Privacy Policy

Last Updated: 30 January 2026

1. Introduction

1.1 About This Policy

This Privacy Policy explains how Tillered Holdings Pty Ltd, Tillered Australia Pty Limited, and their related entities (collectively referred to as “Tillered”, “we”, “us”, or “our”) collect, use, disclose, and protect personal information in accordance with applicable privacy laws in the jurisdictions where we operate.

This policy applies to all personal information collected by Tillered, whether through our websites, products, services, business operations, or any other interactions with us.

1.2 Applicable Laws

Tillered is committed to providing quality services while respecting your privacy rights. This policy has been designed to comply with the following privacy legislation:

  • The Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Australia)
  • The Privacy Act 2020 (New Zealand)
  • The General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR), where applicable to international transfers

1.3 Your Consent

By engaging with Tillered, including using our websites, products, or services, you agree to the collection and use of your personal information as set out in this Privacy Policy.

A copy of the Australian Privacy Principles may be obtained from the Office of the Australian Information Commissioner at www.oaic.gov.au.

2. Personal Information We Collect

2.1 Types of Personal Information

Personal information is information or an opinion that identifies an individual. We may collect the following types of personal information:

  • Identification details – name, title, organisation, role, date of birth
  • Contact details – email address, phone number, postal address, business address
  • Account and profile information – login credentials, usernames, passwords, preferences, communication settings
  • Transaction information – records of products or services you purchase or use from us, billing information, payment details
  • Communication records – emails, support tickets, feedback, survey responses, correspondence, interview notes
  • Technical and usage information – IP address, device identifiers, browser type, operating system, pages viewed, access times, and other usage data collected via cookies or similar technologies
  • Business records – contractual documentation, compliance records, regulatory submissions

2.2 Sensitive Information

Sensitive information is a subset of personal information that is afforded a higher level of protection under the Privacy Act 1988, section 6. It includes information such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health information, sexual orientation, biometric data, and criminal records.

Tillered will only collect sensitive information where:

  • It is reasonably necessary for one or more of our primary purposes
  • It is directly related to a secondary purpose and you would reasonably expect us to collect it
  • You have provided your express consent
  • We are required or authorised by law to do so

2.3 How We Collect Personal Information

Where reasonably practicable, we collect personal information directly from you, for example:

  • When you register for an account or subscribe to our services
  • When you contact us via email, phone, or online forms
  • When you attend meetings, interviews, or events
  • When you use our websites, products, or platforms
  • When you apply for a position with us

We may also collect personal information from third parties where permitted by law, including:

  • Your employer or organisation
  • Business partners and referral sources
  • Publicly available sources and government registries
  • Third-party analytics and marketing platforms

Where we collect personal information about you from a third party, we will take reasonable steps to ensure that you are made aware of the information collected and the circumstances of the collection.

2.4 Consequences of Not Providing Information

If you do not provide the personal information we request, we may not be able to provide some or all of our services to you, process your requests, or fulfil our contractual or regulatory obligations.

3. Purposes for Collecting and Using Personal Information

3.1 Primary Purposes

We collect and use personal information for the following primary purposes:

  • To provide, deliver, and improve our products and services
  • To manage our relationship with you, including account administration and customer support
  • To operate, maintain, and improve our website and online platforms
  • To communicate with you, including responding to enquiries and providing updates
  • To comply with applicable laws, regulations, and industry standards, including compliance frameworks such as ISM, ISO 27001, SOC 2, Essential Eight, DISP, ITAR, and DSPF
  • To meet our legal obligations, including tax, record-keeping, and reporting requirements
  • To establish, exercise, or defend legal claims
  • To support internal business administration, including auditing, analytics, and quality assurance
  • For any other purpose authorised or required by law, or to which you have consented

3.2 Ancillary Purposes

We may also use personal information for ancillary purposes that are closely related to the primary purpose, in circumstances where you would reasonably expect such use. If we intend to use your information for a purpose that is not related to the original purpose of collection, we will seek your consent before doing so, unless otherwise permitted by law.

3.3 Marketing Communications

We may use your personal information to send you marketing communications about our products, services, offers, and events that may be of interest to you. We comply with anti-spam requirements under the Spam Act 2003 (Australia) and equivalent legislation. You can unsubscribe from marketing communications at any time by:

  • Following the unsubscribe instructions in any marketing email
  • Contacting us in writing using the details in Section 13
  • Updating your communication preferences

4. Disclosure of Personal Information

4.1 Categories of Recipients

We may disclose your personal information to the following categories of recipients:

  • Internal personnel – employees, officers, directors, contractors, related entities, and subsidiaries of Tillered who require access to perform their duties
  • Third-party service providers, including:
    • IT hosting and cloud infrastructure providers
    • Security and cybersecurity service providers
    • Analytics and monitoring platforms
    • Communications and marketing platforms
    • Payment and financial service providers
    • Professional advisers (such as lawyers, accountants, and auditors)
  • Your organisation or employer – where you access our services through an enterprise arrangement or where your employer has engaged us to provide services
  • Regulatory and government authorities, including:
    • Regulators and oversight bodies
    • Law enforcement agencies
    • Defence and national security agencies
    • Tax and revenue authorities
  • Integration partners – third parties whose services integrate with our products, subject to ISO 27001 and data protection agreement requirements
  • Third parties with your consent – where you have authorised the disclosure
  • Acquirers or successors – in the event of a merger, acquisition, business restructure, or sale of all or part of our business, subject to confidentiality obligations

4.2 Safeguards for Third-Party Disclosures

When disclosing personal information to third parties, we take reasonable steps to ensure that:

  • The recipient is bound by obligations consistent with the Privacy Act 1988, the Privacy Act 2020, and the APPs
  • Appropriate technical safeguards are in place, including encryption, Microsoft Entra ID integration, and access controls
  • Data protection agreements are executed with all third-party recipients
  • Regular audits and assessments are conducted to verify compliance

4.3 Circumstances for Disclosure

We may disclose personal information in the following circumstances:

  • Where you have provided your consent to the disclosure
  • Where the disclosure is required or authorised by law
  • Where the disclosure is necessary to provide our services to you
  • Where the disclosure is necessary to protect the rights, property, or safety of Tillered, our customers, or the public

5. International Transfers and Cross-Border Disclosure

5.1 Overseas Transfers

Some of the third parties to whom we disclose personal information, and some of our own systems and infrastructure, may be located outside Australia and New Zealand. This may include transfers to entities or service providers located in:

  • The United States of America
  • Countries within the European Economic Area (EEA)
  • The United Kingdom
  • Singapore
  • Other jurisdictions where our service providers, cloud infrastructure, or business partners operate

5.2 Compliance with Australian Privacy Principles (APP 8 – Cross-border disclosure)

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that:

  • The recipient does not breach the Australian Privacy Principles in relation to the information
  • The recipient is subject to a law or binding scheme that provides substantially similar protections
  • Appropriate contractual protections are in place
  • We have assessed the privacy practices and applicable laws of the recipient’s country

5.3 Compliance with New Zealand Privacy Act (IPP 12)

Where personal information is disclosed to an overseas recipient under the New Zealand Privacy Act 2020, we ensure compliance with Information Privacy Principle 12 (IPP 12). We take reasonable steps to ensure that:

  • The overseas recipient is subject to privacy protections that are comparable to those under New Zealand law
  • The recipient is subject to enforceable privacy obligations
  • Appropriate contractual safeguards are implemented
  • The individual is informed and, where necessary, consents to the transfer

5.4 International Transfers under GDPR and UK GDPR

5.4.1 Scope. Where the GDPR or UK GDPR applies to our processing of personal data, we ensure that any transfer of personal data to a country outside the EEA or the United Kingdom is carried out in accordance with the applicable transfer requirements. In the context of Tillered’s operations, this may arise where we act as a controller or processor of personal data relating to individuals in the EEA or the United Kingdom, including in connection with product licensing, installation, support, or related services.

5.4.2 Transfers to New Zealand. The European Commission has recognised New Zealand as providing an adequate level of data protection. Accordingly, transfers of personal data from the EEA to New Zealand may take place without requiring additional safeguards (adequacy decision). We ensure compliance with the following conditions:

  • The transfer is within the scope of the adequacy decision
  • We monitor any changes to the adequacy status
  • Supplementary measures are implemented where required

5.4.3 Transfers to Australia. Australia has not received an adequacy decision from the European Commission. For transfers of personal data from the EEA or the United Kingdom to Australia, we rely on Standard Contractual Clauses (SCCs), specifically Module 2 (Controller to Processor), as adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, to provide appropriate safeguards. The SCCs include:

  • Annex I: details of the transfer (parties, data subjects, categories of data, transfer purpose)
  • Annex II: technical and organisational measures
  • Annex III: list of sub-processors (where applicable)

5.4.4 Alternative SCC Modules and Roles. Where the nature of the data transfer requires a different module (for example, Module 1: Controller to Controller, Module 3: Processor to Processor, or Module 4: Processor to Controller), we will implement the appropriate SCC module corresponding to the roles and relationships of the parties involved. The applicable module will be specified in the data protection schedule agreed between the parties.

5.4.5 Local Law and Supplementary Measures. Where required, we carry out transfer impact assessments to evaluate whether the laws of the destination country provide an essentially equivalent level of protection. Where deficiencies are identified, we implement supplementary measures, including:

  • Encryption of diagnostic logs and personal data in transit and at rest
  • Strict access controls with multi-factor authentication
  • Minimisation of personal data transferred
  • Onward transfer restrictions
  • Regular security audits and penetration testing
  • Contractual prohibitions on government access beyond what is required by law

6. Website, Cookies, and Analytics

6.1 Cookies and Similar Technologies

When you visit our website at www.tillered.com and related domains, we may collect certain information automatically using cookies and similar technologies. We use cookies for the following purposes:

  • To understand and improve user experience
  • To personalise content and features
  • To analyse website performance and usage patterns
  • To monitor security and prevent fraud
  • To deliver relevant marketing communications

6.2 Managing Cookies

You can manage or disable cookies through your browser settings. Please note that disabling cookies may affect the functionality of our website and your ability to access certain features. For more information about cookies, visit www.aboutcookies.org or www.allaboutcookies.org.

6.3 Third-Party Links and Services

Our website may contain links to third-party websites or services. These third parties have their own terms of use and data collection practices. We are not responsible for the privacy practices of those third parties, and we do not guarantee the security or accuracy of information collected by them. We encourage you to review the privacy policies of any third-party websites you visit.

7. Storage, Security, and Retention

7.1 Security Measures

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, in accordance with the Privacy Act 1988, the Privacy Act 2020, and applicable data security standards. Our security measures include:

  • Technical measures – encrypted databases, secure cloud infrastructure, firewalls, intrusion detection systems (IDS), multi-factor authentication (MFA), and secure network architecture
  • Access controls – Microsoft Entra ID, privileged access management, least-privilege principles, and regular access reviews
  • Organisational measures – information security policies, staff training, background checks, and confidentiality agreements
  • Physical measures – secure facilities, restricted data centre access, visitor management, and environmental controls
  • Monitoring – continuous monitoring, audit logging, SIEM (Security Information and Event Management), and regular security assessments
  • Compliance frameworks – ISO 27001:2022, SOC 2, Essential Eight ML2, ISM, and DISP

7.2 Storage Methods

Personal information may be stored in electronic and/or hard copy form using a combination of methods, including:

  • Our own information systems and infrastructure, located in Australia and/or approved jurisdictions
  • Systems operated by third-party service providers on our behalf
  • Encrypted databases and approved collaboration platforms
  • Physical files in access-controlled facilities, where applicable

7.3 Retention Periods

We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Retention periods vary based on the nature of the information, legal, regulatory, and contractual obligations, business requirements, and audit requirements.

Typical retention periods include:

  • Customer and contract records – duration of the contract plus 7 years
  • Financial and taxation records – 7 years from the end of the financial year
  • Employee records – duration of employment plus 7 years
  • Audit and compliance records – as required by applicable regulatory obligations
  • Marketing and communications – until you unsubscribe or withdraw consent, or as required by law

7.4 Secure Disposal

When personal information is no longer required, we take reasonable steps to destroy or de-identify it. Our disposal methods include:

  • Cryptographic wipe or secure erasure for digital media and storage devices
  • Cross-cut shredding or incineration for physical documents
  • De-identification or anonymisation where retention is required for statistical or analytical purposes
  • Secure disposal certificates from approved vendors

7.5 Data Breach Management

A data breach occurs when personal information held by Tillered is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. We have established procedures for responding to data breaches. In the event of a suspected or actual data breach, our response includes:

  • Contain the breach to prevent further unauthorised access or disclosure
  • Preserve logs, records, and evidence related to the breach
  • Convene the incident response team
  • Assess the nature, scope, and severity of the breach
  • Determine whether the breach is notifiable under applicable legislation
  • Take steps to reduce the risk of harm to affected individuals
  • Implement improvements to prevent recurrence
  • Keep records of the breach, response actions, and outcomes

8. Access, Correction, and Your Rights

8.1 Right to Access

You have the right to request access to the personal information we hold about you, in accordance with the Privacy Act 1988 and the Privacy Act 2020. To make an access request, please contact our Privacy Officer using the details in Section 13.

8.2 Identity Verification

For the protection of your personal information, we may require you to verify your identity before processing an access or correction request. Verification methods may include government-issued identification, verification of account details, or other reasonable means.

8.3 Access Fees

No fee is charged for making an access request. However, an administrative fee may apply for providing copies of documents or compiling information in a particular format.

8.4 Right to Correction

You have the right to request that we correct any personal information we hold about you that is inaccurate, incomplete, out of date, irrelevant, or misleading. To request a correction, please contact our Privacy Officer using the details in Section 13.

Where we correct personal information that we have previously disclosed to a third party, we will take reasonable steps to notify the third party of the correction.

8.5 Refusal of Access or Correction

We may refuse an access or correction request in certain circumstances, including where:

  • Providing access would pose a serious threat to the life, health, or safety of any individual
  • Providing access would have an unreasonable impact on the privacy of others
  • The request is frivolous or vexatious
  • The information relates to existing or anticipated legal proceedings and would not normally be discoverable
  • Providing access would prejudice negotiations with you
  • Providing access would reveal commercially sensitive decision-making processes or trade secrets
  • Providing access would prejudice enforcement activities, an investigation, or national security
  • Denying access is required or authorised by or under an Australian law or a court or tribunal order

If we refuse a request, we will provide you with written reasons for the refusal and the mechanisms available to you to make a complaint.

8.6 Response Timeframes

We will respond to access and correction requests within the following timeframes:

  • Australia – within 30 calendar days of receiving the request
  • New Zealand – as soon as reasonably practicable, and no later than 20 working days

If we require additional time, we will notify you and provide an estimated timeframe for our response.

8.7 Maintaining Data Quality

We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up to date, complete, relevant, and not misleading. We encourage you to keep your information current and to notify us of any changes.

9. Direct Marketing and Communications

9.1 Marketing Communications

We may send you direct marketing communications about our products, services, events, and promotions where permitted by applicable law. We comply with:

  • The Spam Act 2003 (Australia)
  • The Unsolicited Electronic Messages Act 2007 (New Zealand)
  • Other applicable anti-spam and direct marketing laws
  • Your communication preferences

Marketing communications may be delivered via:

  • Email
  • SMS
  • Telephone
  • Mail
  • In-product notifications

9.2 Opt-Out and Unsubscribe

You may opt out of receiving marketing communications at any time by:

  • Using the unsubscribe link or mechanism provided in the communication
  • Replying ‘STOP’ or ‘UNSUBSCRIBE’ to SMS messages
  • Contacting our Privacy Officer (see Section 13)
  • Updating your communication preferences in your account settings

We will process your opt-out request as soon as practicable. Please note that even if you opt out of marketing communications, we may still send you transactional and service-related communications.

9.3 Ongoing Relationship Communications

Regardless of your marketing preferences, we may continue to send you communications that are necessary for the management of your account or our relationship, including:

  • Account administration and service updates
  • Billing, payment, and transaction notifications
  • Security, system, and critical alerts
  • Responses to your enquiries and support requests
  • Legal, regulatory, and compliance communications

10. Notifiable Privacy Breaches and Notification

10.1 What is a Notifiable Privacy Breach

Under the Notifiable Data Breaches (NDB) scheme in Australia and Part 7 of the Privacy Act 2020 (NZ), a notifiable privacy breach occurs when there is unauthorised access to, or unauthorised disclosure of, personal information, or loss of personal information, in circumstances where:

  • A reasonable person would conclude that the breach is likely to result in serious harm to any affected individual
  • The entity has not been able to prevent the likely risk of serious harm through remedial action
  • The breach meets the threshold for notification under applicable legislation

10.2 Assessment of Serious Harm

In assessing whether a breach is likely to result in serious harm, we consider the following factors:

  • The sensitivity and volume of the personal information involved
  • Who has obtained or may obtain the information
  • The kinds of harm that could result, including:
    • Identity theft or fraud
    • Financial loss
    • Reputational damage
    • Physical harm or psychological distress
  • The security safeguards in place at the time of the breach
  • The characteristics and vulnerabilities of the affected individuals
  • Whether remedial action has been taken to reduce the risk of harm

10.3 Use of Self-Assessment Tools

For breaches involving personal information subject to the New Zealand Privacy Act 2020, we may use self-assessment tools provided by the Office of the Privacy Commissioner (OPC), including the NotifyUs tool, to assist in evaluating whether a breach meets the threshold for notification.

10.4 Notification to Regulators

Where a notifiable breach has occurred, we will notify the relevant regulatory authority as required by law:

10.4.1 Australia – Office of the Australian Information Commissioner (OAIC)

  • Notification via the OAIC online form or in writing
  • As soon as practicable after becoming aware that the breach is notifiable

10.4.2 New Zealand – Office of the Privacy Commissioner (OPC)

  • Notification via the OPC NotifyUs tool or in writing
  • With the aim of notifying within 72 hours of becoming aware of the breach

10.5 Notification to Affected Individuals

Where a notifiable breach has occurred and notification to affected individuals is required or appropriate, we will take reasonable steps to notify affected individuals as soon as practicable. We may not notify individuals where an exception applies under applicable law, including where:

  • Doing so would prejudice law enforcement activities
  • Notification would create a serious threat to life, health, or safety
  • Notification is prohibited by law
  • Remedial action has been taken that reduces the risk of harm below the notification threshold

10.6 Form of Notification

Where practicable, we will notify affected individuals directly using contact methods such as:

  • Email
  • Letter
  • Telephone
  • In-product notification
  • In-person communication

Where direct notification is not practicable, we may use indirect methods such as:

  • Publishing a notice on our website
  • Issuing a media or press statement
  • Notifying through intermediaries

10.7 Content of Notifications

Breach notifications will include, to the extent known and practicable:

  • A description of the breach and the type of personal information involved
  • The steps we have taken or intend to take in response to the breach
  • Recommendations for steps that affected individuals can take to protect themselves
  • Contact details for our Privacy Officer for further information
  • Contact details for the relevant regulatory authority

10.8 Post-Breach Remediation

Following a notifiable breach, we will undertake remediation activities including:

  • Taking steps to reduce the risk of harm to affected individuals, including offering support services or credit monitoring where appropriate
  • Implementing improvements to security controls and processes
  • Conducting a post-incident review to identify root causes and lessons learned
  • Keeping records of the breach, response actions, and outcomes
  • Reporting to senior management and the Board

10.9 Regulatory Consequences

Failure to comply with notifiable data breach obligations may result in regulatory consequences, including:

  • Civil penalties, including fines of up to AU$2.5 million for a body corporate under current legislation
  • Enforceable undertakings or compliance notices
  • Investigations and audits by regulatory authorities
  • Reputational harm and loss of stakeholder trust

11. Children’s Information

11.1 General Position

Our products and services are generally directed at business customers, government agencies, and organisational users. We do not knowingly or intentionally collect personal information from individuals under the age of 18 without the consent of a parent or guardian.

11.2 Parental Consent

Where we become aware that a person under the age of 18 wishes to engage with our services, we will take the following steps:

  • Seeking consent from a parent, guardian, or person with parental responsibility
  • Verifying the identity and authority of the consenting person
  • Limiting collection to the minimum information necessary
  • Providing enhanced security and privacy protections

11.3 Notification of Inadvertent Collection

If you believe that we have inadvertently collected personal information from a child without appropriate consent, please contact us using the details in Section 13. Upon notification, we will:

  • Investigate the matter promptly
  • Cease further collection of the information
  • Delete or de-identify the information from our systems
  • Notify the parent or guardian where practicable

12. Changes to This Privacy Policy

12.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in:

  • Our business operations, products, services, or technologies
  • Applicable laws, regulations, or industry standards
  • New products, services, or business activities
  • Data processing technologies or security standards
  • Feedback from customers, regulators, or privacy assessments
  • Corporate restructures, mergers, or acquisitions

12.2 Review Schedule

This Privacy Policy is scheduled for review annually, or upon material change in legislation, regulatory guidance, or business operations.

12.3 Notification of Changes

When we make material changes to this Privacy Policy, we will publish the updated policy on our website at www.tillered.com and related domains, with the effective date and review date clearly indicated. We will notify you by:

  • Email notification
  • Prominent notice on our website or products
  • In-product notification
  • Direct communication from our Privacy Officer

12.4 Continued Use

Your continued use of our products, services, or website following the publication of an updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you should discontinue use of our services and contact us to discuss your concerns, or request deletion of your personal information (subject to our legal obligations to retain certain records).

13. How to Contact Us or Make a Complaint

13.1 Privacy Officer Contact Details

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, wish to make an access or correction request, or have a complaint about how we have handled your personal information, please contact our Privacy Officer:

  • Privacy Officer: Colin C Stone, Director
  • Email: [email protected]
  • Postal Address: Tillered Holdings Pty Ltd / Tillered Australia Pty Limited, Suite 1, G03, 120 Siganto Drive, Helensvale QLD 4212, Australia
  • Phone: +61 7 5665 4000
  • Alternative Contact: [email protected]

13.2 Complaint Handling Process

We take all privacy complaints seriously. Our complaint handling process is as follows:

  • Step 1: Lodgement – Submit your complaint to our Privacy Officer in writing, including:
    • Your name and contact details
    • A description of the conduct you are complaining about
    • The outcome you are seeking
  • Step 2: Acknowledgement – We will acknowledge receipt of your complaint within 5 business days and provide you with a reference number and the name of the person handling your complaint.
  • Step 3: Investigation – We will investigate the complaint and may contact you for further information. We aim to complete our investigation within 30 days.
  • Step 4: Outcome – We will provide you with a written response outlining:
    • The outcome of our investigation
    • Any actions we have taken or propose to take
    • The reasons for our decision
    • Your right to escalate the complaint
  • Step 5: Escalation – If you are not satisfied with our response, you may escalate your complaint to the relevant external complaint body (see Section 13.3).

13.3 External Complaint Bodies

If you are not satisfied with the outcome of your complaint, you may lodge a complaint with the relevant external regulatory body:

Australia – Office of the Australian Information Commissioner (OAIC)

New Zealand – Office of the Privacy Commissioner (OPC)

European Economic Area and United Kingdom

If you are located in the EEA or the United Kingdom, you may lodge a complaint with your local data protection authority. A list of EEA data protection authorities is available at the European Data Protection Board (EDPB) members page.

14. Definitions and Interpretation

14.1 Key Definitions

  • APPs means the Australian Privacy Principles contained in Schedule 1 of the Privacy Act 1988 (Cth).
  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
  • Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not, as defined in the Privacy Act 1988 (Cth).
  • Privacy Act 1988 means the Privacy Act 1988 (Cth) of Australia, as amended from time to time.
  • Privacy Act 2020 means the Privacy Act 2020 of New Zealand, as amended from time to time.
  • Sensitive Information has the meaning given in section 6 of the Privacy Act 1988 (Cth), and includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information, genetic information, biometric information, or biometric templates.
  • Tillered means Tillered Holdings Pty Ltd (ABN [insert]) and Tillered Australia Pty Limited (ACN [insert]), and their related bodies corporate and associated entities.
  • UK GDPR means the General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

14.2 Interpretation

In this Privacy Policy, unless the context otherwise requires:

  • Headings are for convenience only and do not affect interpretation.
  • Words importing the singular include the plural and vice versa.
  • References to a person include an individual, company, partnership, or other legal entity.
  • References to “writing” include electronic communications.
  • A reference to a statute, regulation, or legislative instrument includes any amendment, consolidation, or replacement.
  • A reference to “including” or “includes” means including without limitation.
  • Where any word or phrase is given a defined meaning, any other part of speech or other grammatical form in respect of such word or phrase has a corresponding meaning.
  • A reference to “you” or “your” means the individual whose personal information is being collected, used, or disclosed.