PRIVACY & SAFETY

•

PERSONAL INFORMATION, SECURITY & ACCESS

1. About

TomKat Global Solutions Pty Ltd (ABN 95 630 878 045) and our Related Bodies Corporate (as defined in the Corporations Act 2001 (Cth)) (“TomKat”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal information.

This Privacy Policy explains how TomKat collects, stores, uses, discloses, and manages your personal information (as defined in paragraph 2) in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

If you are a resident of the European Economic Area or the United Kingdom, and we collect your personal data (as defined in paragraph 14), then we also comply with the General Data Protection Regulation (GDPR).

2. What is personal information?

Personal information means any information or an opinion about an identified individual, or an individual that is reasonably identifiable, whether or not the information or opinion is true or recorded in a material form.

3. What kinds of personal information do we collect?

We collect personal information that is reasonably necessary for our functions and services. This may include:

Directly Provided Data

Identity & Contact Data: Full name, email address, phone number, the company you work for, and your business or delivery address;
Transactional Data: Records of purchases, app usage, box scans, and interactions, transaction sales information such as credit or debit card details, billing address, billing contacts, and other details of services you receive from us; and
Photos or Documents: Images or media submitted via the app (e.g. package condition reports);
Communications Data: such as feedback, survey entries, chat, email or call history, and any information you provide to us in the course of your enquiry, or in your dealings with us; and

Automatically Collected Data

Technical Data: IP address, device information, browser type, website usage data;
Location Data: GPS coordinates (when enabled in the KoolPak app);
Usage Data: Logs of NFC scans, feature use, app diagnostics; and
Cookies & Analytics: Activity from web forms, embedded third-party tools (e.g. Google Analytics, Meta Pixel).

We do not collect sensitive information (such as health information, racial or ethnic origin or political opinions, membership of political organization, religious beliefs or affiliations, trade union membership details, or biometric information that is used for the purposes of automated biometric verification or biometric identification or biometric templates) unless required by law or with your explicit consent.

4. How do we collect your information?

a. Collection generally
We may collect these types of personal information either directly from you, automatically, or from third parties, when required to do so by law, or from our own records of your use of our services.
We collect your personal information directly from you when you:
• submit information via forms in the KoolPak mobile app or website;
• interact with our customer support or social media channels;
• send us correspondence by e-mail or in writing;
• deal with us over the telephone or in person;
• contact our customer support;
• place an order through our website or mobile app; or
• use features such as GPS, NFC scanning, or photo uploads in the app.
We may also collect your personal information from publicly available records or third-party services with your consent.

b. Cookies
We may use "cookies", traffic measurement software or similar technologies to collect data. Most cookies will only collect de-identified personal information. For example, if you click "Remember me" when you log in to our website, a cookie will store your session ID to maintain the session.
However, some cookies do collect personal information. Cookies or other similar technologies may collect the following information from users:
• your IP address;
• the operating system and Internet browser software you are currently using;
• browsing activity;
• search terms used;
• preferences;
• session details;
• the data you download and the time you download it; and
• device information.
If you do not want information to be collected through the use of cookies or traffic measurement software, your device and/or browser may enable you to delete or "turn off" cookies or some of the measurement software features. However, some or all parts of our platform may not function correctly if such features are disabled.
c. Unsolicited personal information
In the event we inadvertently collect personal information from you, or a third party, in circumstances where we have not requested or solicited that information (known as unsolicited information), and it is determined by TomKat (in its absolute discretion) that the personal information is not required, we will take reasonable steps to destroy the information or deidentify that information.

5. How do we use your personal information?

a. Generally

We use your personal information to operate our services, and to manage our relationship with you. Otherwise, we will only use your personal information for:

the purpose for which it was collected (as detailed in this policy or as explained to you when we collect your personal information); and
related purposes, where permitted by law.

At or around the time we collect personal information from you, we will endeavour to provide you with a notice which details how we will use and disclose that personal information.

We may use your personal information for the following purposes:

to supply our products and services to you, including but not limited to:
- Tracking and monitoring KoolPak box usage and sustainability impact;
- Documenting conditions of delivery to reduce food packaging waste
- Communicating with you and providing technical or service support
- Analysing and improving app functionality and logistics performance;
to send you operational updates, surveys, or promotional content (with opt-out option);
to comply with any legal obligations, law, regulation, court order or other legal process;
to conduct our business activities;
to respond to requests and enquiries;
to verify your identity;
to contact individuals, via email, regular mail, telephone or otherwise;
to investigate incidents (including potential incidents) which occur on or at our premises;
direct marketing and business development purposes;
to audit and monitor our services;
to undertake research and to develop and improve our products, services, security and content;
to protect our rights and property;
for security, risk management and occupational health and safety purposes; and
to investigate or report suspected unlawful activity.

If we collect your personal information for any other purpose, we will generally notify you of that purpose at the time we collect the information.

b. Anonymity and pseudonymity

Given the nature of our products and services, it is not practical for us to permit individuals to deal with us on an anonymous basis or through the use of a pseudonym. Generally, your personal information is required in order to provide you with our products and services or to resolve any issue you may have.

c. Government related identifiers

TomKat does not use any government related identifiers, such as passport number or driver's licence number, as its own identifier of any individual. TomKat will not use or disclose any government related identifiers other than in accordance with the Privacy Act.

d. Deidentified data

You consent to us using and disclosing your de-identified data (information that no longer identifies you) for any purpose including without limitation statistical analysis, product or service development, marketing and business planning or any other commercial purpose. We undertake reasonable technical measures to ensure so that this data cannot be re-identified.

e. Automated decision-making systems

We do not use your personal information for profiling or automated decision-making by a computer program or artificial intelligence.

6. Direct Marketing

a. Consent
We and our carefully selected business partners may send you direct marketing communications and information about our services. This may take the form of emails, SMS, mail or other forms of communication. You give your express and informed consent to us using your personal information in relation to direct marketing and sales as set out in this policy.
b. Opting out of direct marketing communications
To opt out of receiving direct marketing communications from us, or to request that we do not disclose any of your personal information for the purpose of facilitating direct marketing by other organisations, please notify our Privacy Officer in writing and we will take reasonable steps to remove you from our marketing database.

7. How do we disclose your personal information?

There will be situations where we need to share your personal information with third parties. We may disclose your personal information for the purposes described in this Privacy Policy to:

Internal teams and contractors, including our employees and related bodies corporate (e.g. for customer support, technical operations);
Service providers, including web hosting, cloud platforms, and analytics vendors, our suppliers and providers for our business or in connection with providing our products and services to you;
Professional advisers, dealers and agents;
Payment systems operators, including merchants for receiving card payments;
Our business partners, agents and collaborators;
Other persons, including government agencies, regulatory bodies and law enforcement agencies, where we think it is necessary to: comply with applicable laws or regulations; exercise, establish or defend our legal rights; or protect your interests or those of any other person. Where possible and appropriate, we will notify you of this type of disclosure.

We do not sell or rent personal data.

8. Overseas disclosure of personal information

Any personal information collected and held by us may be disclosed or transferred to, and held at, a destination outside of Australia. For example, we currently use third party service providers and infrastructure located in the United States of America, the European Union, the United Kingdom, Chile, Ireland, Israel, Japan, Netherlands, Singapore and Taiwan.

These countries may have privacy laws that are different to the laws that apply in your country of residence. When we transfer data to another country, we put safeguards in place to protect your personal information.

9. How we protect your personal information

We may hold your personal information in either electronic or hard copy form. We use a variety of physical and electronic security measures to keep your personal information secure from misuse, interference, loss or unauthorised use or disclosure. For example, we implement the following reasonable and robust safeguards to protect your personal information:

SSL encryption for data transmission;
Encrypted and secured storage platforms;
Role-based access control and staff training;
Regular security audits and vulnerability scans; and
Data minimisation and lifecycle controls.

All of our employees are also bound to keep your personal information secure and treat it as confidential. However, we cannot guarantee the security of your personal information.

10. Retention and destruction of personal information

We retain personal information only as long as necessary to:

fulfil our services; and
comply with our ongoing business needs and legal obligations.

When no longer needed, we will securely destroy or de-identify your personal information.

11. Your Rights to access and correct your personal information

You have the right to:

Correct inaccurate, incomplete, or outdated data;
Withdraw consent (e.g. for location tracking or marketing communications).

If you think that any personal information we hold about you is inaccurate, please contact us and we will take reasonable steps to ensure that it is corrected. This is especially important for information we need to communicate with you (e.g., a change in name, email address, or phone number).

Subject to certain exceptions permitted by law, you also have the right to:

Request a copy of your personal information we hold;
Request deletion or restriction of your personal information we hold;
Object to our continued processing of your personal information.

To exercise the rights described above, please contact us using the details in Section 15. We may need to verify your identity when you make any requests in relation to your personal information.

Sometimes, we may not be able to provide you with access to all of your personal information and, where this is the case, we will tell you why.

12. Complaints and dispute resolution

If you have concerns about our privacy practices:

Please contact us in writing (see Section 15) with a clear explanation of the issue.
We will investigate and respond within a reasonable timeframe.
If you are not satisfied, you may escalate the matter to the Office of the Australian Information Commissioner (OAIC) at:

Website: www.oaic.gov.au
Phone: 1300 363 992 (Australia)
Address: GPO Box 5218, Sydney NSW 2001
Email: enquiries@oaic.gov.au

13. Policy Changes

This Privacy Policy may be updated periodically. The current version will always be available at our official website KoolPak Box or in the KoolPak app. We encourage you to review this policy from time to time.

14. Additional information if you are in the EEA or UK

If you are a resident of the European Economic Area (EEA) or United Kingdom (UK) for the purposes of the GDPR, then this section applies to you in relation to the personal information we process under this policy.

For avoidance of doubt:

where this section 14 applies, any reference to personal information in this Privacy Policy is a reference to Personal Data; and
this section will not apply if you reside outside the EEA or UK (as applicable).

Definitions

In this section 14:

"GDPR" means:
- when used in the context of United Kingdom residents, means the UK General Data Protection Regulation as implemented by the Data Protection Act 2018 (UK); and
- when used in the context of European Union residents, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 for the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC; and
the terms "Controller", "Data Subject", "Personal Data", "Processing" and "Supervisory Authority" have the meaning given to those respective terms under the GDPR, and their corresponding terms will be construed accordingly.

Your rights as a Data Subject

As a Controller, we have implemented appropriate technical and organisational measures to ensure Processing is performed in accordance with the GDPR.

In addition to your rights of access and correction as set out above, as a Data Subject you:

Access: you may request access to any Personal Data we hold about you and information regarding our Processing of your Personal Data (including the purpose of processing, data retention period, and categories of data involved).
Rectification: you may ask us to correct or update any of the Personal Data we hold about you.
Erasure: You may request for the deletion of your Personal Data if we no longer require your data for the purpose for which it was collected, or if you withdraw your consent to Processing of your Personal Data and we have Processed your Personal Data without legitimate grounds.
Restriction: you may ask us to restrict the processing of your Personal Data, if:
- you are contesting the accuracy of the Personal Data and you enable the Controller to verify the accuracy of your data;
- the Processing of your Personal Data is unlawful and you oppose the erasure of your data, but request a restriction instead;
- the Controller no longer needs to process the Personal Data, but you require the Personal Data for legal proceedings; or
- you have objected to Processing pursuant to Article 21(1) of the GDPR;
Objection: you may object to our Processing of your Personal Data under certain conditions.
Data Portability: you may request for us to:
- provide you your Personal Data in a machine-readable format; or
- transfer any Personal Data we hold about you to you or a nominated third party.

How to exercise your Data Subject rights

If you wish to exercise any of your Data Subject Rights, please contact us using the details set out above.

Complaints to a Supervisory Authority

If you have any concerns or complaints regarding our Processing of your Personal Data or the exercising of your Data Subject rights, you may contact a Supervisory Authority.