How this policy applies.
This Policy applies to Finlogica's handling of personal information relating to authorised users, business contacts and end clients of Finlogica customers where customer data containing personal information is processed within Finlogica systems.
Core commitments
- No personally identifiable information is uploaded into external LLMs outside the AWS Bedrock service boundary.
- Customer data is stored on Australia-domiciled servers as part of standard operations.
- Customer data is used only to provide and support contracted services.
- Customer personal information is not used to train third-party AI models, sell datasets or enable unrelated advertising.
What Finlogica collects and why.
Finlogica collects personal information only where reasonably necessary for one or more of its functions or activities.
| Item | Details |
|---|---|
| Authorised users | Name, role, organisation, business contact details, account credentials and audit-log metadata. |
| End-client data | Identity, financial circumstances, objectives, portfolio and product details uploaded by customers to generate advice documentation. |
| Technical data | Device and browser information, IP addresses, system telemetry, security logs and performance metrics. |
| Primary purposes | Providing the Finlogica service, administering accounts, supporting security, maintaining audit trails, customer support and billing. |
How personal information is protected.
Security controls may include:
- Identity and access management, RBAC and least privilege
- Authentication controls including MFA where configured
- Encryption in transit and at rest
- Logging, monitoring and audit trails
- Vulnerability management and secure change controls
- Segregation of environments and secure configuration
- Incident response and escalation procedures
Finlogica's standard operating model is to store and process customer data on Australia-domiciled servers. Finlogica does not disclose customer personal information to overseas recipients as part of standard service delivery.
Requests to access or correct personal information.
Finlogica will provide an individual access to personal information it holds about that individual upon request, within a reasonable period, subject to exceptions permitted by the Privacy Act. Finlogica will also take reasonable steps to correct personal information where it is inaccurate, out of date, incomplete, irrelevant or misleading.
Making a privacy complaint.
Finlogica offers a free internal complaint resolution process. Privacy complaints may be made via privacy@finlogica.com.au. Finlogica will acknowledge complaints and aim to provide a written outcome within 30 days, unless an extended timeframe is agreed.
Notifiable Data Breaches and policy governance.
Finlogica maintains processes intended to support compliance with the Notifiable Data Breaches scheme. Where an eligible data breach occurs, Finlogica will take steps consistent with the Privacy Act, including assessment and notifications, and will coordinate with affected customers where relevant.
A summary view of Finlogica's commitments appears above. The complete policy follows.
Full Privacy Policy
SECTION A – INTRODUCTION
1. INTRODUCTION
1.1 As part of Finlogica AI Pty Ltd’s (“Finlogica”, “we”, “us”, “our”) commitment to maintaining the highest levels of professional integrity and ethical conduct, Finlogica has adopted this Privacy Policy (“Policy”) to manage personal information in an open and transparent manner.
1.2 This Policy is designed to assist Finlogica to comply with the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) in relation to personal information handled by Finlogica.
1.3 Finlogica’s operating model (SaaS to AFSL holders and platforms). Finlogica provides a software-as-a-service solution that empowers AFSL holders, brokers and advice businesses to generate advice documentation for advisers (including Statements of Advice). Finlogica is not an AFSL holder and does not provide financial product advice.
1.4 Core privacy commitments (prominent). (a) No personally identifiable information (PII) is uploaded into external LLMs. Finlogica’s solution is designed so that PII contained in customer data uploads is not transmitted to or processed by third-party Large Language Models (LLMs). (b) Australian data residency. Finlogica stores customer data on Australia-domiciled servers and does not store customer data offshore as part of standard operations. (c) Purpose limitation. Finlogica does not use customer data for any purpose other than providing and supporting the contracted services (including document generation, administration, security, and support). (d) No training or monetisation. Finlogica does not use customer personal information to train third-party AI models, sell datasets, or enable unrelated advertising.
2. WHEN DOES THIS POLICY APPLY?
2.1 This Policy applies to Finlogica’s handling of personal information, including personal information relating to: (a) authorised users (e.g., advisers, paraplanners, compliance staff, administrators); (b) prospective customers, business contacts, suppliers, and job applicants; and (c) end clients of Finlogica’s customers where customer data containing end-client personal information is processed or stored within Finlogica’s systems.
2.2 This Policy applies to all Finlogica officers, employees, contractors, and any third parties who handle personal information on Finlogica’s behalf.
3. GLOSSARY
| Term | Definition |
|---|---|
| APP entity | An agency or organisation as defined in section 6 of the Privacy Act. |
| Australian law | Includes an Act, regulations or instrument under an Act, or common law/equity. |
| Collects | Finlogica collects personal information if it collects the information for inclusion in a record or generally available publication. |
| Court/tribunal order | An order, direction or instrument made by a court, tribunal, judge, magistrate, or relevant member/officer. |
| De-identified | Information that is no longer about an identifiable individual or reasonably identifiable individual. |
| Eligible data breach | Unauthorised access/disclosure or loss of personal information held by Finlogica, likely to result in serious harm, and not prevented by remedial action. |
| Holds | Finlogica holds personal information if it has possession or control of a record that contains it. |
| Identifier of an individual | A number/letter/symbol used to identify or verify identity (excluding a name and certain prescribed identifiers). |
| Personal information | Information or an opinion about an identified individual or reasonably identifiable individual, whether true or not, recorded or not. |
| Sensitive information | Includes health information, biometric information/templates, genetic information, and other specified categories under the Privacy Act. |
| Customer | An organisation that contracts with Finlogica (e.g., platform provider, AFSL holder). |
| Authorised user | A person authorised by the Customer to access and use the Finlogica service. |
SECTION B – CONSIDERATION OF PERSONAL INFORMATION PRIVACY
4. PRIVACY STATEMENT
4.1 Governance responsibility. Finlogica’s Privacy Officer / Compliance Officer must ensure that at all times the provisions of this Policy are implemented in Finlogica’s day-to-day operations.
4.2 Policy currency and required content. The Privacy Officer / Compliance Officer must ensure this Policy: (a) is current and reflects applicable Australian laws; and (b) contains, at a minimum: (i) the kinds of personal information Finlogica collects and holds; (ii) how Finlogica collects and holds personal information; (iii) the purposes for which Finlogica collects, holds, uses and discloses personal information; (iv) how individuals may complain about a breach of the APPs and how Finlogica will deal with such complaints; and (v) whether Finlogica is likely to disclose personal information to overseas recipients and, if so, relevant countries (where practicable).
4.3 Availability. This Policy is made available free of charge on Finlogica’s website and may be provided in an alternative format upon request, where reasonable.
SECTION C – COLLECTION OF PERSONAL INFORMATION (Solicited personal information)
5. PERSONAL INFORMATION (OTHER THAN SENSITIVE INFORMATION)
5.1 Finlogica will not collect personal information (other than sensitive information) unless it is reasonably necessary for one or more of Finlogica’s functions or activities.
5.2 Finlogica’s functions and activities include: (a) providing and administering the Finlogica SaaS services to Customers and authorised users; (b) generating advice documentation outputs based on authorised user instructions; (c) user account management and identity/security controls; (d) customer support, service improvement and incident management; (e) billing, account administration, and contract management; (f) meeting legal and regulatory obligations; and (g) business operations (including supplier management and recruitment).
6. SENSITIVE INFORMATION
6.1 Finlogica will not collect sensitive information unless: (a) the individual consents and the information is reasonably necessary for Finlogica’s functions; or (b) collection is required or authorised by law or court/tribunal order; or (c) a permitted general situation or permitted health situation exists under the Privacy Act.
6.2 In practice, sensitive information may arise where Customers or authorised users include it within uploaded documents or advice records. Where sensitive information is handled, Finlogica applies heightened security and access controls proportionate to risk.
7. MEANS OF COLLECTION
7.1 Finlogica collects personal information by lawful and fair means.
7.2 Where practicable, Finlogica collects personal information directly from the relevant individual. However, Finlogica may also collect personal information from a Customer or authorised user where the Customer uses the service to process end-client information for advice documentation purposes.
8. INFORMATION COLLECTED BY FINLOGICA
8.1 Finlogica may collect and hold the following categories:
(a) Authorised users and business contacts
- name, role/title, organisation, business contact details;
- account credentials and authentication settings;
- audit logs and usage metadata (logins, actions, document generation events);
- communications and support interactions.
(b) End-client information input by Customers (Customer-controlled data)
- identity/contact details, financial circumstances, objectives, portfolio/product details, and other information necessary to generate advice documentation, as determined by the Customer and authorised users.
(c) Technical and security information
- device and browser information, IP addresses, system telemetry, security logs, and performance metrics.
8.2 Data minimisation. Finlogica designs its service to support minimisation of personal information processing to what is necessary for the contracted service.
9. PURPOSE OF COLLECTION
9.1 Finlogica collects, holds and uses personal information for purposes including: (a) providing the Finlogica service, including generating documents and maintaining system functionality; (b) verifying user access and administering accounts; (c) preventing, detecting and responding to fraud, security incidents, and misuse; (d) complying with legal obligations (including privacy and security obligations); (e) maintaining audit trails suitable for regulated Customers (including AFSL holders); (f) customer support and service management; and (g) billing and contract administration.
9.2 No unrelated purposes. Finlogica does not use customer personal information for purposes unrelated to providing and supporting the contracted service.
9.3 No external LLM upload of PII. Finlogica’s solution is designed so that personal information is not transmitted to external LLM providers for processing.
SECTION D – COLLECTION OF PERSONAL INFORMATION (Unsolicited personal information)
10. DEALING WITH UNSOLICITED PERSONAL INFORMATION
10.1 If Finlogica receives personal information that it did not solicit, Finlogica will determine within a reasonable period whether it could have collected the information under Section C.
10.2 Finlogica may use or disclose the information only to the extent necessary to make that determination.
10.3 If Finlogica determines it could not have collected the information and the information is not contained in a Commonwealth record, Finlogica will, where lawful and reasonable, destroy or de-identify the information as soon as practicable.
SECTION E – NOTIFICATION OF THE COLLECTION OF PERSONAL INFORMATION
11. NOTIFICATION OF COLLECTION
11.1 Finlogica will take reasonable steps to ensure individuals are notified (through this Policy and/or collection notices) of: (a) Finlogica’s identity and contact details; (b) circumstances of collection, including where collection is via a Customer or third party; (c) where collection is required or authorised by law/court order (if applicable); (d) purposes of collection; (e) consequences if information is not collected (where relevant); (f) usual disclosures (including to service providers); (g) access and correction mechanisms; (h) complaints mechanisms; and (i) whether overseas disclosures occur (and countries, where practicable).
11.2 Customer relationship. Where a Customer controls end-client data collection and notices to end clients, Finlogica will support Customers to meet their obligations through contractual terms and technical controls; however, Customers remain responsible for their own end-client privacy notices and consent arrangements.
SECTION F – USE OR DISCLOSURE OF PERSONAL INFORMATION
12. USE OR DISCLOSURE
12.1 Finlogica will not use or disclose personal information for a secondary purpose unless: (a) the individual has consented; or (b) the individual would reasonably expect such use/disclosure and it is directly related (for sensitive information) or related (for other personal information) to the primary purpose; or (c) required or authorised by law/court order; or (d) a permitted general situation or enforcement-related activity applies.
12.2 This section does not apply to direct marketing (Section G) or government related identifiers (Section I).
13. WHO DOES FINLOGICA DISCLOSE PERSONAL INFORMATION TO?
13.1 Finlogica may disclose personal information to: (a) Customers and their authorised users (as directed by access permissions and service functionality); (b) service providers supporting Finlogica operations (e.g., hosting, monitoring, customer support tooling), subject to confidentiality and security obligations; (c) professional advisers (legal, audit, accounting) under confidentiality; (d) regulators, government agencies and law enforcement where required or authorised; and (e) parties involved in corporate transactions (e.g., merger/acquisition) subject to appropriate safeguards.
13.2 No disclosure to external LLMs for PII processing. Finlogica does not disclose customer personal information to external LLM providers for processing.
Finlogica’s “no external LLM PII upload” commitment is reflected by the blocked path.
SECTION G – DIRECT MARKETING
14. DIRECT MARKETING
14.1 Finlogica will not use or disclose personal information for direct marketing unless permitted by law and consistent with the APPs.
14.2 Finlogica does not use end-client personal information for direct marketing.
15. EXCEPTION – PERSONAL INFORMATION OTHER THAN SENSITIVE INFORMATION
15.1 Where Finlogica engages in direct marketing to business contacts, Finlogica will: (a) provide a clear opt-out mechanism; and (b) action opt-out requests within a reasonable period and free of charge.
16. EXCEPTION – SENSITIVE INFORMATION
16.1 Finlogica will only use or disclose sensitive information for direct marketing where the individual has consented.
17. REQUESTS TO STOP DIRECT MARKETING
17.1 Individuals may request: (a) that Finlogica stop direct marketing communications; and/or (b) the source of the personal information (where applicable), unless impracticable or unreasonable.
SECTION H – CROSS BORDER DISCLOSURE OF PERSONAL INFORMATION
18. DISCLOSING PERSONAL INFORMATION TO CROSS BORDER RECIPIENTS
18.1 Finlogica’s standard operating model is to store and process customer data on Australia-domiciled servers. Finlogica does not disclose customer personal information to overseas recipients as part of standard service delivery.
18.2 If Finlogica proposes to disclose personal information overseas in the future, Finlogica will take reasonable steps to ensure the overseas recipient does not breach the APPs (subject to any applicable exceptions) and will update this Policy accordingly.
SECTION I – ADOPTION, USE OR DISCLOSURE OF GOVERNMENT IDENTIFIERS
19.1 Finlogica will not adopt a government related identifier as its own identifier unless required or authorised by law or court/tribunal order.
20.1 Finlogica will only use or disclose government related identifiers where permitted under the Privacy Act, including where reasonably necessary to verify identity or required/authorised by law.
21. QUALITY OF PERSONAL INFORMATION
21.1 Finlogica will take reasonable steps to ensure personal information it collects, uses or discloses is accurate, up-to-date, complete and relevant, having regard to the purpose.
21.2 Customers and authorised users remain responsible for the accuracy of end-client information input to the system.
22. SECURITY OF PERSONAL INFORMATION
22.1 Finlogica will take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure.
22.2 Controls may include (risk-based): (a) identity and access management; role-based access; least privilege; (b) authentication controls (including MFA where configured); (c) encryption in transit and encryption at rest (where implemented); (d) logging, monitoring and audit trails; (e) vulnerability management and secure change controls; (f) segregation of environments and secure configuration; (g) incident response and escalation procedures; and (h) contractual controls over service providers.
22.3 Finlogica will take reasonable steps to destroy or de-identify personal information it holds where: (a) it is no longer needed for any purpose for which it may be used or disclosed; (b) it is not contained in a Commonwealth record; and (c) Finlogica is not required to retain the information under an Australian law or court/tribunal order.
23. STORAGE OF PERSONAL INFORMATION
23.1 Finlogica stores personal information in ways that may include: (a) secure electronic environments located in Australia and operated by Finlogica and/or approved external service providers; and (b) controlled internal business systems (e.g., CRM/ticketing) used to provide support and administer accounts.
23.2 Finlogica maintains governance procedures designed to protect personal information, including staff confidentiality obligations, controlled access, and review of security practices.
SECTION J – ACCESS TO, AND CORRECTION OF, PERSONAL INFORMATION
24. ACCESS
24.1 Finlogica will provide an individual access to personal information it holds about that individual upon request, within a reasonable period.
24.2 Finlogica will provide access in the manner requested where reasonable and practicable.
24.3 Finlogica does not charge for making an access request and will not impose excessive charges for access.
25. EXCEPTIONS
25.1 Finlogica may refuse access in circumstances permitted by the Privacy Act, including where: (a) access poses a serious threat to life/health/safety; (b) access would unreasonably impact others’ privacy; (c) the request is frivolous or vexatious; (d) the information relates to legal proceedings and is not discoverable; (e) access would prejudice negotiations; (f) access would be unlawful; (g) refusal is required/authorised by law/court order; (h) access would prejudice unlawful activity/misconduct investigations; (i) access would prejudice enforcement activities; or (j) access would reveal evaluative information connected with a commercially sensitive decision-making process.
26. REFUSAL TO GIVE ACCESS
26.1 If Finlogica refuses access (or refuses the requested manner of access), Finlogica will provide written notice setting out: (a) reasons for refusal (unless unreasonable); (b) complaint mechanisms; and (c) any prescribed matters.
SECTION K – CORRECTION OF PERSONAL INFORMATION
27. CORRECTION OF INFORMATION
27.1 Finlogica will take reasonable steps to correct personal information it holds where it is satisfied the information is inaccurate, out of date, incomplete, irrelevant or misleading, or where requested by the individual.
27.2 Where Finlogica corrects personal information previously disclosed to another APP entity and the individual requests notification, Finlogica will take reasonable steps to notify the other entity unless impracticable or unlawful.
28. REFUSAL TO CORRECT INFORMATION
28.1 If Finlogica refuses a correction request, Finlogica will provide written notice setting out: (a) reasons (unless unreasonable); (b) complaint mechanisms; and (c) any prescribed matters.
29. REQUEST TO ASSOCIATE A STATEMENT WITH INFORMATION
29.1 If Finlogica refuses correction and the individual requests that a statement be associated with the information, Finlogica will take reasonable steps to associate the statement so it is apparent to users of the information.
30. DEALING WITH REQUESTS
30.1 Finlogica will respond to access/correction/statement requests within a reasonable time and will not charge for making such requests or for corrections/statement associations.
SECTION L – MAKING A PRIVACY COMPLAINT
31. COMPLAINTS
31.1 Finlogica offers a free internal complaint resolution process. Privacy complaints may be made via:
Email: privacy@finlogica.com.au
31.2 Finlogica requests complainants: (a) gather relevant supporting information; (b) contact Finlogica to discuss concerns; and (c) if not resolved, submit the complaint in writing to the Privacy Officer/Complaints Officer.
31.3 Finlogica will acknowledge complaints and aim to provide a written outcome within 30 days, unless an extended timeframe is agreed.
SECTION M – MISCELLANEOUS
32. NOTIFIABLE DATA BREACHES SCHEME
32.1 Finlogica maintains processes intended to support compliance with the Notifiable Data Breaches (NDB) scheme. Where an eligible data breach occurs, Finlogica will take steps consistent with the Privacy Act, including assessment and notifications, and will coordinate with affected Customers where relevant.
32.2 Finlogica maintains an incident response plan and processes to support timely escalation, containment, investigation, and regulatory/client communications.
33. POLICY BREACHES
33.1 Breaches of this Policy may result in disciplinary action (including termination for serious breaches) and may also result in legal consequences where conduct is unlawful.
33.2 Staff must report suspected breaches promptly to the Privacy Officer / Compliance Officer.
34. RETENTION OF NOTIFIABLE DATA BREACH FORMS
34.1 The Privacy Officer / Compliance Officer will retain NDB forms and relevant incident records for seven (7) years or as otherwise required by law and Finlogica’s document retention arrangements.
DOCUMENT APPROVAL
This document has been reviewed and approved in accordance with FINLOGICA-GOV-001 Policy Governance Statement.

