CREDIT REPORTING PRIVACY POLICY OF EMPRESS ATHLETICUS GROUP

1 INTRODUCTION

1.1 About this policy

(a) This Credit Reporting Privacy Policy (“this policy”) is the official credit reporting privacy policy of EMPRESS ATHLETICUS PTY LTD ACN 647 499 447 and any of its wholly owned subsidiaries (hereafter collectively referred to as the “EMPRESS ATHLETICUS Group” or “we”, “us” or “our”) as required by the Privacy Act 1988 (“Act”) and particularly Part IIIA of that Act and the Credit Reporting Code (“CR Code”).

(b) This policy applies to all credit information and credit eligibility information about individuals (“credit information”) collected, held and used by the EMPRESS ATHLETICUS Group in its activities as a credit provider and also in its activities as an agent for other credit providers.

(c) This policy is in addition to EMPRESS ATHLETICUS Group’s standard APP Privacy Policy which may be found here.

1.2 What this policy provides

(a) In this policy we explain how and why we collect credit information about individuals, how we use such information within the EMPRESS ATHLETICUS Group, and what controls individuals have over our collection and use of information about them.

(b) This policy is relevant to individuals who are current and former credit customers, as well as other individuals that the EMPRESS ATHLETICUS Group deals with in connection with credit we provide to our credit customers (for instance, such individuals may be guarantors or directors of corporate customers) or information we collect on behalf of other credit providers in the EMPRESS ATHLETICUS Group’s capacity as an agent for such credit providers.

1.3 Our commitment

The EMPRESS ATHLETICUS Group is committed to complying with Commonwealth legislation and regulations (the Act and the CR Code) governing privacy of credit information about individuals by credit providers and to protecting and safeguarding the privacy of individuals when they deal with us.

2 COLLECTION OF INFORMATION AND TYPES OF INFORMATION COLLECTED

2.1 Type of information collected

The EMPRESS ATHLETICUS Group collects, holds and uses various types of credit-related information about individuals, which information includes:

(a) identification information such as current and prior names and addresses, age, contact details and driver's licence number;

(b) applications for credit (including the name of each relevant credit provider), the type and amount of that credit and the fact the EMPRESS ATHLETICUS Group has accessed credit information to assess a relevant application for its business services or processing a credit application as an agent for another credit provider;

(c) that a company within the EMPRESS ATHLETICUS Group and other credit providers are or have been a provider of credit to an individual (or an entity associated with an individual) and the type, characteristics and maximum amount of credit that have been provided or will be provided;

(d) the date that any credit contract between a company within the EMPRESS ATHLETICUS Group or other credit providers and an individual was entered into and the date that it comes to an end;

(e) payments owed to a company within the EMPRESS ATHLETICUS Group or another credit provider, in connection with credit provided to an individual (or an entity associated with an individual) or in relation to which an individual is a guarantor (and, if any such overdue payment is subsequently paid, the fact of that payment);

(f) whether in the opinion of a company within the EMPRESS ATHLETICUS Group or another credit provider an individual has committed a serious credit infringement;

(g) whether an individual has entered into arrangements with a company within the EMPRESS ATHLETICUS Group or other credit providers in connection with credit provided to the individual (or an entity associated with the individual);

(h) court proceedings information, personal insolvency information and credit-related publicly available information;

(i) scores, ratings, summaries, evaluations and other information relating to an individual’s credit worthiness which is derived by a company within the EMPRESS ATHLETICUS Group or its agents, or by Credit Reporting Bodies (“CRBs”), wholly or partly on the basis of the information above; and

(j) certain administrative information relating to credit, such as account and customer numbers.

While the Act uses a variety of terms to refer to such information as referred to above, for ease of understanding and reading this policy, such information is referred to hereinafter as "credit information".

2.2 Manner of collection

(a) Credit information may be collected by the EMPRESS ATHLETICUS Group in a number of ways including:

(i) being provided by an individual directly to a company within the EMPRESS ATHLETICUS Group or by persons acting on behalf of the individual (such as on applications or other forms);

(ii) being provided by CRBs and/or other credit providers and/or trade suppliers with the consent of the individual;

(iii) being information provided by the individual on an application for credit with another credit provider, in circumstances where a company within the EMPRESS ATHLETICUS Group acts as that credit provider’s agent;

(iv) being information that is in the public domain; and

(v) being information that is derived by a company within the EMPRESS ATHLETICUS Group from an individual’s usage and (where applicable) trade on and transactional history on any account (of the individual or of an entity associated with the individual) held within the EMPRESS ATHLETICUS Group.

(b) At or before the time any credit information is collected by a company within the EMPRESS ATHLETICUS Group about an individual, we will take reasonable steps to ensure that the individual is made aware of who we are, the fact that the individual is able to gain access to the information held about the individual, the purpose of the collection, the type(s) of entities to which we usually disclose such information collected about the individuals, any laws requiring the collection of the information and the main consequences for the individual if all or part of the information is not collected.

2.3 How information may be held

(a) A company within the EMPRESS ATHLETICUS Group may hold credit information about an individual in physical form or in electronic form on our systems or the systems of the EMPRESS ATHLETICUS Group’s IT service providers.

(b) The credit information that a company within the EMPRESS ATHLETICUS Group holds about individuals is protected by physical, electronic, and procedural safeguards and the EMPRESS ATHLETICUS Group also requires its service providers that hold and process such information on the EMPRESS ATHLETICUS Group’s behalf to follow appropriate standards of security and confidentiality. Any credit information we collect from an individual or about an individual is kept securely and held on secure servers in controlled facilities.

(c) The EMPRESS ATHLETICUS Group trains its staff and others who work for it on how to handle credit information appropriately and the EMPRESS ATHLETICUS Group restricts access to what is necessary for specific job functions.

2.4 Period of retention of information

(a) The EMPRESS ATHLETICUS Group may retain credit information collected or provided to us including:

(i) telephone recordings of calls to our hotlines and contact numbers; and

(ii) client files including individuals’ personal information, contact information, financial and transactional information;

to enable us to verify transactions and customer details and to retain adequate records for legal and accounting purposes.

(b) The EMPRESS ATHLETICUS Group will retain credit information collected for such minimum or maximum periods as it is required by law depending on the type of information collected. But for any minimum or maximum periods of retention required by law, we will safely destroy credit information once it is no longer required.

3 USE AND DISCLOSURE OF CREDIT INFORMATION

3.1 General Purpose

A company within the EMPRESS ATHLETICUS Group may, as permitted by law, collect, hold, use or disclose credit information held about an individual for the purposes for which such information is collected. These purposes include:

(a) to form decisions as to whether to provide an individual, or an entity associated with an individual, with credit or to accept an individual as a guarantor;

(b) to make assessments relating to an individual’s credit worthiness which are used in the ongoing decision-making processes of a company within the EMPRESS ATHLETICUS Group regarding provision of credit and the amount of such credit;

(c) to assist an individual or entity associated with the individual in completing a credit application with other credit providers, in circumstances where a company within the EMPRESS ATHLETICUS Group acts as the credit provider’s agent;

(d) to participate in the exchange of credit information with other credit providers including obtaining from and providing information to CRBs and other credit providers and/or trade suppliers as permitted by Part IIIA of the Act and the CR Code;

(e) to assist an individual or entity associated with the individual to avoid defaulting on credit-related obligations to a company within the EMPRESS ATHLETICUS Group or other credit providers;

(f) to undertake debt recovery and enforcement activities, including in relation to guarantors, and to deal with serious credit infringements;

(g) to deal with complaints and meet legal and regulatory requirements; and

(h) to assist other credit providers to do the same.

3.2 Other permitted disclosure

(a) Some credit information may only be used or disclosed under the Act for some of the above purposes or in some particular circumstances.

(b) Generally, the EMPRESS ATHLETICUS Group will be permitted to use or disclose credit information held about an individual where the individual has consented to the use or disclosure.

(c) The EMPRESS ATHLETICUS Group may disclose credit information to a CRB and/or other credit providers about an individual for such purposes as set out above and as permitted by the Act. For example, a company within the EMPRESS ATHLETICUS Group may be permitted to disclose credit information to a CRB in such circumstances as where the individual has consented to the disclosure or where the individual has failed to meet payment obligations in relation to credit provided by a company within the EMPRESS ATHLETICUS Group or if the individual has committed a serious credit infringement. Similarly, a company within the EMPRESS ATHLETICUS Group will generally be permitted to disclose credit information to another credit provider about an individual where the individual has consented to such disclosure.

4 CREDIT REPORTING BODIES (CRBS)

4.1 Use of information by CRBs

(a) Part IIIA of the Act outlines:

(i) the types of personal information that credit providers can disclose to a credit reporting body (CRB), for the purpose of that information being included in an individual’s credit report;

(ii) what entities can handle that information, and

(iii) the purposes for which that information may be handled.

CRBs may include credit information provided by a company within the EMPRESS ATHLETICUS Group in reports provided to other credit providers to assist such other credit providers to assess the individual’s credit worthiness.

4.2 No present use of CRB services

Presently the EMPRESS ATHLETICUS Group does not share credit information with any CRB. A company within the EMPRESS ATHLETICUS Group may, in the future, disclose credit information to a CRB, but prior to disclosing any credit information about individuals to any other CRB, the EMPRESS ATHLETICUS Group will amend its Credit Reporting Privacy Policy to set out the name and contact details of any such other CRB and will post a notification of the change to the Credit Reporting Privacy Policy on the EMPRESS ATHLETICUS Group’s website.

4.3 Rights in relation to CRBs

It is important to note that individuals have certain rights in respect of CRBs and the information a CRB holds about the individual and those rights include:

(a) Opting out of direct marketing pre-screenings – A CRB may use an individual’s credit information to assist a credit provider to market to that individual by pre-screening the individual for direct marketing by the credit provider. This process is known as a "pre-screening". If an individual does not want a CRB to use that individual’s information for the purpose of pre-screening, the individual has the right under the Act to contact the CRB to request that they exclude the individual from such processes.

(b) If an individual is a victim of fraud (including identity-related fraud) – An individual is entitled under the Act to request that a CRB not use or disclose credit reporting information they hold about the individual in circumstances where the individual reasonably believes that they have been or are likely to be a victim of fraud, including identity-related fraud. The period while this applies is called a "ban period". An individual can make such a request to any CRB, including those listed above.

5 DIRECT MARKETING

5.1 We may carry out direct marketing

As part of the EMPRESS ATHLETICUS Group’s functions and business activities and to promote the services we can provide to our customers, including in respect of the credit-related activities of a company within the EMPRESS ATHLETICUS Group, a company within the EMPRESS ATHLETICUS Group may be permitted to use personal information about individuals that individuals have provided to the EMPRESS ATHLETICUS Group for the purposes of direct marketing. Direct marketing includes, but is not limited to, sending information to and/or contacting individuals in relation to promotions relating to a company within the EMPRESS ATHLETICUS Group.

5.2 Opting out of direct marketing

(a) All recipients, including individuals, can opt out of receiving direct marketing communications by sending an email to the EMPRESS ATHLETICUS Group’s Privacy Officer, at the email address shown in the ‘Contacting us’ section of this Policy.

(b) In any direct marketing communication we remind recipients of their right to opt out of receiving direct marketing communications. Moreover, as a general rule, a credit provider is not permitted to disclose to others credit information about individuals for the purposes of direct marketing.

6 ANONYMITY AND PSEUDONYMITY

Individuals would generally have the option of dealing with a company within the EMPRESS ATHLETICUS Group anonymously. However, this only applies where it is not impracticable for us to deal with individuals acting anonymously or under a pseudonym. For example, individuals making general enquiries of a company within the EMPRESS ATHLETICUS Group may do so anonymously or under a pseudonym. However, if the dealing with us is for us to supply goods and services and/or to enter into contractual relations (such as a commercial credit account) with a customer that is the individual or is associated with the individual, or is in the capacity of a company within the EMPRESS ATHLETICUS Group as an agent for other credit providers, then it is impractical for such individuals to deal with a company within the EMPRESS ATHLETICUS Group on an anonymous basis or under a pseudonym.

7 WEBSITE AND LINKS

7.1 EMPRESS ATHLETICUS Group websites

The EMPRESS ATHLETICUS Group advertises and carries on business through a number of websites pertaining to each company within the EMPRESS ATHLETICUS Group, including:

www.empressathleticus.com.au;

and any other website that contains a link to this policy.

7.2 Website terms and conditions

(a) Each website of the EMPRESS ATHLETICUS Group collects personal and credit information pursuant to this policy except as otherwise stated on the website.

(b) A website may display additional terms and conditions for access and use of the website which apply in addition to this policy.

7.3 Cookies

(a) The EMPRESS ATHLETICUS Group collects information from its websites using IP files or “cookies”. When a user visits the EMPRESS ATHLETICUS Group’s websites to read, browse or download information, our system will record/log the user’s IP address (the address which identifies the user’s computer on the internet and which is automatically recognised by our web server), date and time of the visit to our website, the pages viewed and any information downloaded.

(b) Cookie information collected will only be used for the purpose of site analysis and to help us offer improved online services. We may automatically collect non-personal information about users such as the type of Internet browsers used or the website from which the user linked to our websites. Individuals cannot be identified from this information and it is only used to assist us in providing an effective service on our websites.

(c) You can stop your browser receiving or accepting cookies at any time; however, the use of cookies is necessary for certain functions on our websites to work properly and therefore we cannot assure you that you will be able to access and enjoy all functions of our website.

7.4 Third party links

Our websites may contain links to other websites and those third party websites may collect personal information about individuals. We are not responsible for the privacy practices of other businesses or the content of websites that are linked to our websites. The EMPRESS ATHLETICUS Group encourages users to be aware when they leave our website and to read the privacy statements of each and every website they frequent.

8 SECURITY AND STORAGE OF INFORMATION

8.1 Our commitment

The EMPRESS ATHLETICUS Group places a great importance on the security of all information associated with our clients and others who deal with us. We have security measures in place to reasonably protect against the loss, misuse, unauthorised access and alteration of credit information and other data under our control.

8.2 Security and storage methods

(a) All credit information and other data held is kept securely and that which is held electronically is held on secure servers in controlled facilities.

(b) Credit information is de-identified or destroyed securely when no longer required by us.

(c) Information stored within the EMPRESS ATHLETICUS Group’s computer systems or by our agents who provide electronic storage facilities can only be accessed by those entrusted with authority and computer network password sanctions.

(d) The EMPRESS ATHLETICUS Group consults with IT service providers to implement reasonable levels of firewall, malware detection and data security procedures.

8.3 Electronic transmissions

No data transmission over the internet can be guaranteed to be absolutely secure. As a result, whilst we strive to protect users' personal information (including credit information), the EMPRESS ATHLETICUS Group cannot ensure or warrant the security of any information transmitted to it or from its online products or services, and users do so at their own risk. Once a company within the EMPRESS ATHLETICUS Group receives a transmission, we make every effort to ensure the security of such transmission on our systems.

8.4 Banking information and payment requests

(a) We will never email you or telephone you requesting your credit card or bank account details except in connection with a purchase that you are making by email or telephone.

(b) In all cases, if you receive a communication purported to be from us requesting payment or banking information, we recommend that you separately contact us via our publicly available telephone contact details to verify the authenticity of the request.

8.5 Data breach and response

(a) EMPRESS ATHLETICUS Group has developed a data breach response plan which ensures compliance with the mandatory notification requirements of Part IIIC of the Act.

(b) As part of this plan, EMPRESS ATHLETICUS Group will:

(i) carry out an assessment to determine if the breach is a breach in respect of which notification is required within 30 days of becoming aware or being notified of a data breach; and

(ii) take any immediate remedial action as is reasonable to remedy the breach or stop any furtherance of the breach.

(c) If notification of the breach is required, EMPRESS ATHLETICUS Group will:

(i) provide a statement in relation to the breach to the Office of the Australian Information Commissioner; and

(ii) if it is practical for us to notify affected individuals directly, we will notify any individuals whose information was subject to the breach and provide them a copy of our statement; or

(iii) if it is impractical for us to notify affected individuals directly, we will publicise the statement on our websites and otherwise act in accordance with the requirements of the Act.

9 TRANSFER OF INFORMATION OVERSEAS

9.1 Use of cloud services

The EMPRESS ATHLETICUS Group may utilise local and overseas cloud services for the purpose of storing information. Your credit information may be disclosed to the EMPRESS ATHLETICUS Group’s cloud service provider for that purpose. While the EMPRESS ATHLETICUS Group’s cloud service providers are located in Australia, the country location of our cloud service providers may periodically change.

9.2 Other disclosures

Except as provided in connection with the use of cloud services, the EMPRESS ATHLETICUS Group is unlikely to disclose credit information of an individual to overseas recipients. Personal information will only be disclosed by a company within the EMPRESS ATHLETICUS Group to overseas recipients in accordance with Australian Privacy Principle 8, such as if the disclosure is required by Australian law.

10 ACCESS TO AND CORRECTION OF PERSONAL INFORMATION

10.1 Our commitment

The EMPRESS ATHLETICUS Group is committed to and takes all reasonable steps in respect of maintaining accurate, timely, relevant, complete and appropriate information about our customers, clients and website users.

10.2 Access to information

(a) Any individual may request access to personal information (including credit information) about them held by the EMPRESS ATHLETICUS Group. Such a request for access to personal information is to be made to the EMPRESS ATHLETICUS Group’s Privacy Officer, whose details are set out below.

(b) A company within the EMPRESS ATHLETICUS Group will respond to any requests for access or correction within a reasonable time of receipt of the request, but by no later than 30 days of the request being received.

(c) Please note that the EMPRESS ATHLETICUS Group does require that, as part of any request by an individual for access to personal information (including credit information), the individual verify their identity so that a company within the EMPRESS ATHLETICUS Group may be satisfied that the request for access is being made by the individual concerned.

(d) Please note that the EMPRESS ATHLETICUS Group is not required to give an individual access to personal information in circumstances where:

(i) the EMPRESS ATHLETICUS Group reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or

(ii) giving access would have an unreasonable impact on the privacy of other individuals; or

(iii) the request for access is frivolous or vexatious; or

(iv) the information relates to existing or anticipated legal proceedings between the EMPRESS ATHLETICUS Group and the individual, and would not be accessible by the process of discovery in those proceedings; or

(v) giving access would reveal the intentions of the EMPRESS ATHLETICUS Group in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(vi) giving access would be unlawful; or

(vii) denying access is required or authorised by or under an Australian law or a court/ tribunal order; or

(viii) both of the following apply:

(A) the EMPRESS ATHLETICUS Group has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the EMPRESS ATHLETICUS Group’s functions or activities has been, is being or may be engaged in;

(B) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or

(ix) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

(x) giving access would reveal evaluative information generated within the EMPRESS ATHLETICUS Group in connection with a commercially sensitive decision-making process.

(e) If we refuse to provide an individual with access to their credit information or to correct the credit information held by us about them, then we will provide reasons for such refusal. Such reasons will set out the grounds for refusal, the mechanisms available to complain about the refusal and any other matters that are required by the Act.

10.3 Correction of Information

(a) Inaccurate information will be corrected upon receiving advice to this effect. To ensure confidentiality, details of an individual’s credit information will only be passed on to the individual if we are satisfied that the information relates to the individual.

(b) From time to time, and having regard to the purpose of the collection and use of credit information about individuals, we may contact individuals to seek confirmation that the personal information provided to us by the individual is accurate, up-to-date and complete.

11 COMPLAINTS

11.1 Making a complaint

If an individual has a complaint about this policy or the EMPRESS ATHLETICUS Group’s collection, use or safe disposal or destruction of credit information about the individual, any complaint should be directed in the first instance to the EMPRESS ATHLETICUS Group’s Privacy Officer at the contact details set out in the ‘Contacting us’ section of this policy.

11.2 Investigation and resolution procedure

(a) Upon receiving a complaint we will, within 7 days, give the complainant written notice acknowledging receipt of the complaint and setting out the process of how we will deal with it.

(b) Unless a longer time is agreed by the complainant, we will investigate the complaint and make a decision within 30 days of receipt of the complaint and communicate the decision to the complainant.

(c) We aim to resolve all complaints within 30 days of receipt. If we cannot resolve a complaint within 30 days we will notify the complainant of the reasons and specify a date when we expect a decision or resolution will be made and seek the complainant’s agreement to extend the 30 day period – if the complainant does not agree then we may not be able to resolve the complaint.

(d) It may be necessary (and it may be required by the Act), in order to deal with a complaint, to consult with a third party such as a CRB or another credit provider. Further, if, while a complaint remains unresolved, we are disclosing information subject to the complaint to a third party, we may be required to advise the third party about the complaint.

(e) If we find a complaint is justified we will resolve it and do what is required to rectify any breach. The EMPRESS ATHLETICUS Group is committed to fulfilling its obligations as an APP entity and a credit provider under the Act.

(f) If a complainant is not satisfied with the outcome of the EMPRESS ATHLETICUS Group’s internal complaints procedure in respect of the privacy practices of a company within the EMPRESS ATHLETICUS Group then the complainant may refer their complaint to the Office of the Australian Information Commissioner (“OAIC”). The website for the OAIC is: www.oaic.gov.au.

11.3 Complaints Handling Policy

EMPRESS ATHLETICUS Group has a broader complaints handling policy which may be viewed here.

12 CHANGES TO POLICY

If the EMPRESS ATHLETICUS Group decides to or is required to change this policy, we will notify you of such amendments on our websites and post changes on this policy webpage so that users may always be aware of what information is collected by us, how it is used and the way in which information may be disclosed. As a result, please refer back to this policy regularly to review any amendments.

13 CONTACTING US

13.1 Contacting us

For concerns, complaints or further information regarding this policy and our policies and procedures regarding privacy and data security, please contact us at the following address:

The Privacy Officer – EMPRESS ATHLETICUS Group
Address for postage: Empress Athleticus Privacy
PO Box 1353
Noosa Heads QLD 4567
Telephone: 1300 367 737 (1300EMPRESS)

Email: hello@empressathleticus.com.au

We will respond to your enquiry as soon as possible.

13.2 Contacting the OAIC

If you are not satisfied with our response to your enquiry and for more information on privacy legislation, please visit the website of the Office of the Australian Information Commissioner at www.oaic.gov.au.