Privacy Policy

Dated 27 October 2021

Introduction

545490 Pty Ltd, ABN 83 648 605 225 trading as Karta Co (Karta), and all its related companies, are committed to protecting your privacy. We maintain robust physical, electronic, and procedural safeguards to protect personal information. This Privacy Policy applies to the Karta website, our mobile applications and products and services, and governs data collection and usage. We adopted this Privacy Policy (“Policy”) to manage personal information in an open and transparent manner.

We are bound by the Privacy Act 1988 (Cth) (‘Privacy Act’) and will protect your personal information we collect from you, or that you provide to us, in accordance with the Australian Privacy Principles. These principles govern how we collect, use, store and disclose your personal information, as well as how we ensure the quality and security of your personal information.

What is personal information?

Personal information includes any information or opinion about an identified individual or an individual who can be reasonably identified from their information.

Personal Information may include the following:
a. name
b. address
c. telephone number
d. email address
e. date of birth
f. gender
g. marital status
h. occupation
i. bank account details
j. contact details
k. any other information we consider necessary to carry out our functions and activities.

These principles govern how we collect, use, store and disclose your personal information, as well as how we ensure the quality and security of your personal information.

How do we collect personal information?

We are a program manager of non-reloadable prepaid card products and services in Australia, and the main functions and activities we perform as a program manager include, but are not limited to:

• Card issuing, payment clearing and settlement;
• Platform Hosting and transaction processing;
• Application support and development;
• Program maintenance and reporting;
• Account management services;
• Cardholder and Card Program Sponsor customer service; and
• Fraud and transaction monitoring.

We rarely have direct contact with the individual cardholder, and we may need to collect personal information about you from other people or organisations. This may happen without your direct involvement. For instance, we may collect personal information about you from other organisations who, jointly with us, provide products or services to you.

The circumstances in which we will collect personal information about you, as the cardholder, include when:

• you contact us; or
• you register or apply for a Card; or
• you use a Card for transactions and balance enquiries.

What personal information do we collect?

We collect and/or record the following types of personal information:

• The personal information you have provided us through our online card activation process including:
  • your organisation's details obtained via company searches;
  • e-mail address;
  • name;
  • home or work address; and
  • telephone number.
There is also information about your computer hardware and software that is automatically collected by us. This information can include:
  • your IP address;
  • browser type;
  • domain names;
  • access times; and
• Information we receive from third parties including card program sponsors, credit bureaus and information services and aggregation businesses, regarding verification of identification details.

Throughout the life of your product or service, we may collect and hold additional personal information about you. This could include transaction information or making a record of queries or complaints you make.

For what purposes do we collect, store, use, and disclose personal information?

The main reason we collect, use, store and disclose personal information is to provide you with products and services.

This includes:

• checking whether you are eligible for the product or service;
• providing the product or service; and
• assisting you with your inquiries or concerns.

We may also collect, use, and exchange your information so that we can:

• establish your identity;
• manage our risks and help identify and investigate illegal activity, such as fraud;
• contact you;
• comply with our legal obligations and assist government and law enforcement agencies or regulators;
• conduct research and training; or
• provide general statistics regarding use of our website.

We encourage you to review the privacy statements of websites you choose to link to and from us, so that you can understand how those websites collect, use and share your information.

We are not responsible for the privacy statements or other content on websites outside of our website.

We only retain personal data for so long as it is necessary in accordance with the time frames stipulated in the laws that impact us, such as privacy, AML/CTF and tax laws. For example, we may require your personal information to be collected and verified under the Anti-Money Laundering & Counter-Terrorism Financing Act 2006 (Cth).

Is the information disclosed to third parties?

We may disclose your personal information to third parties:

• who are service providers, contractors, or card program sponsors of ours;
• to facilitate the operation of the card and the completion and settlement of transactions using the card;
• for anti-money laundering and counter-terrorism financing requirements, the detection of crime, legislative and compliance regulations, and fraud prevention purposes; and
• when required or allowed by law.

When your personal information is shared with service providers or contractors, it will only be to the extent reasonably necessary for the purpose of the services they are contracted to provide.

When your personal information is shared with program sponsors, it will only be to the extent reasonably necessary for the purpose of performing any necessary cardholder customer support, conducting statistical analysis, improving their product, services, and practices.

We may also disclose Personal Information to other third parties in circumstances where:

• We must fulfil our legal obligations (for example, disclosure to Australian (and international) enforcement bodies such as the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO), the Australian Transaction Reports and Analysis Centre (AUSTRAC) or the Courts);

• It is in the public interest (that is, to protect our interests or where we have a duty to the public to disclose, or where it is necessary in proceedings before a court or tribunal) and where a crime or fraud is committed or is suspected; or

• It can be reasonably inferred from the circumstances that the Cardholder has consented to their Personal Information being disclosed to a third party.

We do not use or disclose the Personal Information for any other purpose unless one of the following applies:

• The individual has consented;

• The individual would reasonably expect us to use or disclose the Personal Information for a purpose that is related to the primary purpose; or

• Use or disclosure is required under Australian law.

As a matter of course, we do not disclose personal information to overseas recipients. If this position changes, we will only send your personal information outside Australia, where, for example:

• You have requested or consented to us sending your Personal Information;

• We outsource a function or service to an overseas contractor with whom we have a contractual relationship; and

We will not send your personal information outside Australia unless it is authorised by law, and we are satisfied that the recipient of the Personal Information has adequate data protection arrangements in place.

Where we disclose Personal Information about an individual to a recipient who is not in Australia, we must ensure that the overseas recipient does not breach the Australian Privacy Principles.

We will continue to keep your personal information as is reasonably necessary, for the purposes mentioned above, after the expiry of the Card.

We do not collect, use, or disclose sensitive personal information, such as race, religion, or political affiliations.

Your consent is important

We may require your consent to use and/or disclose your information in particular ways.

We need your consent if we use your information for a purpose that is not related to the purpose for which we collected your information in the first instance.

Depending on the circumstances, this consent may be express (for example, you expressly agree to the specific use of your information by ticking a box) or implied by some action you take or do not take (for example your agreement is implied by the fact that you have agreed to your product terms and conditions which contains information about the use of disclosure).

Do we collect personal information electronically?

Each time you visit our website, we collect information about your use of the website, which may include the following:

• The date and time of visits;

• Which pages are viewed;

• How users navigate through the site and interact with pages;

• Information about the device used to visit our website; and

• IP addresses.

This information is obtained using Google Analytics. Our website does not use cookies or collect personal information or data.

Security of your Personal Information

We protect your personal information from unauthorised access, misuse, and disclosure. With regard to personal information security, our focus is to ensure we are taking reasonable steps to protect personal information from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure.

Our security safeguards include taking reasonable steps to destroy or de-identify personal information we hold where:

1. we no longer need the personal information for any purpose for which the information may be used or disclosed by us; and
2. the information is not contained in a Commonwealth record; and
3. we are not required to retain that information under an Australian law, or a Court/Tribunal Order.

System security

When you transact with us, we encrypt data sent from your computer to our systems. Where appropriate, we have firewalls, password protection, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses accessing our systems.

When personal information is transmitted to other websites, it is protected by encryption, such as the Secure Socket Layer (SSL) protocol. We also limit access by requiring the use of passwords.

Destroying data when no longer required

Where practical, we keep information only for as long as required (for example, to meet legal requirements or our internal needs) and take reasonable steps to destroy or de-identify personal information.

Payment Card Industry (PCI) Data Security Standard (DSS)

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.

The standard provides an actionable framework for developing a robust account data security process – including preventing, detecting, and reacting to security incidents.

Training and education

We train and provide refreshers to our staff on their privacy obligations regarding your personal information. We specifically cover how we can collect, use, store and disclose personal information, and how we can handle personal information in day-to-day work in a way that complies with the Privacy Act and the Australian Privacy Principles. It also covers agency obligations around storing personal information in a secure manner, the retention of personal information and destroying and/or de-identifying personal information. This allows us to educate our staff on identifying safe personal information handling practices.

Protecting your privacy

You can help us to protect your privacy by observing our security requirements and contacting us immediately if your contact details change.

We require you to keep your personal identification number (PIN), passwords and access codes confidential and secure at all times. This means that you should not disclose your PIN, passwords, or access codes to any other person. You should also contact us immediately if you believe that your PIN, passwords, or access codes may have been compromised or if you would like to change your PIN or password.

Access to your personal information

You are entitled to ask us to supply you with any personal information that we hold about you. You must submit your request in writing to the appropriate address as below:

Privacy Officer

Our privacy officer is contactable at privacy@545490.co.

We maintain the quality of your personal information by taking reasonable steps to ensure that the information collected, used, and disclosed is accurate, complete, and up to date. Alternatively, you may also update your personal information at any time by contacting us on 1300 54 54 90 or by emailing kyc@545490.co directly.

How to make a complaint

If you wish to resolve an issue about the way in which we manage your personal information or any other matters, please contact us directly on 1300 54 54 90. If you are not satisfied with our response or would like to make a complaint, please ask to speak to our Complaints Officer.

We will let you know if we need any further information from you to assist in investigating and resolving your complaint. We aim to resolve complaints as quickly as possible. We strive to resolve complaints within five business days, but some complaints take longer to resolve. If your complaint is taking longer, we will let you know what is happening and a date by which you can reasonably expect a response.

If you are not satisfied with our response or prefer to raise a complaint with our Privacy Officer directly, please email privacy@545490.co.

If you have followed these steps and are still not satisfied with the outcome, you can contact the relevant external body.

Office of the Australian Information Commissioner

GPO Box 5218 Sydney NSW 2001

(p) 1300 363 992

(e) enquiries@oaic.gov.au

(w) www.oaic.gov.au

Changes to this Statement

From time to time it may be necessary for us to review and revise our privacy policy to reflect company, client and regulatory feedback. We encourage you to periodically review the website and the Privacy Policy to be informed of how we are protecting your information. We will publish the updated version on our website and by continuing to deal with us, we confirm that you accept this Privacy Policy as it applies at that point in time. Alternatively, if you would like a copy of this Privacy Policy, please contact us.