Legal

Privacy Policy

Last updated: 22 June 2026 · Effective Date: 22 June 2026 · Version 1.0

About This Policy
Information We Collect
How We Use Your Information
Disclosure of Information
Data Storage and Security
Data Retention
Your Rights (Australia)
Your Rights (UK / EU — GDPR)
Cookies and Tracking
Third-Party Services
International Transfers
Children
Contact and Complaints

1. About This Policy

Vestinit Ventures Australia Pty Ltd ACN 123 456 789 ("Vestinit", "we", "us" or "our") operates the Vestinit Ventures platform at vestinit.ventures and vestinit.com.au (the "Platform").

This Privacy Policy explains how we collect, use, disclose and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For users in the United Kingdom and European Economic Area, we also comply with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation 2016/679 (EU GDPR) respectively.

By accessing the Platform or providing us with personal information, you consent to the practices described in this policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Information You Provide Directly

Category	Examples	Purpose
Identity	Full legal name, date of birth, nationality	Account registration, KYC/AML compliance
Contact	Email address, phone number, residential address	Account management, communications, KYC
Identity Documents	Driver's licence number, passport number, document images	Identity verification via Frankie One DVS
Financial	Investor classification, source of funds declarations, investment history	Suitability assessment, regulatory compliance
Professional	Occupation, employer, LinkedIn profile, net assets	Sophisticated investor qualification
Company (Issuers)	Company name, ACN/ABN, registered address, director details, financial statements	Listing assessment, due diligence

2.2 Information Collected Automatically

When you use the Platform we may automatically collect: IP address, browser type, device identifiers, pages visited, time spent on pages, referring URLs and similar technical data. We use cookies and similar technologies as described in Section 9.

2.3 Information from Third Parties

We may receive information about you from identity verification providers (Frankie One), payment processors, publicly available registers (ASIC, PPSR), credit reporting bodies and professional references you provide.

3. How We Use Your Information

We use personal information only for the purposes for which it was collected or directly related purposes, including:

Creating and managing your account on the Platform
Verifying your identity and completing KYC/AML checks as required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
Assessing your eligibility as a sophisticated, wholesale or retail investor under the Corporations Act 2001 (Cth)
Presenting investment opportunities that may be appropriate to your investor profile
Processing expressions of interest and facilitating introductions to issuers and licensed financial services providers
Sending transactional communications (NDA confirmations, account updates, deal notifications)
Sending marketing communications where you have opted in (you may opt out at any time)
Maintaining records required by applicable law
Improving the Platform and our services
Detecting and preventing fraud, money laundering and other unlawful activity
Complying with legal obligations and responding to lawful requests from regulatory authorities

4. Disclosure of Information

We do not sell personal information. We may disclose your information to:

Identity Verification Providers — Frankie One Pty Ltd and the Document Verification Service (DVS) operated by the Australian Attorney-General's Department, for identity verification
Licensed Financial Services Partners — where you have expressed interest in a particular opportunity and a licensed AFS licensee or authorised representative is involved in its execution
Issuers and Deal Sponsors — limited information (name, investor classification, contact details) shared only after you have executed a deal-specific NDA
Technology Service Providers — hosting, email delivery (e.g. SendGrid), analytics, customer support tools, operating under appropriate data processing agreements
Professional Advisers — lawyers, accountants and auditors under confidentiality obligations
Regulatory Authorities — ASIC, AUSTRAC, AFCA, Australian Taxation Office, and equivalent UK/EU regulators, where required by law
Successors — in connection with a merger, acquisition or sale of assets, subject to confidentiality obligations

All third parties are required to handle your information in accordance with applicable privacy laws and our instructions.

5. Data Storage and Security

Personal information is stored on servers located in Australia and/or the United States (AWS infrastructure). We implement appropriate technical and organisational measures to protect your data, including:

256-bit SSL/TLS encryption in transit
Encryption at rest for sensitive fields
Role-based access controls
Multi-factor authentication for staff access
Regular security assessments

No transmission over the internet is 100% secure. While we take all reasonable steps to protect your information, we cannot guarantee absolute security.

6. Data Retention

Data Type	Retention Period	Reason
KYC / identity documents	7 years after account closure	AML/CTF Act obligations
Investment records and expressions of interest	7 years after transaction	Corporations Act, tax law
NDA records	Duration of NDA + 2 years	Contractual obligations
Account information	7 years after account closure	Legal and regulatory compliance
Marketing preferences	Until opt-out or account closure	Consent management
Server logs	12 months	Security and fraud prevention

After the applicable retention period, personal information is securely deleted or de-identified.

7. Your Rights (Australia)

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

Access — request access to personal information we hold about you
Correction — request correction of inaccurate or incomplete information
Complaint — lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have interfered with your privacy

To exercise these rights, contact us at privacy@vestinit.ventures. We will respond within 30 days.

8. Your Rights (UK / EU — GDPR)

If you are located in the United Kingdom or European Economic Area, you have additional rights under the UK GDPR / EU GDPR:

Right to access — obtain a copy of your personal data
Right to rectification — correct inaccurate data
Right to erasure ("right to be forgotten") — request deletion, subject to legal retention requirements
Right to restrict processing — limit how we use your data in certain circumstances
Right to data portability — receive your data in a structured, machine-readable format
Right to object — object to processing based on legitimate interests or for direct marketing
Rights related to automated decision-making — not to be subject to solely automated decisions with significant effects

Our lawful bases for processing under GDPR are: (a) performance of a contract, (b) compliance with legal obligations, (c) legitimate interests, and (d) consent (for marketing communications). To exercise your rights or lodge a complaint, contact privacy@vestinit.ventures or contact your national data protection authority.

9. Cookies and Tracking

We use cookies and similar technologies on the Platform. Please refer to our Cookie Policy for full details. In summary:

Essential cookies — required for the Platform to function (authentication sessions, security tokens). Cannot be disabled.
Functional cookies — remember your preferences (theme, language). Can be disabled.
Analytics cookies — help us understand how the Platform is used (e.g. Google Analytics with IP anonymisation). Can be disabled.
Marketing cookies — used only where you have provided explicit consent.

10. Third-Party Services

The Platform may contain links to third-party websites or services. This policy does not apply to those services. We are not responsible for the privacy practices of third parties. You should review their policies before providing personal information.

11. International Transfers

We may transfer personal information to service providers located outside Australia, including the United States (AWS), United Kingdom and European Union. Where we transfer personal information internationally, we take steps to ensure recipients are bound by privacy obligations comparable to those in Australia, including through contractual clauses or adequacy decisions.

For transfers to the UK/EU from outside those jurisdictions, we rely on standard contractual clauses (SCCs) approved by the European Commission and UK Information Commissioner's Office (ICO).

12. Children

The Platform is not directed at persons under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a child under 18, please contact us immediately and we will delete it.

13. Contact and Complaints

Privacy Officer
Vestinit Ventures Australia Pty Ltd
Level 1, 9–13 Bronte Road, Bondi Junction NSW 2022
Email: privacy@vestinit.ventures

We will acknowledge receipt of your enquiry within 5 business days and respond substantively within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

This Privacy Policy may be updated from time to time. Material changes will be notified by email and/or a notice on the Platform. The current version is always available at this URL.