Your Privacy Matters

This Privacy Policy explains how SpenVest Pty Ltd handles personal information in connection with the SpenVest website, merchant onboarding, customer-facing features, merchant-facing features, and related services. We aim to handle personal information transparently, lawfully, and consistently with Australian privacy requirements, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles where they apply. By interacting with SpenVest, you acknowledge this Privacy Policy.

SpenVest Pty Ltd operates SpenVest. SpenVest is a behavioural commerce, rewards, and merchant growth platform designed to help merchants configure and operate promotional reward programs and help customers view reward progress, merchant-issued promotional value, and related platform activity. You can contact us using the details at the end of this Privacy Policy.

Depending on how you interact with SpenVest, we may collect:

• name
• business name
• job title or role
• email address
• phone number
• address or business location
• merchant onboarding information
• account credentials and verification-related information
• support and communication records
• device, browser, network, and usage information
• website activity and technical logs
• transaction-linked reward and eligibility records
• merchant program configuration and redemption records
• other information you provide to us voluntarily

We do not intend to collect sensitive information unless it is reasonably necessary and lawful to do so, or you consent, or another legal basis applies. We do not describe Smart Value Credits (SVC) as cash or deposit value. Where SVC-related records exist, they are handled as promotional reward and redemption records within the software workflow.

We may collect personal information:

• directly from you when you complete forms, request access, create an account, contact us, or otherwise interact with the Services
• from merchants, integration partners, or service providers where reasonably necessary to operate the platform
• automatically through website, device, analytics, security, and log technologies
• through onboarding, support, fraud prevention, verification, or operational workflows

Where practicable, we will collect personal information directly from you. In some cases we may collect it from another person or system where that is reasonably necessary for the Services.

We may collect, hold, use, and disclose personal information to:

• provide and operate the Services
• assess eligibility for access, onboarding, merchant participation, or related services
• create, administer, secure, and support accounts
• provide customer-facing and merchant-facing product features
• process and display reward, threshold, eligibility, and redemption records
• operate merchant-issued Smart Value Credits (SVC) and related promotional workflows
• communicate with you about onboarding, support, security, legal, operational, and service matters
• improve the Services, user experience, product design, and system performance
• perform analytics, troubleshooting, quality assurance, and fraud detection
• enforce our terms, protect rights and safety, and comply with legal obligations

We generally use or disclose personal information for the purpose for which it was collected, or for related purposes you would reasonably expect, or where consent or another lawful basis applies.

Where SpenVest is used to support merchant reward programs, we may process:

• merchant program settings
• threshold rules
• transaction-linked eligibility information
• issued promotional value records
• SVC balance and redemption records
• campaign usage and reporting information

This information is used to operate the software, present reward status, support redemptions, maintain reporting, and improve the platform.

• SVC records are treated as promotional store credit records under merchant rules.
• SpenVest tracks balances, eligibility, and redemption events as software records.
• SpenVest does not provide financial custody of client funds merely by tracking SVC-related data.

### Refund and adjustment data Where a refund or return is processed, SpenVest may collect and process refund transaction identifiers, refund amounts, timestamps, and the link between the refund and the original qualifying transaction. This data is used to reverse or adjust SVC, recalculate threshold progress, apply internal offsets where SVC has already been redeemed, and maintain accurate audit records. Adjustment records are retained as part of the SVC ledger for reconciliation, fraud prevention, and reporting purposes.

SpenVest provides a Loyalty Cards Wallet feature that allows customers to store and display existing third-party loyalty and membership cards within the SpenVest app for convenience at checkout. Information collected When you add a loyalty card, we may collect and store:

• loyalty program name
• store or merchant name
• card number or barcode value
• optional card nickname
• timestamps related to when the card was added or updated

Purpose of collection Loyalty card information is stored solely for display and convenience purposes within SpenVest. It is used to allow you to view your saved cards and display barcodes at checkout without carrying physical cards. What SpenVest does not do with loyalty card data

• SpenVest does not access, retrieve, or sync loyalty points, balances, or rewards from third-party loyalty programs.
• SpenVest does not connect to, authenticate with, or transmit data to third-party loyalty program providers.
• SpenVest does not track or record how, when, or whether loyalty cards are used at external merchants.
• SpenVest does not validate card numbers or barcodes against third-party systems.

Data control You can edit or delete any stored loyalty card at any time. When you delete a card, the associated information is removed from your account. Data storage Loyalty card data is stored using reasonable technical safeguards consistent with how other account data is protected. No security measure is absolute, and we cannot guarantee that stored data will never be subject to unauthorised access. Data sharing Loyalty card data is not shared with third-party loyalty program providers. It may be disclosed only in the limited circumstances described in Section 9 of this Privacy Policy (Disclosure of personal information).

We may use cookies and similar technologies to:

• keep the website and platform functioning
• improve performance and reliability
• remember preferences or session states
• protect security and detect abuse
• measure usage and improve product experience

If we use analytics or other tracking technologies, we aim to do so transparently and for legitimate operational purposes. You can usually control cookies through your browser settings, although disabling some technologies may affect site functionality.

We may send marketing or promotional communications where permitted by law. If we send commercial electronic messages regulated by Australian spam law, we aim to provide:

• appropriate consent where required
• clear sender identification
• a functional unsubscribe facility

You can opt out of marketing communications at any time using the unsubscribe option in the message or by contacting us. Service, security, legal, and transactional messages may still be sent where reasonably necessary even if you opt out of marketing communications.

We may disclose personal information to:

• our employees, contractors, and related service personnel
• hosting, infrastructure, analytics, communications, and security providers
• merchant partners, integration partners, or operational service providers where reasonably necessary
• professional advisers, insurers, auditors, and legal representatives
• regulators, courts, law enforcement, or government agencies where required or authorised by law

We take reasonable steps to ensure recipients only receive the information reasonably necessary for their role.

Some service providers or infrastructure may be located outside Australia or may store or process information outside Australia. Where overseas disclosure occurs, we aim to take reasonable steps to ensure the information is handled consistently with applicable privacy requirements. However, cross-border data handling may involve jurisdictions with different privacy regimes.

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, unauthorised disclosure, and unauthorised modification. These measures may include:

• access controls
• encryption or secure transport measures where appropriate
• authentication and credential controls
• logging, monitoring, and security review processes
• internal access limitation on a need-to-know basis

No security control is perfect, and we cannot guarantee absolute security.

We keep personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, for legal and operational requirements, for dispute handling, fraud prevention, and record-keeping, or as otherwise required or permitted by law. When personal information is no longer required, we aim to destroy it or de-identify it where lawful and reasonable.

You may request access to personal information we hold about you and request correction of information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. We may need to verify your identity before responding. We may refuse access or correction in some circumstances permitted by law, but if we do so we will generally explain why unless we are not required to.

Where lawful and practicable, you may interact with us anonymously or using a pseudonym. In many cases this will not be practical because we may need identifying information to provide support, operate accounts, assess onboarding, investigate incidents, or comply with legal obligations.

If we become aware of a data breach involving personal information, we will investigate and respond in accordance with our legal obligations and internal processes. Where Australian notifiable data breach requirements apply and an eligible data breach is likely to result in serious harm, affected individuals and the Office of the Australian Information Commissioner may need to be notified.

If you have a privacy complaint, please contact us first and provide enough detail for us to investigate. We will try to respond within a reasonable period. If you are not satisfied with our response and Australian privacy law applies, you may be able to make a complaint to the Office of the Australian Information Commissioner.

We may update this Privacy Policy from time to time to reflect changes to the Services, legal requirements, operational practices, or product development. The latest version will be made available on our website.

SpenVest Pty Ltd Email: info@spenvest.com.au Website: https://spenvest.com