1. Introduction

1.1 Delphi Fintek Pty Ltd (ACN 678 989 092; AUSTRAC DCE Registration No. DCE100891282-001) ("Delphi", "we", "us", "our") is committed to protecting the privacy and security of personal information we hold about you. We comply with the Privacy Act 1988 (Cth) (as amended) and the Australian Privacy Principles (APPs).

1.2 This Privacy Policy explains what personal information we collect, why we collect it, how we use and disclose it, and your rights in relation to that information.

1.3 Where our activities involve persons in the European Union, we have regard to the principles of the General Data Protection Regulation (EU) 2016/679 (GDPR) to the extent applicable.

1.4 By using our services, website, or platform, you acknowledge that you have read and understood this Privacy Policy.

1.5 For privacy enquiries, access or correction requests, or complaints, please contact our Privacy Officer:

• Email: info@delphifintek.com
• Post: Privacy Officer, 11F, 570 George St, Sydney NSW 2000, Australia

2. What Personal Information We Collect

2.1 Identity and Contact Information

When you apply for or use our services, we may collect:

• full legal name, date of birth, gender, and nationality;
• residential and business address;
• email address and telephone number;
• identity documents (passport, driver's licence, or other government-issued ID); and
• occupation, employer details, and source of funds or wealth.

2.2 Financial and Transaction Information

We collect information necessary to provide our digital currency exchange services, including:

• bank account details and financial institution information;
• digital currency wallet addresses and transaction records;
• transaction amounts, dates, and counterparties;
• net assets, annual income, and investment profile information; and
• tax residency details and Taxpayer Identification Numbers (TINs) for CRS and FATCA purposes.

2.3 Compliance Information

As a reporting entity under the AML/CTF Act, we collect information required for customer identification and due diligence (CDD), ongoing monitoring, and regulatory reporting, including:

• beneficial ownership information (individuals holding ≥ 25% of shares or effective control);
• politically exposed person (PEP) status; and
• sanctions screening results.

2.4 Technical and Usage Information

When you use our website or platform, we may automatically collect:

• IP address, device type, operating system, and browser type;
• pages visited, time spent, and clickstream data; and
• cookie data and similar tracking technologies.

2.5 Sensitive Information

We collect sensitive information (as defined under the Privacy Act) only where required by law (for example, for identity verification or AML/CTF compliance) or with your consent. We handle sensitive information with additional care in accordance with APP 3.

3. How We Collect Personal Information

3.1 We collect personal information directly from you when you:

• apply to open an account with us;
• use our services or submit transaction instructions;
• communicate with us by phone, email, or through our platform; or
• complete forms, questionnaires, or surveys we provide.

3.2 We may also collect personal information from third parties, including:

• identity verification and AML/CTF compliance service providers;
• publicly available sources (such as ASIC registers, corporate directories, and sanctions lists);
• referees or business partners; and
• other entities in our corporate group.

3.3 Where we collect personal information about you from a third party, we take reasonable steps to notify you of this collection as soon as practicable, unless it is impracticable or would undermine the purpose of collection.

4. Why We Collect and Use Personal Information

4.1 We collect and use personal information for the following purposes:

• Regulatory compliance — to comply with our obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (as amended), the Anti-Money Laundering and Counter-Terrorism Financing Rules (as amended and in force from time to time), the Privacy Act 1988 (Cth) (as amended), the Corporations Act 2001 (Cth), and other applicable laws;
• Customer identification and due diligence — to verify your identity and conduct ongoing CDD as required by law;
• Service delivery — to establish and manage your account, process transactions, and provide our digital currency exchange services;
• Risk management — to assess and manage AML/CTF, fraud, credit, and operational risk;
• Regulatory reporting — to report to AUSTRAC, ASIC, the Australian Taxation Office (ATO), and other relevant authorities as required by law, including under the Common Reporting Standard (CRS) and FATCA;
• Communications — to send you service-related notices, updates, alerts, and (where consented) marketing communications;
• Legal proceedings — to establish, exercise, or defend legal claims; and
• Internal operations — for audit, training, governance, and business improvement purposes.

4.2 If you do not provide personal information we require, we may be unable to establish or maintain your account or provide the relevant services.

5. Disclosure of Personal Information

5.1 We may disclose personal information to the following categories of recipients:

• Regulatory authorities — AUSTRAC, ASIC, ATO, the Australian Federal Police, or other law enforcement or regulatory bodies with lawful authority;
• Courts and tribunals — as required by law, subpoena, or court order;
• Third-party service providers — including identity verification providers, cloud computing services, IT support, data analytics providers, legal advisers, auditors, and compliance technology providers, under appropriate confidentiality and data protection obligations;
• Our corporate group — related entities of Delphi Fintek Pty Ltd for the purposes set out in this Policy; and
• Counterparties — where disclosure is necessary to complete a transaction you have requested.

5.2 We do not sell personal information to third parties.

5.3 We may disclose personal information to AUSTRAC and other relevant authorities without notifying you, as required or permitted by law (including the tipping-off prohibition under the AML/CTF Act).

6. Cross-Border Disclosure

6.1 Personal information may be transferred to, processed by, or stored in jurisdictions outside Australia, including Singapore, Japan, the People's Republic of China, the British Virgin Islands, and the Cayman Islands. These jurisdictions may not provide the same level of data protection as Australia.

6.2 Before disclosing personal information to overseas recipients, we take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles in relation to that information, in compliance with APP 8 of the Privacy Act 1988 (Cth) (as amended).

6.3 In some circumstances, we may seek your express consent before transferring personal information overseas. Where we have obtained your consent, you acknowledge that Australian law may not apply to the overseas recipient's handling of your information.

6.4 Certain disclosure obligations to overseas regulatory authorities (such as the exchange of financial account information under the Common Reporting Standard (CRS)) are mandatory under Australian law and do not require your consent.

7. Security of Personal Information

7.1 We implement appropriate administrative, technical, and physical safeguards to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

7.2 Security measures include, but are not limited to, access controls, encryption, secure network architecture, and staff training.

7.3 While we take all reasonable steps to protect personal information, no method of data transmission or storage is completely secure. We cannot guarantee the absolute security of information transmitted to us over the internet.

7.4 In the event of an eligible data breach (as defined under Part IIIC of the Privacy Act 1988 (Cth) (as amended)), we will comply with our notification obligations to the Office of the Australian Information Commissioner (OAIC) and to affected individuals, as required by the Notifiable Data Breaches scheme.

8. Data Retention

8.1 We retain personal information only for as long as necessary for the purposes for which it was collected, or as required or permitted by law.

8.2 Transaction records and customer due diligence documents must be retained for a minimum of 7 years following the end of the customer relationship, in accordance with section 117 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (as amended).

8.3 CRS and FATCA-related records are retained for the periods required under the Taxation Administration Act 1953 (Cth) and applicable ATO guidance.

8.4 When personal information is no longer required and we are not legally required to retain it, we take reasonable steps to destroy or de-identify it securely.

9. Cookies and Tracking Technologies

9.1 Our website uses cookies and similar tracking technologies to:

• maintain your session and remember your preferences;
• analyse website traffic and usage patterns; and
• improve the functionality and security of our platform.

9.2 You may configure your browser to refuse cookies or to alert you when cookies are being set. However, disabling cookies may affect the functionality of our website.

9.3 We do not use cookies to deliver targeted advertising.

10. Your Rights

10.1 Access (APP 12)

You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days. We may charge a reasonable fee to cover the cost of providing access. We may refuse access in limited circumstances permitted by law.

10.2 Correction (APP 13)

If you believe that personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request that we correct it. We will take reasonable steps to correct the information or, if we disagree, to associate a notation with the information.

10.3 Complaint to the OAIC

If you are not satisfied with our response to a privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

10.4 GDPR Rights (where applicable)

Where GDPR applies to our processing of your personal information (i.e., where you are in the EU), you may also have the right to request restriction of processing and, in certain circumstances, erasure of your personal data.

11. Direct Marketing

11.1 We may use your contact details to send you information about our services and updates where you have consented to receive such communications or where we are otherwise permitted to do so by law.

11.2 You may opt out of receiving marketing communications from us at any time by:

• clicking the "unsubscribe" link in any email we send; or
• contacting us at info@delphifintek.com.

11.3 Even if you opt out of marketing communications, we may still send you service-related and transactional messages as required by our legal obligations or the Terms and Conditions of your account.

12. Third-Party Websites

12.1 Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.

13. Updates to This Privacy Policy

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or regulatory requirements.

13.2 Material changes will be communicated by:

• updating this Policy on our website at www.delphifintek.com with a new version number and date; and
• where practicable, notifying you by email or through the platform.

13.3 Continued use of our services following the publication of an updated Policy constitutes your acceptance of the revised terms.