KADDIM PTY LTD — PRIVACY POLICY
Last updated: March 2026

INTRODUCTION

1.1 This Privacy Policy applies to kaddim.com, beta.kaddim.com, and all services we provide ("our Services").
1.2 In this policy, "we" (or "us" / "our") means KADDIM PTY LTD (ACN 639 897 028), a company incorporated in Australia.
1.3 We respect your right to privacy and are committed to safeguarding the privacy of our customers, their clients, and website visitors. We adhere to the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) ("Privacy Act"), as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth). This policy sets out how we collect, hold, use, and disclose your personal information.
1.4 The Kaddim platform operates as a hosted document collection and management service on behalf of organisations ("Customers"). Kaddim acts as the data processor of personal information collected and processed through the Platform. Any organisation that invites you to use our Services (the "Customer") is the data controller and determines the purposes and means of processing your personal information. If you have been invited to use Kaddim by an organisation, please contact that organisation directly if you have questions about how your personal information is being used.
1.5 This policy should be read alongside our Terms and Conditions, which govern your use of the Platform.


DEFINED TERMS

2.1 "Personal information" is defined in section 6(1) of the Privacy Act 1988 (Cth) as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
2.2 "Sensitive information" is a subset of personal information and includes information about an individual's racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, health information, and biometric data.
2.3 Financial information (such as payslips, bank statements, and tax returns) is not classified as "sensitive information" under the Privacy Act, but is treated as high-risk personal information. We apply the same level of protection to financial information as we do to sensitive information.
2.4 "Processing" means any operation performed on personal information, including collection, storage, use, disclosure, modification, and deletion.
2.5 "Content" means any documents, files, data, information, or materials uploaded to, stored on, transmitted through, or otherwise processed by the Platform, including personal information contained therein.
2.6 "Customer" means the organisation that has registered for an account on the Platform and on whose behalf personal information is collected.
2.7 "End-Client" means any individual who interacts with the Platform at the invitation of a Customer, including the Customer's clients who upload documents or provide information.
2.8 "AI Features" means features of the Platform that use artificial intelligence or machine learning technologies, including the AI-powered file renaming feature.


WHAT PERSONAL INFORMATION WE COLLECT

3.1 We collect different types of personal information depending on how you interact with the Platform.
If you are a Customer (broker/organisation):
(a) Information you provide when registering for an account, including your name, email address, phone number, company name, company address, company email, and company phone number.
(b) Payment information processed through our payment provider (Stripe). We do not store your full credit card details on our servers.
(c) Information generated through your use of the Platform, including usage data, preferences, and settings.
(d) Communications you send to us, including support requests.
If you are an End-Client (invited by a Customer):
(e) Information you provide when responding to a Customer's request, including your name, email address, and phone number.
(f) Content you upload to the Platform, including personal documents such as payslips, bank statements, identification documents, tax returns, and any other documents requested by the Customer. This Content may contain sensitive personal and financial information.
(g) Metadata associated with your documents, including file names, file types, file sizes, and upload timestamps.
If you visit our website:
(h) Technical information collected automatically, including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views, and website navigation paths. We collect this information using cookies and similar technologies (see Section 12).
3.2 We do not intentionally collect sensitive information unless it is contained within Content uploaded by or on behalf of a Customer. Where sensitive information is contained in Content, we process it solely on behalf of the Customer and in accordance with this policy.


HOW WE COLLECT PERSONAL INFORMATION

4.1 We collect personal information: (a) directly from you, when you register for an account, upload Content, submit forms, or communicate with us; (b) from Customers, when they provide information about their End-Clients or upload Content on their behalf; (c) from End-Clients, when they upload documents or provide information through the Platform at a Customer's invitation; (d) automatically, through cookies and similar technologies when you visit our website or use the Platform; and (e) from third-party sources, where necessary to provide or improve our Services.
4.2 If you are an End-Client uploading documents to the Platform, you are providing personal information directly to Kaddim. A brief collection notice will be displayed at the point of upload. However, the Customer who invited you remains the data controller and is responsible for informing you about the purposes and scope of the collection.
4.3 Before disclosing to us the personal information of another person, you must obtain that person's consent to both the disclosure and the processing of that personal information in accordance with this policy. This applies to all Content containing personal information of third parties. Customers are responsible for ensuring that their End-Clients are informed about the collection and processing of their personal information through the Platform, including the use of AI Features.


HOW WE USE PERSONAL INFORMATION

5.1 We use personal information for the following purposes:
(a) To provide, operate, and maintain the Platform and Services.
(b) To process Content on behalf of Customers, including through AI Features (see Section 6).
(c) To manage Customer accounts, process payments, and administer subscriptions.
(d) To communicate with you about the Services, including sending service-related notifications, updates, and support responses.
(e) To improve the Platform, including by analysing usage patterns and identifying areas for enhancement.
(f) To comply with our legal obligations, including under the Privacy Act, taxation laws, and other applicable legislation.
(g) To establish, exercise, or defend our legal rights.
5.2 We will only use Content as strictly necessary to provide the Services to the Customer. We will not view, access, or use Content for our own purposes, except as required to deliver the Services (including AI Features) or as required by law.
5.3 We may contact Customers by telephone, email, SMS, or mail for service-related communications. We will not send marketing communications without the Customer's consent, and the Customer may opt out of marketing communications at any time.


AI FEATURES AND AUTOMATED PROCESSING

6.1 The Platform includes AI Features that use artificial intelligence technologies to assist with document management. Current AI Features include automated file renaming, which analyses the contents of uploaded documents to suggest appropriate file names.
6.2 To deliver AI Features, the contents of uploaded documents (which may include personal information) are transmitted to our AI service provider, Google LLC, via the Google Vertex AI platform, for processing.
6.3 Our AI service provider operates under a zero data retention policy. This means: (a) document contents transmitted for AI processing are not stored or retained by Google after processing is complete; (b) document contents are not used by Google to train, improve, or develop its AI models; and (c) processing is performed in accordance with Google's Data Processing Addendum.
6.4 AI Features may produce outputs that are inaccurate, incomplete, or unreliable. We do not warrant the accuracy of any AI-generated output. Users are solely responsible for reviewing and verifying AI-generated outputs before relying on them. AI Features do not constitute legal, financial, taxation, or any other form of professional advice.
6.5 We may introduce additional AI Features from time to time. Where new AI Features involve materially different processing of personal information, we will update this Privacy Policy and notify Customers in accordance with our Terms and Conditions.


DISCLOSURE OF PERSONAL INFORMATION

7.1 We may disclose personal information to the following categories of recipients:
(a) Our employees, officers, and contractors, to the extent necessary to provide the Services.
(b) Our Sub-Processors and service providers, including: cloud infrastructure providers (which may include Google Cloud Platform, Amazon Web Services, and Digital Ocean); AI service providers (Google LLC via Vertex AI, for AI Features); payment processing providers (Stripe, for payment processing); email and communication service providers (for transactional notifications); and analytics providers (for website analytics and service improvement).
(c) Our professional advisers, including lawyers, accountants, and insurers.
(d) Law enforcement agencies, regulatory bodies, or courts, where required or authorised by law.
(e) A prospective purchaser or successor of all or a substantial part of our business, in the event of a sale, merger, or restructuring, provided that the recipient agrees to be bound by obligations no less protective than those in this policy.
7.2 We will not, without your express consent, supply your personal information to any third party for the purpose of their or any other third party's direct marketing.
7.3 The categories of our Sub-Processors are set out in this Privacy Policy. For further detail, please contact support@kaddim.com. We will update this policy when Sub-Processors materially change.


CROSS-BORDER DATA TRANSFERS

8.1 Our primary infrastructure is located in Australia. However, in the course of delivering the Services, personal information may be transferred to or processed in countries outside Australia in the following circumstances:
(a) AI processing via Google Vertex AI may involve data being processed in jurisdictions where Google operates its infrastructure.
(b) Some of our Sub-Processors and service providers may operate infrastructure or have personnel in countries outside Australia.
8.2 Where personal information is transferred outside Australia, we take reasonable steps to ensure that the overseas recipient handles the information in a manner consistent with the APPs, including by: (a) selecting reputable service providers with publicly available data processing terms and privacy commitments that are consistent with the APPs; and (b) reviewing the recipient's published privacy and security practices.
8.3 Where it is not practicable to specify all countries in which personal information may be processed, we will provide information about the general regions involved upon request.
8.4 If you would like further information about the countries in which your personal information may be processed, please contact us at support@kaddim.com.


DATA RETENTION AND DELETION

9.1 We retain personal information only for as long as is reasonably necessary for the purposes set out in this policy, or as required by applicable law.
9.2 Our general retention periods are as follows:
(a) Customer account data (name, email, company details): retained for the duration of the Customer's subscription, plus ninety (90) days after termination.
(b) Content (documents, files, and associated metadata): retained for the duration of the Customer's subscription. Upon termination, the Customer has thirty (30) days to request an export. Content is permanently deleted within ninety (90) days of termination.
(c) AI processing data: not retained. Our AI service provider operates under a zero data retention policy.
(d) Payment records: retained as required by applicable taxation law (currently seven years under Australian tax law).
(e) Support correspondence: retained for up to twenty-four (24) months after the last communication, unless related to an ongoing dispute or legal matter.
9.3 We may also retain personal information: (a) to the extent required by applicable law; (b) where we reasonably believe the information may be relevant to ongoing or prospective legal proceedings; or (c) to establish, exercise, or defend our legal rights.
9.4 When personal information is no longer required, we will take reasonable steps to securely destroy or de-identify it.


SECURITY OF PERSONAL INFORMATION

10.1 We take the security of personal information seriously. In accordance with Australian Privacy Principle 11 and the Privacy Act 1988 (Cth), we implement appropriate technical and organisational measures to protect personal information against unauthorised access, modification, disclosure, loss, misuse, or destruction.
10.2 Our security measures include: (a) encryption of data in transit and at rest; (b) access controls and authentication mechanisms; (c) regular security assessments and monitoring; (d) staff training on data protection and security practices; and (e) contractual security requirements imposed on Sub-Processors.
10.3 You acknowledge that the transmission of information over the internet carries inherent risks, and we cannot guarantee the absolute security of data transmitted to or from the Platform.
10.4 You are responsible for keeping your account credentials confidential and for notifying us immediately if you become aware of any unauthorised access to your account.


DATA BREACH NOTIFICATION

11.1 In accordance with Part IIIC of the Privacy Act 1988 (Cth) (the Notifiable Data Breaches scheme), if we become aware of a data breach that is likely to result in serious harm to any individual, we will: (a) take immediate steps to contain and remediate the breach; (b) assess whether the breach is an "eligible data breach" under the Privacy Act; (c) notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by law; and (d) where the breach involves Customer Personal Information, notify the affected Customer without undue delay, and in any event within seventy-two (72) hours, to enable the Customer to meet its own notification obligations.
11.2 We use reasonable endeavours to maintain documented procedures for identifying, containing, assessing, and responding to data breaches.


COOKIES AND WEBSITE TRACKING

12.1 When you visit our website or use the Platform, we may use cookies and similar technologies to collect information about your browsing activity.
12.2 We use the following types of cookies:
(a) Essential cookies: necessary for the Platform to function, including session management and authentication. These cannot be disabled.
(b) Analytics cookies: used to understand how visitors interact with our website and to improve the user experience. We use Google Analytics for this purpose. Google Analytics collects information such as pages visited, time on site, and referral sources. This information is aggregated and anonymised where possible.
(c) Functional cookies: used to remember your preferences and settings.
12.3 You can manage your cookie preferences through your browser settings. Disabling non-essential cookies may affect your experience of the Platform. For more information about how Google processes data through Google Analytics, visit Google's privacy policy.
12.4 Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policies of any third-party website you visit.


YOUR RIGHTS

13.1 Under the Privacy Act, you have the following rights in relation to your personal information held by us:
(a) Access: you may request access to the personal information we hold about you.
(b) Correction: you may request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
(c) Deletion: you may request, on reasonable grounds, that we delete your personal information. We will comply with such requests unless we are required or authorised by law to retain the information, or the information is necessary for an ongoing legitimate purpose.
(d) Restriction: you may request, on reasonable grounds, that we restrict the processing of your personal information.
(e) Withdrawal of consent: where our processing of your personal information is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
13.2 To exercise any of these rights, please contact us at support@kaddim.com. We will endeavour to respond to your request within a reasonable timeframe. We may need to verify your identity before processing your request.
13.3 If you are an End-Client and your personal information was provided to us by a Customer, we may need to refer your request to the Customer. We will assist the Customer in responding to your request to the extent reasonably practicable.
13.4 There is no fee for making a request or for us to comply with a request, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee.


COMPLAINTS

14.1 If you believe we have breached your privacy or have not handled your personal information in accordance with this policy or the APPs, you may lodge a complaint with us.
14.2 To lodge a complaint, please contact us at: Email: support@kaddim.com. Please include a detailed description of your complaint and any supporting information.
14.3 We will acknowledge your complaint and will investigate and respond within a reasonable timeframe. If the matter is complex, we may notify you that we need additional time.
14.4 If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Details are available at www.oaic.gov.au.


CHILDREN'S PRIVACY

15.1 The Platform and our Services are designed for use by businesses and individuals over the age of eighteen (18). We do not knowingly collect personal information from individuals under the age of eighteen.
15.2 If we become aware that we have inadvertently collected personal information from an individual under the age of eighteen without appropriate consent, we will take reasonable steps to delete that information promptly.


AMENDMENTS TO THIS POLICY

16.1 We may amend this policy from time to time by publishing an updated version on our website.
16.2 For material changes to this policy (including changes to how we use personal information, the introduction of new AI Features, or changes to our Sub-Processors), we will notify Customers by email within a reasonable timeframe before the changes take effect.
16.3 For minor changes (including clarifications, corrections, or formatting updates), we will publish the updated policy on our website.
16.4 We encourage you to review this policy periodically to stay informed about how we protect your personal information.


CONTACT US

17.1 If you have any questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, please contact us at:
Privacy and Support Contact
KADDIM PTY LTD
Email: support@kaddim.com


GOVERNING LAW

18.1 This policy is governed by the laws of New South Wales, Australia. You submit to the jurisdiction of the courts of New South Wales, Australia, in relation to any dispute arising under or in connection with this policy.

KADDIM PTY LTD — ACN 639 897 028