Privacy Policy
Last updated: March 28, 2026
1. Introduction
ALG Pty Ltd (ABN 80 695 606 725), t/a ComplAI (“we”, “us” or “our”) understands that your privacy is important. This policy sets out how we intend to handle your personal information. For clarity, this privacy policy applies generally to our operations, including to our website located (“our website”) and our ‘ComplAI’ web-based application (together “our applications”), as well as associated applications and services (our “services”). Please note that our website and our applications are also governed by our additional terms of use as indicated on the relevant website or application.
You consent to the handling, collection, use and disclosure of your personal information, including sensitive information in accordance with this privacy policy and as otherwise permitted or required by law.
We may modify or amend this privacy policy from time to time by publishing an updated version on our website. We will notify you of any material changes to this privacy policy at least 30 days before they take effect.
2. Collection of Personal Information
2.1 Circumstances of Collection
We may collect personal information about you when we deal with each other, including when:
• we supply our services;
• you apply for a position with us;
• you access, use or upload content to websites or applications operated or provided by us (including the website and applications referred to above);
• you contact us by any method, such as post, or through our website at www.complaico.com;
• you upload compliance policies, procedures, regulatory documents, organisational data, risk assessments, or other compliance-related content to our applications;
• you authorise our applications to integrate with or access third-party services, applications or tools (such as document management systems, enterprise resource planning systems, regulatory information databases, communication platforms, cloud storage services);
• you input prompts, queries, or other content into our applications;
• you subscribe to any of our mailing or contact lists,
or otherwise as notified to you from time to time, including in any collection notice.
2.2 Collection via Third Parties
We will collect information from a third party where you have authorised our application to integrate with or access a service, application or tool provided by that third party (e.g., document management systems, enterprise resource planning systems, regulatory information databases, communication platforms, cloud storage services), including:
• Compliance policies and procedures
• Regulatory requirements and frameworks
• Organisational data and documentation
• Risk assessments and compliance records
• Audit trails and compliance evidence
• Configuration settings and metadata
There may be other occasions when we collect information about you from a third party, including where you have applied for a position with us, such as from a recruitment agency, previous employers and references, and otherwise from our service providers and contractors that perform services for us in connection with our business.
We may combine information that we hold about you with other information collected from or held by others (including our related entities, service providers and contractors). We do so as part of our normal business operations.
2.3 Automated Collection
We may also collect information through automated means, including through our website and our applications and other methods contemplated further by this privacy policy, including:
• your IP address;
• the date, time and duration of your visit;
• the parts of our website or our applications that you accessed;
• your actions on our website or our applications and associated navigation patterns;
• the browser, system or device you are using;
• usage patterns, compliance assessment activity, and feature utilisation;
• performance metrics and error logs.
Cookies
Consistent with the above, your personal information may be collected through the use of cookies, identifiers or similar technologies used to collect data (Cookies). These are small files placed on your device or computer by our website or our applications which automatically collect information about you without you providing that information to us directly.
Most browsers are set by default to accept Cookies. However, if you do not wish to receive any Cookies, you may set your browser to either prompt you whether you wish to accept Cookies on a particular site, or by default reject Cookies.
Please note that rejecting Cookies may mean that some or all of the functions on our website or our applications may not be available to you.
2.4 Analytics Information
We may also collect information about your use of our website and our applications, including by using third party services, such as Google Analytics. For further information about how Google Analytics works please refer to the following link “How Google uses data when you use our partners’ sites or apps”, (located at https://www.google.com/policies/privacy/partners/).
We use analytics to:
• Understand how users interact with our services
• Identify usage patterns and trends
• Improve service performance and user experience
• Measure the effectiveness of features
• Detect and diagnose technical issues
2.5 Third Party Services and Systems
Our website and our applications may contain links or APIs to other websites or third party services or systems, including:
• Regulatory information databases and providers
• Document management systems
• Enterprise resource planning (ERP) systems
• Cloud storage providers
• Communication and collaboration platforms
• Identity and access management services
We are not responsible for the privacy practices of those other websites or third party services or systems. We recommend that you review the privacy policies of each website that you visit or third party service or system that you use or access.
2.6 Interacting with Us Anonymously or with a Pseudonym
We generally do not permit people to deal with us anonymously or using a pseudonym other than in the context of browsing our website. If you do not provide us with your personal information, we may not be able to provide our services to you or deal with you effectively.
3. Types of Personal Information We Collect
The personal information we collect may vary depending on the nature of your interaction with us, but may include:
General Personal Information:
• Name, date of birth and contact details (email address, phone number, postal address)
• Job title, organisation name, and professional details
• Username, password and authentication credentials
• Billing and payment information (credit card details, billing address)
• Communication preferences and subscription settings
Compliance-Related Information:
• Compliance policies, procedures and documentation uploaded to our applications
• Regulatory frameworks and requirements applicable to your organisation
• Risk assessment data and compliance records
• Audit trails and compliance evidence
• Organisational structure and governance information
• Industry sector and regulatory jurisdiction information
• Compliance assessment results and gap analyses
Usage Information:
• Information about how you use our applications and services
• Features accessed and usage patterns
• Search queries and interaction history
• Feedback and support communications
• User-generated content and prompts entered into our applications
Employment Information: Where you apply for a position with us, we may also collect (including from third parties) sensitive information, including in the context of citizenship, professional history, reference and background checks. We may hold your information for future job opportunities, unless you tell us not to.
4. Using Your Personal Information
4.1 General Use
We collect and use your personal information for any purposes not prohibited by law. This includes for the purposes of carrying out the services and related functions and activities (as they are from time to time), as well as assisting entities within our corporate group to carry out their functions and activities.
4.2 Specific Use
Without limiting the above, we may use personal information for the purposes for which it was collected, for related purposes which we consider come within your personal expectations, for purposes outlined in this policy, for purposes which you otherwise consent or as otherwise permitted or required by law, including:
Service Delivery and Operations:
• To provide, operate, maintain and support our website and applications, as well as related services and features
• To facilitate integrations between our services and third party services where enabled by subscribers
• To create and manage accounts, authenticate users and administer user settings and permissions
• To provide customer service and technical support
• To process transactions, invoicing and billing
• To generate compliance assessments, regulatory mappings, risk scores, and other outputs
• To provide regulatory change alerts and compliance notifications
Service Improvement and Development:
• To enable and improve service functionality, including the development, training, testing and enhancement of features, algorithms (including AI models), compliance rules engines, regulatory interpretation capabilities, and user experience
Important limitation on AI training: We only use content marked as confidential, containing sensitive regulatory information, or relating to your specific compliance assessments, findings, or internal policies for service improvement for you individually, and not for our users or our business generally. We will only use de-identified, aggregated, non-confidential content for general enhancements to our algorithms for the benefit of all users or our business more broadly, and such use does not reveal any specific compliance issues, findings, or proprietary methodologies of your organisation.
• To conduct analytics, research and reporting to improve our services
• To measure performance and conduct quality assurance
Communications:
• To communicate with you about our services, including operational notices, security alerts, updates and administrative messages
• To provide regulatory updates and compliance-related notifications
• For marketing and promotional purposes (including sending newsletters and information about features, content, events and offers) in accordance with applicable laws and your marketing preferences
• To respond to your inquiries and support requests
Security and Compliance:
• To monitor, detect, prevent and investigate fraud, abuse, security incidents and other harmful activity
• To enforce our terms and policies
• To verify identity and prevent unauthorised access
• To maintain audit logs and compliance records
• To comply with our legal and regulatory obligations or as otherwise permitted or required by law
• To create de-identified or anonymised data (which we may use for any purpose)
4.3 Examples of Use
Some examples of how we may use your personal information are:
Service Users:
If you subscribe to our services, we use your information to provide compliance automation tools, generate regulatory assessments, provide alerts about regulatory changes affecting your organisation, manage your subscription and billing, provide technical support, and improve our services based on your usage patterns (in a de-identified manner for broader improvements).
Job Applicants:
If you are an applicant for a position with us, your personal information is used to verify your identity, assess and manage your application and potentially consider your application in the context of any future opportunities. Of course, if you are successful in your application, your information will also be used for the conduct of our business and management of your engagement with us.
Trial Users:
If you register for the free three-month trial of our Regulatory Update Alerts feature (“Trial”), we use your name, email address, organisation details, and selected industry and entity type to: create your Trial account; deliver regulatory update alerts and key impact summaries to you by email during the Trial; and communicate with you about the Trial and, at the end of the Trial period, to contact you regarding options to extend the Trial or to join the waitlist for the full ComplAI product. We do not collect credit card or billing information during the Trial. If you do not convert to a paid subscription, your account information will be retained for 90 days following the end of the Trial period, after which it will be deleted unless you have opted to join the waitlist or otherwise requested to remain in contact with us.
Marketing and Inquiries:
If you provide your contact details to us in connection with a potential acquisition of our services, other inquiry or to subscribe to a mailing list, we may use those details (including to contact you) in connection with the provision of our services, your inquiry or as part of our mailing list (which may include marketing purposes).
6. Accessing Your Personal Information
6.1 Access and Correction
You may contact us by using the details in section 9 below to request access to the information we hold about you, including for the purpose of correcting or updating that information. We take reasonable steps to ensure that your personal information is accurate, complete, and up-to-date whenever we collect or use it.
We may provide this access where required under the Privacy Act 1988 (Cth) or where we otherwise agree. In some circumstances, we may not be able to provide you with access to your personal information, such as where:
• Providing access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
• Providing access would have an unreasonable impact on the privacy of others
• The request is frivolous or vexatious
• The information relates to existing or anticipated legal proceedings
• Providing access would be unlawful
• Denying access is required or authorised by law
• Providing access would prejudice enforcement activities, negotiations, or investigative functions
If we deny your request for access, we will provide you with written reasons for the denial (unless it would be unreasonable to do so) and inform you of any complaint mechanisms available.
6.2 Data Portability and Export
You may request to export your personal information and compliance data from our applications at any time. We will provide your data in a commonly used, machine-readable format where technically feasible. Please note that some regulatory retention requirements may limit our ability to delete certain compliance-related information even after export.
7. Protecting Your Personal Information
7.1 Protection Measures
We understand the need to protect your personal information. We have put in place security measures designed to help protect your personal information from misuse, loss, and unauthorised access, including:
Technical Safeguards:
• Encryption of data in transit and at rest
• Secure authentication and access controls
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Firewall protection and network security
• Secure backup and disaster recovery procedures
Organisational Safeguards:
• Access controls and role-based permissions
• Security awareness training for staff
• Confidentiality obligations for employees and contractors
• Incident response and breach notification procedures
• Regular review and update of security policies
• Vendor security assessments and management
We select third party technology providers based on rigorous security standards and require them to implement appropriate security measures.
However, despite our security measures, we cannot guarantee absolute security. No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
7.2 Data Storage and Offshoring
We primarily store information in servers and facilities in Australia; however, information is also transferred and stored in servers and facilities in the United Kingdom, United States, and the European Union, where our cloud hosting and service providers operate.
Important Notice Regarding Offshore Disclosure:
You consent to the offshore disclosures contemplated by this privacy policy. You understand that:
• We may not be able to, and are not required to take steps to, monitor, control, prevent or determine whether the overseas entities are able to handle your personal information in accordance with the Australian Privacy Principles in the Privacy Act 1988 (Cth)
• If an overseas recipient breaches the Australian Privacy Principles, you will not be able to seek redress under the Privacy Act for any mishandling of your personal information by said overseas entities
• We take reasonable steps to ensure our overseas service providers comply with applicable privacy laws through contractual arrangements
If you do not consent to such offshore disclosure, please do not use our services or provide us with your personal information.
7.3 Retention of Your Personal Information
We retain your personal information for as long as necessary to fulfil the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law.
Specific Retention Periods:
Compliance-Related Content:
• Compliance policies, procedures, regulatory documents, risk assessments, audit trails, and similar compliance-related content are retained for a minimum of 7 years from creation or as required by applicable regulatory retention requirements, whichever is longer
• You may specify longer retention periods in our applications if required by your industry or regulatory obligations
Account Information:
• Account registration and billing information is retained for the duration of your subscription plus 7 years for tax and accounting purposes
Communications and Support:
• Customer support communications are retained for 3 years
Marketing Communications:
• Marketing preferences and communications are retained until you unsubscribe or request deletion
De-identified Data:
• De-identified and anonymised data may be retained indefinitely for analytics and service improvement purposes
Trial Accounts:
• Trial users do not upload compliance-related content to the App, and accordingly the seven-year minimum retention period for compliance-related content does not apply to Trial accounts. Account registration information (name, email, organisation details, industry and entity type) collected during the Trial is retained for 90 days following the end of the Trial period. Where a Trial user elects to join the waitlist for the full ComplAI product or requests a Trial extension, we will retain their contact details and preferences for the purpose of managing their waitlist position and communicating with them about product availability, until they request deletion or unsubscribe.
Upon Account Cancellation:
• User Content is retained for 90 days to allow for data export and transition
• After 90 days, User Content is permanently deleted unless subject to legal hold or regulatory retention requirements
• We may continue to retain anonymised, aggregated data that does not identify you or your organisation
When we no longer require your information, we take reasonable steps to ensure that your information is destroyed, de-identified, or rendered inaccessible in accordance with our data retention and destruction policies.
8. Your Rights and Choices
8.1 Marketing Communications
You may opt out of receiving marketing communications from us at any time by:
• Updating your communication preferences via our website at www.complaico.com
• Updating your communication preferences in your account settings
• Contacting us at our website at www.complaico.com
Please note that even if you opt out of marketing communications, we will still send you transactional and service-related communications (such as account notifications, security alerts, and billing information).
8.2 Model Training and Improvement
You may opt out of the use of your de-identified content for broader AI model improvement and service enhancement by adjusting your settings in the application. Please note that:
• Content relating to your specific compliance assessments and findings will never be used for broader model improvement regardless of this setting
• Basic feedback you provide (such as thumbs up/down on outputs) may still be used to improve our services
• Aggregated, anonymised usage statistics may still be collected
8.3 Third Party Integrations
You may disconnect third party service integrations at any time through your account settings. Note that disconnecting an integration will prevent the application from accessing data from that service but will not delete data previously ingested.
8.4 Account Deletion
You may request deletion of your account and associated personal information at any time by visiting www.complaico.com. Please note that:
• Compliance-related content may be retained for regulatory retention periods (minimum 7 years)
• We may retain certain information where required by law or for legitimate business purposes
• Deletion of your account is permanent and cannot be undone
9. Contact Information
If you have any queries or complaints with regards to our collection, use or management of your personal information, please contact us on our website: www.complaico.com
If you make a complaint, we will endeavour to respond within a reasonable time (usually 30 days). Our complaint handling process includes:
• Acknowledging your complaint within 5 business days
• Investigating the matter
• Providing a written response outlining our findings and any corrective action
• Working with you to resolve the issue
If you are dissatisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner by:
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au
• Website: www.oaic.gov.au
• Mail: GPO Box 5218, Sydney NSW 2001
10. Disclaimer — App Not Legal Advice; Information Purposes Only
The App and its outputs are provided for general information and reference purposes only. They do not constitute, and must not be relied upon as, legal advice, compliance advice, financial product advice, or any other form of professional advice. ALG Pty Ltd t/a ComplAI is not a law firm, legal practitioner, Australian Financial Services Licensee, or registered compliance professional and is not authorised by any legal professional body to provide legal services.
The App uses artificial intelligence and machine learning to process personal information and generate outputs. During the free Trial, outputs are limited to regulatory update alerts and key impact summaries. The full ComplAI product additionally generates compliance assessments, organisational impact analyses, redlined document drafts, risk scores, and other compliance outputs. All outputs, whether generated during the Trial or under a paid subscription, are AI outputs and may not always be accurate, complete, or current. Nothing in the App or its outputs is warranted to be free of errors, and you are responsible for independently verifying any output before acting on it.
The App and all outputs are provided on an “as is” and “as available” basis. We expressly disclaim all warranties, whether express or implied, including any implied warranty of merchantability, fitness for a particular purpose, accuracy, or currency, to the maximum extent permitted by law. Your use of information obtained through the App is at your own risk.
Nothing in the App creates a solicitor-client relationship, a compliance advisory relationship, or any other professional relationship between you and us. Information submitted to the App is not treated as legally privileged or confidential by reason of its submission alone.
11. Children’s Privacy
Our services are not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information as soon as practicable. If you believe we have collected information from a child under 18, please notify us immediately via www.complaico.com.
12. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this privacy policy, we will:
• Update the “Last Updated” date at the top of this policy
• Provide notice through our website or applications
• Notify you by email (if you have provided an email address) at least 30 days before the changes take effect
For material changes that affect how we use your personal information, we may seek your consent where required by law.
We encourage you to review this privacy policy periodically to stay informed about how we protect your information.
Your continued use of our services after the effective date of changes to this privacy policy constitutes your acceptance of those changes. If you do not agree to the changes, you should discontinue use of our services and may cancel your account in accordance with our terms of use.
13. Additional Information for Specific Jurisdictions
While this privacy policy is designed to comply with Australian privacy laws, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles, if you are located in other jurisdictions, additional rights may apply to you under local privacy laws.
For European Users (GDPR): If you are located in the European Economic Area, you may have additional rights under the General Data Protection Regulation (GDPR), including:
• Right to data portability
• Right to restriction of processing
• Right to object to processing
• Rights related to automated decision-making
For California Users (CCPA): If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA).
For information about rights specific to your jurisdiction or to exercise such rights, please contact us via www.complaico.com.