PRIVACY POLICY

At xSource, we are committed to protecting your privacy and privacy of your clients in
accordance with the Privacy Act 1988 (Cth) and Privacy Amendment Act 2012 (Cth). We
comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act
1988. In the event of a data breach that is likely to result in serious harm, we will notify
affected individuals and the Office of the Australian Information Commissioner (OAIC) as
required by law. This Privacy Policy describes our current policies and practices in relation to
the handling and use of personal information.

What information do we collect and how do we use it?

As a service provider we are subject to requirements to obtain and hold detailed information,
which personally identifies you and/or contains information about you (“personal
information”). In addition, to provide you with a comprehensive service we need to obtain
certain personal information about you or your clients.
We use personal information only for the purposes defined in a Supply of Services
Agreement providing loan processing, bookkeeping, financial control, content moderation,
design and administrative services.
We use your information to send you requested product information and promotional material
and to enable us to manage your ongoing requirements, e.g. further information regarding
specific job and our relationship with you, e.g. invoicing.
We may use your information internally to help us improve our services and help resolve
any problems.

How do we hold and protect your information?

We keep personal information only for as long as it is reasonably necessary for the purpose
for which it was collected or to comply with any applicable legal or ethical reporting or
document retention requirements. For active service engagements, personal information is
retained for the duration of the engagement. For completed engagements without ongoing
follow-up, personal information is reviewed and deleted within 6 months of completion. For
engagements with ongoing bank follow-up, personal information is retained until the
engagement ceases to be active, and deleted within 6 months thereafter. Periodic reviews of
retained data are conducted to ensure compliance with these retention periods.
We have access to the information collected from you using secure external online server
facility powered by our software partners. We will strive to maintain the privacy of this data
from our part, but we encourage you to ensure you practice the highest level of online
security for your personal logins when using these software packages.

Our information security management system is certified to ISO/IEC 27001:2022,
independently audited to ensure the highest standards of data protection and security are
maintained.
We ensure that your information and information you provided to us is safe by limiting access
to your personal data to your assistant/bookkeeper and his/her associate as requested. An
External Auditor may request access to any of our files for the purpose of compliance audit
only and you will be advised in this instance.

Will we disclose the information we collect to anyone?

We do not sell, trade, or rent your personal or your client personal information to others.
We may disclose your personal information to, and obtain personal information about you
from the following organizations for the purposes previously outlined (as well as otherwise
permitted by the Privacy Act): banks and finance organisations, valuation companies,
mortgage insurers, real estate agents, settlement agents, solicitors, information technology
companies, loan processors, bookkeepers and mailing organisations.
We may provide your information to others if we are required to do so by law or under some
unusual other circumstances which the Privacy Act permits.

Disclosures to overseas recipients

Some of the recipients to whom we disclose your personal information may be based
overseas. It is not practicable to list every country in which such recipients are located but it
is likely that such countries will include New Zealand, Germany and Serbia.

How can you check, update or change the information we are holding?

By calling 02 8669 9686 and providing enough information to allow us to identify you, we will
disclose to you the personal information we hold about you. We will also correct, amend or
delete any personal information that we agree is inaccurate.
You may complain to us about a breach of the Australian Privacy Principles by writing to our
address listed on our website (xsource.com.au). We will review your complaint and notify
you within 48 hours of outcomes of such review.

Promotional communications

If you are a customer or a potential customer, from time to time we may contact you with
information about products and services offered by xSource, which we think may be of
interest to you. When we contact you, it may be by mail, telephone, email or SMS.
You may opt out of receiving promotional communications from us by using the unsubscribe
link within each email or emailing us to have your contact information removed from our
promotional email list or registration database. Although opt-out requests are usually
processed immediately, please allow ten (10) business days for a removal request to be
processed. Even after you opt out from receiving promotional messages from us, you will
continue to receive messages from us regarding our services.

Internet site

The xSource website may at times contain links to other websites whose operator may or
may not adhere to a privacy policy or be governed by the Australian Privacy Principles.

Your consent

By asking us to assist you with services (Supply of Services Agreement), you consent to the
collection, use and disclosures to overseas recipients of the personal information you have
provided to us for the purposes described above.