How Personal Information is Stored

The Company follows ISO 27001 principles and other industry standards with regards to information management practices. All applications have auditing and breach minimisation principles in place, and all use of the applications is in line with the Essential Eight principles.

The Company stores data using third-party storage providers, or software that uses third-party storage providers.

Combining or Linking Personal Information

The Company collects personal information across multiple platforms to support its service delivery, billing, and operational functions. While these systems may exchange data, the Company does not routinely combine or link personal information to create unified profiles unless necessary for business operations and in accordance with the Australian Privacy Principles.

What Information the Company Collects

The Company may collect personal information about customers necessary for business operations and in accordance with the APPs, including, but not limited to:

• name;
• business name;
• address;
• email address;
• phone number;
• credit card number, expiry data, and CVC; and
• banking details.

Use and Disclosure of Personal Information

The main purposes for which the Company may use and/or disclose personal information may include, but are not limited to:

• to establish, maintain and manage relationships, including to serve functions such as recruitment, payroll, appraisals, and any disciplinary action (including any termination of any employment or engagement) and managing employees’ work and any claim in relation to any injuries or illnesses;
• to assess or respond to claims, complaints, or conduct, or co-operate with investigations when required;
• to obtain professional services as required including legal, human resources, industrial relations, accounting and insurance services;
• work-related administrative purposes;
• to finalise the terms of a contract, including pay rates;
• to confirm eligibility to work in Australia;
• to carry out a contract including, where relevant, its termination;
• to pay and provide other benefits in accordance with a contract;
• to make travel bookings on an individual’s behalf;
• to allow you access to the Company’s buildings, and to ensure the security of Company buildings, confidential information and other Company property;
• to reimburse expenses claimed;
• to operate any share scheme including the granting of share options;
• to operate schemes relating to sick leave, maternity leave, paternity leave, adoption leave, and parental leave;
• deducting and paying appropriate tax and superannuation contributions;
• to monitor and protect workplace health and safety;
• to provide a reference upon request from another employer;
• for direct marketing purposes (see Direct Marke<ng);
• monitoring compliance with Company policies and The Company’s contractual obligations;
• to comply with all applicable law;
• to liaise with any insurers in respect of any insurance policies that relate to you;
• running the Company business and planning for the future;
• the prevention and detection of fraud or other criminal offences;
• to defend the Company in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure;
• otherwise as permitted or required by law; or
• otherwise with your consent.

The Company may also collect, hold, use and/or disclose personal information if an individual consents or if required or authorised under law.

Artificial Intelligence

The Company may use automated decision-making technologies, including Artificial Intelligence (“AI”) systems, to assist with tasks such as content creation, internal workflows or data analysis. These tools may process limited personal information.

The Company will ensure that any use or disclosure of personal information will align with the APPs, including the principles of transparency, purpose limitation, and data minimisation.

Where automated systems are used in decision-making that may materially affect individuals, human review will be maintained where required.

Direct marketing

The Company may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing (for example, advising a customer about new goods and/or services being offered by the Company). All direct marketing activities will be conducted in accordance with the Do Not Call Register Act 2006 (Cth) Spam Act 2003 (Cth) (“Spam Act”).

The Company may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.

Overseas Disclosure

The Company may share personal information with employees located in countries outside of Australia, where some employees may be based. The Company will not share personal information with any entities based outside of Australia.

Where personal information is transmitted between systems, including those accessed by personnel located overseas, the Company ensures that such disclosures are managed in accordance with the APPs.

Do Not Call Register and Spam Act

The Company will meet the requirements of the Do Not Call Register (“DNCR”) and the Spam Act as set out below.

Do Not Call Register

The Company cannot make direct telemarketing calls to a number listed on the DNCR unless the individual has consented.

The company must ensure that all agreements for the purpose of making telemarketing calls include an express provision that requires compliance with the DNCR Act.

Any telemarketing activities will be conducted in accordance with the Telecommunications (Telemarketing and Research Calls) Industry Standard 2017.

Spam Act

Any direct marketing activities using a commercial electronic message, such as an email, instant message, SMS or

MMS, will be conducted in accordance with the Spam Act. This requires:

• commercial electronic messages to be sent with the consent of the recipient
• accurate sender identification including the sender’s contact information
• a functional unsubscribe mechanism

A partial exemption from these requirements applies with respect to certain messages (such as messages of a factual nature only, without a commercial element).

Disclosure of Personal Information

The Company may disclose personal information for any of the purposes for which it is was collected, or where it is under a legal duty to do so.

Disclosure will usually be internally and to related entities or to third parties such as contracted service suppliers.

If an employee discloses personal information to a third party in accordance with this policy, the employee must take steps as are reasonable in the circumstances to ensure that the third party does not breach the APPs in relation to the information.

Access to Personal Information

If the Company holds personal information about an individual, the individual may request access to that information by putting the request in writing and sending it to the Privacy Officer.

The Company will respond to any request within a reasonable period (within 30 days), and a charge may apply for giving access to the personal information where the Company incurs any unreasonable costs in providing the personal information.

There are certain circumstances in which the Company may refuse to grant an individual access to personal information. In such situations the Company will provide the individual with written notice that sets out:

• the reasons for the refusal; and
• the mechanisms available to you to make a complaint.

If you would like to make an enquiry or complaint about how the Company has handled your personal information, of if you wish to request access or correction to your personal information, or if you have questions or comments

about this privacy policy, you can contact:

Name: Privacy Officer

Phone number: (03) 6235 5022

Email address: privacy@pritech.com.au

Mailing address: 213a Campbell Street, North Hobart, TAS, 7000

Correction of Personal Information

If the Company holds personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, it must take steps as are reasonable to correct the information.

If the Company holds personal information and an individual makes a request in writing addressed to the Privacy Officer to correct the information, the Company must take steps as are reasonable to correct the information and the Company will respond to any request within a reasonable period.

There are certain circumstances in which the Company may refuse to correct the personal information. In such situations the Company will give the individual written notice that sets out:

• the reasons for the refusal; and
• the mechanisms available to the individual to make a complaint.

If the Company corrects personal information that it has previously supplied to a third party and an individual requests the Company to notify the third party of the correction, the Company will take such steps as are reasonable to give that notification unless impracticable or unlawful to do so.

Integrity and Security of Personal Information

The Company will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that it collects is accurate, up-to-date and complete.

Employees must take steps as are reasonable in the circumstances to protect the personal information from misuse, interference, loss and from unauthorised access, modification or disclosure.

If the Company holds personal information and it no longer needs the information for any purpose for which the information may be used or disclosed and the information is not contained in any Commonwealth record and the Company is not required by law to retain the information, it will take such steps as are reasonable in the circumstances to destroy the information or to ensure it is de-identified.

Anonymity and Pseudonymity

Individuals have the option of not identifying themself, or using a pseudonym, when dealing with the Company in relation to a particular matter. This does not apply:

• where the Company is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
• where it is impracticable for the Company to deal with individuals who have not identified themselves or who have used a pseudonym.

However, in some cases if an individual does not provide the Company with the personal information when requested, the Company may not be able to respond to the request or provide you with the goods or services that you are requesting.

Destruction and De-identification of Personal Information

The Company takes reasonable steps to destroy or de-identify personal information once it’s no longer required for any lawful purpose, unless retention is mandated by law or contractual obligation.

Digital Data

The Company employs secure and auditable methods for the deletion of digital records:

• Standard deletion protocols are used for routine data removal, including confirmation prompts and system-level purging.
• Locally stored media (e.g. hard drives) are subject to Department of Defence (DoD) standard wiping procedures, involving multiple overwrite passes to render data irretrievable.
• Encrypted backups are stored in segmented chunks with encryption keys protected by multi-factor authentication and vault access controls. Once a client is offboarded, backups are deleted following formal written confirmation from the client, upon which the deletion is irreversible.
• Backups are retained until a formal offboarding procedure is initiated. The system confirms deletion through multiple prompts and ensures data in unrecoverable post-deletion.

All deletion activities are logged, and where applicable, verified by authorised personnel.

Physical Records

The Company does not maintain permanent physical records. Any paperwork created during the course of a business day is shredded at the end of each business day using industrial shredders located at each office site.

De-identification Practices

Where destruction is not feasible or required, the Company may de-identify personal information by:

• removing or obfuscating direct identifiers;
• ensuring that remaining data cannot be reasonably identified; and
• applying technical and organisational safeguards to prevent re-identification.

De-identification is conducted in accordance with the APPs.

Complaints

Individuals have a right to complain about the Company’s handling of personal information if the individual believes the Company has breached the APPs.

Complaints will be dealt with in accordance with the Company’s complaints procedure and the Company will provide a response within a reasonable period.

Individuals who are dissatisfied with the Company’s response to a complaint, or who do not receive a response to a complaint within a reasonable period, may refer the complaint to the Office of the Australian Information Commissioner.