Privacy Policy | Greenhouse

Who we are

Our website address is: https://rewards.vbp.au.

What personal data we collect and why we collect it

This policy sets out how Vital Business Partners ACN 165 837 623 (VBP, We, Us) collects, uses, discloses, retains and
manages your personal information and how we comply with our obligations under the Privacy Act 1988. Unless you
advise us otherwise, you acknowledge and consent to us using your personal information as set out in this Privacy
Policy or as otherwise permitted under the Privacy Act or other law.

1 What personal information do we collect?

(a) When we are contacted or we provide our services, the personal information we collect may include a person’s
name, contact numbers, email address, residential or business address, financial details, insurance details, credit
card details and other personal data. This may include sensitive information (as that term is used in the Privacy
Act).

(b) When our server is accessed, it automatically records information the browser sends when it connects to our
website. This information may include:

(i) the accessing party’s Internet Protocol (IP) address, domain name, browser type and language;

(ii) information about usage and online activities (for example, by way of cookies)
including when our website is accessed, other sites accessed from our website, content upload and download and usage
of the services available on our website; and

(iii) information provided through the use of any downloading facilities on our website
(c) Our website uses cookies. Cookies do not identify you personally, but they may link back to a database record
about you. With most Internet browsers you can erase or block cookies or receive a warning before a cookie is
stored. Refer to your Internet browser instructions for guidance on this.

2 How do we collect personal information?

(a) We collect personal information:

(i) from the individual;

(ii) from you, our clients when we provide services to them. This includes personal information about your customers
and clients (Your Clients);

(iii) via a file-sharing arrangement with a client and when a client provides access to their customer relationship
management (CRM) and software systems and third-party websites to enable us to provide the services;

(iv) when sent to us by email or other communication from third parties;

(v) from publicly available sources of information;

(vi) when we are required to do so by law; and

(vii) from our own records.

(b) We are committed to ensuring the information we have is accurate and up to date. We update personal information
when we are advised there has been a change and at other times as necessary.

3 Provision of personal information to us by you and Your Clients

If you provide us with the personal information of another person (including Your Clients):

(a) you must disclose to that person that you are providing personal information (including sensitive information) to
us and that the information may be disclosed offshore in accordance with clause 7, and

(b) you represent and we accept it on the basis that you represent that Client and authorised to do so and that the
relevant person has consented to the disclosure to us.

4 How we use your personal information

(a) Generally, we will collect, use and hold personal information to:

(i) provide our services, including services involving Your Clients;

(ii) facilitate our internal business operations, including the fulfilment of any legal requirements;

(iii) advise you of additional services or information which may be of interest;

(iv) provide your contact details to our partners who have agreed to provide you with any services;

(v) analyse our services and customer needs with a view to developing and improving existing and new products and
services;

(vi) maintain and update our business infrastructure and systems;

(vii) compile statistical data; and

(viii) promote and advertise our business, products and services.

(b) If we do not collect the personal information we will not be able to provide the services or provide any
assistance requested.

(c) If the personal information provided to us is incomplete or inaccurate, we may be unable to provide our services
or our services may be adversely affected.

5 Disclosing your information

We can disclose personal information we have about you to third parties in certain circumstances including:

(a) if you or Your Client agree to the disclosure;

(b) to employees, contractors and service providers, who assist us in operating our business and providing our
services and those service providers that you require us to work with;

(c) If you or Your Client would reasonably be expected to consent to information of that kind being passed to a third
party;

(d) using it for the purposes we collected for which it was (e.g. to provide our services correspond to a query);

(e) where disclosure is required or permitted by law;

(f) to our related entities;

(g) if disclosure will prevent or lessen a serious and imminent threat to someone’s life or health; or

(h) where it is reasonably necessary for the enforcement of the criminal law, a law imposing a pecuniary penalty or
for the protection of public revenue.

6 Disclosing your information

(a) We provide services to you and Your Clients under our Client Services Agreement. These services are performed by
our related party company incorporated in the Philippines, VBP Back Office Solutions Inc.

(b) The services include:

(i) general administration support;

(ii) updating client databases and client records;

(iii) researching clients’ existing financial products;

(iv) data entry and typing file notes;

(v) preparation of insurance quotes;

(vi) preparation application and lodgement of insurance, superannuation, investment and other product applications;

(vii) following up and organising where applicable medical reports, medical tests and financial reports to provide to
underwriters for new insurance applications; and

(viii) preparation of client review documents, fee disclosure statement disclosure documents.

(c) To provide our services we, including VBP Back Office Solutions Inc., receive personal information from you about
Your Clients. This may include sensitive information.

(d) We have security processes in place for the protection of that personal information, including supervising,
specialist security software, disabling flash drives, training, use of password protection, and investigation
software.

(f) VBP will do all things necessary to ensure that VBP Back Office Solutions Inc., as a recipient of personal
information, is subject to and complies with its obligations under the Privacy Act and Australian Privacy
Principles, which include in particular, Australian Privacy Principle 8 – cross-border disclosure of personal
information.

7 Considerations when you send information to us

(a) While we do all we can to protect your privacy and the privacy of Your Clients, including investing in specialist
security software, no data transfer over the Internet is 100% secure.

(b) If you or Your Clients provide personal information to us electronically, there are ways you and Your Clients can
help maintain the security of the information. These include:

(i) always close your browser when you have finished your user session;

(ii) do not provide personal information by using a public computer;

(iii) never disclosing your user name and password to another person; and

(iv) not sending information to a VBP employee’s email or other web-based mail account, or any other means of
transferring client information other than through file sharing applications (e.g. Dropbox) specifically provided
and approved by VBP.

(c) You are responsible for all actions taken using your username, email or password. If at any time you believe your
username or password has been compromised, change your password and contact us immediately.

(d) If we suspect that there is a data breach leading to the protection of personal information stored or held by us
being compromised, we will implement a data breach response plan, which will include:

(i) notifying you and Your Clients that may be affected by such a breach;

(ii) if necessary, notifying the relevant regulatory authorities of a suspected breach, which may include the Office
of the Australian Information
Commissioner (OAIC) and the Australian Federal Police; and

(iii) undertaking appropriate remedial action, depending on the type, amount and nature of the personal information
that is at risk. In the implementation and carrying out of the data breach response plan, we will refer to the
OAIC’s Data Breach Notification: A Guide to Handling Personal Information Security Breaches publication. Our Privacy
Officer will be primarily responsible for developing and implementing such
response plan and may require the assistance of VBP, its agents and external assistance in doing so, depending on
the nature, extent and impact of the suspected breach.

8 How your information is stored

(a) We take reasonable steps to securely store personal details and information. This includes electronic and
physical security measures.

(b) When the personal information that we collect is no longer required, we destroy or delete it in a secure manner.

9 How you can update, correct, or delete your personal information

(a) You and Your Clients have a right to request access to personal information which we hold about you and Your
Clients and to ask us to correct it if you believe it is inaccurate or out of date.

(b) You and Your Clients may request the source of any information we collect from a third party. We will provide
this at no cost unless, under the Privacy Act or other law, there is a reason for this information being withheld.

(c) You or Your Clients may request access to your personal information or correct any inaccurate or out-of-date
information by contacting our Privacy Officer at contactus@vbp.au.

(d) If there is a reason under the Privacy Act or other law for us not to provide you or Your Clients with
information, we will give you or Your Clients a written notice of refusal setting out:

(i) the reasons for the refusal except to the extent it would be unreasonable to do so; and

(ii) the mechanisms available to you to complain about the refusal.

(e) You or Your Clients should also contact us immediately if:

(i) someone has gained access to you or Your Client’s personal information;

(ii) we have breached our privacy obligations or your or Your Client’s privacy rights in any way; or

(iii) you or Your Clients would like to discuss any issues about our privacy policy.

10 Your authority and opting out

(a) By using our services and providing us with personal information, you consent to us maintaining, using and
disclosing your personal information in the way described in this Privacy Policy.

(b) We do not use the personal information of Your Clients for marketing purposes.

(c) If at any time you no longer wish to receive any additional marketing material from us or do not want your
information disclosed for direct marketing purposes, email contactus@vbp.au and we will remove your details from our
marketing database.

(d) If you close your account or opt-out, we will remove or de-identify personal information as soon as reasonably possible. We may, however, retain personal information for as long as is necessary to comply with any applicable law, for the prevention of fraud, for insurance and governance purposes, in our IT back-up, for the collection of any monies owed and to resolve disputes.

11 Limitation of liability

(a) To the extent permissible by law and subject to our obligations under the Privacy Act, we will not be liable to you or to any third party for any loss or damage (including but not limited to consequential loss or loss of profits) or claim arising from our collection, disclosure, management and use of personal information in accordance with this policy.

(b) Where liability is not able to be excluded by law, to the extent allowed by law and without limiting your rights under Australian Consumer Law, our liability to you in any circumstances will be limited to the re-performance of any services we have provided to you.

(c) Links on our website or websites we set up for you may take you outside our network. These links are provided in good faith. However, we are not responsible for third-party sites and accept no responsibility for the content, accuracy, security or function of third-party sites.

12 Changes to our Privacy Policy and Complaints Handling Procedure

(a) This document sets out our current Privacy Policy.

(b) Our Privacy Policy will be updated from time to time. You should review our Privacy Policy each time you visit our website or provide us with personal information.

(c) If you would like further information on our Privacy Policy, or if you have any concerns or complaints over the protection or the handling of the information you have given to us or that we have collected from others, or if you believe that we have not dealt with your personal information in accordance with an Australian Privacy Principle, please contact our Privacy Officer by email at contactus@vbp.au or by mail to our address at Level 10, 88 Philip Street, SYDNEY NSW 2000, Australia

(d) We endeavour to ensure that any complaints about privacy breaches will be dealt with quickly, seriously and confidentially. To help us investigate your complaint quickly and efficiently we will ask you or Your Client(s):

(i) put your complaint in writing; and

(ii) provide us with your name and contact details, the nature of the complaint, any information that may assist with the complaint, any copies of any
documentation which supports your complaint and the outcome(s) that you seek.

(e) Our Privacy Officer is able to:

(i) acknowledge receipt of and read your complaint;

(ii) investigate your complaint, having regard to the information you have provided us and any other information that may be available, that could
assist us in investigating your complaint, including requesting further information from you;

(iii) notify you of our findings and any actions we may have taken or propose to take in regard to your complaint;

(iv) if possible, discuss options to resolve the problem or dispute arising; and

(v) provide you with information on how to make a complaint to the OAIC if you are unhappy with the outcome of the investigation.

(f) More information about your rights and our obligations with respect to privacy and information on making a privacy complaint are available from the OAIC by:

(i) website – www.oaic.gov.au;

(ii) mail – GPO Box 5218 Sydney NSW 2001; or

(iii) email – enquiries@oaic.gov.au.

Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Additional information

How we protect your data
What data breach procedures we have in place
What third parties we receive data from
What automated decision making and/or profiling we do with user data
Industry regulatory disclosure requirements