Privacy Policy

How we securely handle and protect your personal information across the Paid Platform.

Document Details

Paid Privacy Policy

  • Entity: Paid Dot Pty Ltd (ABN 14 642 944 278) | ACN 140 677 792
  • AFSL: 700215
  • Version: 2.0
  • Effective Date: 23/02/2026
  • Next Review: 23/02/2027
  • Contact: contact@paid.inc | Attention: Privacy Officer
  • Address: 1/88 Langridge Street, Collingwood VIC 3066

About This Policy

Paid Dot Pty Ltd (trading as Paid.inc, 'Paid', 'we', 'us', 'our') is committed to handling personal information responsibly and in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains what personal information we collect, why we collect it, how we use and disclose it, how we protect it, and what rights you have in relation to it.

By using the Paid Platform, the Paid Transaction Account, or any of our services, you acknowledge that you have read and understood this Privacy Policy.

1. Who We Are and How to Contact Us

Paid Dot Pty Ltd (ABN 14 642 944 278) (ACN 140 677 792) trading as Paid.inc ('Paid') is an Australian financial services company operating under Australian Financial Services Licence No. 700215. We operate the Paid Platform — a technology-driven payment and contract administration platform for the construction, property development and professional services industry.

Paid is an APP entity under the Privacy Act 1988 (Cth). We are responsible for the personal information we collect, hold, use and disclose.

  • Privacy Officer: contact@paid.inc | Attention: Privacy Officer
  • Address: 1/88 Langridge Street, Collingwood VIC 3066
  • Privacy Policy: www.paid.inc/privacy
  • OAIC: www.oaic.gov.au | 1300 363 992

2. What This Policy Covers

This Privacy Policy applies to all personal information collected, held, used or disclosed by Paid in connection with:

(a) The Paid Platform and all features and functionality available through it;

(b) The Paid Transaction Account and associated financial services provided under AFSL 700215;

(c) Paid's website at www.paid.inc and any associated web properties;

(d) Paid's mobile application;

(e) Paid's marketing, communications and customer support activities; and

(f) Paid's compliance with its obligations under the AML/CTF Act, the Corporations Act, and other applicable legislation.

This Policy applies to all individuals whose personal information Paid collects, including platform users (builders, subcontractors, suppliers, developers, property owners, funders and professional advisers), website visitors, job applicants, and counterparties.

This Policy should be read together with Paid's Service Agreement, Financial Services Guide (FSG), Product Disclosure Statement (PDS), and any collection notices provided at the time personal information is collected. Where there is an inconsistency between this Policy and a specific collection notice, the collection notice prevails to the extent of the inconsistency.

3. What Personal Information We Collect

Paid collects the personal information reasonably necessary to provide the Paid Platform, the Paid Transaction Account, and our related financial services. The types of information we collect depend on who you are and how you interact with us.

3.1 Identity and Contact Information

  • Full legal name and preferred name;
  • Residential, business and registered address;
  • Email address and phone number;
  • Date of birth;
  • Gender (where voluntarily provided);
  • Occupation and employer details; and
  • Emergency contact information (where relevant to project access).

3.2 Business and Corporate Information

  • Australian Business Number (ABN) and Australian Company Number (ACN);
  • Business registration details, trading name and registered business address;
  • Director, officer, partner and beneficial ownership information;
  • Business licence and trade qualification details; and
  • Information about your role in a construction project (builder, subcontractor, developer, funder, owner, adviser).

3.3 Identity Verification Information

  • Government-issued identity document details — including Australian passport, driver's licence number and state of issue, and Medicare card details;
  • Facial recognition data and biometric matching results (collected through FrankieOne Pty Ltd, see Section 4);
  • Identity document images (front and back of identity documents); and
  • Results of identity verification checks, including verification status and any flags raised by automated verification systems.

3.4 Financial and Transaction Information

  • Bank account details (BSB and account number) used to fund or receive payments through the Paid Transaction Account;
  • Transaction history, including amounts, payment dates, counterparties and project references;
  • Contract values, progress claim amounts, retention amounts and payment schedules;
  • Early release requests and associated documentation;
  • Dispute records and resolution outcomes; and
  • Credit-related information provided in connection with third-party finance referrals (where applicable).

3.5 Project and Contract Information

  • Construction contract details, project names, addresses and descriptions;
  • Progress claim documentation, invoices, and supporting materials;
  • Geolocated and timestamped photographs and media uploaded in connection with claims;
  • Contract approval and variation records; and
  • Communications between project parties made through the Paid Platform.

3.6 Device, Technical and Usage Information

  • Internet Protocol (IP) address and device identifiers;
  • Browser type, version and operating system;
  • Pages visited on our website and platform, and the time and duration of visits;
  • Login timestamps and session activity;
  • Referral URLs and search terms used to find our website; and
  • Cookie and tracking data (see Section 13).

3.7 Communications and Support Information

  • Communications you send to us, including emails, support tickets, chat messages and complaints;
  • Records of phone calls with our team (where calls are recorded); and
  • Feedback, survey responses and reviews.

3.8 Marketing and Preference Information

  • Marketing communication preferences and opt-out status;
  • Attendance at Paid events and webinars; and
  • Information about how you heard about Paid.

4. Sensitive Information

Certain categories of personal information are classified as 'sensitive information' under the Privacy Act and are subject to stricter collection and handling obligations. Paid collects the following categories of sensitive information:

4.1 Biometric Information — Collection Notice

Collection Notice — Biometric Information (APP 3 / APP 5)

Paid collects biometric information, including facial recognition data and identity document scans, through its appointed identity verification provider, FrankieOne Pty Ltd.

This information is collected for the purpose of verifying your identity and preventing fraud, as required by the AML/CTF Act 2006 (Cth) and Paid's obligations as a reporting entity under that Act.

Biometric information is sensitive information under s.6 of the Privacy Act 1988 (Cth). By completing the identity verification process on the Paid Platform, you expressly consent to the collection, use and handling of your biometric information for these purposes.

Your biometric data is processed and stored by FrankieOne in accordance with FrankieOne's privacy policy (www.frankieone.com). Paid does not independently store biometric images after verification is complete.

Identity document verification is performed through the Australian Government's Document Verification Service (DVS), administered by the Attorney-General's Department under the Identity Verification Services Act 2023 (Cth). Individuals may find information about the DVS Hub at www.ag.gov.au/dvs.

Biometric information will not be used for any purpose other than identity verification and fraud prevention, unless you provide separate express consent.

You may request access to or correction of your biometric information by contacting our Privacy Officer at contact@paid.inc.

4.2 Government Identifiers

Paid collects government-issued identity information including driver's licence numbers, passport numbers and Medicare card numbers, solely for identity verification purposes. See Section 10 for our obligations regarding government identifiers under APP 9.

4.3 Financial Information

Detailed financial information — including bank account details, transaction records and financial position information — may be sensitive in the context of its collection. Paid collects this information as a necessary part of operating the Paid Transaction Account and providing financial services under its AFSL.

4.4 Other Sensitive Information

Paid does not routinely collect other categories of sensitive information (including health information, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation). Where any such information is incidentally included in documents uploaded to the Paid Platform (for example, in construction site injury reports or employment records), Paid will handle it in accordance with this Policy and the APPs.

5. How We Collect Personal Information

Paid collects personal information in the following ways:

(a) Directly from you: When you register for the Paid Platform, complete your account profile, submit identity verification documents, upload project information, submit progress claims, contact our support team, or communicate with us in any way.

(b) Through the Paid Platform: Transaction data, usage data, device information and communications generated through your use of the Paid Platform and Paid Transaction Account are collected automatically.

(c) Through FrankieOne and Incode: Identity verification data, including biometric matching results and identity document details, is collected by FrankieOne Pty Ltd on Paid's behalf. Biometric processing, including facial recognition and liveness detection, is performed by Incode Technologies Inc as FrankieOne's appointed sub-processor. Identity document details are checked against official government records through the Australian Government's Document Verification Service (DVS). FrankieOne and Incode act as Paid's service providers for these purposes. DVS verification results are used solely for identity verification and AML/CTF compliance and are not used for any other purpose.

(d) From counterparties and project participants: Other parties in your project (such as a developer, builder or subcontractor) may provide information about you when setting up a project, adding you as a counterparty, or submitting claims in which you are involved.

(e) From third parties: Paid may receive information about you from publicly available sources (such as ASIC registers and ABR), credit reporting bodies, government databases (for AML/CTF compliance), and third-party finance or insurance providers where you have been referred or have consented.

(f) From our banking and ADI partners: Information about transactions processed through our banking infrastructure is received from our ADI partners.

(g) Cookies and tracking: When you visit our website or use the Paid Platform, we may collect technical and usage data through cookies and similar technologies. See Section 13.

Where it is reasonable and practicable to do so, Paid will collect personal information directly from the individual concerned. Where Paid collects personal information about an individual from a third party, Paid will take reasonable steps to ensure that the individual is aware of the collection.

6. Why We Collect Personal Information

Paid collects personal information for the following primary and related purposes. Collection for a related purpose is permitted under APP 6 as it falls within the reasonable expectations of individuals using a financial services platform of this nature.

6.1 Primary Purpose

The primary purpose for which Paid collects personal information is to provide the Paid Platform and the Paid Transaction Account — including all financial services offered by Paid under AFSL 700215 — to users and their counterparties. This encompasses the full operation of the platform, from account onboarding through to payment processing, contract administration and account closure.

6.2 Related and Secondary Purposes

Paid also collects and uses personal information for the following purposes, which are directly related to the primary purpose and within the reasonable expectations of users:

(a) Identity verification and AML/CTF compliance: Verifying the identity of users and their associates as required by the AML/CTF Act 2006 (Cth), conducting ongoing customer due diligence, and meeting Paid's obligations as an AUSTRAC reporting entity. This includes collecting, verifying and transmitting originator and beneficiary information in connection with outbound payment transfers as required by the Travel Rule under the AML/CTF Act and applicable AUSTRAC rules. Where Paid processes an outbound transfer to an external bank account, Paid collects and attaches required payer and payee information to the payment message as it passes through the payment transfer chain, and discloses that information to receiving financial institutions as required by law.

(b) Financial services obligations: Meeting Paid's obligations as an AFSL holder under the Corporations Act 2001 (Cth), including client money management, record-keeping, reporting and disclosure obligations.

(c) Fraud detection and platform security: Detecting, investigating and preventing fraud, money laundering, sanctions breaches, unauthorised access and other security incidents.

(d) Regulatory reporting: Complying with mandatory reporting obligations to AUSTRAC, ASIC, APRA, the Australian Taxation Office, and other regulatory bodies.

(e) Dispute resolution: Investigating and resolving complaints and disputes involving platform users, including providing records to AFCA or other dispute resolution bodies.

(f) Platform improvement and product development: Analysing platform usage, user behaviour and operational data to improve the Paid Platform, develop new features and enhance the user experience.

(g) AI and machine learning development: Using de-identified and aggregated platform data to train, test and improve AI and machine learning models used in or on behalf of Paid's products and services. See Section 11.

(h) Marketing and communications: Communicating with users about Paid's products, services, events, industry news and regulatory updates. See Section 12.

(i) Legal and contractual obligations: Enforcing the Paid Service Agreement, responding to legal claims, and protecting Paid's legal rights and interests.

(j) Risk management: Assessing and managing credit, operational, regulatory, reputational and fraud risks associated with the Paid Platform and Paid's business.

7. How We Use Personal Information

The following table summarises the key ways Paid uses personal information, by information type. All use is consistent with the purposes set out in Section 6.

| Information Type | How We Use It |
| --- | --- |
| Identity and contact information | Opening and managing your account; communicating with you about your account and our services; verifying your identity for AML/CTF purposes; contacting you in relation to transactions, disputes or platform matters. |
| Business and corporate information | Verifying your business, role and authority to operate on the platform; KYB compliance; assessing eligibility for platform features; distributing information to counterparties within your project. |
| Identity verification information | Completing and recording KYC/KYB checks as required by law; detecting and preventing fraud and identity theft; maintaining records of verification outcomes for regulatory compliance. |
| Financial and transaction information | Processing payments, managing the Paid Transaction Account, allocating client money, generating transaction records, producing reports, detecting suspicious transactions, and meeting AUSTRAC and ASIC reporting obligations. |
| Project and contract information | Administering construction contracts, processing progress claims, managing retentions, facilitating payment approvals, and creating auditable records for users and regulators. |
| Device, technical and usage information | Operating and securing the platform, detecting unauthorised access, improving platform performance, analysing user behaviour for product development, and administering cookies and analytics. |
| Communications and support information | Responding to enquiries and complaints, maintaining records of interactions, training our support team, and improving our services. |
| Marketing and preference information | Sending relevant communications about Paid's products and services; honouring opt-out requests; personalising communications where you have consented. |

8. When We Disclose Personal Information

Paid discloses personal information only as necessary for the purposes described in this Policy or as required or permitted by law. The following sets out the key categories of disclosure.

8.1 Disclosure to Service Providers

Paid engages third-party service providers to assist in operating the Paid Platform and delivering our services. These providers may have access to personal information as part of the services they provide to Paid. Key service providers include:

| Provider Category | Examples | Information Disclosed |
| --- | --- | --- |
| Identity verification | FrankieOne Pty Ltd and its sub-processor Incode Technologies | Identity documents, facial recognition data, liveness detection results, biometric matching results, DVS Information Match Results, and verification outcomes. DVS-sourced information is used solely for identity verification and AML/CTF compliance and is not used for any other purpose. |
| Banking and payment infrastructure | Paid's ADI partner(s) | Account information, BSB/account numbers, transaction details. |
| Cloud infrastructure and hosting | Amazon Web Services | All platform data held on cloud servers operated by the provider. |
| Communications and email | Mailchimp | Email addresses, communication content. |
| Legal and professional advisers | Paid's lawyers, accountants, auditors | Information necessary for legal, audit or professional services. |

All service providers that handle personal information on Paid's behalf are required by contract to handle that information consistently with the Australian Privacy Principles, maintain appropriate security standards, and use the information only for the specific purpose for which it was disclosed.

8.2 Disclosure to Platform Counterparties

As part of the normal operation of the Paid Platform, certain personal information is disclosed to other parties within your project — for example, a builder will see the name and contact details of their subcontractors, and a developer will see the identity of the parties to contracts funded through their account. This disclosure is inherent in the nature of a collaborative project payment platform and is within the reasonable expectations of users. Paid limits counterparty disclosure to information necessary for the specific project and contractual relationship.

8.3 Disclosure for Regulatory and Legal Purposes

Paid may disclose personal information without your consent where required or authorised by law, including:

(a) AUSTRAC: Paid is required by the AML/CTF Act to submit Threshold Transaction Reports (TTRs), Suspicious Matter Reports (SMRs) and other mandatory reports to AUSTRAC. These disclosures are made without notifying you, as required by law.

(b) ASIC: Paid may be required to provide information to ASIC in connection with regulatory investigations, licence obligations or ASIC's supervisory functions.

(c) Courts and tribunals: Paid may disclose personal information in response to court orders, subpoenas, or as required in legal proceedings.

(d) AFCA: Paid may disclose information to AFCA in connection with a complaint you have lodged or that involves you.

(e) Law enforcement: Paid may disclose personal information to law enforcement agencies where required or authorised by law in connection with criminal investigations or proceedings.

(f) Other regulators: Paid may disclose information to APRA, the ATO, AUSTRAC or other regulatory bodies as required by their respective regulatory frameworks.

8.4 Disclosure in Connection with Business Transactions

If Paid enters into a merger, acquisition, asset sale, restructure or similar corporate transaction, personal information held by Paid may be disclosed to prospective purchasers or transaction parties as part of due diligence, and transferred to a successor entity as part of the transaction. Paid will take reasonable steps to ensure that any successor entity is bound by obligations equivalent to those in this Policy.

8.5 Referrals to Third-Party Providers

Where you consent to a referral to a third-party finance provider, insurance provider or professional services firm, Paid may disclose personal information necessary to facilitate that referral. The extent of disclosure is limited to what is necessary for the referral, and you will be informed of what information is being shared at the time of the referral.

8.6 What We Do Not Do

Paid does not sell, rent or trade individually identifiable personal information to third parties for their own independent commercial purposes. Paid's commercial use of platform data is limited to de-identified and aggregated data (see Section 11).

9. Overseas Disclosure

Some of Paid's service providers and sub-processors operate outside Australia. Personal information may be disclosed to overseas recipients in the following circumstances:

(a) FrankieOne: FrankieOne Pty Ltd may use sub-processors located outside Australia in connection with identity verification services. Please refer to FrankieOne's privacy policy at www.frankieone.com for details of the countries involved and the protections in place.

(b) Cloud infrastructure: Paid's platform data is hosted on cloud infrastructure that may include servers located overseas. Paid selects cloud providers that maintain security standards equivalent to those required under Australian law.

(c) Other service providers: Paid may engage service providers with offshore operations for functions including communications, analytics and support. Where this occurs, Paid takes the steps described in clause (d) below.

(d) Protections: Before disclosing personal information to an overseas recipient, Paid takes reasonable steps, in accordance with APP 8.1, to ensure that the overseas recipient does not breach the APPs in relation to that information. These steps include: binding contractual obligations requiring APP-equivalent protections; conducting due diligence on the recipient's security and privacy practices; and restricting disclosure to jurisdictions with comparable privacy frameworks where practicable.

By using the Paid Platform and accepting the Service Agreement, you acknowledge that your personal information may be transferred to and processed in countries outside Australia. Where Paid takes the steps described in clause (d) above, APP 8.1 is satisfied and you will not have direct rights against the overseas recipient under the Privacy Act. Paid remains accountable for the recipient's handling of your information.


Where Paid relies on your consent for an overseas disclosure under APP 8.2, that consent will be sought separately and specifically.

10. Government Identifiers

Paid collects government identifiers, including driver's licence numbers, passport numbers, Medicare card numbers, ABNs and ACNs, solely for the purpose of verifying your identity and complying with Paid's obligations under the AML/CTF Act and other applicable law.

Consistent with APP 9, Paid will not:

(a) Adopt a government identifier as its own identifier for an individual;

(b) Use or disclose a government identifier other than for the purpose for which it was collected, or as required or authorised by law; or

(c) Use or disclose a government identifier for the purpose of unlawfully accessing a government database.

Where government identifier information is obtained through the Australian Government's Document Verification Service (DVS), Paid is additionally bound by the obligations in its DVS Business User Participation Agreement with the Attorney-General's Department. Consistent with those obligations, Paid will not use DVS-sourced identification information, including Information Match Results, for data profiling, behavioural tracking, analytics, AI or machine learning development, industry benchmarking, marketing, advertising or market research. DVS-sourced identification information is used solely for identity verification and AML/CTF compliance. This exclusion applies regardless of the de-identification provisions in Section 11: DVS Information Match Results are excluded from Paid's Platform Data framework entirely.

Information obtained through the Document Verification Service, including Information Match Results, will not be used for data profiling, marketing, advertising, market research, or any purpose other than identity verification and AML/CTF compliance, consistent with Paid's obligations under the DVS Business User Participation Agreement.

11. De-Identified and Aggregated Data

Paid applies de-identification techniques to personal information derived from platform activity to produce aggregated data sets that cannot reasonably identify any individual ('Platform Data'). Paid uses Platform Data for commercial purposes, including:

(a) Developing and improving the Paid Platform and its features;

(b) Training and testing artificial intelligence and machine learning models developed or operated by or on behalf of Paid;

(c) Industry benchmarking, research and market analytics;

(d) Fraud detection, payment risk assessment and compliance analytics; and

(e) Providing aggregated and anonymised insights to industry bodies, government agencies and commercial partners.


De-identified Platform Data is not personal information for the purposes of the Privacy Act. Paid's use of Platform Data for commercial purposes does not constitute a use or disclosure of personal information under the APPs.


The licence to use Platform Data for these purposes is granted under the Paid Service Agreement. Paid ensures that de-identification is performed to a standard that eliminates any reasonable likelihood of re-identification before any commercial use.


Paid does not sell individually identifiable personal information to third parties for their own independent commercial purposes.

12. Direct Marketing

Paid may use your personal information to communicate with you about:

(a) Service communications: Information directly related to your account, transactions, platform features, regulatory changes, and compliance matters. These are service communications, not direct marketing, and are sent regardless of your marketing preferences.

(b) Direct marketing: Information about Paid's products, services, events, industry news and promotional offers — sent where you have consented or where Paid has a reasonable basis under the Spam Act 2003 (Cth) to send commercial electronic messages.

Your Right to Opt Out

You may opt out of receiving direct marketing communications from Paid at any time by:

  • Clicking the 'unsubscribe' link in any marketing email;
  • Emailing contact@paid.inc with the subject line 'UNSUBSCRIBE'; or
  • Updating your communication preferences through the Paid Platform.

Paid will action opt-out requests within 5 Business Days. Opting out of direct marketing does not affect service communications, which are necessary for the operation of your account.

Paid does not disclose personal information to third parties for the purpose of allowing those third parties to send direct marketing to you, unless you have provided express consent.

13. Cookies, Tracking and Digital Analytics

13.1 What We Collect

When you visit www.paid.inc or use the Paid Platform, Paid and its third-party analytics providers may use cookies, web beacons, pixel tags, log files and similar tracking technologies to collect device and usage information as described in Section 3.6.

13.2 Types of Cookies

| Cookie Type | Purpose | Can You Opt Out? |
| --- | --- | --- |
| Essential / Strictly Necessary | Required for the Paid Platform and website to function — including login sessions, security tokens and platform authentication. Without these, core platform functionality will not work. | No, these are necessary for the platform to operate. |
| Performance / Analytics | Collects anonymised information about how users interact with the platform and website, to help Paid understand usage patterns and improve performance. | Yes, via cookie preferences settings. |
| Functional | Remembers your preferences and settings to provide a personalised experience. | Yes, via cookie preferences settings. |
| Marketing / Targeting | Used to deliver relevant marketing content and measure the effectiveness of advertising campaigns. | Yes, via cookie preferences settings or browser settings. |

13.3 Managing Cookies

You can manage cookie preferences through the cookie settings tool available on our website. You can also configure your browser to refuse some or all cookies. Note that disabling essential cookies will impair your ability to use the Paid Platform.

Paid uses Google Analytics and may use other third-party analytics services. These providers may collect technical and usage data subject to their own privacy policies. Paid does not control the privacy practices of third-party analytics providers and encourages you to review their policies.

14. How We Protect Personal Information

Paid takes reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure, consistent with its obligations under APP 11.

14.1 Technical Safeguards

  • Encryption of data in transit (TLS/HTTPS) and at rest;
  • Multi-factor authentication for platform access;
  • Role-based access controls restricting access to personal information to authorised personnel;
  • Regular penetration testing and vulnerability assessments;
  • Automated monitoring for suspicious access and anomalous activity; and
  • Secure cloud infrastructure with enterprise-grade security certifications.

14.2 Organisational Safeguards

  • Privacy and security training for all Paid staff with access to personal information;
  • Confidentiality obligations in employment and contractor agreements;
  • Internal privacy policies and procedures consistent with this Privacy Policy;
  • A designated Privacy Officer responsible for privacy compliance; and
  • Regular review of privacy and security practices.

14.3 Third-Party Security

Paid requires all third-party service providers that handle personal information on Paid's behalf to maintain security standards that are at least equivalent to those maintained by Paid. Service provider security obligations are included in contractual arrangements with those providers.

No method of data transmission or storage is completely secure. While Paid takes reasonable steps to protect your information, Paid cannot guarantee that personal information will be secure in all circumstances. If you become aware of any security concern relating to your Paid account, contact us immediately at contact@paid.inc.

15. Data Retention and Destruction

Paid retains personal information for as long as necessary for the purposes for which it was collected, subject to applicable legal retention obligations. The following retention periods apply:

| Information Category | Retention Period | Legal Basis |
| --- | --- | --- |
| AML/CTF records (KYC/KYB, transaction records, customer due diligence) | 7 years from account closure or last transaction | AML/CTF Act 2006 (Cth) s.106-116 |
| Financial services records (transactions, client money, communications with clients) | 7 years from the record date | Corporations Act 2001 (Cth) s.988F; ASIC requirements |
| Identity verification records (KYC outcomes, document copies) | 7 years from account closure | AML/CTF Act; AUSTRAC requirements |
| Contract and project records | 7 years from project completion | Corporations Act; applicable building legislation |
| Complaint and dispute records | 7 years from resolution | ASIC requirements; AFCA obligations |
| Tax and accounting records | 7 years | Income Tax Assessment Act 1997 (Cth) |
| Marketing and preference data | Until opt-out plus 3 years, or account closure | Spam Act 2003 (Cth); Paid's legitimate interests |
| Website and platform logs | Up to 24 months | Paid's legitimate interests — security and analytics |
| Biometric information | Retained by FrankieOne as per their policy; Paid does not independently retain biometric images | Privacy Act — APP 11; FrankieOne privacy policy |

When personal information is no longer required and there is no legal obligation to retain it, Paid will take reasonable steps to de-identify or securely destroy that information. Where personal information is held by third-party service providers, Paid will require those providers to de-identify or destroy the information in accordance with equivalent standards.

16. Notifiable Data Breaches

Paid is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). The NDB scheme requires Paid to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches.

16.1 What Is an Eligible Data Breach?

An eligible data breach occurs when:

(a) There is unauthorised access to, or unauthorised disclosure of, personal information held by Paid, or personal information is lost in circumstances where unauthorised access or disclosure is likely to occur; AND

(b) A reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals whose information is involved.

16.2 Paid's Response Process

When Paid becomes aware of a suspected eligible data breach, Paid will:

(a) Promptly assess whether the incident constitutes an eligible data breach (Paid has 30 days from becoming aware of the suspected breach to complete this assessment);

(b) Where an eligible data breach is confirmed, notify the OAIC as soon as practicable; and

(c) Notify affected individuals as soon as practicable, either directly or by publishing a statement on its website (www.paid.inc), depending on the circumstances and the OAIC's guidance.

16.3 Scope of Liability

Notification under the NDB scheme is a regulatory obligation and does not constitute an admission of liability by Paid. Paid's liability in connection with a data breach is governed by the Service Agreement and applicable law. To the extent permitted by law, Paid's liability for loss or damage arising from a data breach is limited as set out in the Service Agreement.

16.4 Reporting a Security Concern

If you believe your Paid account or personal information may have been compromised, contact Paid's Privacy Officer immediately at contact@paid.inc. Paid will investigate and respond as quickly as practicable.

17. Your Rights – Access and Correction

17.1 Right to Access

Under APP 12, you have the right to request access to personal information that Paid holds about you. Paid will respond to access requests within 30 days of receipt.

To make an access request, contact Paid's Privacy Officer at contact@paid.inc with the subject line 'PRIVACY ACCESS REQUEST'. Paid may require you to verify your identity before processing a request.

17.2 Grounds to Refuse Access

Paid may refuse access to personal information, or limit the scope of access, in the following circumstances:

(a) Providing access would pose a serious and imminent threat to the life, health or safety of any individual;

(b) Providing access would have an unreasonable impact on the privacy of another individual;

(c) The request is frivolous or vexatious;

(d) The information relates to anticipated or existing legal proceedings between Paid and the requesting individual, and the information would not be discoverable in those proceedings;

(e) Providing access would reveal the intentions of Paid in relation to negotiations, in a way that would prejudice those negotiations;

(f) Providing access would be unlawful — for example, where information is subject to legal professional privilege, AML/CTF tipping-off restrictions, or a court order;

(g) Denying access is required or authorised by law; or

(h) Paid has reason to suspect that unlawful activity or misconduct of a serious nature has been, is being or may be engaged in, and providing access would be likely to prejudice the taking of appropriate action.

Where Paid refuses or limits access, Paid will give you written notice explaining the reasons for the refusal (to the extent permitted by law) and the mechanisms available to you to complain about the refusal.

17.3 Fees for Access

Paid does not charge a fee for making an access request. However, where complying with an access request involves significant cost or effort, Paid may charge a reasonable fee to cover the cost of locating, retrieving and providing the requested information. Any applicable fee will be notified to you before it is charged.

17.4 Right to Correction

Under APP 13, if you believe that personal information Paid holds about you is inaccurate, out of date, incomplete, irrelevant or misleading, you have the right to request that Paid correct it.

To request a correction, contact Paid's Privacy Officer at contact@paid.inc with the subject line 'PRIVACY CORRECTION REQUEST'. Paid will respond within 30 days. If Paid makes a correction, it will take reasonable steps to notify any third parties to which the incorrect information was disclosed.

17.5 Grounds to Refuse Correction

Paid may refuse to correct personal information if Paid is satisfied that the information is accurate, up to date, complete, relevant and not misleading. Where Paid refuses a correction request, Paid will give you written notice with reasons and information about how to complain.

18. Anonymity and Pseudonymity

Under APP 2, individuals must generally have the option to interact with Paid anonymously or using a pseudonym, where this is lawful and practicable.

However, due to Paid's obligations as an AFSL holder and AUSTRAC reporting entity, it is not practicable for Paid to provide services anonymously or pseudonymously. Identity verification is a mandatory precondition for accessing the Paid Transaction Account and all payment features. Paid cannot accept anonymous or pseudonymous users for regulated financial services.

Visitors to Paid's public website (www.paid.inc) may browse without providing personal information, subject to the cookie and tracking data collected under Section 13.

19. Complaints

19.1 Complaints to Paid

If you have a complaint about how Paid has handled your personal information, or if you believe Paid has breached the Privacy Act or this Privacy Policy, contact our Privacy Officer:

(a) Email: contact@paid.inc (subject line: 'PRIVACY COMPLAINT')

(b) Post: Privacy Officer, Paid Dot Pty Ltd, 1/88 Langridge Street, Collingwood VIC 3066

Paid will acknowledge your complaint within 5 Business Days and aim to resolve it within 30 days. Where a complaint is complex or requires investigation of third-party conduct, Paid will keep you informed of progress and provide a substantive response as soon as practicable.

19.2 Escalation to the OAIC

External Complaint — Office of the Australian Information Commissioner (OAIC)

If you are not satisfied with Paid's response to your privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

Website: www.oaic.gov.au

Phone: 1300 363 992

Post: GPO Box 5218, Sydney NSW 2001

The OAIC can investigate complaints about alleged breaches of the Privacy Act 1988 (Cth) and the Australian Privacy Principles. There is no charge for lodging a complaint with the OAIC.

Time limits apply: you generally must lodge a complaint with the OAIC within 60 days of becoming aware of the act or practice complained of. Contact the OAIC for current time limit information.

20. Changes to This Policy

Paid may update this Privacy Policy from time to time as our services evolve, as privacy law changes, or as our data practices change. The current version of this Policy is always available at www.paid.inc/privacy.

Where a change to this Policy is material, particularly where it affects the way we use or disclose personal information in a way that is less favourable to individuals, Paid will notify affected individuals by email or through the Paid Platform at least 30 days before the change takes effect, where practicable.

Where a change is required immediately to comply with a law, regulatory direction or court order, Paid may update this Policy with immediate effect, with notification as soon as practicable.

Version: 2.0 | Effective Date: 23/02/2026 | Next Review: 23/02/2027

21. Glossary

Term | Meaning
AML/CTF Act | Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
APP | Australian Privacy Principle — one of 13 principles set out in Schedule 1 of the Privacy Act 1988 (Cth) that govern how APP entities must handle personal information.
APP Entity | An organisation or individual to whom the Australian Privacy Principles apply under the Privacy Act. Paid is an APP entity.
ASIC | Australian Securities and Investments Commission — Paid's financial services regulator.
AUSTRAC | Australian Transaction Reports and Analysis Centre — Australia's financial intelligence and AML/CTF regulator.
Biometric Information | Information about an individual's physiological or behavioural characteristics that can be used to identify them — including facial recognition data and fingerprints. Biometric information is sensitive information under the Privacy Act.
Business Day | A day that is not a Saturday, Sunday or public holiday in Victoria, Australia.
Corporations Act | Corporations Act 2001 (Cth).
De-identified Data | Data from which personal information has been removed or altered so that the individual is not reasonably identifiable.
Eligible Data Breach | A data breach that meets the threshold for notification under the NDB scheme — being an unauthorised access, disclosure or loss of personal information that is likely to result in serious harm to affected individuals.
FrankieOne | FrankieOne Pty Ltd — Paid's appointed identity verification and KYC/KYB provider.
Government Identifier | An identifier assigned to an individual by a government body — such as a driver's licence number, passport number, Medicare number, ABN or ACN.
KYB | Know Your Business — verification of the identity, structure and ownership of a business entity, as required by the AML/CTF Act.
KYC | Know Your Customer — verification of the identity of an individual, as required by the AML/CTF Act.
NDB Scheme | Notifiable Data Breaches scheme — the mandatory breach notification framework under Part IIIC of the Privacy Act 1988 (Cth).
OAIC | Office of the Australian Information Commissioner — Australia's independent privacy regulator.
Paid Platform | The technology platform operated by Paid Dot Pty Ltd, available at www.paid.inc, through which the Paid Transaction Account and associated services are provided.
Paid Transaction Account | The Non-Cash Payment financial product issued by Paid under AFSL 700215.
Personal Information | Information or an opinion about an identified individual, or an individual who is reasonably identifiable — whether true or not, and whether in a material form or not.
Platform Data | De-identified and aggregated data derived from user activity on the Paid Platform, used by Paid for commercial purposes as described in Section 11.
Privacy Act | Privacy Act 1988 (Cth).
Privacy Officer | The Paid employee responsible for overseeing Paid's privacy compliance. Contactable at contact@paid.inc.
Sensitive Information | A category of personal information accorded heightened protection under the Privacy Act — including biometric information, health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal record information.
Service Agreement | The Paid Service Agreement — the contract between Paid and each user governing use of the Paid Platform.
SMR | Suspicious Matter Report — a report submitted by Paid to AUSTRAC where there is a suspicion of unlawful activity.
Spam Act | Spam Act 2003 (Cth) — governs the sending of commercial electronic messages in Australia.
TTR | Threshold Transaction Report — a report submitted to AUSTRAC for cash transactions of AUD $10,000 or more.

End of Privacy Policy

Paid Dot Pty Ltd (ABN 14 642 944 278) | AFSL 700215 | Version 1.0

contact@paid.inc | www.paid.inc/privacy | 1/88 Langridge Street, Collingwood VIC 3066