Privacy Policy

BackPocket Technologies Pty Ltd (ACN 646 493 432) trading as BACKPOCKET APP of Level 1, 530 Little Collins Street Melbourne VIC 3000 ("we", "us" or "our") and our operation of the Platform, comprising of https://backpocket.au/, https://backpocket.tech/, https://revw.biz and mobile applications (collectively, the "Platform") is committed to respecting your privacy.

This privacy policy sets outs out how we collect, use, process, store, share and disclose your Personal Information on our Platform ("Privacy Policy"). You can view our terms and conditions (https://backpocket.au/terms) and contact us at info@backpocket.au.

We are committed to protecting your privacy and respecting and upholding your rights under the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) (as amended from time to time), the General Data Protection Regulation (EU) 2016/679 (the "GDPR"), and, where applicable, the UK GDPR and the Data Protection Act 2018 (collectively, "Privacy Laws"). We are a data controller for the purposes of the GDPR. We ensure that we will take all necessary and reasonable steps to comply with the relevant Privacy Laws and to deal with inquiries or complaints from individuals about compliance with the relevant Privacy Laws. We implement appropriate technical and organisational measures to protect Personal Information, as required under the Privacy Laws.

By accessing and using our Platform, products and services, you freely and expressly consent to the collection, use, processing, storage and disclosure of Personal Information by us as set out in this Privacy Policy.

1. Your Information

We will collect Personal Information on our Platform only by lawful and fair means and not in an unreasonably intrusive way. Generally, we will collect Personal Information directly from you, and only to the extent necessary to provide our services requested by you and to carry out our administrative functions or as required by a relevant Privacy Law.

We will not collect sensitive personal information (as defined under the relevant Privacy Laws) from you. We ask that you do not send us, or do not disclose, any sensitive personally identifiable information (such as information related to racial or ethnic origin, religion or other beliefs, health, criminal background or trade union membership) on or through the Platform or otherwise. If, contrary to this request, you do provide any sensitive personal information, in doing so you consent to us collecting and handling that information in accordance with this Privacy Policy.

We may also collect Personal Information from you when you enter a draw for the randomly generated opportunity to buy a product displayed on the Platform ("Draw"), fill in an application form, communicate with us, visit our Platform, provide us with feedback, complete online surveys or participate in competitions. We may collect Personal Information about you that you have provided to our business partners or from third parties and in respect of which you have given the third-party permission to share with us.

If you use a pseudonym when dealing with us or you do not provide identifiable information to us, we may not be able to provide you with any or all of our services as requested. If you wish to remain anonymous when you use our Platform, do not sign into it or provide any information that might identify you.

We require individuals to provide accurate, up to date and complete Personal Information at the time it is collected.

2. Information we may collect about you

Personal information is any information relating to an identified or identifiable natural person ("Personal Information"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Stripe and Outseta are online payment systems that are used to process payments on the Platform. Personal Information will be collected from you for the purpose of processing such payments.

3. What is our legal basis?

Under the GDPR, we must have a legal basis to process Personal Information collected from individuals residing in the European Union. We rely on several legal bases to process your Personal Information, including:

• where it is necessary to provide you with access to, and use of, our products, services and Platform;

• for our legitimate interests to provide, operate and improve our products, services or Platform;

• where you have freely and expressly consented to the processing of your Personal Information by us, which you may withdraw at any time; or

• where we are under a legal obligation to process your Personal Information.

4. How your information is used

We use, process and disclose your Personal Information for the purposes for which the information is collected, or for a directly related purpose, including (but not limited to):

• providing our Platform, products and services to you;

• administering, protecting, improving or optimising our Platform, products and services (including performing data analytics, conducting research and for advertising and marketing purposes);

• creating industry reports from de-identified data;

• verifying your age;

• billing you via Stripe;

• informing you about our Platform, Draws, products, services, rewards, surveys, contests, or other promotional activities or events sponsored or managed by us or our business partners;

• managing event registration and attendance;

• responding to any inquiries or comments that you submit to us, including providing support;

• conducting Draws;

• verifying your identity;

• any other purpose you have consented to; and

• any use which is required or authorised by a relevant Privacy Law.

Where we:

• have your express consent (which you may withdraw at any time by contacting us in writing at info@backpocket.au);

• have a legal basis; or

• are otherwise permitted by relevant Privacy Laws,

we may use and process your Personal Information to send you information about products and services we believe are suited to you and your interests or we may invite you to attend special events.

We do not make decisions about you that are based solely on automated processing and that have legal or similarly significant effects on you, without your knowledge and, where required by law, your consent.

At any time, you may opt out of receiving direct marketing communications from us. Unless you opt out, your consent to receive direct marketing communications from us and to the handling of your Personal Information as detailed above will continue. You can opt out by following the unsubscribe instructions included in the relevant marketing communication, or by contacting us in writing at info@backpocket.au.

4A. Online advertising, analytics and advanced matching

We use a combination of online advertising and analytics tools on the Platform to understand how users interact with our content, measure the performance of our marketing and improve the relevance of our advertising. These tools include:

• Meta Pixel (including "Automatic Advanced Matching"); and • Google tools such as Google Ads, Google Analytics 4 ("GA4") and Google Tag Manager.

These tools may use cookies, tags, pixels and similar technologies to collect information about your use of the Platform and the websites and services you visit, including your IP address, device information, browser type, pages viewed, actions taken (for example, form submissions, bookings or purchases) and the time and date of those actions.

Where permitted by relevant Privacy Laws, we may also send certain Personal Information that you have already provided to us to our advertising partners in a protected form so that it can be matched to users of their services and used for advertising and measurement purposes.

In particular:

(a) Meta Pixel and Automatic Advanced Matching

We use Meta Pixel (provided by Meta Platforms, Inc., Meta Platforms Ireland Limited and their related entities) on the Platform. Where permitted by relevant Privacy Laws, we may enable the "Automatic Advanced Matching" feature. This means that, in addition to cookies and similar technologies, we may send the following categories of Personal Information that you have already provided to us to Meta in a protected (hashed) form:

• your email address; • your phone number; • your first and last name; • your city, state and ZIP/postal code; • your country; and • an internal identifier that we allocate to you (for example, a customer or account ID) ("External ID").

Before this information is sent to Meta, it is transformed on your device using a one-way cryptographic hashing function, and Meta receives only the hashed values. Meta uses this information to:

• measure and attribute the performance of our advertising campaigns; • create and improve audiences for our advertising (including retargeting people who have visited the Platform); and • optimise delivery of our ads to people who are more likely to be interested in our products and services.

We do not use this feature to send your date of birth or gender to Meta. We also do not send Meta any sensitive information (such as health, financial or government identifier data) via this feature, and we have implemented measures to prevent such information being included in the data we share.

You can learn more about how Meta uses data from its partners here:

• Meta Pixel – Advanced Matching documentation: https://developers.facebook.com/docs/meta-pixel/advanced/advanced-matching/ • Meta Privacy Policy: https://www.facebook.com/privacy/policy

(b) Google Ads, Google Analytics and enhanced conversions

We use Google Ads, GA4 and related Google technologies (including the Google tag and Google Tag Manager) to help us measure the effectiveness of our advertising and understand how users interact with the Platform.

These tools may collect information such as your IP address, device identifiers, browser information, pages visited, actions taken on the Platform and the time and date of those actions. Google may also receive certain identifiers associated with our ads (for example Google click identifiers) so that we can measure which ads lead to visits, enquiries or conversions on the Platform.

Where we enable Google's "enhanced conversions" or similar advanced measurement features, and where permitted by relevant Privacy Laws, we may also send certain Personal Information you have already provided to us to Google in a protected (hashed) form, such as:

• your email address; • your phone number; and • elements of your postal address (for example, country and postcode),

so that Google can match conversions on our Platform back to our ads and improve our reporting and optimisation. This information is normalised and hashed before it is sent to Google in accordance with Google's requirements.

We do not send Google any sensitive information (such as health, financial or government identifier data) for enhanced conversions or similar features, and we have implemented measures to prevent such information being included in the data we share.

You can learn more about how Google collects and uses data here:

• Google Analytics – Data privacy and security: https://support.google.com/analytics/answer/10089681 • Google Ads – Enhanced conversions and customer data: https://support.google.com/google-ads/answer/9888656 • Google Privacy Policy: https://policies.google.com/privacy

(c) Your choices

You can control how cookies and similar technologies are used by adjusting your browser or device settings (for example, by blocking or deleting cookies), which may affect how some of these tools operate on the Platform. You can also manage how Meta and Google use information about your activity for advertising purposes via your account settings on their services.

Where required by relevant Privacy Laws, we will only use these tools, and share Personal Information with these partners in the protected (hashed) form described above, if we have a valid legal basis to do so (for example, your consent or our legitimate interests, as described in this Privacy Policy).

In addition, we configure these tools so that they are not used at all for users we reasonably believe are located in the European Economic Area (EEA) or the United Kingdom (UK), based on their IP address or similar location signals. This means that, for those users, we do not use Meta Pixel, Google Ads, GA4 or similar tools on the Platform.

These location‑based measures are not perfect, and may not work in all cases (for example, where a user uses a VPN or other technology that obscures their location). However, we take reasonable steps to implement these controls in accordance with the relevant Privacy Laws.

5. Disclosure of Personal Information

We may disclose your Personal Information to:

• third-parties we ordinarily engage from time to time to perform functions on our behalf for the above purposes;

• any person or entity to whom you have expressly consented to us disclosing your Personal Information to;

• our external business advisors, auditors, lawyers, insurers and financiers;

• our payment processing service provider Stripe; and

• any person or entity to whom we are required or authorised to disclose your Personal Information to in accordance with the relevant Privacy Laws.

If we no longer need your Personal Information for any of the purposes set out in this Privacy Policy, or as otherwise required by the relevant Privacy Laws, we will take such steps as are reasonable in the circumstances to destroy your Personal Information or to de-identify it.

For the purposes described in this Privacy Policy (including Section 4A (Online advertising, analytics and advanced matching)), we may also disclose or make available certain Personal Information (including hashed identifiers such as your email address, phone number, name, city, state, ZIP/postal code, country and External ID) to our advertising and analytics partners, such as Meta Platforms, Inc., Meta Platforms Ireland Limited, Google LLC, Google Ireland Limited and their related entities. These recipients may be located outside Australia and the European Economic Area, including in the United States of America and other countries whose laws may not be recognised by the EU Commission as providing an adequate level of protection for Personal Information. We take steps reasonably necessary to ensure that such disclosures are made in accordance with the relevant Privacy Laws, including by using appropriate contractual and other safeguards where required.

6. Cookies

We use cookies, web beacons and similar technologies (collectively "Cookies") on our Platform.

Cookies are small files that can be stored on and accessed from a user's device when the user accesses a Platform. They enable authorised web servers to recognise you across different Platforms, services, devices and browsing sessions.

We use different types of Cookies on the Platform:

• Strictly necessary Cookies: These Cookies are required for the operation of the Platform and to enable you to move around and use its features (for example, to keep you logged in, remember items in a cart, or provide security features).

• Functional Cookies: These Cookies help us remember your preferences (such as language or region) and improve your experience.

• Analytics and advertising Cookies: These Cookies help us understand how the Platform is used and measure and improve the performance of our marketing campaigns. As described in Section 4A, these may be set in connection with tools such as Meta Pixel and Google Ads/Google Analytics.

We use Cookies to enable users to access and use our Platform and services, including to:

• identify users of our Platform and services;

• tailoring the content on our Platform, such as adapting to your region and language needs;

• process user requests;

• improve user experience;

• remember user preferences on our Platform;

• monitor the use of our Platform and for analysis of our user base;

• facilitate communication with users;

• control access to certain content on our Platform; and

• protect our Site.

The data collected through Cookies will not be kept for longer than is necessary to fulfil the purposes mentioned above. We will handle any Personal Information collected by Cookies in the same way that we handle all other Personal Information.

You can delete and refuse to accept browser Cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of the Platform.

In addition:

• we only use analytics and advertising Cookies where we have a valid legal basis to do so (for example, where required by law, your consent); and

• we configure our analytics and advertising tools so that they are not used at all for users we reasonably believe are located in the European Economic Area (EEA) or the United Kingdom (UK), based on their IP address or similar location signals, as described in Section 4A.

Unless you have adjusted your browser setting so that it will refuse Cookies, our system will issue strictly necessary Cookies when you direct your browser to our Platform. We may also use Cookies and similar technologies in connection with the third party advertising and analytics tools described in Section 4A (Online advertising, analytics and advanced matching).

7. BackPocket Platform

When transmitting Personal Information from your computer to our Platform, you must keep in mind that the transmission of information over the internet is not always completely secure or error-free. Other than liability that cannot lawfully be excluded, we will not be liable in any way in relation to any breach of security or any unintended loss or disclosure of that information.

Children

Our Platform and Services are intended for use in accordance with the age and legal capacity requirements set out in our Terms and Conditions. If we become aware that we have collected Personal Information from a person who is not permitted to use the Platform under our Terms and Conditions, we will take reasonable steps to delete that information and, where applicable, close their Account.

8. Data Storage

We may hold your Personal Information in either electronic or hard copy. We take reasonable steps to protect your Personal Information from misuse, interference and loss, as well as unauthorised access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your Personal Information.

For example, our services and data are hosted with reputable third party providers (including, for example, cloud hosting, database and content management providers such as Vercel, Supabase and Sanity, and our payment services provider Stripe) that implement industry‑standard security measures. All data sent to and from BackPocket is encrypted in transit using strong encryption (for example, TLS with 256‑bit encryption).

We are also constantly updating and innovating to enhance our protection mechanisms. Where we enhance or update our Platform, we will attempt to do so without interrupting our services to you. We will also ensure that we provide you with an update via an email where changes are made to our Platform.

However, we cannot guarantee the security of any Personal Information transmitted over the internet and therefore you disclose information and Personal Information to us at your own risk. We will not be liable for any unauthorised access, modification or disclosure, or misuse of your Personal Information.

We may disclose your Personal Information to third party recipients such as our payment processing provider Stripe and Retailers located in or outside of the European Economic Area and Australia in order to provide our services to you and enable the Retailer to deliver products to you. As at the date of this Privacy Policy, such third-party recipients ("Recipients") are located in countries including the United Kingdom, United States of America, Australia and other countries whose laws may not be recognised by the EU Commission as providing an adequate level of protection to Personal Information.

When entering into a transaction with us, you acknowledge that your Personal Information may be disclosed or transferred to such Recipients for the purposes described in this Privacy Policy. Where required by the relevant Privacy Laws, we will only make such transfers where we have a valid legal basis (for example, your consent, our legitimate interests or the performance of a contract with you). We will take steps reasonably necessary to ensure your Personal Information is treated securely and in accordance with this Privacy Policy. We use reasonable endeavours to ensure that each Recipient receiving your Personal Information is bound by the relevant Privacy Laws (including the standard contractual clauses approved by the European Commission). The standard contractual clauses are available on the European Commission's Platform at https://ec.europa.eu/info/law/law-topic/data-protection_en.

9. Access to information

Under the GDPR, an individual residing in the European Union has enhanced privacy rights, including the right to:

• require us to correct any Personal Information held about you that is inaccurate or incomplete;

• require the deletion of Personal Information concerning you in certain situations;

• data portability for Personal Information you provide to us;

• object or withdraw your consent at any time to the processing of your Personal Information;

• object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you; or

• otherwise restrict our processing of your Personal Information in certain circumstances.

Subject to some exceptions provided by the relevant Privacy Laws, you may request access to your Personal Information in our customer account database, or seek correction of it, by contacting us. See Section 11: Contact information. Should we decline you access to your Personal Information, we will provide a written explanation setting out our reasons for doing so.

We may charge a reasonable fee that is not excessive to cover the charges of retrieving your Personal Information from our customer account database. We will not charge you for making the request.

If you believe that we hold Personal Information about you that is not accurate, complete or up-to-date then you may request that your Personal Information be amended. We will respond to your request to correct your Personal Information within a reasonable timeframe and you will not be charged a fee for correcting your Personal Information.

If we no longer need your Personal Information for any of the purposes set out in this Privacy Policy, or as otherwise required by the relevant Privacy Laws, we will take such steps as are reasonable in the circumstances to destroy your Personal Information or to de-identify it.

10. Third Party Sites

The Platform may contain links to other third-party websites, including social media networks. This Privacy Policy applies solely to information collected by us on our Platform.

11. Contact information

If you require further information regarding our Privacy Policy or wish to make a privacy complaint, please contact us in writing at info@backpocket.au.

12. Notices and Revisions

We reserve the right to modify this Privacy Policy in whole or in part from time to time without notice. Non-material changes and clarifications will take immediate effect, and material changes will take effect 30 days after the posting of the amended Privacy Policy on the Platform.

13. Enforcement

We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personally identifiable information that cannot be resolved between us and the individual.

Dated: 27 January 2026