Privacy Policy
Last Updated: 12/11/2025 • Company: Macloud Labs Pty Ltd ("we", "us", or "our")
1. Purpose of this Policy
This Privacy Policy explains how we collect, use, store, disclose and protect personal information when:
• Your organisation or you as an individual ("Customer") use our application and related services (the "Service"); and
• Individual users authorised by a Customer ("Users") access or interact with the Service.
This Policy is designed to comply with:
• The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs); and
• (Where applicable) the EU/UK General Data Protection Regulation (GDPR).
This Privacy Policy forms a key part of our information security and SOC 2 compliance framework.
If you do not agree with this Policy, you should not use the Service.
2. Scope
This Policy applies to:
• Customers: Business entities and individual customers that subscribe to, license or trial the Service.
• Users: Individuals who access the Service under a Customer account (for example, employees, contractors, or the Customer themselves where they are an individual).
• Website visitors and others who interact with us (for example, via support channels or marketing pages).
This Policy does not apply to:
• Third-party websites, apps or services that we do not own or control; or
• Personal information collected by Customers outside the Service.
Customers (including individual Customers) remain responsible for ensuring that their own collection and use of personal information (including what they upload into the Service) complies with applicable laws.
3. Definitions
For the purposes of this Policy:
• "Customer" means any business entity or individual that enters into an agreement with us to use the Service (including on a trial basis).
• "Personal Information" / "Personal Data" means information about an identifiable individual or an individual who is reasonably identifiable (as defined under the Privacy Act and/or GDPR).
• "Customer Personal Data" means Personal Information that Customers or Users submit to, or generate in, the Service.
• "Operational Data" means the data you capture, store or manage in the Service about your products, inventory, pricing, transactions, or other business or personal operations. Some Operational Data may include Personal Information (for example, a person's name in a note or label).
• "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
• "Sub-processor" means a third-party service provider that processes Customer Personal Data on our behalf.
4. Our Role: Controller vs Processor (GDPR)
Depending on the context, we act as:
1. Data Controller (or "APP entity") for:
• Customer account details (for both business and individual Customers);
• Contact details for Customer representatives and prospective customers;
• Our own marketing, analytics and operational data about use of the Service; and
• Records required to meet our legal and regulatory obligations.
2. Data Processor (under GDPR) for Customer Personal Data within Operational Data, where:
• The Customer decides what data to collect and upload;
• We process that data only on the Customer's documented instructions (for example, via configuration, API calls, and in-app actions); and
• We implement technical and organisational measures to protect that data as required by Article 28 GDPR and the APPs.
If there is any inconsistency between this Policy and a signed Data Processing Agreement (DPA) with a Customer, the DPA will prevail to the extent of the inconsistency.
5. Information We Collect
We only collect information that is reasonably necessary to operate, secure, and improve the Service.
5.1 Customer Information
Information provided when a Customer (business or individual) signs up or manages their account, for example:
• Legal entity or individual name (and, where relevant, trading name and ABN/ACN);
• Business or mailing address and billing details;
• Primary and secondary contacts (name, role, email, phone);
• Subscription, billing and payment information.
5.2 User Information
Information about individual Users authorised by a Customer, such as:
• Name and contact details (for example, email address);
• Usernames, user IDs, and authentication identifiers;
• Role, permissions, and access groups;
• Activity and audit logs relating to use of the Service.
5.3 Product & Operational Data
Data entered or ingested into the Service by or on behalf of a Customer, which may include (depending on configuration):
• Product catalogue data (for example, product names, SKUs, categories, attributes);
• Inventory, stock movements, counts, and valuation data;
• Pricing, promotions, and transactional or order-related information;
• Tags, notes, comments, labels, or other metadata created by Users.
This data is generally business or operational data. However, it may occasionally contain Personal Information (for example, a person's name or email address in a note). Where it does, we treat it as Customer Personal Data.
5.4 PII within Operational Data
To the extent Operational Data contains Personal Information (for example, a person's name on a label):
• The Customer is the controller of that Personal Information (under GDPR); and
• We act as the processor, handling it only as directed by the Customer and in accordance with this Policy and any applicable DPA.
5.5 Technical & Usage Data
We automatically collect limited technical data when you use the Service, such as:
• IP address, device and browser type, operating system;
• Access times, pages viewed, and actions taken in the Service;
• System performance metrics, error logs and diagnostic information;
• Identifiers associated with cookies, SDKs or other tracking technologies.
We use this information primarily to operate, secure, and improve the Service (see Section 7).
6. Legal Bases for Processing (GDPR)
Where the GDPR applies, we rely on one or more of the following legal bases:
Performance of a contract (Art. 6(1)(b))
To provide, maintain and support the Service under our agreement with the Customer (whether the Customer is a business or an individual).
Compliance with legal obligations (Art. 6(1)(c))
To meet our obligations under tax, accounting, privacy, security and other laws.
Legitimate interests (Art. 6(1)(f))
To operate and improve the Service, secure our systems, prevent fraud and abuse, respond to enquiries, and conduct internal analytics—balanced against your rights and expectations.
Consent (Art. 6(1)(a))
Where required by law (for example, certain marketing communications or non-essential cookies), we will rely on your consent. You may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
When we act as a processor on behalf of a Customer, the Customer is responsible for identifying and documenting the appropriate legal basis for processing Customer Personal Data.
7. How We Use Information
We use the information described above for the following purposes:
7.1 To Provide and Operate the Service
• Authenticating Users and managing access control;
• Hosting, processing and analysing Customer and Operational Data as configured by the Customer;
• Managing accounts, subscriptions, billing and Customer support;
• Providing integrations and features requested by the Customer.
7.2 To Maintain Security and Integrity
• Monitoring for suspicious or unauthorised activity;
• Preventing, detecting and investigating fraud, abuse or security incidents;
• Enforcing our acceptable use, security and access policies;
• Supporting our SOC 2 controls and internal governance.
7.3 To Communicate with You
• Sending administrative notifications (for example, login alerts, security notices, system updates);
• Responding to enquiries and support requests;
• Providing important information about changes to the Service or this Policy.
7.4 To Improve the Service
• Analysing aggregated and de-identified usage trends;
• Developing new features and enhancements;
• Conducting product research and performance tuning.
We use aggregated and/or de-identified data where possible so that individuals cannot reasonably be identified.
7.5 Marketing (Optional)
Where permitted by law, we may use your contact details to:
• Send you product updates, newsletters or invitations to events;
• Share content that may be relevant to your use of the Service.
You can opt out of such communications at any time by using the unsubscribe link in our emails or by contacting us (see Section 16). Transactional and service-related messages are not considered "marketing", and you may not be able to opt out of them while your account is active.
8. Data Sharing, Sub-Processors & Disclosures
We do not sell, rent or trade Personal Information.
We may disclose Personal Information in the following circumstances:
8.1 Sub-Processors
We use carefully selected third-party service providers ("Sub-processors") to help us deliver the Service. These may include, for example:
• Cloud infrastructure and storage (for example, Google Cloud Platform);
• AI and search services (for example, Google AI / Gemini, Algolia);
• Logging, monitoring and analytics tools;
• Payment and billing providers;
• Customer support platforms.
Each Sub-processor is engaged under a written agreement that requires them to:
• Use Personal Information only for the purpose of providing services to us; and
• Implement appropriate technical and organisational security measures.
We maintain an up-to-date list of our core Sub-processors, which is available upon request. We may update this list from time to time. Where required, we will notify Customers in advance of material changes to Sub-processors that process Customer Personal Data. If a Customer reasonably objects on data protection grounds, we will work with the Customer in good faith to address the objection or provide alternatives, as set out in the DPA or our agreement.
8.2 Other Disclosures
We may also disclose Personal Information:
• To professional advisers (for example, lawyers, auditors, insurers) under confidentiality obligations;
• Where required by law, court order, or regulatory authority (including the OAIC and EU/UK Supervisory Authorities);
• To investigate suspected fraud, security incidents or violations of our Terms of Use;
• In connection with a merger, acquisition, financing or sale of all or part of our business (in which case we will take reasonable steps to ensure your Personal Information remains protected and provide notice where required by law).
9. Overseas Disclosure & International Transfers (APP 8 / GDPR)
Our Sub-processors and infrastructure providers may process Personal Information in countries other than the one in which it was collected. This may include, for example, the United States, European Union, United Kingdom and other regions where our providers operate data centres.
9.1 Australian Privacy Principles (APP 8)
Where we disclose Personal Information to overseas recipients, we take reasonable steps to ensure they will handle the information in a manner consistent with the APPs. These steps may include:
• Entering into contracts that require overseas recipients to handle Personal Information in accordance with Australian privacy requirements; and
• Assessing the privacy and security practices of key Sub-processors.
9.2 GDPR International Transfers (Articles 44–49)
For Personal Data subject to the GDPR that is transferred to a country outside the EEA/UK:
• We will only transfer Personal Data to countries that have been deemed to provide an adequate level of protection; or
• We will implement appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.
Customers may request further details of our international transfer mechanisms by contacting us (see Section 16).
10. Data Security, Storage & Residency
10.1 Security Measures
We implement appropriate technical and organisational measures to protect Personal Information against unauthorised access, loss, misuse, alteration or disclosure, including:
• Data encryption in transit (for example, TLS) and at rest (using our cloud provider's default encryption);
• Access controls and role-based permissions;
• Network and application security measures;
• Logging, monitoring and alerting;
• Regular security reviews and vulnerability assessments.
No system can be guaranteed 100% secure. However, we continuously work to protect information in line with industry best practice and our SOC 2 framework.
10.2 Data Storage & Residency
To the extent commercially and technically feasible, Customer and User data is stored and processed within a designated geographic region (for example, Australia). Some supporting services and backups may operate in multiple regions as part of our high-availability and disaster recovery design.
Details of your selected region may be agreed in your Customer agreement or DPA.
11. Data Retention
We retain Personal Information only for as long as reasonably necessary to:
• Provide and support the Service;
• Comply with our legal and regulatory obligations;
• Resolve disputes and enforce our agreements; and
• Maintain appropriate business and financial records.
In general:
• Customer account and billing records are retained for the duration of the Customer's subscription and for a period afterwards as required for tax, accounting and audit purposes.
• Customer Personal Data within the Service is retained for as long as the Customer's account is active. After account closure, we will delete or de-identify Customer Personal Data within a reasonable period, subject to legal retention requirements and technical limitations of backups and archives.
• System logs and security records may be retained for a longer period where reasonably necessary for security, fraud prevention or legal purposes.
We maintain an internal Data Retention Policy that sets out more detailed retention periods for specific categories of data.
12. Cookies & Tracking Technologies
We use cookies and similar technologies (such as SDKs, pixels and local storage) in connection with the Service and our website.
12.1 Types of Cookies We Use
• Strictly necessary cookies: Required for the Service to function (for example, to keep you logged in or to manage session security).
• Performance and analytics cookies: Help us understand how the Service is used, so we can improve performance and usability (for example, usage metrics, error monitoring).
• Preference cookies: Remember your settings and preferences (for example, language, layout).
We do not use cookies for interest-based advertising within the Service unless explicitly stated and consented to.
12.2 Managing Cookies & Consent
Where required by law, we will only place non-essential cookies with your consent. You can:
• Manage or withdraw consent through our cookie banner or preference centre (where available); and
• Adjust your browser settings to block or delete cookies.
Please note: some features of the Service may not function properly if cookies are disabled.
13. Children's Privacy
The Service is intended for use by adults, whether they are acting on behalf of a business or as individual Customers managing their own data. It is not directed to children.
We do not knowingly collect Personal Information from individuals under the age of 16. If you are a parent or guardian and believe that your child has provided us with Personal Information, please contact us using the details below. If we discover that we have collected Personal Information from a child without appropriate consent, we will take steps to delete that information promptly.
Customers (including individual Customers) are responsible for ensuring that any authorised Users are of an appropriate age and that any use of the Service by minors complies with applicable laws.
14. Your Rights (GDPR & Australian Privacy Act)
Subject to certain conditions and exceptions, individuals have the following rights in relation to their Personal Information:
14.1 Access & Correction (APP 12 & 13)
You may request:
• Confirmation as to whether we hold Personal Information about you; and
• Access to, or correction of, that Personal Information.
Where we act as a processor on behalf of a Customer, we may refer your request to the relevant Customer (the controller) and support them in responding.
14.2 GDPR Rights (Where Applicable)
For Personal Data subject to the GDPR, you may also have the right to:
• Data portability – to receive Personal Data you have provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller.
• Erasure ("right to be forgotten") – to request deletion of Personal Data in certain circumstances, subject to our legal obligations and retention requirements.
• Restriction of processing – to request that we restrict the processing of your Personal Data in certain circumstances.
• Object to processing – to object, on grounds relating to your particular situation, to our processing of your Personal Data where we rely on legitimate interests.
• Withdraw consent – where processing is based on consent, to withdraw that consent at any time.
14.3 Exercising Your Rights & Complaints
To exercise any of the above rights, or to make a complaint about how we handle Personal Information, please contact us using the details in Section 16.
If you are not satisfied with our response, you may also have the right to contact your local supervisory authority, such as:
• The Office of the Australian Information Commissioner (OAIC); and/or
• The relevant EU/UK data protection authority (for GDPR matters).
15. Data Breach Notification
In the event of a data breach involving Personal Information that is likely to result in serious harm (under the Notifiable Data Breaches scheme in Australia) or a risk to the rights and freedoms of individuals (under GDPR Article 33/34), we will:
• Take immediate steps to contain and assess the breach;
• Notify affected Customers without undue delay;
• Where required, notify relevant regulatory authorities (for example, OAIC or EU/UK supervisory authorities); and
• Provide information about the nature of the breach, the data involved (to the extent known), and the steps taken or planned to address it.
We may also notify affected individuals directly where required by law or where we consider it appropriate.
16. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in:
• Our Service and internal practices;
• Legal and regulatory requirements; or
• Industry standards and guidance.
We will post the updated Policy with a new "Last Updated" date. For material changes, we will provide additional notice to Customers (for example, by email or in-app notification). Continued use of the Service after the updated Policy becomes effective will constitute acceptance of the changes.
17. Contact Us
If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your rights, please contact:
Data Privacy Officer
Email: support@bottlytics.ai
Bottlytics Ai is a product of Macloud Labs Pty Ltd ACN 634 982 157, 2/56 Brandon Park Drive, Wheelers Hill VIC 3150. All Rights Reserved.