Biometry Privacy Policy

(Last Updated 20 October 2025

1. Application of this Policy

The Policy applies to Biometry Solutions Pty Limited (ACN 670 238 418) (“we”, “us”, “our”).

As an Australian business entity, we are committed to complying with the Privacy Act 1988 (Cth) (“Privacy Act”) as amended from time to time, which includes the Australian Privacy Principles (“APP”). The APP regulates, among other things, the collection, storage, quality, use and disclosure of personal information.

This Privacy Policy outlines the type of personal information we collect, how that information is collected, used, stored and protected, and to whom we disclose personal information.

2. Personal information we collect

Any information or any opinion about an individual who is identified, or is identifiable, is considered to be “personal information”. We collect only information that is necessary for us to provide our products and services, which enable a digitally connected and secure identification process that facilitates the verification of an individual’s identity so as to inhibit fraud, deception and unauthorised dealings. The categories of personal information we collect include an individual’s name, contact details, date of birth, and identity documents details (such as drivers licence, passport), as well as biometric information such as facial and voice details. We also collect information about an individual’s use of our products and services with us and with other organisations.

Because facial and voice recognition details are “sensitive information” as defined under the Privacy Act, we may use that information only for identity verification purposes and we must obtain the individual’s consent to collect, store and disclose that information for that purpose. We also have an obligation to utilise a high form of security to protect that information from unlawful or unauthorised use and disclosure.

We do not collect any other “sensitive information” or Tax File Numbers.

In most cases we will receive personal information only from the individual to whom it relates, either through web browser-based applications, Android™ based application or iOS™-based applications which have been integrated by our Clients into their Customer facing environments. Our Clients will obtain their Customer’s consent to collect their personal information and provide it to us for processing on their behalf.

We may also seek to verify the personal information by accessing the individual’s personal information on various government systems such as the Document Verification Service and the Face Verification Service or from other organisations such as credit reporting agencies, document authentication service providers and other organisations affiliated to Biometry.

3. Why do we collect and use personal information

We collect and use personal information to enable us to provide a digitally connected and secure identification process that facilitates the verification of an individual’s identity so as to inhibit fraud, deception and unauthorised dealings.

We do not use personal information for direct marketing. In order to improve our services, and also for statistical purposes, we may aggregate personal information concerning numerous individuals. But when doing so, we ensure that none of the individuals are identified or identifiable.

To provide our services, we will disclose the personal information to various persons and organisations in Australia, such as banks, credit agencies and verification agencies which the individual has expressly authorised to verify that individual’s identity through our services. We may also be legally obligated to provide the information to various government or regulatory bodies and we may also be required by a court order to disclose certain information. Whenever we are lawfully able to do so, we will seek to notify that individual of our legal obligation to disclose the information.

We will never disclose personal information to other external parties unless we have that Individual’s consent.

We may rely on our clients, who are seeking to verify an individual’s identity, to obtain the individual’s consent for us to disclose that individual’s personal information to them and we will always check to ensure that the client has a documented privacy policy and is contractually obliged to keep the disclosed personal information confidential and to only use it only for the purpose of identity verification.

4. Website

When anyone browses our website, our webservers automatically collect standard information as part of the HTTP web protocol – an IP address, browser type, operating system, access time, referring sites, pages viewed and other anonymous information. We analyse web traffic including, but not limited to, the use of google analytics, to improve our services.

Our website may contain links to other sites operated by third parties. We are not responsible for the privacy practices or the content of such websites. We encourage the reading of the privacy statements in these linked sites, as their privacy policies may differ from ours.

5. Protection of personal information

We regard the security of personal information as very important. We take reasonable steps to protect the information we hold from unauthorised access and we have a number of physical and electronic protection measures in place. These include encryption, firewalls, site monitoring, intrusion detection and video surveillance. The security arrangements are reviewed and tested from time to time.

We restrict access to personal information solely to those of our employees who need to access the information to provide our identity verification services.

Our employees are subject to a Code of Conduct which includes a commitment to maintain the confidentiality of personal information.

If we become aware of a data breach, such as any unauthorised access to, or disclosure of, or loss of, any personal information we hold, we will comply with the provisions of the Notifiable Data Breaches scheme which is set out in the Privacy Act. In such circumstances:

(a) We will promptly assess whether the data breach is one which is likely to result in serious harm to any individuals to whom the information relates.

(b) If we assess there is a likelihood of serious harm to any individuals as a result of any such breach, we will promptly assess what remedial steps can be taken to prevent, contain or mitigate such harm and implement any such steps.

(c) If we are unable to completely remove the likelihood of serious harm to any individuals, we will notify the Office of the Australian Information Commissioner, and place the notification statement on our website, and take steps to notify all individuals that are at risk of suffering serious harm, so that they can take whatever action might be available to them to minimise the harm. We will also notify any entities and agencies which might be relevant to the nature of the breach.

(d) We will notify the individuals directly by email, SMS, fax or post, where we have, or can obtain these contact details, and where we can’t get these contact details, but know of someone else who has them, such as bank, we will request they notify the individuals.

(e) If we are unable to notify any affected individuals directly, we will also publish notifications in newspapers circulating in the area where affected individuals are likely to be located and also direct individuals to the statement on our website.

(f) Our notifications and statement will include our identity and contact details, a description of the data breach, the type of information which has been accessed, disclosed or lost, and recommendations as to what steps individuals can take in response to the breach.

(g) After we have complied with our notification obligations, we will review the breach and take steps to ensure a similar breach is not repeated.

We also ensure our clients are contractually bound to support us in implementing our above obligations wherever necessary. Where we deliver any personal information in the course of our services, we ensure the third parties to whom the personal information is delivered are contractually obligated to notify us of any data breach occurring within their infrastructure and to participate in the above notification obligations to whatever extent is reasonably necessary.

6. Information storage and security

Personal information is stored in our database and archived for a period we determine is necessary for compliance with laws and efficient record keeping. At present this is a minimum of 7 years. No Australian originated personal information is stored or processed or transported outside Australia without consent. Personal information originating from outside of Australia is processed or stored or transported according to the laws from where the information originated.

7. Access to and correction or deletion of personal information

Generally, the personal information we collect, process and hold is data that belongs to the individual that provided the information to us. Accordingly, that individual has the right to access that data.

Also, under APP 12, we are obligated to allow an individual, or that individual’s duly authorised representative, access to that individual’s personal information. The individual may request such access to be provided personally to that individual by contacting us using the contact details specified in section 9 below. In such cases we may charge the individual a non-excessive fee for giving the access.

If an individual whose personal information has been accessed by or on behalf of that individual believes certain information, we hold is inaccurate, that individual or the individual’s representative may ask us to correct the information. We will then, within a reasonable time, take reasonable steps to correct the information, so as to ensure it is accurate, up to date, complete, relevant and not misleading, and we will notify any entities to which we have disclosed the information, unless it’s impracticable or unlawful for us to do so. If for any reason we refuse to correct the information, then we will notify the individual or their representative of that fact and the reasons for our refusal. If the individual disagrees with our decision, that individual may lodge a complaint in the manner set out in Section 9 below (Need to contact us). We will not charge for any correction or investigation into a request.

An individual may, at any time, request us to delete some or all of the information we hold of that information by contacting us in the manner set out in Section 9 below. We will then delete that information unless we are legally obliged to retain it.

8. Changes to this policy

From time to time, it may be necessary for us to review and amend this policy. We reserve the right to amend this policy at any time. The updated policy may be accessed on our website (www.biometrysolutions.com) which should be checked from time to time by anyone who utilises or proposes to utilise our services.

9. Need to contact us

Any questions or inquiries about our Privacy Policy or any complaints about how we have handled personal information or any allegation that we may have breached any Australian Privacy Principle should firstly be directed to:

Privacy and Data Protection Officer
Biometry Solutions Pty Limited
Level 5, 285 George Street
Sydney NSW 2000
Email: [email protected]

If the complainant believes we have not satisfactorily addressed the complaint, that complainant may direct the complaint to the Office of the Australian Information Commissioner by visiting www.oaic.gov.au or by writing to GPO Box 5288 Sydney NSW 2001 or by fax to +61 2 6123 5145 or by completing the appropriate online form on that website.

10. Additional clauses for EEA and UK GDPR and CCPA

10.1. Your specific rights under the EEA/UK GDPR

Where you are either an EEA or UK Resident, you may also have certain specific privacy rights afforded to you by the GDPR.

Our obligations to you in the provision of our services are largely as a Processor. Under the GDPR, you will have the following rights in relation to how we process the personal information we hold about you (your personal data):

(a) Right to request access – by contacting us via our Privacy and Data Protection Officer, you may obtain confirmation from us as to whether or not your personal data is being processed by us, and where that is the case, request access to personal information we hold about you following our process for accessing personal information.
(b) Right to rectification – you have the right to obtain rectification of inaccurate personal data we hold concerning you.
(c) Right to erasure – you have the right to obtain the erasure of personal information we hold about you without undue delay in certain circumstances.
(d) Right to restriction of processing or to object to processing – you may require us to restrict the processing we carry out on personal information we hold about you in certain circumstances or to object to us processing your personal data.
(e) Right to data portability – you have the right to receive a copy of personal information we hold about you in a structured, commonly used, and machine-readable format.
(f) Right to withdraw consent – where you have provided your consent to us to process personal information we hold about you in a certain way, you have the right to withdraw your consent at any time. To learn more, see our Consent Management Policy (available upon request) or contact our Privacy and Data Protection Officer.
(g) Right to lodge a complaint – depending on the type of complaint, you may lodge a complaint through our Privacy and Data Protection Officer and with the relevant data protection or supervisory authority in the EU. A list of the EU data protection authorities can be found at Data Protection Authorities – European Commission (europa.eu).
We will not charge you a fee if you wish to exercise any of your rights, except where we are permitted to do so by the EEA/UK GDPR. To exercise the above rights or to learn more about your rights under the EEA/UK GDPR, please contact our Privacy and Data Protection Officer

10.2. Your specific rights under the California Consumer Privacy Act of 2018 (CCPA) and The California Privacy Rights Act 2020 (CPRA)

Where you are a Californian Resident, you may also have certain specific privacy rights afforded to you by Californian Privacy legislation, which includes:
a) Right to Know/ Access : which entails your right to disclosure of what / how we collect, use, disclose, sell or share your Personal Data (to the extent permitted by applicable law).
b) Right to Opt-out of the Sale or Sharing of your Personal Information to Third Parties , where the business sells or shares personal data with contractors, service providers and other third parties. This will specifically relate to your Right to Opt-out of behavioural advertising.
c) Right to Know and Opt-out of Automated Decision-Making Technology : Specifically, this right includes the Right to Know/Access knowledge about automated decision making, how the automated decision technologies work and what their probable outcomes are in relation to your Personal Information, allowing you to exercise your Right to Opt-out of Automated Inferences (e.g. in profiling for targeted, behavioural advertisement online).
d) Right to Limit Use and Disclosure of Sensitive Personal Information : allowing you to restrict our use and disclosure of any sensitive personal information we may hold about you. This includes consumer’s account log-in details; financial account, debit card, or credit card number in combination with a security or access code, password, or credentials; social security number, driver’s license, state ID card, or passport number; precise geo-location; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s email and text messages unless the business is the intended recipient of the communications; genetic data and biometric data; health, sex life or sexual orientation. The restriction applies to certain secondary purposes to third-parties for cross-context behavioural advertising .
e) Right to Correction/ Rectification : If you find that we hold inaccurate personal data about you, you have the right to have it corrected/ rectified.
f) Right to Request Deletion of your personal information collected or maintained by us, which extends to notifying any service providers, contractors third parties to delete as well.
g) Right to not receive discriminatory treatment by the business for the exercise of your privacy rights conferred by the Californian Privacy legislation.
h) Right to designate an authorised agent to make a verifiable request under the CCPA on your behalf to us with a copy of your power-of-attorney document granting that right.
To exercise the above rights, please contact our Privacy and Data Protection Officer. To learn more about your rights under the CCPA and CPRA contact us, the Office of the Attorney General (OAG), or the California Privacy Protection Agency (CPPA).

Sources:

[1] CPRA 1798.110: Consumers’ Right to Know What Personal Information is Being Collected. Right to Access Personal Information

[1] Note: We do not sell the personal information of Californian citizens/data subjects- nb. 1798.115. Consumers’ Right to Know What Personal Information is Sold or Shared and to Whom

[1] As above

[1] CPRA 1798.120

[1] CPRA Position does not apply to non-personalised advertising that is defined as a business purpose.

[1] CPRA 1798.130

[1] CPRA 1798.121: Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information

[1] CPRA 1798.140 Definitions: (L) Sensitive Personal Information

[1] Cross-context behavioural advertising means the targeting of advertising to a consumer based on the consumer’s personal Information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally Interacts. California Privacy Rights Act, §13(k).

[1] CPRA 1798.106.