This Privacy Policy was last updated on 15 September 2021

1.       Syndex’s commitment to privacy

1.1      Syndex Limited (company number 5233821), Syndex Pty Ltd (ABN 35 604 484 746) and any of their subsidiaries and affiliates (“Syndex”) is a New Zealand head-quartered organisation that provides services in Australia and New Zealand.

1.2      Syndex is committed to protecting all personal information that we collect, use, disclose and store as part of fulfilling our regulatory and legal obligations. We are committed to protecting personal information and meeting our privacy obligations under any applicable local privacy and data protection laws, including:

           1.2.1      the Australian Privacy Act 1988 (Cth) (“AU Privacy Act”), which include the Australian Privacy Principles; and

           1.2.2     the New Zealand’s Privacy Act 2020

2.       This Privacy Policy

2.1      This document is Syndex’s Privacy Policy ("Policy"), which specifies how and why Syndex collects, uses, discloses and protects personal information.

2.2      In this Policy, "we", "us", and “our” refers to Syndex and "you" refers to any individual about whom we collect personal information.

2.3      We refer to "personal information" (as defined under the AU Privacy Act and NZ Privacy Act) as "Information" in this Policy.

2.4      This Policy sets out how we collect, store, process, use and disclose Information (including Information we collect, and Information submitted to us, whether offline or online). For example, this  include:

            2.4.1     information that we may collect when any customer or individual who is provided access to the Syndex platform (such as an individual investor and or member of a cooperative), either by Syndex or a third party (who we refer to as "Participants") registers on Syndex or utilises the services provided by Syndex;

           2.4.2     information we collect when individuals visit our website or contact us; and

           2.4.3     information that we are provided by entities that are responsible for establishing and issuing a financial product such as fund managers, property syndicators, private companies and other entities (known as “Issuers”), including Information of our Issuers' customers.

2.5     The “Issuers” referred to in paragraph 2.4.4. may also include co-operatives, and their members.

2.6     Other terms and conditions may apply to you such as:

            2.6.1      our Account Holder Rules, available at: https://my.syndex.exchange/AccountHolderRules;

           2.6.2      the privacy terms and conditions contained in our agreement with you; and

           2.6.3      the collection notices and privacy statements which may be provided to you in connection with your use of the Syndex platform.

2.7     We may vary this Policy from time to time, with or without notice to you. However, where we make a material change to this Policy, we will provide notice to you (including by updating our website and, where appropriate, by notifying Participants directly). We recommend you visit this Policy regularly to keep up to date with any changes.

3.       About Syndex

‍3.1        Syndex provides a centrally hosted software as a service (SaaS) platform, which includes
the following “Modules”:

           3.1.1     the Investment Management Module, which provides Issuers with access to, and
management of, their regulated or non-regulated financial products (“issues”) into
which Participants invest (including registry, accounts and trade management);

            3.1.2    the Account Holder Portal Modules, which provides access to, and management
of, investment assets listed on the platform; and

            3.1.3     the Exchange Module, which provides Participants and Issuers with the ability to
trade in issues in the various markets (including the secondary market (between
Participants), and the privacy and public investment opportunities markets).
3.2 The Modules that are available to Participants will depend on the country in which you are
located (and this will impact on the Information that we collect, use and disclose).

4.      What Information does Syndex collect from you and how does it collect this Information?

‍Potential Participants and Participants

‍4.1      By registering on Syndex or utilising the services provided by Syndex, Participants consent
to the collection, use, disclosure, storage, processing, and disclosure of their Information as
part of the registration process. This includes, but is not limited to, disclosure of Information
to third parties for identity verification and customer due diligence ("CDD") purposes in
respect of the requirements under anti-money laundering legislation.

4.2      We may collect Information about Participants when they register or use Syndex’s platform,
and we collect this Information:

            4.2.1      directly from the Participant;

            4.2.2     from the relevant Issuer(s); and/or

            4.2.3     from third parties, in relation to provision of Syndex’s services and where Syndex
reasonably believes the Participant has agreed for their Information to be disclosed
to, and collected and used by, Syndex (for example, data suppliers for bio metric
identification and/or accountants of individual investors or co-operative members).

4.3      This Policy applies to all instances where Information is collected from Participants or from
third parties.

4.4      The types of Information we collect depends on the nature of your interaction with us, but
may include:

             4.4.1      all relevant Information associated with a Participant (such as name, contact
details (e.g. email address, phone and physical address), date of birth, country of
birth, citizenship, and residency);

            4.4.2      bank account number;

            4.4.3      any Information that you provide to us, or authorise us to collect, as part of your
interaction with us (including via communications between the Participant and
Syndex (via writing, email or phone)); and

            4.4.4      online preference information, such as a favourites list, transaction history and
marketing preferences (see further discussion of this below in paragraph 10).
Prospective employees/applicants

Prospective employees/applicants

4.5     We collect Information when recruiting people to work with us, such as your name, title, date
of birth, gender, contact details, qualifications and work history (including references and
other information included in a CV or cover letter as part of the application process).
Generally, we will collect this information directly from you.

4.6     We may also collect your Information from third parties in ways which you would expect (for
example, from recruitment agencies or referees you have nominated). We may collect
additional details such as your tax file number and superannuation information after offering
you a position and other information necessary to conduct background checks to determine
your suitability for certain positions.
‍
4.7      We may also collect relevant information from third party sources such as LinkedIn and other
professional websites.

Shareholders

‍4.8     We (or a share registry provider we may engage) may also collect Information to maintain
shareholder information in accordance with ASX, NZX and other legal requirements, such
as:

            4.8.1      the name of the individual shareholder and any trustee (if applicable);

            4.8.2     personal details relating to any Power of Attorney (e.g. the attorney’s name,
address, occupation, date of birth and phone number);

            4.8.3     bank account details; and

            4.8.4     your SRN or HIN.

4.9     When we collect Information from shareholders, we may also use and disclose it for other
reasons related to your shareholding, such as identity verification, providing shareholder
services, sending you correspondence and documents and responding to complaints or
inquiries. We may also use your information to market our products and services, such as
exclusive shareholder offers, to you.

‍Other individuals

‍4.10    We may collect Information about other individuals. This includes members of the public who
we may interact with and participate in events we are involved with (such as online
networking events); individual service providers and contractors to Syndex; and other
individuals who interact with Syndex on a commercial basis. The kinds of Information we
collect will depend on the capacity in which you are dealing with us. Generally, it would
include your name, contact details, and information regarding our interactions and
transactions with you.

4.11      In some cases you may provide us with Information which relates to another person (for
example, a family member to a family trust). Participants, Issuers and any other third parties
that provide Syndex with Information, agree and warrant that they have authorisation from
the individuals to whom the Information relates in order for Syndex to collect, use, and
disclose, the Information in accordance with this Policy (and have informed them of our
Policy (including the information in our Policy)).

5.        Why does Syndex collect, store, process and use your Information?

‍5.1      Syndex collects Information reasonably necessary to carry out our business, to assess and
manage Participants’ needs, and to provide its services.

5.2     The purposes for which we usually collect, store, process and use Information depends on
the nature of your interaction with us, and the types of services and modules available to
you, but may include (and Participants authorise Syndex to collect, store, process and use
Information) for the purposes of:

            5.2.1      opening, operating, administering and maintaining accounts on Syndex’s platform
and any products or services provided to you by Syndex or Syndex’s related companies (whether incorporated in New Zealand, Australia or elsewhere);

            5.2.2     confirming your identity and address, for example, electronically matching
Information with identification information in third party databases;

            5.2.3     providing you with the use of, and information about, any other of Syndex’s
products and services and products and services of Syndex’s related companies
(whether incorporated or constituted in New Zealand, Australia or elsewhere) (see
further information below in paragraph 9);

            5.2.4     improving our operations, products and services;

            5.2.5     managing our relationship with Participants and Issuers, for example, so we can
respond to Participants' queries;

            5.2.6     monitoring and screening Participants' accounts, products and services for anti-
money laundering and countering financing of terrorism purposes and for fraud and
crime detection purposes; and
‍
            5.2.7     conducting market research, data processing and statistical analysis (including to
improve our understanding of your interests in relation to our offerings);

            5.2.8     maintaining and improving our customer service by monitoring our service for
quality control, quality and training purposes;

            5.      considering job applicants for current and future employment (including for
contractors);

            5.2.10     managing our internal business, in particular financial management, reporting and
accounting; and

            5.2.11      Syndex or its related companies (whether incorporated or constituted in New
Zealand, Australia or elsewhere) complying with legal, regulatory and other requirements (for example, liquidity requirements, and requirements under the AU Privacy Act and the NZ Privacy Act or under specific contractual obligations where we are required to give access to Information we hold to be audited).

5.3      Participants authorise Syndex to obtain, and retain, Information from Syndex’s related companies (whether incorporated or constituted in New Zealand, Australia or elsewhere) or any third parties for the purposes described in paragraph 5.2.

5.4       We may also collect your Information for other reasons, as permitted under the AU Privacy Act and NZ Privacy Act (for example where it is necessary as part of our, or a third party’s, statutory or public functions or because the law permits or requires us to).

6.       Can you deal with Syndex anonymously?

6.1     Syndex will provide individuals with the opportunity of remaining anonymous or using a pseudonym in their dealings with us where it is lawful and practicable (for example, when making a general enquiry).

6.2    Generally it is not practicable for Syndex to deal with individuals anonymously or pseudonymously on an ongoing basis. If we do not collect your Information, this may mean you are unable to register and may not be able to participate in any of Syndex’s markets or use the platform.

7.       How does Syndex disclose your Information?

7.1     The purposes for which we may use and disclose your Information will depend on the reason we are interacting with you. Generally, we will use and disclosure your Information for the purpose for which it collected that information, and otherwise we will use and disclose your Information in accordance with the requirements of the AU Privacy Act, the NZ Privacy Act and any applicable laws.

7.2     Participants agree that we may disclose Participants’ Information to:

            7.2.1     Syndex’s related companies (whether incorporated or constituted in New Zealand, Australia or elsewhere) for the purposes of providing services to, or for, Syndex. We note that where Information is transferred outside New Zealand, those third parties will be subject to privacy laws in their own jurisdiction and those privacy laws may be different to New Zealand and Australian laws (however we will ensure that any transfer of Information overseas complies with applicable privacy laws – please see paragraph 8 for further information on transfer of Information overseas);

            7.2.2    Syndex’s agents and other third parties (whether in New Zealand or overseas) for the purposes of providing services to, or for, Syndex;

            7.2.3    Issuers, our agents and other third parties for identify verification and customer due diligence purposes in respect of the requirements under anti-money laundering legislation;

            7.2.4     any other registries where we are required to do so under the laws, rules or regulations applying to that party;

            7.2.5     any regulator where Syndex is required to do so by law;

            7.2.6     the police, certain governmental agencies, regulators or other financial institutions where Syndex reasonably believes that disclosure will assist the investigation, detection or prevention of fraud or other criminal offences or where we are required by law;

            7.2.7    research firms engaged by Syndex to carry out customer surveys and conduct market research; and

            7.2.8    any other party authorised by the Participant. Use and disclosure for administration and management

7.3     Naturally we will also use and disclose Information for a range of administrative, management and operational purposes in ways that you would expect. This includes:

           7.3.1      administering billing and payments and debt recovery;

           7.3.2     planning, managing, monitoring and evaluating our services;

           7.3.3     quality improvement activities;

           7.3.4     training staff, contractors and other workers;

           7.3.5     risk management and management of legal liabilities and claims (for example, liaising with insurers and legal representatives);

           7.3.6     responding to enquiries and complaints regarding our services;

           7.3.7     obtaining advice from consultants and other professional advisers; and

           7.3.8    responding to subpoenas and other legal orders and obligations.

7.4      We may also use Information to create deidentified data (which is no longer Information). We share this deidentified data we create or otherwise collect with people we do business with such as our advertising and other business partners.

Disclosure to contractors and other service providers

7.5      We may disclose information to third parties we engage in order to provide our services, including contractors and service providers used for data processing, data provision and analysis, customer satisfaction surveys, information technology services and support, payment processing, website (including our platform) maintenance / development, printing, archiving, mail-outs, and market research.

Business sale or corporate transaction

7.6      We may use or disclose your Information with third parties, whether affiliated or unaffiliated, for the purpose of facilitating or implementing a transfer or sale of all or part of our assets or business or if we undergo any other kind of corporate restructure, acquisition or sale. In this context, your Information may be transferred to another entity (or if such a sale, transfer, acquisition or corporate restructure is being contemplated by us).

Other uses and disclosures

7.7       We may use and disclose your Information for other purposes explained at the time of collection (such as in a specific privacy collection statement or notice) or otherwise as set out in this Policy.

8.        Does Syndex transfer your Information overseas?

            8.1     We generally collect Information about you in Australia or New Zealand, and for the purpose of Syndex’s service provision we handle, process and store your information on our proprietary platform, which is hosted on Salesforce infrastructure, which is hosted in Japan.

            8.2     We only ever disclose your Information outside the jurisdiction it was collected where we are permitted to do so under applicable privacy laws. Generally, this means we will take reasonable steps to ensure your Information is treated securely and in accordance with applicable privacy laws.

            8.3     There are other circumstances where we may disclose your Information to an overseas recipient. For example, where you have provided your consent or we are otherwise permitted to do so under the AU Privacy Act, the NZ Privacy Act or other relevant laws.

9.        Does Syndex use or disclose your Information for direct marketing?

9.1       We may use and disclose your Information for the purposes of sending you direct marketing communications and information about our products and services that we consider may be of interest to you, or as otherwise permitted under applicable privacy laws.

9.2      These communications may be sent in various forms, including mail, fax and email, in accordance with applicable marketing laws, such as the New Zealand Unsolicited Electronic Messages Act 2007 and the Australian Spam Act 2003 (Cth).

9.3      In addition, at any time you may opt-out of receiving marketing communications from us by contacting us (see the details below in paragraph 14) or by using opt-out functionalities provided in the marketing communications, and we will then ensure that your name is removed from our mailing list.

9.4       If you opt-out of receiving marketing material from us, we may still contact you in relation to our ongoing relationship with you.

10.       How does Syndex interact with you via the internet?

10.1      You may visit our website without identifying yourself. If you identify yourself (for example, by submitting an inquiry or filling out a form), any Information you provide to us will be managed in accordance with this Policy.

10.2     Syndex may set and access cookies on Participant computers in order to collect nonpersonal information including type of operating system, domain name and IP address. Cookies are small files of data sent by a website to your browser, which may then be stored on your hard drive or device so we can recognise you when you return. The information collected is anonymous and is used for the purpose of understanding Participant behaviour when using the Syndex platform.

11.       How does Syndex hold your Information?

11.1      Syndex will hold Information in accordance with applicable privacy laws. Syndex stores Information via electronic record keeping methods, in secure databases, using Salesforce infrastructure hosted in Japan.

11.2      Syndex usually does not collect Information in hardcopy form. If we do, we convert the paper-based documents to electronic form for use or storage (with the original paper-based documents securely destroyed).

11.3     Syndex takes all reasonable steps to ensure that Information that we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment protected from misuse, interference and loss, and from unauthorised access, modification or disclosure.

11.4     Syndex relies upon the security measures and framework of Salesforce’s infrastructure, including computer and network security; for example, firewalls (security measures for the internet) and other bespoke security systems such as user identifiers and passwords to data and computer systems.

11.5     Our website (including our platform) uses encryption or other technologies to ensure the secure transmission of information via the internet. Notwithstanding our use of encryption or other technologies to ensure secure transmission of information, users of our website (including our platform) are encouraged to exercise care in sending their Information via the internet.

11.6     We will only keep your Information we hold for as long as is necessary for the purposes set out in this Policy or as required to comply with any applicable legal obligations. The retention periods we apply to Information take account of:

            11.6.1     legal and regulatory requirements and guidance;

            11.6.2    limitation periods that apply in respect of taking legal action;

            11.6.3    our ability to defend ourselves against legal claims and complaints;

            11.6.4    good practice; and

            11.6.5    the operational requirements of our business.

11.7      We take steps to destroy or de-identify information that we no longer require or as required by applicable laws.

12.       How can you access or seek correction of your Information?

12.1      You are entitled to access your Information held by Syndex on request. To request access to your Information please contact our Privacy Officer using the contact details set out below in paragraph 14.

12.2      We will take reasonable steps to ensure that the Information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in information we hold about you and letting us know if your personal details change.

12.3      However, if you consider any Information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading you are entitled to request correction of the information. After receiving a request from you, we will take reasonable steps to correct your information.

12.4      We may decline your request to access or correct your Information in certain circumstances in accordance with the AU Privacy Act or NZ Privacy Act (as applicable). If we do refuse your request, we will provide you with a reason for our decision and, in the case of a request for correction, we will include a statement with your Information about the requested correction.

13.       How can you make a complaint about the handling of your Information?

13.1      You may contact Syndex at any time if you have any questions or concerns about this Policy or about the way in which your Information has been handled.

13.2     You may make a complaint about privacy to the Privacy Officer at the contact details set out below.

13.3     The Privacy Officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally respond to your complaint within a week.

13.4     If your complaint requires more detailed consideration or investigation, we will acknowledge receipt of your complaint within a week and endeavour to complete our investigation into your complaint promptly. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather relevant facts, locate and review relevant documents and speak with individuals involved.

13.5     In most cases, we will investigate and respond to a complaint within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.

13.6     If you are based in Australia and you are not satisfied with our response to your complaint, or you consider that Syndex may have breached the AU Privacy Act (including the Australian Privacy Principles), a complaint may be made to the Office of the Australian Information\ Commissioner. The Office of the Australian Information Commissioner can be contacted by telephone on 1300 363 992 or by using the contact details on the website www.oaic.gov.au.

13.7     If you are based in New Zealand and you consider that Syndex may have breached the NZ Privacy Act (including the Information Privacy Principles), a complaint may be made to the Office of the Privacy Commissioner. The Office of the Privacy Commissioner can be contacted by telephone on 0800 803 909 or by using the contact details on the website www.privacy.org.nz.

13.8     If you are outside of Australia or New Zealand, you may wish to take your complaint up with the local data protection authority in your jurisdiction.

14.       How can you contact Syndex?

14.1     The contact details for Syndex are:

            Privacy Officer

            Syndex Pty Ltd

            Phone: +64 (0) 9 337 0416 (or, if you are in New Zealand, 0800 796339)

            Email: privacy@syndex.exchange

            Website: https://www.syndex.exchange

            Address: Level 4, 5 High Street, Auckland 1010, New Zealand