PRIVACY POLICY

Background

As an Authorised Representative under Australian Financial Services Licensee Flotilla Capital Pty Ltd (AFSL No. 289898) and a holder of personal information about our clients, it is our objective to ensure that Sandton Capital Advisory Pty Ltd (“Sandton Capital”) and its representatives comply with all relevant aspects of the Australian Privacy Principles (APPs), as set out in the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The APPs require Sandton Capital to take reasonable steps to protect the personal information it holds from misuse, interference, and loss, as well as unauthorised access, modification or disclosure under APP11 – Security of Personal Information. Licensees who trade in personal information have additional obligations under the remaining APPs. All Licensees holding personal information are expected to implement a Privacy Policy in compliance with the APPs. Adherence to the Sandton Capital Privacy Policy is expected and will be monitored to ensure that personal information is secured adequately and breaches, both suspected and actual, are treated appropriately as per the guidelines set by the Office of the Australian Information Commissioner (OAIC).

Purpose

Sandton Capital believes that this Privacy Policy discloses how the personal information you provide to us (and our representatives) is collected, used, held, disclosed and disseminated. As an Authorised Representative, Sandton Capital ensures that there are adequate resources in place to develop, implement and maintain the privacy program and response plan. All representatives of Sandton Capital are aware of the privacy program and are encouraged to identify privacy issues and notify directly to Sandton Capital. Sandton Capital is required to meet legislative and regulatory requirements. The information that we seek to collect about you will depend on the products or services that we provide. If you provide inaccurate or incomplete information, we may not be able to provide you with the services you requested. We encourage you to check our website regularly for any updates to our Privacy Policy.

Why do we need a Privacy Policy?

The Office of the Australian Information Commissioner (OAIC)’s focus of the Privacy Act and obligations is to increase protection levels and keep individual’s personal information more secure. It’s the responsibility of APP entities to secure and protect the personal information they hold and prevent breaches from occurring.

The Notifiable Data Breach Scheme provides a framework that requires businesses to respond swiftly and with transparency to mitigate the damage potentially caused by a breach. This ultimately gives consumers more confidence that their personal information is being appropriately safeguarded and that they will be made aware if their information is compromised.

Sandton Capital’s Commitment to Privacy for our Clients

Sandton Capital is committed to providing the highest levels of client service. Sandton Capital recognises that privacy is very important to everybody. As such, the organisation is committed to providing a privacy program that ensure the correct management of personal information, identification of breaches or suspected breaches of the Policy and utilising the breach Response Plan to ensure we can respond quickly to suspected data breaches, and take appropriate steps as required under the NDB Scheme.

What are the Australian Privacy Principles (APP)?

1. Open and transparent management of personal information

2. Anonymity and pseudonymity

3. Collection of solicited personal information

4. Dealing with unsolicited personal information

5. Notification of the collection of personal information

6. Use or disclosure of personal information

7. Direct Marketing

8. Cross-border disclosure of personal information

9. Adoption, use or disclosure of government related identifiers

10. Quality of personal information

11. Security of personal information

12. Access to personal information

13. Correction of personal information

Sandton Capital as an organisation has ensured that its privacy program embraces the principles established by the APPs under the Privacy Act.

Your Personal Information

What Sandton Capital may collect: When you apply for our products or services, we may ask for identification information. This could include your name, address, contact details and date of birth. We may also collect your tax file number if we are authorised to collect it, and if you choose to supply it.

Some of the information we collect is to ensure that we can meet other legislative requirements such as the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

How Sandton Capital collects Personal Information: We collect personal information directly from you and, if authorised by you, from third parties also. You have a right to refuse authorisation for us to collect information from a third party.

How Sandton Capital uses your Personal Information: Primarily, your personal information is used to provide you with products or services. We may also use the information that is related to the primary purpose, and it is reasonable for you to expect that information to be disclosed to assist us in providing you with the service.

Occasionally, we may provide you with direct marketing material. This will include articles and newsletters that may be of interest to you. We may only use sensitive information about you for direct marketing once we have received your consent.

Sandton Capital maintains records of the source of the personal information used for direct marketing and you have the right to request these details. We will endeavour to meet your request within two (2) weeks.

In compliance with the Anti-Hawking legislation, we maintain a register for those individuals not wanting to receive direct marketing materials.

When Sandton Capital can disclose your information: In line with the business practices of many financial institutions, and to meet yo ur specific needs, we may disclose your personal information to the following organisations:

superannuation fund trustees, insurance providers, fund managers and other product providers to manage or administer your product or service,

compliance consultants,

temporary staff to handle workloads during peak periods,

mailing houses,

your professional advisers, including your solicitor or accountant as authorised by you,

information technology service providers,

Government and regulatory authorities, as required or authorised by law,

another authorised representative of Flotilla Capital if necessary,

a potential purchaser/organisation involved in the proposed sale of Sandton Capital’s business for the purpose of due diligence, corporate re-organisation and transfer of all or part of the assets of the business. Disclosure will be made in confidence, and it will be a condition of that disclosure that no personal information will be used or disclosed by them,

a new owner of the business that will require the transfer of your personal information.

Sandton Capital’s employees and the outsourcing companies/contractors are obliged to respect the confidentiality of any personal information held by Sandton Capital.

The Corporations Act has provided the Australian Securities and Investments Commission (ASIC) with the authority to inspect certain personal information that is kept on Sandton Capital’s files about you.

Sandton Capital takes its obligations to protect your information seriously, this includes if/when Sandton Capital operates throughout Australia and overseas, as part of its operations. Some uses and disclosures of your information may occur outside your State or Territory and/or outside of Australia. In some circumstances we may need to obtain your consent before disclosure of your information outside Australia occurs.

How Sandton Capital stores and secures your Personal Information: Sandton Capital keeps your personal information in your client files or electronically. These files are accessible to authorised personnel only and are appropriately secured and subject to confidentiality requirements.

Personal information will be treated as confidential information and sensitive information will be treated highly confidential.

It is a legislative requirement that Sandton Capital keeps all personal information and records for a period of seven (7) years. Should you cease to be our client, we will maintain your personal information on or off site in a secure manner for seven (7) years. After this period, the information will be appropriately destroyed.

Ensuring your Personal Information is correct: Sandton Capital takes all reasonable precautions to ensure that the personal information collected, used and disclosed is accurate, complete and up to date. To ensure that we can maintain this level of accuracy and completeness it is recommended that, as soon as possible, you:

Inform us of any errors in your personal information, and

Update us with any changes to your personal information.

Receiving Unsolicited Information: Sandton Capital does not usually collect unsolicited personal information. Where we received unsolicited personal information, it will be determined whether it would have been permissible to collect this information if it had been solicited. If Sandton Capital determines that collection would not have been permissible, to the extent permitted by law, the personal information will be appropriately destroyed or de-identified as soon as practicable.

Accessing your own Personal Information: You have a right to access your personal information, subject to certain exceptions allowed by law. We ask that you provide a request in writing (for security purposes) and we will provide you with access to that personal information. Access to the requested personal information may include:

Providing you with copies,

Providing you with the opportunity for inspection, or

Providing you with a summary.

If charges are applicable in providing access to you, these charges will be disclosed to you prior to providing the information.

Some exceptions exist where Sandton Capital will not provide you with access to your personal information, these include if:

Providing access would pose a serious threat to the life or health of a person,

Providing access would have an unreasonable impact on the privacy of others,

The request for access is frivolous or vexatious,

The information is related to existing or anticipated legal proceedings between Sandton Capital and a client and would not be discoverable in those proceedings,

Providing access would reveal Sandton Capital’s intentions in relations to negotiations with you in such a way as to prejudice those negotiations,

Providing access would be unlawful,

Denying access is required or authorised by or under law, and

Providing access would be likely to prejudice certain operations by, or on behalf of, an enforcement body or an enforcement body requests that access not be provided on the grounds of national security.

Should we refuse you access to your personal information, a written explanation for that refusal will be provided.

Using Government Identifiers

In certain circumstances Sandton Capital is required to collect Government identifiers such as your tax file number (TFN), Medicare number or pension card number. Sandton Capital does not use or disclose this information other than when required or authorised by law or unless you have voluntarily consented to disclose this information to any third party.

Dealing with Sandton Capital Anonymously

You can deal with us anonymously or by using a pseudonym where it is lawful and practicable to do so, for example when telephoning to request publicly accessible information such as our postal address or operating hours. It would not be lawful to access our products or services anonymously or by using a pseudonym.

Your Sensitive Information

Without your consent Sandton Capital will not collect information about you that reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs or affiliations, memberships of professional or trade associations, membership of a trade union, details of health, disability, sexual orientation or criminal record.

This is subject to some exception, including if collection is required by law or when the information is necessary for the establishment, exercise or defence of a legal claim.

Sandton Capital’s Website

Sandton Capital’s website may provide links to third party websites. If you disclose personal information to these third-party sites, the use of your information by these third parties is not within Sandton Capital’s control and Sandton Capital cannot accept responsibility for the conduct of these organisations. Other websites are not subject to Sandton Capital’s privacy standards. You will need to contact or review those websites directly to ascertain their privacy policies. You may register on Sandton Capital’s website to receive newsletters and other information, and by doing so, your name and email address will be collected and stored on Sandton Capital’s database. We will take care to ensure that the personal information you provide on our website is protected by having electronic security systems in place, including the use of firewalls and data encryption. If you do not wish to receive any further information from Sandton Capital, or you wish to update your registration details, please email your request directly to us. We will endeavour to meet your request within five (5) business days. Our website utilises cookies to provide you with a better user experience. Cookies also allow Sandton Capital to identify your browser while you are using the site – the cookies do not identify you personally. If you do not wish to receive cookies, you can instruct your web browser to refuse these cookies.

Spam Policy

Spam is a generic term used to describe electronic ‘junk mail’ – unwanted messages sent to a person’s email account or mobile phone. In Australia, spam is defined as “unsolicited commercial electronic messages”.

Electronic messaging covers emails, instant messaging (IM), SMS and other mobile phone messaging, but it does not cover normal voice-to-voice communications by telephone. Sandton Capital complies with the provisions of the Spam Act 2003 when sending commercial electronic messages. In addition, Sandton Capital is also bound by their own internal Anti-Hawking Policy. The Spam Act 2003 specifies that the person’s consent has been withdrawn within five (5) working days from the date that an ‘unsubscribe’ request was sent (in the case of electronic unsubscribe messages) or delivered (in the case of unsubscribe messages sent by post or other means). Sandton Capital follows the following steps when using electronic messaging:

1. Consent – only commercial electronic messages are sent with the addressee’s consent, either inferred or expressed consent.

2. Identify – electronic messages will include clear and accurate information about the person and the Sandton Capital contact that is responsible for sending the commercial electronic message.

3. Unsubscribe – Sandton Capital ensures that a functional unsubscribe facility is included in all its commercial electronic messages and deals with unsubscribe requests promptly.

Commercial Communications with a Forwarding Facility (Viral Messages)

Sandton Capital ensures that Commercial Communications that include a Forwarding Facility comply with the law by containing a clear recommendation. This recommendation is that the Recipient should only forward the Commercial Communication to persons with whom they have a relationship, and where that relationship means that the person could be said to have consented to receiving Commercial Communications.

Complying with the Age Sensitive Content of Commercial Communication

Where content of a Commercial Communication seeks to promote or inspire interaction with a product, service or event that is age sensitive, Sandton Capital takes reasonable steps to ensure that such content is sent to Recipients who are legally entitles to use or participate in the product, service, or event.

Related Laws and Regulations

There may be times when other legislation or obligations override the obligation in the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012. These include, but are not limited to:

• The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), where Sandton Capital is required to report to suspicious matters and large money transactions AUSTRAC.

• Regulatory Guide 78 Breach reporting by AFS licensees, where Licensees are required to report any breach or potential breach to ASIC

• Mandatory reporting requirements during a Disaster Recovery event or in the event of a Cyber breach as detailed in the Corporations Act 2001

• Requirement with regards to ATO requests

Privacy Complaints Process

Clients may contact Sandton Capital’s Privacy Officer if you wish to complain about any breach or potential breach of your privacy rights. Your complaint will be responded to within seven (7) days. Sandton Capital’s Privacy Officer will investigate the issue and determine steps to undertake to resolve your complaint.

Sandton Capital’s Privacy Officer will contact you if any additional information is required from you and will notify you in writing of the determination. If you are not satisfied with the outcome of your complaint, you are entitled to contact the Office of the Australian Information Commissioner.

Consultation processes

This policy shall be updated, reviewed or further developed in consultation with the stakeholders of the organisation.

Approvals

This policy is approved for us by the Compliance Committee/Board and takes effect immediately.