Privacy Policy & Complaints Handling

Privacy Policy

1. INTRODUCTION

This policy was last updated on 24.11.25.

1.1 About this policy

(a) This Privacy Policy (“this Policy”) is the official privacy policy of PRD CORPORATE PTY LTD ACN 007 628 588 domiciled in Australia and having head office Level 30, Grosvenor Place, 225 George Street, Sydney NSW 2000, and any of its wholly owned subsidiaries and business divisions of the Australian franchise network known as PRD Pty Ltd (the “Network”).

(b) This Policy is also adopted by all local offices and franchisees of the Network (“Local Offices”).

(c) If this Policy has been referenced on a website pertaining by a company or business entity that is part of or associated with the Network, this Policy applies to all information collected and used by that entity also.

(d) In this Policy, a reference to “PRD Pty Ltd” or “we”, “us” or “our” includes any entity referenced in paragraphs (a) - (c) above except where expressly excluded.

(e) This Policy is drafted as a group policy with the intention that all Local Offices within the Network will follow the same policies and procedures. To the extent permitted by law, PRD Corporate Pty Ltd ACN 007 628 588 (“Head Office”) does not accept liability, vicariously or otherwise, for the actions of any Local Office or any person who is not an employee of the Head Office.

1.2 Relationship with Privacy Act and other Laws

(a) This Policy is intended to comply with the Privacy Act 1988 (Cth) (the “Act”) to ensure PRD Pty Ltd’s compliance with its obligations under the Act, including the Australian Privacy Principles (the “APPs”), if applicable to PRD Pty Ltd. This Policy is not otherwise an ‘opt-in’ under section 6EA of the Act.

(b) For the purpose of interpretation of this Policy any terms in this Policy defined in the Act have the same meaning as defined in the Act.

(c) To the extent that PRD Pty Ltd may from time to time be the subject of privacy laws of nations other than Australia, this Policy extends to information collected by us from overseas entities but does not limit our obligations under any other laws.

1.3 What this Policy provides

(a) In this Policy we explain how and why we collect personal information about individuals as defined in the Act (“Personal Information”), how we use such information within our business, and what controls individuals have over our collection and use of information about them.

(b) This Policy is relevant to individuals who are current and former customers, as well as other individuals that we deal with in connection with the goods and services we provide or information we collect from customers and other persons.

1.4 Our commitment

We value your privacy and are committed to complying with laws that deal with how businesses may collect, hold and use Personal Information about individuals, and to protecting and safeguarding the privacy of individuals when they deal with us, including the Act and the APPs if applicable.

2. COLLECTION OF INFORMATION

2.1 Type of information collected

(a) Some information provided to us by clients, customers and other parties might be considered private or personal. However, without such information we would not be able to carry on our business activities and provide our services. We will only collect such Personal Information if it is necessary for one of our functions or activities.

(b) The kinds of Personal Information that we may collect and hold in respect of individuals may include:

(i) names;

(ii) addresses and contact details;

(iii) identification information;

(iv) financial information, including information about transactions and trading history; and

(v) information about credit history.

2.2 Situations where information is collected

Personal information may be collected in the following situations by PRD Pty Ltd:

(a) if an individual contacts us, we may keep a record of that communication or correspondence;

(b) if an individual submits an application or curriculum vitae or another form required to be completed by an individual to enable and/or facilitate services and/or employment to be provided by us;

(c) when applying for and/or establishing and/or accessing an account with us or ordering products or commissioning services from us;

(d) when conducting certain types of transactions such as cheque or credit card purchases or refunds;

(e) when an individual submits their contact details to be included on our mailing lists;

(f) when an order is placed with us to purchase goods or services we may require individuals to provide us with contact information including name, address, telephone number or email address and financial information (such as credit card details) for the purposes of processing and fulfilling such an order or providing the service;

(g) when CCTV footage is recorded at any of our premises; and

(h) when telephone or video conversations are recorded, including for training purposes.

2.3 Manner of collection

(a) At or before the time the Personal Information about an individual is collected by us, we will take reasonable steps to ensure that the individual is made aware of who we are, the fact that the individual is able to gain access to the information held about the individual, the purpose of the collection, the type(s) of organisations to which we may usually disclose the information collected about the individual, any laws requiring the collection of the information and the main consequences if all or part of the information is not collected.

(b) We usually collect Personal Information about individuals directly from the individual. However, sometimes we may need to collect Personal Information about individuals from third parties for the purposes described below in this Policy. The circumstances in which we may need to do this include, for example, where we need information from a third party to assist us to process an application or an order (such as to verify information an individual has provided or to assess the individual’s circumstances) or to assist us to locate or communicate with the individual.

2.4 How information may be held

(a) PRD Pty Ltd may hold Personal Information about an individual in physical form or in electronic form on our systems or the systems of our IT service providers.

(b) The Personal Information that we hold about individuals is protected by physical, electronic, and procedural safeguards and we also require our service providers that hold and process such information on our behalf to follow appropriate standards of security and confidentiality. Any Personal Information we collect from an individual or about an individual is kept securely and held on secure servers in controlled facilities.

(c) PRD Pty Ltd takes other technical and organisational measures to protect the Personal Information of individuals from misuse, loss or disclosure. These include:

(i) training of staff and others who work for PRD Pty Ltd on how to handle Personal Information appropriately; and

(ii) restricting of access to what is necessary for specific job functions;

(iii) regularly updating its software and hardware including passwords and permissions; and

(iv) employing the use of firewall and cyber security technology to avoid unauthorised access to our systems and data.

2.5 Period of retention of information

(a) PRD Pty Ltd may retain Personal Information collected or provided to us including:

(i) telephone recordings of calls to our hotlines and contact numbers;

(ii) CCTV security footage from our business premises; and

(iii) client files including individuals’ Personal Information, contact information, financial and transactional information;

to enable us to verify transactions and customer details and to retain adequate records for legal and accounting purposes.

(b) PRD Pty Ltd will retain Personal Information collected for such minimum or maximum periods as it is required by law depending on the type of information collected. But for any minimum or maximum periods of retention required by law, we will safely destroy Personal Information once it is no longer required.

3. USE AND DISCLOSURE OF PERSONAL INFORMATION

3.1 Purposes of collection

(a) PRD Pty Ltd may, as permitted by law, use or disclose Personal Information held about an individual as permitted by law and for the business purposes for which it is collected (e.g. provision of our services, including administration of our services, notifications about changes to our services, record-keeping following termination of our services and technical maintenance), that is, to carry on our business activities and provide services to our customers.

(b) We may also use such information about individuals for a purpose related to the primary purpose of collection and where the individual would reasonably expect that we would use the information in such a way. This information is only disclosed to persons outside our business in the circumstances set out in this Policy or as otherwise notified at the time of collection of the information.

(i) processing an application or product order or service request (including verifying a person's identity for these purposes);

(ii) managing our products and services or other relationships and arrangements, including processing receipts, payments and invoices;

(iii) assessing and monitoring credit worthiness;

(iv) detecting and preventing fraud and other risks to us and our customers;

(v) responding to inquiries about applications, accounts or other products, services or arrangements;

(vi) understanding our customers' needs and developing and offering products and services to meet those needs;

(vii) researching and developing our products and services and maintaining and developing our systems and infrastructure (including undertaking testing);

(viii) ensuring workplace health and safety and productivity of employees at our workplace premises;

(ix) dealing with complaints;

(x) meeting legal and regulatory requirements, for example various Australian laws may expressly require us to collect/and or disclose Personal Information about individuals, or we may need to do so in order to be able to comply with other obligations under those laws; and

(xi) enforcing our rights, including undertaking debt collection activities and legal proceedings.

3.2 Additional disclosure situations

In addition to the above, we are permitted to use or disclose Personal Information held about individuals:

(a) where the individual has consented to the use or disclosure;

(b) where we reasonably believe that the use or disclosure is necessary to lessen or prevent a serious, immediate threat to someone's health or safety or the public's health or safety;

(c) where we reasonably suspect that unlawful activity has been, is being, or may be engaged in, and the use or disclosure is a necessary part of our investigation or in reporting the matter to the relevant authorities;

(d) where such use or disclosure is required under or authorised by law (for example, to comply with a subpoena, a warrant or other order of a court or legal process);

(e) where we reasonably believe that the use or disclosure is necessary for prevention, investigation, prosecution and punishment of crimes or wrongdoings, or the preparation for, and conduct of, proceedings before any court or tribunal or the implementation of the orders of a court or tribunal by or on behalf of an enforcement body; and

(f) where a customer (being the individual or related to the individual) has requested a service to be provided by us and we are required to disclose the information to a third party in order to facilitate the provision of the service. In most, if not all cases, any such disclosure will be with the consent of the individual.

3.3 Third parties to whom information may be disclosed

Third parties to whom we may disclose Personal Information about individuals in accordance with our business purposes set out above may include:

(a) our legal advisors;

(b) our financial and accounting advisors;

(d) regulatory bodies in Australia;

(e) participants in financial and payment systems, such as banks, credit providers, and credit card associations;

(f) guarantors and security providers associated with individuals;

(g) debt collectors;

(h) cloud information storage providers; and

(i) other trade suppliers.

3.4 Use of Personal Information by third parties

PRD Pty Ltd, subject to having complied with its obligations under this Policy, makes no warranty in relation to, and will not be liable for, any misuse or loss of Personal Information by third parties to whom we are authorised to provide Personal Information under this Policy.

4. USE OF AUTOMATED DECISION MAKING TOOLS (ADM)

4.1 We do not use ADM

PRD Pty Ltd does not presently use computer programs to make decisions using Personal Information of individuals that could reasonably be expected to significantly affect the rights or interests of individuals.

5. DIRECT MARKETING

5.1 We may carry out direct marketing

As part of PRD Pty Ltd’s functions and business activities and to promote the services we can provide to our customers, we may be permitted to use Personal Information about individuals that individuals have provided to us for the purposes of direct marketing. Direct marketing includes, but is not limited to, sending information to and/or contacting individuals in relation to promotions relating to us.

5.2 Opting out of direct marketing

(a) All recipients, including individuals, can opt out of receiving direct marketing communications by sending an email to our National Privacy Officer, at the email address shown in the ‘Contacting us’ section of this Policy.

(b) In any direct marketing communication we remind recipients of their right to opt out of receiving direct marketing communications.

5.3 Third party marketing

PRD Pty Ltd does not engage in the practice of selling client information for marketing purposes, but does not warrant that third parties who receive Personal Information of its clients will not undertake marketing activities with that information. If you experience harassment or spamming from a third party that we have engaged with, please let us know, and we will endeavour to take such action as is reasonably possible for us to take.

6. ANONYMITY AND PSEUDONYMITY

Individuals would generally have the option of dealing with us anonymously. However, this only applies where it is not impracticable for us to deal with individuals acting anonymously or under a pseudonym. For example, individuals making general enquiries of PRD Pty Ltd may do so anonymously or under a pseudonym. However, if the dealing with us is for us to supply goods and services and/or to enter into contractual relations (such as a commercial credit account) with a customer that is the individual or is associated with the individual, then it is impractical for such individuals to deal with us on an anonymous basis or under a pseudonym.

7. WEBSITE AND LINKS

7.1 Our websites

PRD Pty Ltd advertises and carries on business through its website that may be reached at www.prd.com.au.

7.2 Website terms and conditions

(a) Our website collects Personal Information pursuant to this Policy except as otherwise stated on the website.

(b) The website may display additional terms and conditions for access and use of the website which apply in addition to this Policy.

7.3 Cookies

(a) PRD Pty Ltd collects information from its website and any software applications using IP files or “cookies”.

(b) Cookies are small text files sent by us to your computer or mobile device, which enable features, functionalities and allow the websites or applications, among other things, store and retrieve information about the number of visits, browsing habits of the user or your device and, depending on the information they contain and the way you use your device, can be used to recognize the user.

(c) Some cookies are associated with your account and personal data to remember that you are logged in and which workspaces you are logged into. Other cookies are not tied to your account but are unique and allow us to carry out analytics and customization, among other similar things.

(d) PRD Pty Ltd will generally use cookies for the following purposes:

(i) Authentication of your account or browser for safer or faster access or retrieval of your personal information and preferences;

(ii) Security and functionalities including support security features and detect malicious activity;

(iii) Personalisation, preferences, features and services including denoting the language that your prefer, help complete forms more easily and provide customised content; and

(iv) Marketing performance, analytics, and market research to helps us understand and improve our products and services and customise them to our customers.

(e) PRD Pty Ltd may also use social cookies and pixels to enable you to share our content with your friends and networks and to create links between your visit to our website and a third party which may subsequently be used for analytical and advertising purposes.

(f) Not all cookies will come from our websites and can come from external sources, including by partners services such as Google, Meta etc. to follow your activity across our and various other websites and applications.

(g) Cookies may remain active for various durations ranging from:

(i) session cookies - active during the session only and expire when you close your browser; and

(ii) persistent cookies – cookies that remain on your hard drive until you erase your hard drive or your browser does, depending on the cookie’s expiration date.

(h) We will typically ensure our cookies have an expiry date of 12 months and not longer, but please be aware that we may need to retain data from certain cookies for any possible legal claims up to the claim limitation period. Furthermore, when a cookie has expired, we may renew it if you agree to its use once more.

(i) Depending on your consent to the use of certain cookies, the data gathered via cookies may be shared with selected partners and service providers who assist us with various functions, such as website analytics, advertising, and improving user experience. Refer to clause 9 of this Policy concerning transfer of data overseas.

(j) You can stop your browser receiving or accepting cookies at any time, this is typically done by either:

(i) Managing cookie preferences – via the cookie banner or through the settings panel of our website or your browser; or

(ii) Disabling cookies – via your browser. Please refer to your specific browser’s instructions.

However, please note that the use of cookies is in some cases necessary for certain functions on our websites to work properly, and therefore we cannot assure you that you will be able to access and enjoy all functions of our website without the use of cookies.

7.4 Third party links

Our website may contain links to other websites and those third party websites may collect Personal Information about individuals. We are not responsible for the privacy practices of other businesses or the content of websites that are linked to our website. We encourage users to be aware when they leave our website and to read the privacy statements of each and every website they frequent.

8. SECURITY AND STORAGE OF INFORMATION

8.1 Our commitment

PRD Pty Ltd places a great importance on the security of all information associated with our clients and others who deal with us. We have security measures in place to reasonably protect against the loss, misuse, unauthorised access and alteration of Personal Information and other data under our control.

8.2 Security and storage methods

(a) All Personal Information and other data held is kept securely and that which is held electronically is held on secure servers in controlled facilities.

(b) Information stored within our computer systems or by our agents who provide electronic storage facilities can only be accessed by those entrusted with authority and computer network password sanctions.

(c) We consult with IT service providers to implement reasonable levels of firewall, malware detection and data security procedures.

8.3 Electronic transmissions

No data transmission over the internet can be guaranteed to be absolutely secure. As a result, whilst we strive to protect users' Personal Information, we cannot ensure or warrant the security of any information transmitted to it or from its online products or services, and users do so at their own risk. Once we receive a transmission, we make every effort to ensure the security of such transmission on our systems.

8.4 Banking information and payment requests

(a) We will never email you or telephone you requesting your credit card or bank account details except in connection with a purchase that you are making by email or telephone.

(b) In all cases, if you receive a communication purported to be from us requesting payment or banking information, we recommend that you separately contact us via our publicly available telephone contact details to verify the authenticity of the request.

8.5 Data security and data breach

PRD Pty Ltd has developed a data security policy and data breach response plan which ensures compliance with the mandatory notification requirements of Part IIIC of the Act. Each Local Office and the Head Office follow this policy concerning monitoring, identifying, notifying and otherwise addressing possible data breaches within the Network. This policy is not a public policy and is available upon request if authorised to be disclosed by the National Privacy Officer.

9. TRANSFER OF INFORMATION OVERSEA

9.1 Use of cloud services

PRD Pty Ltd may utilise local and overseas cloud services for the purpose of storing information. Your Credit Information may be disclosed to our cloud service provider for that purpose. While our cloud service providers are located in Australia, the country location of our cloud service providers may periodically change.

9.2 Data transfer to overseas recipients

(a) Some of the third parties to whom we may disclose your Personal Information as outlined in section 3.3 of this Policy may be located overseas. In addition, we may co-operate with overseas entities in the delivery of goods and services for our clients.

(b) Subject to paragraph (d) below, we take reasonable steps to ensure that overseas recipients of your Personal Information do not breach the Australian Privacy Principles. This is usually done by PRD Pty Ltd requiring that our overseas recipients comply with the Act and this Policy.

(c) In some cases, we will disclose Personal Information to overseas recipients that we reasonably believe, or which are determined by Government declaration, to be situated in a country or subject to a binding scheme (“Whitelisted Countries and Schemes”):

(i) having the effect of protecting Personal Information about individuals in a way that, overall, is at least substantially similar to the way the Australian Privacy Principles protect the information; and

(ii) having mechanism that the individual can access to take action to enforce protection.

You agree that we may disclose your Personal Information to entities in Whitelisted Countries and Schemes subject to any pre-requisites set by legislation, and in such case we will not be obliged to take reasonable steps to ensure that these overseas recipients comply with the Act and the Australian Privacy Principles.

(d) In any case, by agreeing to this Policy, you agree to the disclosure of your Personal Information to entities outside of Australia including those listed above and that, subject to our compliance with our obligations under the Act, we will not be liable to you for any breach of the Act, including any misuse or loss of your Personal Information by these overseas recipients.

10. SENSITIVE INFORMATION

10.1 What is Sensitive Information

The Act considers Sensitive Information any Personal Information that relates to or includes racial or ethnic origin, political opinions, membership of a political association, religious beliefs, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practice, criminal record, health or genetic information, biometric information used for biometric verification or identification (“Sensitive Information”).

10.2 Collection and disclosure of Sensitive Information

(a) We do not usually collect Sensitive Information.

(b) If we need to collect Sensitive Information, we will inform you and request your consent by:

(i) requesting the information from you in a written form or written request; or

(ii) informing you and requesting your consent to obtain Sensitive Information regarding you from another party.

(d) We will not:

(i) collect Sensitive Information except when reasonably necessary for one or more of our functions and activities;

(ii) use or disclose the Sensitive Information for secondary purposes to the primary purpose of collection unless the secondary purpose is directly related to the primary purpose of collection and within a reasonable expectation of use; or

(iii) use or disclose the Sensitive Information for direct marketing purposes unless you have consented to the use for this purpose.

11. CREDIT INFORMATION AND CREDIT REPORTING

11.1 Application

(a) This section 11 of this Policy outlines additional information for the purposes of Part IIIA of the Act and the Credit Reporting Code (“Code”).

(b) Personal Information relating to individuals which PRD Pty Ltd may collect may include credit information and credit eligibility information about individuals as defined by the Act (“Credit Information”). This information may be collected, held and used by PRD Pty Ltd in its activities as a credit provider and also in its activities as an agent for other credit providers.

(c) In this additional section we explain how and why we collect Credit Information about individuals, how we use such information within PRD Pty Ltd, and what controls individuals have over our collection and use of information about them.

(d) This additional section is relevant to individuals who are current and former credit customers, as well as other individuals that PRD Pty Ltd deals with in connection with credit we provide to our credit customers (for instance, such individuals may be guarantors or directors of corporate customers) or information we collect on behalf of other credit providers in PRD Pty Ltd’s capacity as an agent for such credit providers.

11.2 Type of information collected

PRD Pty Ltd collects, holds and uses various types of credit-related information about individuals, which information includes:

(a) identification information such as current and prior names and addresses, age, contact details and driver's licence number;

(b) applications for credit (including the name of each relevant credit provider), the type and amount of that credit and the fact PRD Pty Ltd has accessed Credit Information to assess a relevant application for its business services or processing a credit application as an agent for another credit provider;

(c) PRD Pty Ltd and other credit providers are or have been a provider of credit to an individual (or an entity associated with an individual) and the type, characteristics and maximum amount of credit that have been provided or will be provided;

(d) the date that any credit contract between PRD Pty Ltd or other credit providers and an individual was entered into and the date that it comes to an end;

(e) payments owed to PRD Pty Ltd or another credit provider, in connection with credit provided to an individual (or an entity associated with an individual) or in relation to which an individual is a guarantor (and, if there is subsequently paid any such overdue payment, the fact of that payment);

(f) whether in the opinion of PRD Pty Ltd or another credit provider an individual has committed a serious credit infringement;

(g) whether an individual has entered into arrangements with PRD Pty Ltd or other credit providers in connection with credit provided to the individual (or an entity associated with the individual);

(h) court proceedings information, personal insolvency information and credit-related publicly available information;

(i) scores, ratings, summaries, evaluations and other information relating to an individual’s credit worthiness which is derived by PRD Pty Ltd or its agents wholly or by Credit Reporting Bodies (“CRBs”) partly on the basis of the information above; and

(j) certain administrative information relating to credit, such as account and customer numbers.

While the Act uses a variety of terms to refer to such information as referred to above, for ease of understanding and reading this policy, such information is referred to hereinafter as "Credit Information".

11.3 Manner of collection

(a) Credit information may be collected by PRD Pty Ltd in a number of ways including:

(i) being provided by an individual directly to PRD Pty Ltd or by persons acting on behalf of the individual (such as on applications or other forms and via our PRD Pty Ltd Service);

(ii) being provided by CRBs and/or other credit providers and/or trade suppliers with the consent of the individual;

(iii) being information provided by the individual on an application for credit with another credit provider, in circumstances where PRD Pty Ltd acts as that credit provider’s agent;

(iv) being information that is in the public domain; and

(v) being information that is derived by PRD Pty Ltd from an individual’s usage and (where applicable) trade on and transactional history on any account (of the individual or of an entity associated with the individual) held within PRD Pty Ltd.

(b) At or before the time any Credit Information is collected by PRD Pty Ltd about an individual, we will take reasonable steps to ensure that the individual is made aware of who we are, the fact that the individual is able to gain access to the information held about the individual, the purpose of the collection, the type(s) of entities to which we usually disclose such information collected about the individuals, any laws requiring the collection of the information and the main consequences for the individual if all or part of the information is not collected.

11.4 How information may be held

PRD Pty Ltd may hold Credit Information and store it in the same manner as other information under this Policy.

11.5 Use and Disclosure of Credit Information

PRD Pty Ltd may, as permitted by law, collect, hold, use or disclose Credit Information held about an individual for the purposes for which such information is collected. These purposes include:

(a) to form decisions as to whether to provide an individual, or an entity associated with an individual, with credit or to accept an individual as a guarantor;

(b) to make assessments relating to an individual’s credit worthiness which are used by PRD Pty Ltd ongoing decision-making processes regarding provision of credit and the amount of such credit;

(c) to assist an individual or entity associated with the individual in completing a credit application with other credit providers, in circumstances where PRD Pty Ltd acts as the credit provider’s agent;

(d) to participate in the exchange of Credit Information with other credit providers including obtaining from and providing information to CRBs and other credit providers and/or trade suppliers as permitted by Part IIIA of the Act and the CR Code;

(e) to assist an individual or entity associated with the individual to avoid defaulting on credit-related obligations to PRD Pty Ltd or other credit providers;

(f) to undertake debt recovery and enforcement activities, including in relation to guarantors, and to deal with serious credit infringements;

(g) to deal with complaints and meet legal and regulatory requirements; and

(h) to assist other credit providers to do the same.

11.6 Other permitted disclosure

(a) Some Credit Information may only be used or disclosed under the Act for some of the above purposes or in some particular circumstances.

(b) Generally, PRD Pty Ltd will be permitted to use or disclose Credit Information held about an individual where the individual has consented to the use or disclosure.

(c) PRD Pty Ltd may disclose Credit Information to a CRB and/or other credit providers about an individual for such purposes as set out above and as permitted by the Act. For example, PRD Pty Ltd may be permitted to disclose Credit Information to a CRB in such circumstances as where the individual has consented to the disclosure or where the individual has failed to meet payment obligations in relation to credit provided by PRD Pty Ltd or if the individual has committed a serious credit infringement. Similarly, PRD Pty Ltd will generally be permitted to disclose Credit Information to another credit provider about an individual where the individual has consented to such disclosure.

11.7 Credit Reporting Bodies

(a) Part IIIA of the Act outlines:

(i) the types of Personal Information that credit providers can disclose to a credit reporting body (CRB), for the purpose of that information being included in an individual’s credit report;

(ii) what entities can handle that information, and

(iii) the purposes for which that information may be handled.

(b) CRBs may include Credit Information provided by PRD Pty Ltd in reports provided to other credit providers to assist such other credit providers to assess the individual’s credit worthiness.

(c) Presently PRD Pty Ltd does not share Credit Information with any CRB. PRD Pty Ltd may, in the future, disclose Credit Information to a CRB, but prior to disclosing any Credit Information about individuals to any other CRB, PRD Pty Ltd will amend its Credit Reporting Privacy Policy to set out the name and contact details of any such other CRB and will post a notification of the change to the Credit Reporting Privacy Policy on PRD Pty Ltd’s website.

(d) It is important to note that individuals have certain rights in respect of CRBs and the information a CRB holds about the individual and those rights include:

(i) Opting out of direct marketing pre-screenings – A CRB may use an individual’s Credit Information to assist a credit provider to market to that individual by pre-screening the individual for direct marketing by the credit provider. This process is known as a "pre-screening". If an individual does not want a CRB to use that individual’s information for the purpose of pre-screening, the individual has the right under the Act to contact the CRB to request that they exclude the individual from such processes.

(ii) If an individual is a victim of fraud (including identity-related fraud) – An individual is entitled under the Act to request that a CRB not use or disclose credit reporting information they hold about the individual in circumstances where the individual reasonably believes that they have been or are likely to be a victim of fraud, including identity-related fraud. The period while this applies is called a "ban period". An individual can make such a request to any CRB, including those listed above.

12. ACCESS TO AND CORRECTION OF PERSONAL INFORMATION

12.1 Our commitment

PRD Pty Ltd is committed to and takes all reasonable steps in respect of maintaining accurate, timely, relevant, complete and appropriate information about our customers, clients and website users.

12.2 Appointment of Privacy Officers

(a) Each Local Office has appointed a person to act as local privacy officer for the Local Office.

(b) The Head Office has appointed the National Privacy Officer to act as privacy officer for the Network.

12.3 Access to information

(a) Any individual may request access to Personal Information about them held by PRD Pty Ltd. Such a request may be made to the relevant Local Office via the local privacy officer or to our National Privacy Officer, at the contact details set out in the ‘Contacting us’ section of this Policy.

(b) We will respond to any requests for access or correction within a reasonable time of receipt of the request, but by no later than 30 days of the request being received.

(c) Please note that we do require that, as part of any request by an individual for access to Personal Information, the individual verify their identity so that we may be satisfied that the request for access is being made by the individual concerned.

(d) Please note that we are not required to give an individual access to Personal Information in circumstances where:

(i) we reasonably believe that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or

(ii) giving access would have an unreasonable impact on the privacy of other individuals; or

(iii) the request for access is frivolous or vexatious; or

(iv) the information relates to existing or anticipated legal proceedings between us and the individual, and would not be accessible by the process of discovery in those proceedings; or

(v) giving access would reveal the intentions of PRD Pty Ltd in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(vi) giving access would be unlawful; or

(vii) denying access is required or authorised by or under an Australian law or a court/tribunal order; or

(viii) both of the following apply:

(A) we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being or may be engaged in;

(B) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or

(ix) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

(x) giving access would reveal evaluative information generated within PRD Pty Ltd in connection with a commercially sensitive decision-making process.

(e) If we refuse to provide an individual with access to their Personal Information or to correct the Personal Information held by us about them, then we will provide reasons for such refusal. Such reasons will set out the grounds for refusal, the mechanisms available to complain about the refusal and any other matters that are required by the Act.

12.4 Correction of Information

(a) Inaccurate information will be corrected upon receiving advice to this effect. To ensure confidentiality, details of an individual’s Personal Information will only be passed on to the individual if we are satisfied that the information relates to the individual.

(b) From time to time, and having regard to the purpose of the collection and use of Personal Information about individuals, we may contact individuals to seek confirmation that the Personal Information provided to us by the individual is accurate, up-to-date and complete.

13. COMPLAINTS

13.1 Making a complaint

If an individual has a complaint about this Policy or our collection, use or safe disposal or destruction of Personal Information about the individual, any such complaint may be directed in the relevant Local Office or may be directed directly to our National Privacy Officer at the contact details set out in the ‘Contacting us’ section of this Policy.

13.2 Investigation and Resolution Procedure

(a) PRD Pty Ltd has a Complaints Handling Policy which may be viewed at www.prd.com.au which outlines the way in which we manage complaints that we receive.

(b) Generally:

(i) we will acknowledge receipt of a complaint within 3 working days;

(ii) we aim to resolve complaints within 30 days;

(iii) there is a specified method of escalation of complaints from Local Offices to Head Office where appropriate; and

(iv) if a complainant is not satisfied with the outcome of our internal complaints procedure in respect of our privacy practices, then the complainant may refer their complaint to the Office of the Australian Information Commissioner (“OAIC”). The website for the OAIC is: www.oaic.gov.au.

14. CHANGES TO POLICY

If we decide to, or are required to change this Policy, we will notify you of any such amendments on our website and post changes on our Privacy Policy webpage so that users may always be aware of what information is collected by us, how it is used, and the way in which information may be disclosed. As a result, please refer back to this Policy regularly to review any amendments.

15. CONTACTING US

15.1 Contacting us – Local Offices

For concerns, complaints or further information regarding your information collected by a Local Office or use of your information by a Local Office, you may wish to contact the Local Office directly via its publicly available details.

15.2 Contacting us – Head Office

For concerns, complaints or further information regarding this
Policy and our policies and procedures regarding privacy and data security as a Network, please contact us at the following address:

The National Privacy Officer – PRD Pty Ltd

Address for postage: GPO Box 2750, Brisbane QLD 4001

Telephone: +61 07 3229 3344

Email: admin@prd.com.au

15.3 Contacting the OAIC

If you are not satisfied with our response to your enquiry and for more information on privacy legislation, please visit the website of the Office of the Australian Information Commissioner at www.oaic.gov.au.

Complaints Handling Policy

1. INTRODUCTION

1.1 About this Policy

(a) This Complaints Handling Policy (“this Policy”) is the official complaints handling policy of PRD CORPORATE PTY LTD ACN 007 628 588 domiciled in Australia and having head office Level 30, Grosvenor Place, 225 George Street, Sydney NSW 2000 and any of its wholly owned subsidiaries and business divisions of the Australian franchise network known as PRD Pty Ltd (the “Network”)

(b) This Policy is also adopted by each local office and franchisee of the Network (“Local Offices”).

(d) In this Policy, a reference to “PRD Pty Ltd” or “we”, “us” or “our” includes any entity referenced in paragraphs (a) - (c) above except where expressly excluded.

1.2 Objectives and purposes of Complaints Handling Policy

(a) PRD Pty Ltd is committed to delivering high quality services and products to those who deal with it. We are committed to understanding and responding to the needs and concerns of our customers and clients.

(b) The aim of this Policy is to provide guidance as to the manner in which Local Offices and Head Office receive and handle complaints made to them in respect of their business activities and dealings with their staff, customers and other parties.

(c) The objective of this Policy is to assist us in dealing with and resolving complaints in an efficient, effective and professional manner.

1.3 Background

In creating this Policy, PRD Pty Ltd have sought to ensure that our complaint handling procedures across the Network accord with relevant legal requirements and best practice. In particular, this Policy has been created to satisfy the requirements of AS ISO 10002-2022 – Guidelines for complaint management in organisations.

1.4 What is a Complaint?

(a) AS ISO 10002-2022, defines a complaint as follows:

“An expression of dissatisfaction made to or about an organisation, related to its products, services, staff or the handling of a complaint, where a response or resolution is explicitly or implicitly expected or legally required.”

(b) We adopt that definition of “complaint” for the purposes of this Policy.

(c) Any person or entity who is dissatisfied with a product or service provided by us for any reason, may contact us to complain. A complaint may be made in writing or verbally.

(d) Certain types of “complaints” may be by way of negative feedback, which may not require a resolution or any response. Whilst we acknowledge this type of feedback can be useful and valuable, this Policy does not apply to such feedback as such feedback does not fall under the definition of a complaint as set out above.

2. GUIDING PRINCIPLES FOR EFFECTIVE HANDLING OF COMPLAINTS

PRD Pty Ltd abides by the guiding principles as set out in section 5 of AS ISO 10002-2022 for effective handling of complaints.

The guiding principles set out in section 5 of AS ISO 10002-2022 are as follows:

3. COMPLAINTS HANDLING

3.1 How may a complaint be made

(a) Where possible, complaints should be made in writing so that the details of the complaint are clear and complete and so that we may more effectively deal with the complaint.

(b) A complaint may be directed to a Local Office via the Local Office’s general email which will appear as the words ‘admin’ followed by the domain pertaining to the PRD Pty Ltd office. For example admin@prd.com.au

(c) Local Offices are required to appoint a Local Complaints Officer being a designated person within the Local Office to consider and review complaints.

(d) A person may otherwise direct a complaint directly to the National Complaints Officer:

The National Complaints Officer – PRD Pty Ltd

Address for postage: GPO Box 2750, Brisbane QLD 4001

Telephone: +61 07 3229 3344

Email: admin@prd.com.au

(e) Complaints relating to privacy of information or data breaches may be directed to the National Privacy Officer at:

The National Privacy Officer – PRD Pty Ltd

Address for postage: GPO Box 2750, Brisbane QLD 4001

Telephone: +61 07 3229 3344

Email: admin@prd.com.au

3.2 Information to be provided when making a complaint

When making a complaint, please provide the following information:

(a) your name, the organisation you are from (if applicable), your position and contact details;

(b) your relationship with us;

(c) the name of any contact person within PRD Pty Ltd you dealt with and which Local Office they were located (if applicable);

(d) details of the complaint (including when the conduct giving rise to the complaint occurred);

(e) details of any persons or persons of the company or local office within PRD Pty Ltd involved (if applicable); and

(f) copies of any documentation that supports the complaint.

3.3 Help with making a complaint

If you require any assistance in formulating or lodging a complaint, please contact the National Complaints Officer at the contact details set out above.

3.4 Resolution time frames

(a) We will acknowledge receipt of a complaint within three (3) working days of receipt.

(b) We will endeavor to respond in full to the complaint within thirty (30) days of receiving the complaint. However, this may not be possible in all instances. Where time to deal with a complaint will exceed thirty (30) days, we will contact the complainant to inform of the reasons for the delay and indicate when we expect to be in a position to complete our review of the complaint.

(c) Generally, the more information a complainant provides in a complaint, the less time will likely be required for us to review and respond to the complaint.

(d) We appreciate that our response to a complaint may not resolve the complaint for the complainant, and that resolution may take longer. We will work with the complainant to progress the complaint in an efficient and time effective manner.

3.5 Review and Escalation Procedures

We will follow the following procedure for review and escalation of complaints:

(a) For complaints made to a Local Office:

(i) If the complaint relates to a local issue, or local matter that can reasonably be addressed at local level:

(A) The complaint will be acknowledged, assessed and responded to by the Local Complaints Officer appointed by the Local Office.

(B) Unless the Local Complaints Officer is the nominated managing principal of the Local Office, if the complaint is not resolved to the satisfaction of the complainant within the 30 day time frame or if the complainant requests, the complaint will be referred to the Local Office managing principal.

(C) If following referral to the Local Office managing principal, the complaint is still not resolved within 30 days of referral or if the complainant requests, the complaint will be referred to the National Complaints Officer.

(ii) If the complaint relates to a Network wide issue that cannot appropriately be dealt with locally, the complaint must be acknowledged and then immediately referred to for assessment and response by the National Complaints Officer.

(iii) If the complaint relates to a serious breach of privacy (including any data breach that may be a notifiable data breach pursuant to PRD Pty Ltd’s Data Security and Data Breach Response Policy), or if the complainant requests this, the complaint must be acknowledged and then immediately referred to for assessment and response by the National Privacy Officer.

(b) For complaints made or referred to the National Complaints Officer:

(i) The National Complaints Officer will review, assess and respond to the complaint.

(ii) Unless the National Complaints Officer is also the Managing Director of PRD Pty Ltd, if the complaint is not resolved to the satisfaction of the complainant within the 30 day time frame, the complaint will be referred to the Managing Director.

(iii) If following referral to the Managing Director, the complaint is still not resolved within 30 days of referral, the complaint will be referred to the full Board of Directors of PRD Pty Ltd.

(i) The National Privacy Officer will review, assess and respond to the complaint.

(ii) Unless the National Privacy Officer is also the Managing Director of Head Office, if the complaint is not resolved to the satisfaction of the complainant within the 30 day time frame or if the complainant requests, the complaint will be referred to the Managing Director.

(iii) If following referral to the Managing Director, the complaint is still not resolved within 30 days of referral, the complaint will be referred to the full Board of Directors of Head Office.

3.6 Your rights in the complaints process

Complainants have the right to enquire as to the status of their complaint by contacting the staff member or representative of PRD Pty Ltd who has been identified to the complainant as handling the complaint, or if response is not adequate, the National Complaints Officer.

3.7 Method of assessment and response

(a) When assessing a complaint, we will give consideration to all relevant matters including considering its severity, likely impact on the complainant, and if any legal requirements apply, for example:

(i) complaints of a workplace health and safety nature necessitate consideration of our obligations for workplace health and safety; and

(ii) complaints that may be subject to insurance coverage necessitate consideration of the insurer’s requirements.

(b) Once we have completed our assessment of the complaint, we will provide the complainant with a written response.

(d) Our initial written response may state that we have elected to open a formal investigation into the subject matter of the complaint, or that the complaint relates to a matter which is already under formal investigation, in which case a formal response will be provided on conclusion of the investigation.

3.8 Internal review

(a) If the complainant is dissatisfied with our response, the complainant has a right to ask for the response to be re-considered by escalation in accordance with the procedures outlined in clause 3.5.

(b) Such a request should be made in writing to the person presently handling the complaint, with copy, where referral is requested to the National Complaints Officer or the National Privacy Officer, to that person via the contact details in clause 3.1 of this Policy.

3.9 External review

(a) If a complainant remains dissatisfied with the manner in which the complaint has been handled following internal review and escalation, the complainant may have a right to refer the complaint to some other external resolution body.

(b) Complaints relating to privacy of information may be referred to the Office of the Australian Information Commissioner at www.oiac.gov.au.

4. QUALITY ASSURANCE

4.1 Periodic investigation

Complaints referred to the National Complaints Officer and National Privacy Officer will be audited and analyzed at regular intervals to identify any recurring or systemic problems. If any such problems are identified, we will consider what actions we need to take to address any such problems and improve our internal systems.

4.2 Review of procedures

Our complaints handling process will be reviewed periodically in order to enhance our delivery of efficient and effective outcomes in respect of complaints received.

4.3 Training

We carry out complaints handling training at all levels of the Network to ensure complaints are addressed in conformity with this Policy.

5. TREATMENT OF COMPLAINT INFORMATION

5.1 Records of complaints

We will create a record of complaints we receive, this record may include information such as:

(a) the complainant’s contact information;

(b) the original complaint received and any associated information, including the issues raised by the complainant and the outcome sought;

(c) any other information obtained or support requirements utilized to properly assess and respond to the matter including expert reports and third party evidence obtained; and

(d) our response and other information concerning the outcome of the complaint, including its accepted resolution (if resolved), any grounds for dismissal of the complaint (if dismissed) or any referral to an external dispute resolution system (if applicable).

5.2 Confidentiality and privacy of complaint information

(a) Generally speaking, we will (1) collect (2) hold (3) disclose and (4) de-identify or destroy all information concerning a complaint including records of complaints in accordance with our Privacy Policy available at: www.prd.com.au

(b) Some complaints may necessitate a higher degree of confidentiality than that set out in our Privacy Policy, in which case we will apply our judgement as to the additional privacy measures, including internal communication barriers, that should be applied consistent with (1) any fiduciary duties we may have (2) any additional lawful requirements applicable to the complaint and (3) good practice. We will also have regard to any confidentiality request made by the complainant.

6 BREACHES OF PRIVACY

6.1 Privacy Policy

If the nature of your complaint relates to the privacy of your information with PRD Pty Ltd we invite you to view our Privacy Policy which contains additional provisions regarding how we maintain privacy of data within our Network and how you may have access to or correct information we have collected concerning you. Our Privacy Policy is available at: www.prd.com.au

6.2 Data Breach Response Plan

If we become aware that we have suffered unauthorized access, misuse or misplacement of our client’s information, rest assured that we have a data breach response plan in place to address data breaches that includes compliance with the steps necessary under the Privacy Act 1988 (Cth). Concerns and enquiries regarding possible data breaches may be directed to the National Privacy Officer directly, as outlined in clause 0.

7. INTERNAL COMPLAINTS AND WHISTLEBLOWER POLICY

7.1 Internal complaints to be addressed under HR policy

This Policy relates to complaints concerning PRD Pty Ltd’s products and services and its engagements with third parties. Complaints concerning human resources matters or internal Local Office matters should addressed consistent with our HR policy available to staff internally.

7.2 Whistleblowers

(a) Persons making a complaint in the nature of a whistleblower complaint by an ‘eligible whistleblower’ as defined in the Corporations Act 2001 (Cth) have additional protections under that Act.

(b) Generally, an eligible whistleblower is a person who is a current or former employee, person who has supplied goods and services or other associate of PRD Pty Ltd or a spouse, relative or dependent of such person. Eligible whistleblowers do not generally include competitors, customers and clients.

(c) A whistleblower complaint relates to misconduct or an improper state of affairs or circumstances including an allegation of breach of (1) the Corporations Act (2) financial sector laws enforced by ASIC or APRA (3) an offence against another Commonwealth law that is punishable by imprisonment for a period of 12 months; or (4) represents a danger to the public or the financial system.

(d) PRD Pty Ltd will observe the protections available to eligible whistleblowers under the Corporations Act, which include:

(i) keeping the complainant’s information and information leading to their identification confidential.

(ii) not taking administrative or disciplinary action against the complainant; and

(iii) not take any other action to cause the complainant detriment.

(e) More information concerning whistleblower action may be from time to time contained in our internal policies available to staff members.