Introduction and Scope

AEXPHL GROUP PTY LTD ABN 42 622 654 255 and Aussie Expat Home Loans Pte Ltd Reg No. 201734831N (herein AEXPHL) and its affiliate and related entities (collectively referred to as “we”, “our”, “us”, or the “Group”) are committed to the highest standards of privacy and data protection compliance. The Group includes entities incorporated in Australia, Singapore, and other jurisdictions that operate under the AEXPHL corporate structure.

We comply with all applicable data protection laws, including:

• the Privacy Act 1988 (Cth) (as amended by the Privacy and Other Legislation Amendment Act 2024) and the Australian Privacy Principles (APPs);
• the Privacy Regulation 2013 (Cth);
• the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth);
• the Cyber Security Act 2024 (Cth);
• the Personal Data Protection Act 2012 of Singapore (PDPA) and regulations enacted under it, including the Personal Data Protection Regulations 2021; and
• any other applicable data protection laws in jurisdictions where the Group operates.
  

This Privacy Policy sets out how and why we collect, store, use,transfer, and disclose your personal information, and how you may access your personal information and request corrections. It applies to all personal information handled by any entity within the Group, regardless of which jurisdiction that entity is incorporated or operates in.

Key Definitions

Personal Information / Personal Data means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not (as defined under the Privacy Act), and data about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access (as defined under the PDPA).

Affiliate or Related Entity means any entity that is a subsidiary, holding company, or fellow subsidiary of AEXPHL,or any entity that is under common ownership or control with AEXPHL, whether incorporated in Australia, Singapore, or any other jurisdiction.

Data Protection Officer (DPO) means the individual appointed by the Group to oversee compliance with applicable data protection laws.

Lending-Related Processes means all activities necessary to assess, process, settle, manage, and administer credit and lending products, including loan origination, credit assessment, valuation,settlement, post-settlement servicing, compliance, regulatory reporting, and related administrative functions.

Collection of Your Information

Types of Information Collected

Like most companies with an online presence, we collect non-personally-identifying information of the sort that web browsers and servers typically make available, such as browser type, language preference,referring site, and the date and time of each visitor request. We collect non-personally-identifying information to better understand how our visitors use our site, troubleshoot problems, analyse our resources, and improve our services and products.

We also collect potentially personal information such as Internet Protocol (IP) addresses. We only disclose IP addresses under the same circumstances that we use and disclose personal information as described in this Privacy Policy.

We collect personal information in a number of ways, including:

• when you or a third party contacts us independently of our site,such as by email, phone, messaging application, or in person;
• when you visit and interact with our site and related software;
• when you engage in transactions with us, whether online or offline;
• when you register interest in, enquire about, or apply for a loan or other financial product;
• through cookies and other technologies that allow us to provide you with a better experience on our site;
• when you contact us via our site or sign up for our newsletter or mailing list;
• from third parties such as credit reporting bodies, lenders,valuers, mortgage insurers, solicitors, and other service providers involved in lending-related processes; and
• from publicly available sources where lawful and reasonable to do so.

Purpose Limitation

AEXPHL and its affiliates and representatives will only seek to collect information that is necessary and reasonable for the purposes identified in this Privacy Policy or as otherwise notified to you at the time of collection. You may refuse to supply personal information; however, this may prevent you from engaging in certain site-related activities, and we may not be able to provide our services, products, or assistance to you or on your behalf.

You must not provide us with personal information about another person unless you have first obtained that person’s prior consent to do so and you have informed them that their personal information will be handled in accordance with this Privacy Policy (including where to find it).

Cookies and Tracking Technologies

A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. Our site uses cookies to help us identify you from other users, track your usage of our site, and your website access preferences.We use the following categories of cookies:

Strictly Necessary Cookies: These are cookies required for the operation of our site, including cookies that enable you to log into secure areas, use a shopping cart, or make use of e-billing services.

Analytical/Performance Cookies: These allow us to recognise and count the number of visitors and to see how visitors navigate our site, helping us improve the way our site works.

Functionality Cookies: These are used to recognise you when you return to our site, enabling us to personalise our content for you and remember your preferences.

Targeting Cookies: These cookies record your visit to our site, the pages you have visited and the links you have followed. We use this information to make our site and any advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

Please note that third parties (including advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

If you do not wish to have cookies placed on your computer, you should set your browser to refuse cookies before using our site, with the drawback that certain features of our site may not function properly without the aid of cookies. You may also manage your cookie preferences through our cookie consent tool where available.

Use of Personal Data

We collect your personal information to enable you to receive the benefit of our site and services. Subject to this Privacy Policy, we may use your personal information for the following purposes:

• to provide you with the credit assistance, financial products, or services you have sought from us;
• for purposes associated with lending-related processes, including credit assessment, loan processing, settlement, post-settlement management, and regulatory compliance;
• to share your personal information between our affiliate and related entities where necessary to facilitate lending-related processes (see Section 7below);
• for purposes associated with our services such as follow-up calls,notices, or communications to assist you;
• to make you aware of connected offers or services which are likely to be relevant to you (subject to your marketing preferences – see Section 9below);
• for quality assurance and training purposes;
• for internal analytics, reporting, and business improvement;
• to comply with legal and regulatory obligations, including obligations under the National Consumer Credit Protection Act 2009 (Cth), the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), and equivalent Singapore and international regulations;
• to respond to lawful requests from regulatory authorities, courts,or law enforcement agencies; and
• any other uses identified to you at the time of collecting your personal information or as reasonably contemplated by this Privacy Policy.

Consent

This Privacy Policy applies to the site you are currently viewing and to the services provided by any entity within the Group. By visiting our site, using any of our services, or providing us with your personal information in any other way (or authorising it to be provided to us by someone else), you agree to this Privacy Policy and consent to your personal information being collected, used, and disclosed as set out in this Privacy Policy.

Under the Singapore PDPA, we rely on the following lawful bases for collecting, using, and disclosing your personal data:

• your express consent, obtained at or before the time of collection;
• deemed consent, where you have voluntarily provided your personal data for a purpose, and a reasonable person would consider it appropriate;
• deemed consent by notification, where we have notified you of the purpose and you have not taken any action to opt out within a reasonable period; and
• legitimate interests, where the collection, use, or disclosure is in our legitimate interests and the benefit to the public or to you outweighs any adverse effect on you.

You may withdraw your consent at any time by contacting our Data Protection Officer (see Section 12). However, withdrawal of consent may affect our ability to provide services to you. We will inform you of the likely consequences of withdrawing consent before processing your request.

Cross-Border Data Transfers and Intra-Group Sharing

Intra-Group Transfers for Lending-Related Processes

You acknowledge and consent that your personal information may be transferred to and shared between any affiliate or related entity within the AEXPHL group structure, whether based in Australia, Singapore, or any other jurisdiction, where such transfer is necessary for or related to lending-related processes. These transfers are essential to the operation of our business and the provision of services to you.

Intra-group transfers for lending-related processes may include, but are not limited to:

• loan origination, processing, and credit assessment;
• coordination with lenders, valuers, mortgage insurers, and other third-party service providers;
• settlement and post-settlement loan administration;
• compliance with regulatory and reporting obligations in each relevant jurisdiction;
• internal audit, risk management, and quality assurance; and
• IT systems administration, data storage, and business continuity.

Safeguards for Cross-Border Transfers

When personal information is transferred between jurisdictions, we ensure that:

• all Group entities are bound by this Privacy Policy and by internal binding corporate rules that establish a uniform standard of data protection across the Group;
• the receiving entity provides a standard of protection for personal data that is comparable to or exceeds the protections afforded by the Australian Privacy Act and the Singapore PDPA, in accordance with APP 8 and Section 26 of the PDPA respectively;
• appropriate contractual arrangements are in place to ensure compliance with applicable data protection laws in both the transferring and receiving jurisdictions;
• data is transferred securely using appropriate technical and organisational measures, including encryption in transit and at rest; and
• access to personal data is limited to authorised personnel who require it for legitimate business purposes.
• Where we transfer personal data to a jurisdiction that does not have data protection laws comparable to Australia or Singapore, we will implement additional safeguards, which may include standard contractual clauses, data transfer agreements, or other mechanisms recognised under the applicable law.

Transfers to Third Parties

AEXPHL and its affiliates will never unnecessarily exchange your personal or business information with any third party, unless compelled by law. However, to assist you, we may need to provide your personal information to certain parties, including but not limited to:

• our employees, officers, and any related entity within the Group;
• third-party partners or entities with whom we have a commercial relationship, including lenders, mortgage insurers, other mortgage intermediaries, and valuers;
• third-party service providers for the purpose of enabling them to provide services such as (but not limited to) IT services, data storage,hosting, payment processing, debt collection, and insurance;
• credit reporting bodies and other credit providers in accordance with applicable credit reporting legislation;
• prospective sellers or buyers of our business or assets;
• regulators or government-linked third parties for the purpose of legislative or contractual compliance and/or reporting, including the Australian Securities and Investments Commission (ASIC), the Office of the Australian Information Commissioner (OAIC), the Personal Data Protection Commission of Singapore (PDPC), and the Monetary Authority of Singapore (MAS);and
• other entities or individuals, provided you have given your consent.

‍

Data Retention and Destruction

We will retain your personal information only for as long as is necessary for the purposes for which it was collected, or as required by applicable laws and regulations. In determining retention periods, we consider the nature of the personal information, the purposes for which it was collected, legal and regulatory requirements (including record-keeping obligations under credit legislation), and our legitimate business interests.

We will cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention, and retention is no longer necessary for legal or business purposes. This is consistent with both the Australian Privacy Act and the Singapore PDPA’s requirements regarding data retention.

Marketing and Affiliate Communications

Marketing Consent

From time to time, AEXPHL and its affiliate companies within the Group may wish to contact you with information about products and services that we believe may be relevant and of interest to you. By providing your personal information to us, you consent to receiving such marketing communications from AEXPHL and its affiliate companies, unless you opt out as described below.

Scope of Affiliate Marketing

Marketing communications shared between Group affiliate companies will be limited to information that is directly relevant to your enquiry,application, or the services we have provided or are providing to you. We will not share your personal information with unrelated third parties for their own independent marketing purposes without your express consent.

The types of marketing communications you may receive from the Group include:

• updates on lending products, interest rates, and refinancing opportunities relevant to your circumstances;
• information about related financial products and services offered by Group affiliates, such as insurance, property services, or investment opportunities;
• educational content relating to property, lending, or financial planning; and
• invitations to events, webinars, or other informational sessions hosted by the Group.

Opting Out

You may opt out of receiving marketing communications at any time by: contacting us directly using the details set out in Section 12 below; using the “unsubscribe”link in any marketing email; or notifying any Group entity from which you have received marketing. We will process your opt-out request promptly and at no cost to you. Please note that opting out of marketing communications will not affect transactional or service-related communications that are necessary for the administration of your loan or services.

Security of Your Personal Information

AEXPHL takes reasonable technical and organisational measures to ensure the security of your personal information from unauthorised access,collection, use, disclosure, copying, modification, or disposal. These measures include access controls, encryption, secure storage, regular security assessments, and staff training.

However, we also rely on you to advise us of any changes to your personal information, so please update us when your details change.

Data Breach Notification

Australian Law: In the event that AEXPHL suspects that there has been an eligible data breach that is likely to result in serious harm to any individual, we will conduct an assessment expeditiously and within 30 days. If we determine that a notifiable data breach has occurred,we will notify the Office of the Australian Information Commissioner and affected individuals in accordance with Part IIIC of the Privacy Act.

Singapore Law: Under the PDPA, if we have reason to believe a data breach has occurred affecting personal data in our possession or control, we will conduct an assessment in a reasonable and expeditious manner. If the breach is a notifiable data breach(i.e., it results in or is likely to result in significant harm, or is of a significant scale), we will notify the PDPC and affected individuals in accordance with Part 6A of the PDPA.

Access, Correction, and Portability

Access to Your Personal Information

You have the right to request access to the personal information we hold about you, and to be informed about how it has been used or disclosed.Under both the Australian Privacy Act and the Singapore PDPA, we will respond to your access request within a reasonable time frame (generally within 30days).

However, we may refuse to provide access if doing so could reasonably be expected to:

• threaten the safety or physical or mental health of another individual;
• cause immediate or grave harm to your safety, physical, or mental health;
• reveal personal data about another individual;
• reveal the identity of an individual who has provided personal data about another individual and that individual does not consent to the disclosure of their identity;
• be contrary to the national interest; or
• be otherwise permitted to be refused under applicable law.

Correction of Personal Information

You may request that we correct any personal information that is inaccurate, incomplete, or out of date. We will take reasonable steps to correct the information within 30 days of your request and, where required,notify third parties to whom the incorrect information was previously disclosed.

Data Portability (Singapore)

Under the PDPA’s data portability provisions (when fully in effect), you may request that we transmit your personal data to another organisation in a commonly used machine-readable format, subject to the requirements and exceptions under the PDPA.

Data Protection Officer and Contact Details

If you wish to access the personal information we hold about you,make a correction request, withdraw consent, make a complaint, or otherwise contact us about this Privacy Policy, please contact:

Data Protection Officer: Timothy Raes

Address: Level 12 / 484 St Kilda Road Melbourne VIC 3004

Email: Enquiry@aexphl.com

Information which is easily accessible will be provided to you free of charge. However,information which is more difficult to access may have a reasonable fee associated with the request, of which we will inform you in advance.

Feedback and Complaints

Should you be unsatisfied with the manner in which AEXPHL or any Group entity has handled your personal information, please contact us using the details above. We will take all necessary steps to investigate and address your concerns.

If the issue is not resolved to your satisfaction, you may contact the relevant regulatory authority:

Australia – Office of the Australian Information Commissioner (OAIC)

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

Mail: GPO Box 5218, Sydney NSW 2001

Website: www.privacy.gov.au

Singapore – Personal Data Protection Commission (PDPC)

Phone: +65 6377 3131

Email: info@pdpc.gov.sg

Website: www.pdpc.gov.sg

Automated Decision-Making

Where we use automated processes to make decisions that significantlyaffect you (for example, automated credit assessments), we will provide youwith information about the automated decision-making process, the informationused to make the decision, and your right to request a review of the decisionby a human. This obligation applies in accordance with the transparencyrequirements introduced by the Privacy and Other Legislation Amendment Act2024, which will be fully effective from December 2026.

Children’s Privacy

Our services are not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete that information as soon as practicable.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. Where changes are significant, we will take reasonable steps to notify you, such as by posting a notice on our site or sending you an email. The updated Privacy Policy will be effective from the date it is posted on our site, unless otherwise stated. We encourage you to review this Privacy Policy periodically.

Governing Law

This Privacy Policy is governed by the laws of the Commonwealth of Australia and the Republic of Singapore, as applicable. To the extent of any inconsistency between the requirements of different jurisdictions, we will apply the standard that affords the greatest protection to your personal information.