Privacy Policy

1. About This Policy

Nooriam Group (comprising Nooriam Pty Ltd ACN 654 246 509, Nooriam Sarjana Pty Ltd ACN 666 673 623, and Nooriam Alfareria Pty Ltd ACN 666 513 515, collectively “Nooriam”, “we”, “us”, “our”) is a techno-legal infrastructure company. We build legal infrastructure for the digital economy, including tools and systems for authenticating Nooriam Data Objects, registering and governing AI systems, executing programmable legal instruments, and establishing legally operative records across organisational boundaries. This Privacy Policy explains how we collect, use, disclose, and protect personal information across the Nooriam ecosystem. The Services operate across two access tiers. Certain non-confidential information held in The Registry is publicly accessible without an account. All other Services, including the full Nooriam platform and all transactional and registry management functions, are accessible only to users who hold a verified Nooriam account and are logged in. These account-required Services are collectively referred to as “Nooriam Core”. In this Policy, “Nooriam Data Object” means any data object created, registered, or authenticated through the Nooriam platform, including a Legally Authenticated System (LAS), a Legally Authenticated Dataset (LAD), a Smart Legal Contract (SLC), and any other data object product within the Nooriam ecosystem. This Policy applies to all individuals whose information we hold, whether as public users of The Registry, Nooriam Core users, counterparties, job applicants, or website visitors. Because our products process authenticated personal and legal data as a core function, we treat privacy not as a compliance checkbox but as a foundational design principle. Our Techno-Legal Infrastructure Framework (TLIF) embeds privacy-by-design at the system level, and this Policy reflects those commitments. We review this Policy regularly and revise it as our platform, products, and the applicable law evolve. The current version is published at nooriam.com. Continued use of our services constitutes acceptance of the then-current Policy. We will notify users of material changes by email or prominent website notice at least 30 days before they take effect. Questions about this Policy may be directed to our Privacy Officer at info@nooriam.com. Applicable law: This Policy is primarily governed by the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth). It also addresses obligations under the EU General Data Protection Regulation 2016/679 (GDPR), the UK General Data Protection Regulation and Data Protection Act 2018, the Singapore Personal Data Protection Act 2012 (PDPA), and applicable US state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the CPRA. Where these frameworks impose different standards, we apply the higher standard.

2. Information We Collect

2.1 Information You Provide

We may collect personal information you provide directly, including:

• Identity information: name, title, date of birth, gender, nationality, and government-issued identification documents (passport, drivers licence).
• Contact details: postal address, email address, and telephone numbers.
• Professional information: organisation, occupation, positions held, business interests, and employment history.
• Account credentials: Nooriam username, password, and profile details including profile picture and biography.
• Communications: enquiries, support requests, feedback, and other correspondence.
• Financial information: billing address, bank account details, credit or debit card information, and payment records.
• User-generated content: information, inquiries, feedback, documents, or data you upload or submit to the Nooriam platform, which may include special category data (such as health information, racial or ethnic origin, political opinions, religious beliefs, or biometric data).
• Survey and form responses: information provided through questionnaires, event registration forms, or other structured inputs. You are not obligated to provide personal information. However, withholding information that is necessary for us to perform our services may limit our ability to do so.

2.2 Information We Collect Automatically

When you interact with our website or platform, we collect certain information automatically, including:

• Device and browser information: IP address, device type and identifiers, browser type and version, and operating system.
• Usage data: pages visited, timestamps, referral URLs, resources accessed, session duration, and interaction logs.
• Inferred location: derived from IP address or device signals (not precise geolocation unless separately consented to).
• Authentication and audit logs: records of login events, access actions, and system interactions within the Nooriam platform.

2.3 Information From Third Parties

We may receive personal information from third parties including:

• Your employer, where your employer is a Nooriam customer, counterparty, or data contributor.
• Identity verification providers, credit reporting agencies, and regulatory authorities.
• Government agencies and publicly available records.
• Payment networks and financial institutions.
• Social media account providers, where you connect such accounts to our platform.
• Recruitment agencies and professional references.
• Other Nooriam customers and counterparties in connection with transactions processed through our platform.
• Referral agents and data providers, where sharing is lawful and properly authorised. Where we receive personal information about you from a third party, we will handle it in accordance with this Policy. If you provide us with information about another person, you confirm that you have their authority or consent to do so.

2.4 Data Retention and How Erasure Rights Apply

We retain personal information for as long as is reasonably necessary to fulfil the purpose for which it was collected, to satisfy our legal and regulatory obligations, and to protect the legitimate interests of both Nooriam and our users. We recognise that data held within our platform can carry real and lasting value. Authenticated records and registered Nooriam Data Objects may represent property interests that should not be extinguished easily or prematurely. Accordingly, when we assess any request to delete or remove personal information, we do not treat erasure as an automatic or unconstrained entitlement. We balance the requesting individual’s privacy rights against other interests that the law recognises as legitimate grounds for continued retention. Where deletion of personal information would affect your own property interests or the value of your registered Nooriam Data Objects, we will advise you of this before acting, so that you can make an informed decision. Three specific situations arise in which erasure of personal information either cannot be carried out or can only be carried out in a modified form.

• Multi-party records. Where personal information forms part of a record to which more than one party holds rights, such as a contract, agreement, or jointly registered asset, that record is not solely yours to remove. Other parties to the record may have their own property rights, evidentiary interests, or ongoing legal obligations that depend on the record existing and remaining intact. In those circumstances, we cannot and will not delete or alter a record unilaterally on the request of one party alone. A request to remove your personal information from a multi-party record will be assessed in light of the rights and interests of all parties. Where those rights conflict, resolution may require the agreement of all parties or, in some cases, a court order or other lawful authority. We will communicate this to you clearly when it applies.
• Registry integrity. The Nooriam platform operates, in part, as a registry: an authoritative record of what was registered, by whom, and when. Registered parties may update the publicly visible state of their entries through Nooriam Core at any time, and those updates are reflected immediately in the public-facing record. When an entry is updated, the prior state is preserved alongside the update as part of the permanent history of that entry. Nooriam does not delete registry entries or any part of the historical record of an entry. Where a party wishes to record that an entry is withdrawn, disputed, or superseded, that change is recorded as an update rather than a deletion, and both the prior state and the current state form part of the permanent record.
• Dormant and unclaimed Nooriam Data Objects. Where a user account becomes inactive and no paying party is associated with the account or its assets, those assets enter a dormant state. Nooriam will notify the account holder and allow a period of not less than 90 days to reactivate the account by reinstating a paying subscription. Where reactivation does not occur, the user is deemed to have irrevocably assigned its data rights in the relevant assets to the Trustee of the Nooriam Data Trust, a data stewardship vehicle established by Nooriam to hold and apply such assets for public interest purposes and the sustainability of the Nooriam platform. Nooriam is a beneficiary of the Trust alongside other bodies with a recognised public interest in the Trust’s assets. De-identification and anonymisation techniques are applied before any use or distribution of Trust assets, where consistent with applicable law. Full details are set out in Nooriam’s Terms of Use and data lifecycle policies. We maintain clear internal policies governing the transition of Nooriam Data Objects through active, dormant, and unclaimed states, and will publish summary information about those policies on our website. Where you wish to understand the retention period or data lifecycle applicable to your specific information or registered Nooriam Data Objects or Agents, please contact us.

3. The Registry: Special Considerations

The Registry is Nooriam’s independent legal registry for Data Objects. It is real-time, machine-readable, and legally operative across organisational boundaries. Because The Registry functions as an authoritative legal record, it carries privacy implications that are distinct from those arising in relation to other Nooriam products, and this section addresses those implications directly.

3.1 What The Registry Records

The Registry records the existence, identity, provenance, and status of registered Agents and Nooriam Data Objects. A registration event captures information about what was registered, by whom, and when. This information may include personal information about the registering party, the registered entity, or parties connected to the registered asset. Registration is a deliberate legal act. By registering an asset or Agent through The Registry, the registering party acknowledges that the fact of registration will be recorded as a persistent entry in The Registry.

3.2 Updates Are Permitted. Silent Deletion Is Not.

The Registry is a living record and registered parties can update their entries through Nooriam Core when information changes. Updates to publicly visible registry information are normal, expected, and straightforward. The current public-facing state of an entry always reflects the most recently submitted information. Updates to registry entries do not overwrite or remove prior states. Each update is recorded as a new entry in the history of the relevant record. The current state of an entry reflects the most recent update. The complete history of all prior states, and the dates on which each state was current, is preserved as part of the permanent record. Nooriam does not delete registry entries or any part of the historical record of an entry. The evidentiary and transactional value of The Registry depends on the guarantee that what was registered is recorded and that the record cannot be silently altered after the fact. A registry that permits retroactive removal of entries without trace is not a registry in any legally meaningful sense: it is a mutable database, and its records carry no greater authority than any other editable document. For this reason, Nooriam does not delete registry entries in response to erasure requests, whether under privacy law or otherwise. This position is supported by multiple distinct legal bases. First, all major privacy frameworks include a statutory exception to the right of erasure where processing is necessary for the establishment, exercise, or defence of legal claims, or where retention is required or authorised by law. These exceptions exist precisely because legislatures recognised that the right to erasure cannot be absolute where legal records and obligations are involved. The Australian Privacy Principles, the GDPR (Article 17(3)), the UK GDPR, the Singapore PDPA, and the CCPA each contain equivalent carve-outs. Second, where Nooriam’s registry functions are legally recognised, operate under contractual frameworks that give them legal effect, or are relied upon as authoritative records in legal or commercial transactions, the retention of those records may be independently authorised or required by law. Established legal registries worldwide retain historical records on this basis: the legal and evidentiary value of a registry depends on the integrity and continuity of its records, and applicable legislation governing such registries typically requires that historical records be maintained and prohibits their removal. The same principle applies to any registry that performs a legally operative function, including The Registry. Third, where a registry entry records a transaction or obligation to which more than one party is bound, deletion at the request of one party would directly prejudice the legal rights of the other. Privacy law in all major jurisdictions recognises that an individual’s privacy rights do not override the legitimate legal interests of third parties. Nooriam will continue to develop its formal legal basis for registry retention as The Registry’s role in legally recognised transactions and frameworks matures. In the meantime, the position set out above reflects both current legal authority and the structural requirements of any system that aspires to function as a reliable legal registry.

3.3 How Changes to Registry Entries Work

Where a registered party needs to reflect a change in their entry, whether an update to publicly visible information, a change in status, a transfer, a withdrawal, or a correction, they can make that change through Nooriam Core. The updated information becomes the current public-facing state of the entry. The prior state is preserved in the entry history and remains part of the permanent record. Where a party wishes to record that an entry is disputed or superseded, or where a correction is needed to address inaccurate information rather than simply updated information, contact us at info@nooriam.com. Nooriam will assess the request and record the appropriate change where all parties consent, to rectify technical errors or pursuant to a court order from a court of competent jurisdiction. Counterparties who have relied on the prior state of an entry retain the right to access the historical record.

3.4 Unregistered Agents Do Not Legally Exist

The Registry operates on the principle that if an Agent is not registered, it does not legally exist for the purposes of Nooriam’s authentication framework. Registration is the act that confers legal identity within the Nooriam ecosystem. Personal information processed in connection with registration is therefore integral to the legal existence of the registered entity and cannot be separated from the registration record without destroying the record’s legal meaning. Individuals seeking to exercise data rights in respect of information embedded in a registration entry should contact us to discuss the options available, having regard to this constraint.

3.5 What Is Publicly Visible in The Registry

The Registry distinguishes between information that is publicly visible and information that is held within Nooriam Core. Public users of The Registry, meaning any person accessing The Registry without a Nooriam Core account, can access only a defined non-confidential subset of information about a registered Nooriam Data Object or Agent. This public-facing view consists of descriptor and summary fields that identify and describe the asset at a level sufficient for verification purposes, without exposing the full detail of the underlying record or any confidential information associated with it. Nooriam Core users who are logged in and hold appropriate access permissions may be able to view additional information about assets registered by their organisation or in which they hold a recognised interest, subject to the visibility controls configured for each asset. The specific fields that are publicly visible are either determined by Nooriam as part of the standard registry architecture, or set by the registering party using the visibility controls available within Nooriam Core. Registered parties are responsible for the content of the public-facing fields associated with their assets. By registering an asset and completing any descriptor, title, narrative, or summary fields that are designated as publicly accessible, the registering party consents to that information being visible to any person who accesses The Registry, including persons who do not hold a Nooriam Core account, and accepts responsibility for ensuring that those fields do not contain personal information, confidential material, or any other content that the registering party does not intend to make publicly accessible. This responsibility is not discharged by the fact that Nooriam Core permits information to be entered in those fields: it is the registering party’s obligation to review the content of all public-facing fields before and after registration and to ensure that content accurately reflects what they have chosen to disclose. Nooriam does not review the content of public-facing fields for personal information or confidentiality prior to publication. Where a registering party discovers that a public-facing field contains information they did not intend to make publicly accessible, they should contact us promptly. We will work with the registering party to annotate or update the relevant fields through Nooriam Core, subject to the registry integrity principles described in Section 3.2 and the rights of any other parties to the record. Terms of use: The obligation to ensure that public-facing registry fields do not contain information the registering party does not wish to disclose publicly is a condition of use of The Registry. Users are directed to the Nooriam Terms of Use for the full terms governing this responsibility, including the allocation of liability where a registering party places sensitive or personal information in a public-facing field.

4. How We Use Your Information

We use personal information only for purposes that are lawful, proportionate, and disclosed to you. Our primary purposes are:

4.1 Providing and Administering Services

• Performing our contractual obligations to you or to an entity through whom you access our platform (such as your employer).
• Creating, maintaining, and securing your Nooriam account.
• Verifying your identity and conducting due diligence checks as required by our business processes and applicable law.
• Processing transactions and providing receipts, updates, and notifications.
• Enabling registration and participation in Nooriam events, training, and webinars.

4.2 Platform Development and Improvement

• Improving, developing, and maintaining our platform, products, and services, including through audit, monitoring, and analytics.
• Training and validating our AI governance tools and automated compliance instruments, using de-identified or appropriately consented data only.
• Conducting research and development and compiling statistical and market analysis data.

4.3 Communication and Marketing

• Keeping you informed about Nooriam products, services, and developments that may be relevant to you.
• Sending publications, educational materials, and marketing communications where you are on our mailing list or have otherwise consented.
• Obtaining feedback and opinions about our products and services. You may withdraw consent for marketing communications at any time by contacting us at info@nooriam.com or using the unsubscribe mechanism in any such communication.

4.4 Legal, Regulatory, and Governance Obligations

• Fulfilling our legal, regulatory, accounting, risk management, and professional obligations.
• Protecting, establishing, exercising, or defending legal rights and claims.
• Complying with lawful requests from courts, tribunals, regulatory authorities, and law enforcement agencies.
• Fraud detection, security monitoring, and other protective purposes authorised or required by law.

4.5 Employment and Recruitment

• Administering recruitment processes and, where applicable, managing your employment or contractor engagement with Nooriam.

4.6 Legitimate Interests

We may also process personal information where we have a legitimate interest that is not overridden by your rights and interests. Before relying on this basis, we conduct a balancing assessment. You may contact us to obtain information about these assessments. AI governance note: Where personal information is processed in connection with our AI systems, Smart Compliance Instruments, or automated decision-making tools, we document the processing purpose, data inputs, and any profiling logic as part of our TLIF governance framework. We do not use personal information to train external AI models without separate, specific consent.

5. Disclosure of Personal Information

5.1 Permitted Disclosures

We may share personal information with third parties in the following circumstances:

• Nooriam affiliates: Nooriam Sarjana Pty Ltd, Nooriam Alfareria Pty Ltd, and other entities within the Nooriam Group.
• Service providers: third parties engaged to provide services on our behalf, including identity verification, fraud prevention, payment processing, data storage, web hosting, IT support, marketing, legal, accounting, financial, and auditing services.
• Platform participants: counterparties, customers, and their advisers involved in transactions processed through our platform, to the extent necessary to perform those transactions.
• Professional advisers: lawyers, auditors, insurers, and other advisers bound by confidentiality obligations.
• Technology partners: cloud service providers and other technology organisations, subject to data processing agreements that require appropriate security and privacy standards.
• Research and co-promotional partners: third parties carrying out analysis or co-promotional activities on our behalf, subject to appropriate safeguards.
• Transaction parties: entities involved in a potential or actual merger, acquisition, asset sale, or similar transaction, subject to appropriate confidentiality arrangements.
• Regulatory and legal authorities: courts, tribunals, government agencies, law enforcement bodies, and regulators, where required or authorised by law.

5.2 De-identified and Aggregated Data

We may share de-identified or aggregated data with researchers, potential customers, investors, and transaction counterparties where such data cannot reasonably be used to identify you. This includes data derived from dormant or unclaimed Nooriam Data Objects, as described in Section 2.4.

5.3 International Transfers

Some personal information may be stored with or accessed by service providers located outside Australia or the EEA. Where we transfer personal information internationally, we take steps to ensure it is protected by appropriate safeguards, which may include:

• Contractual protections (including Standard Contractual Clauses approved by the European Commission for EEA transfers, and International Data Transfer Agreements for UK transfers).
• Transfers only to countries or recipients assessed as providing adequate protection.
• Binding corporate rules or other approved transfer mechanisms. Questions about international transfers may be directed to our Privacy Officer at info@nooriam.com.

6. Security

We implement technical, organisational, and physical measures designed to protect personal information against unauthorised access, modification, disclosure, loss, and misuse. These measures include access controls, encryption, audit logging, and regular security reviews. We require all personnel and third-party service providers with access to personal information to be subject to appropriate confidentiality obligations and to maintain security standards commensurate with the sensitivity of the information they handle. Transmission of information over the internet carries inherent risks that we cannot eliminate. By using our services, you acknowledge and accept this. We cannot guarantee or accept liability for data theft or unauthorised access beyond our reasonable control. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth), as amended. Where the GDPR or UK GDPR applies, we will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

7. Cookies and Tracking Technologies

Cookies are small text files placed on your device by websites you visit. We use cookies and similar technologies to operate our website, protect it against security threats, and (with your consent) understand how it is used.

7.1 Cookies We Use

• Strictly necessary cookies: required to protect the website against DDoS attacks and to secure user login and form submission processes. These do not require your consent.
• Performance and analytics cookies: used to collect aggregated, anonymised information about how visitors use our website. We deploy these only with your consent, which you may grant or withdraw via the consent manager on our website. We respect Do Not Track signals and will not deploy non-essential cookies where such a signal is detected.

7.2 Managing Cookies

You may remove cookies already stored on your device and prevent new cookies from being set through your browser privacy settings. Note that disabling certain cookies may affect the functionality of our website. Our website may contain links to third-party sites that use their own cookies, over which we have no control. We recommend reviewing the privacy policies of those sites.

8. Your Privacy Rights

Depending on your jurisdiction and the circumstances of our processing, you may have the following rights in relation to your personal information. All rights relating to erasure, deletion, or removal of data are subject to the limitations described in Section 2.4. In particular: where personal information forms part of a multi-party record, erasure cannot be effected unilaterally without the consent of all parties or other lawful authority; and where personal information appears in a registry entry, the historical record of that entry will be preserved, with any change in status noted by annotation rather than deletion. We will always communicate clearly when these limitations apply to a specific request.

8.1 Rights Under Australian Privacy Law

Under the Privacy Act 1988 (Cth) and the Privacy and Other Legislation Amendment Act 2024 (Cth):

• Access: you may request access to the personal information we hold about you.
• Correction: you may ask us to correct inaccurate, incomplete, or outdated information.
• Complaints: you may submit a complaint about our handling of your personal information. If you are not satisfied with our response within 30 days, you may refer your complaint to the OAIC at oaic.gov.au.
• Opt-out of direct marketing: you may withdraw consent to receive marketing communications at any time.
• Notifiable Data Breaches: you have the right to be notified if a data breach is likely to result in serious harm to you.

8.2 Rights Under the EU GDPR (EEA Residents)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation 2016/679:

• Right of access (Article 15): to receive a copy of your personal data and information about how it is processed.
• Right to rectification (Article 16): to have inaccurate or incomplete data corrected.
• Right to erasure (Article 17): to request deletion of your personal data where there is no longer a lawful basis for processing. This right is subject to the statutory exceptions in Article 17(3), including where processing is necessary for the establishment, exercise, or defence of legal claims, and to the limitations described in Section 2.4 of this Policy relating to multi-party records and registry integrity.
• Right to restriction of processing (Article 18): to restrict processing in certain circumstances.
• Right to data portability (Article 20): to receive your personal data in a structured, machine-readable format.
• Right to object (Article 21): to object to processing based on legitimate interests or for direct marketing.
• Rights relating to automated decision-making (Article 22): to not be subject to solely automated decisions that produce significant legal or similarly significant effects, and to request human review of such decisions. We aim to respond to GDPR requests within one month. Supervisory authority: if you are dissatisfied with our response, you may lodge a complaint with your local data protection authority.

8.3 Rights Under UK Privacy Law (UK Residents)

If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to our processing of your personal data. Your rights mirror those set out in Section 8.2, applied under UK law. In addition:

• You may lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
• International transfers of your data to countries outside the UK are governed by UK adequacy regulations or International Data Transfer Agreements (IDTAs).
• We have appointed a UK representative where required under Article 27 of the UK GDPR. Contact details are available on request. We aim to respond to UK GDPR requests within one month of receipt.

8.4 Rights Under Singapore Privacy Law (Singapore Residents)

If you are located in Singapore, the Personal Data Protection Act 2012 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2020, applies to our collection, use, and disclosure of your personal data. Your rights include:

• Access and correction: you may request access to personal data we hold about you and request correction of any data that is inaccurate, incomplete, misleading, or not up to date.
• Withdrawal of consent: you may withdraw consent to the collection, use, or disclosure of your personal data at any time, subject to reasonable notice. Withdrawal may affect our ability to provide services to you.
• Data portability (where applicable): under the PDPA data portability obligation, you may request that we transmit your personal data to another organisation in a commonly used machine-readable format, where technically feasible.
• Do Not Call obligations: where we have your Singapore telephone number, we will comply with Do Not Call Registry obligations before sending unsolicited marketing messages.
• Data breach notification: if a breach of your personal data is likely to cause significant harm, we will notify you and the Personal Data Protection Commission (PDPC) as required. You may also direct complaints to the PDPC at pdpc.gov.sg. We aim to respond to PDPA requests within 30 days.

8.5 Rights Under US Privacy Law (US Residents)

If you are located in the United States, your privacy rights vary by state. We are committed to compliance with applicable US state privacy laws, including the California Consumer Privacy Act 2018 as amended by the California Privacy Rights Act 2020 (CCPA/CPRA), and substantially equivalent legislation in other states where applicable. Where the CCPA/CPRA applies, California residents have the following rights:

• Right to know: to request disclosure of the categories and specific pieces of personal information we have collected, the sources and purposes of collection, and the categories of third parties with whom we share it.
• Right to delete: to request deletion of personal information we have collected from you, subject to the exceptions in the CCPA/CPRA and to the limitations described in Section 2.4 of this Policy, including in respect of multi-party records and registry entries where deletion would affect the rights or interests of other parties.
• Right to correct: to request correction of inaccurate personal information.
• Right to opt out of sale or sharing: we do not sell personal information. To the extent we share personal information for cross-context behavioural advertising, you may opt out.
• Right to limit use of sensitive personal information: to limit our use and disclosure of sensitive personal information to purposes reasonably necessary for providing services.
• Right to non-discrimination: exercising your privacy rights will not result in discriminatory treatment. Residents of other US states with enacted privacy legislation (including Virginia, Colorado, Connecticut, Texas, and others) have comparable rights under those frameworks. We honour verifiable consumer requests from residents of any US state with applicable privacy law. To submit a request, contact us at info@nooriam.com or by phone at +61 401 825 175. We will verify your identity before acting on your request and aim to respond within 45 days, with a possible 45-day extension where reasonably necessary.

9. Children

Our platform and services are not directed at individuals under 16 years of age and we do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.

10. Contact and Complaints

If you have questions about this Policy, wish to exercise your rights, or wish to submit a complaint, please contact:

Privacy Officer, Nooriam Group Email: info@nooriam.com Phone: +61 401 825 175 Website: nooriam.com Please allow up to 30 days for requests to be processed (45 days for US requests). If you are not satisfied with our response, you may escalate your complaint to the relevant authority for your jurisdiction:

• Australia: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
• EU: your local data protection authority.
• UK: the Information Commissioner’s Office (ICO) at ico.org.uk.
• Singapore: the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
• United States: the Federal Trade Commission (FTC) or your state Attorney General’s office.

Appendix: Legislative Framework This Policy is informed by the following legislation and frameworks:

• Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs).
• Privacy and Other Legislation Amendment Act 2024 (Cth), including amendments to the Notifiable Data Breaches scheme, the new statutory tort for serious invasions of privacy, and enhanced enforcement provisions.
• General Data Protection Regulation (EU) 2016/679 (GDPR), applicable to personal data of individuals in the EEA.
• UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, applicable to personal data of individuals in the United Kingdom.
• Personal Data Protection Act 2012 (Singapore) (PDPA), as amended, applicable to personal data of individuals in Singapore.
• California Consumer Privacy Act 2018 as amended by the California Privacy Rights Act 2020 (CCPA/CPRA), and substantially equivalent state privacy legislation in other US states.
• Nooriam Techno-Legal Infrastructure Framework (TLIF), which embeds privacy-by-design across our product suite.

This Policy was reviewed and updated in March 2026. It supersedes all prior versions. Nooriam is not a law firm and this Policy does not constitute legal advice. If you require legal advice about your privacy rights, please consult a qualified legal practitioner.