Privacy Policy

This privacy notice is effective from May 25th, 2018, and was last updated January 15, 2025.

Scope and purpose

This Policy has been adopted to assist in establishing and maintaining an adequate level of
personal data privacy in the collecting, holding, using, processing, disclosing and crossborder
transfer of personal data, i.e. any information that relates to an identified or
identifiable living individual (Personal Data) including relating clients, investors, contractors,
business associates and other stakeholders of the OX2 group.

OX2 AB’s (org.nr 556675-7487) and all its subsidiaries’ (herein jointly referred to as OX2)
processes and activities are performed with the objective to ensure that your privacy and
integrity are protected, that your privacy is respected and that your Personal Data is
processed correctly. We take responsibility to ensure that Personal Data processed by OX2 is
used only for the purpose(s) for which it is collected and is protected against accidental or
unlawful destruction, loss, use, or alteration and against unauthorized disclosure or access.

All processing of Personal Data by OX2 is carried out in accordance with applicable privacy
legislation.

Part A of this Policy only applies to Personal Data which is processed by or on behalf of OX2
and is or was processed at any time by or on behalf of OX2 in a jurisdiction which is either:

(i) in the EU or EEA; or

(ii) not in the EU or EEA, but is a jurisdiction which imposes similar restrictions on the use or extra-territorial transfer of Personal Data;

Part B of this policy contains the policy for how OX2 Australian entities collects, holds, uses
and discloses personal information

This Policy should not conflict with applicable national laws in the jurisdictions in which an
OX2 company operates and the Policy shall be so construed wherever possible. In the event
of any conflict between this Policy and any applicable national laws, the provisions of the
relevant law shall prevail. In this event, the relevant OX2 company shall immediately notify
the OX2 General Counsel.

Part A: International data transfers by OX2 Group companies with registered offices in Europe

In addition to applying the below Key principles, in the event that any OX2 company with
registered office within European Economic Area (EEA) transfers your Personal Data outside
the EEA, we ensure that your data is protected in a manner which is consistent with the GDPR
(EU 2016/679). Therefore, and if required by applicable law, we take the following measures:

We transfer Personal Data to external recipients outside the European Economic Area (EEA)
only if the recipient has (i) entered into EU Standard Contractual Clauses with us, or (ii)
implemented Binding Corporate Rules in its organization. You may request further information about the safeguards implemented in relation to specific transfers by contacting
us.

Who is responsible for your personal information?

For Personal Data collected in the in the EU or EEA, OX2 AB is OX2 Group’s main data
controller. In addition, subsidiaries of OX2 AB can also be data controllers (including joint controllers) and process Personal Data as described in this Privacy Policy. Your relationship
with OX2 will determine which of our group companies have access to and processes your
Personal Data, and which of our group companies are the data controller(s) responsible for
the Personal Data.

Key principles

In handling Personal Data as a controller OX2 will apply the following key principles:

1. Transparency: OX2 will provide individuals with information about how we process their Personal Data to the extent necessary to ensure that processing is fair.

2. Purpose limitation: OX2 will only process Personal Data for the purposes

(i) set out in any notice made available to the relevant individuals;

(ii) as required by law; or

(iii) where consented to by the relevant individuals.

3. Data quality and proportionality: Personal Data should be kept accurate and where
necessary, up to date. The Personal Data OX2 hold must be adequate, relevant and
not excessive for the purposes for which they are processed and should only be
retained for as long as necessary for the purposes of the relevant processing.

4. Sensitive Data: Where OX2 process sensitive Personal Data, we will take such
additional measures (e.g., relating to security) as are necessary to protect such
Personal Data in accordance with applicable law.

5. Data minimization: Where OX2 retain Personal Data, we will do so in a form
identifying or rendering an individual identifiable only for so long as it serves the
purpose(s) for which it was initially collected or subsequently authorized, except to
the extent permitted by applicable law; and

6. Information transfer and compliance: Within OX2, Personal Data may be transferred
outside the country in which it was collected, including countries outside of the EEA,
for legitimate business activities in accordance with applicable law. In addition, in
accordance with applicable law, the OX2 may store Personal Data in facilities
operated by OX2/or third parties on behalf of OX2 outside the country in which the
data was collected. Nevertheless, Personal Data must not be transferred to another
country unless the transferor has assurance that an adequate level of protection is
in place in relation to that Personal Data as required under applicable law. In the
case of each, an adequate level of protection is created by the Group Data Sharing Agreement which each OX2 group company shall abide by. OX2 will ensure that
where Personal Data is transferred to third parties outside of OX2 for processing (for
example to OX2’s service providers to support OX2’s business), that this is only done
where the Personal Data is adequately protected. OX2 companies will achieve this
by entering into written agreements with third parties which impose obligations that
reflect the requirements of this policy.

Security

To protect your Personal Data against accidental or unlawful destruction, loss, use, or
alteration and against unauthorized disclosure or access, we use adequate physical,
technical and organizational security measures. Any disclosure of Personal Data is always in
according to legal obligations, practices and standard procedures.

Your rights

Where your Personal Data is collected in the EU or EEA, the GDPR grants you as an individual
specific rights in relation to your Personal Data. In particular, and subject to the legal
requirements, you may be entitled to

Obtain from us confirmation as to whether or not Personal Data concerning you are
being processed, and where that is the case, access to the Personal Data;
Obtain from us the correction of inaccurate Personal Data concerning you;
Obtain from us the erasure of your Personal Data;
Obtain from us restriction of processing regarding your Personal Data;
Data portability concerning Personal Data, which you actively provided;
Object, on grounds relating to your particular situation, to further processing of Personal
Data concerning you; and
Withdraw your consent to our processing of your Personal Data

How and when do we process your personal information?

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Supplier and stake- holder relationship management To administer our supplieror stakeholder relationshipto fulfil our contract with you	Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction.	Name, contract details (such as address, e-mail, address, phone number),

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Supplier and stake-
holder relationship
management

To administer our
supplieror stakeholder
relationshipto fulfil
our contract with you

Collection, recording,
structuring, storage,
use, disclosure by
transmission, erasure
or destruction.

Name, contract details
(such as address, e-mail,
address, phone number),

Lawful basis of the processing: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subjects prior to entering into a contract (article 6.1 b GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) and/or relevant subsidiary(ies)

The retention periods: We will save your Personal Data as long it’s necessary for the performance of a contract which the data subject is party (article 6.1 b GDPR).

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Business relationship In the context of the business relationship with us we process the Personal Data for the following purposes: Communicating with Business partners about our products and services (e.g., responding to inquiries or request providing you with information). Planning, performing and managing the contractual relationship with you as Business partner. Maintaining and protecting the security of our products and services, preventing and detecting security threats, frauds or other criminal activities. Ensuring compliance with legal obligations (such as record keeping obligations, compliance background checks and our policies or industry standards. Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.	Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction.	In the context of the business relationship with us, we may process the following categories of Personal Data of customers and contact personas (prospective) customers, suppliers, vendors and partners (each a “Business partner”: Contact information such as full name, contact information. Organizational information including job position and company name. Contractual data such as data necessary for processing fraud preventions. Further information necessarily processed in a project or contractual relationship with us provided by the Business partner, such as Personal Data relating to orders placed, payments made, requests and project milestones. Personal Data collected from publicly available resources, credit agencies and information that are legally required for Business partner compliance screenings such as date of birth, nationality, place of residence, ID-numbers, identify cards and information about relevant and significant litigation or other legal proceedings against Business partners.

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Business relationship

In the context of the
business relationship with us
we process the Personal
Data for the following
purposes:

Communicating with
Business partners about our
products and services (e.g.,
responding to inquiries or
request providing you with
information).

Planning, performing and
managing the contractual
relationship with you as
Business partner.

Maintaining and protecting
the security of our products
and services, preventing
and detecting security
threats, frauds or other
criminal activities.

Ensuring compliance with
legal obligations (such as
record keeping obligations,
compliance background
checks and our policies or
industry standards.

Solving disputes, enforce
our contractual agreements
and to establish, exercise or
defend legal claims.

Collection, recording,
structuring, storage,
use, disclosure by
transmission, erasure
or destruction.

In the context of the
business relationship with
us, we may process the
following categories of
Personal Data of customers
and contact personas
(prospective) customers,
suppliers, vendors and
partners (each a “Business
partner”:

Contact information such
as full name, contact
information.

Organizational information
including job position and
company name.

Contractual data such as
data necessary for
processing fraud
preventions.

Further information
necessarily processed in a
project or contractual
relationship with us
provided by the Business
partner, such as Personal
Data relating to orders
placed, payments made,
requests and project
milestones.

Personal Data collected
from publicly available
resources, credit agencies
and information that are
legally required for Business
partner compliance
screenings such as date of
birth, nationality, place of
residence, ID-numbers,
identify cards and
information about relevant
and significant litigation or
other legal proceedings
against Business partners.

Lawful basis of the processing: Processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the request of the data subjects prior
to entering into a contract (article 6.1 b GDPR) and for the purposes of the legitimate interest
pursued by us a data controller (article 6.1 f GDPR).

More specific: To provide our products and services: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1 f GDPR).

To bill your use of our products and services: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1 f GDPR).

To verify your identity: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1
f GDPR).

To fulfil your requests or instructions: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1 f GDPR).

When necessary to enforce the contractual agreement, to establish and preserve legal claims or defense, to prevent fraud or other criminal activities: Compliance with legal obligations (article 6.1 c GDPR); Legitimate interest (article 6.1 f GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) and/or relevant subsidiary(ies)

The retention periods: We will save your Personal Data as long it’s necessary in compliance with
the initial purpose and applicable legal obligations.

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Invoicing To handle payment transactions for our products and services	Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction	Billing information (such as name, address, purchased product or service), transaction history.

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Invoicing

To handle payment
transactions for our
products and services

Collection, recording,
structuring, storage,
use, disclosure by
transmission, erasure
or destruction

Billing information
(such as name, address,
purchased product or
service), transaction
history.

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) and/or relevant subsidiary(ies)

The retention periods: We will save your Personal Data as long it’s necessary in compliance with applicable legal obligation.

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Cookies and online identifiers or other tracking technologies We have an interest in making our websites operate efficiently, providing account related functionalities, understanding how you interact with our websites and what service you are interested in.	Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction	We use cookies or other tracking technologies to monitor how you interact with our websites.

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Cookies and online
identifiers or other
tracking technologies

We have an interest in
making our websites
operate efficiently,
providing account
related functionalities,
understanding how
you interact with our
websites and what
service you are
interested in.

Collection, recording,
structuring, storage,
use, disclosure by
transmission, erasure
or destruction

We use cookies or
other tracking
technologies to
monitor how you
interact with our
websites.

Lawful basis of the processing: The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes (article 6.1 a GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) and/or relevant subsidiary(ies)

The retention periods: We will save your Personal Data as long it’s necessary for the initial purpose. You control and/or delete cookies as you wish – for details, see our cookie policy.

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Advertisement and marketing We disclose information about our products and services with the purpose to market our products and services to individuals who consent to receive such information.	Collection, storage, use, disclosure by transmission, erasure or destruction	E-mail address

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Advertisement and
marketing

We disclose information
about our products and
services with the purpose
to market our products
and services to individuals
who consent to receive
such information.

Collection, storage, use,
disclosure by transmission,
erasure or destruction

E-mail address

Lawful basis of the processing: The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes (article 6.1 a GDPR). You can withdraw your consent to our marketing at any time by contacting us.

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) subsidiary(ies)

The retention periods: As long as we have your consent to provide you with information and marketing.

Further information for OX2 Group's employees

Further information and privacy notices are available in the OX2’s intranet (OX2 intranet access is required).

Complaints, questions and additional information

To express a concern, raise a question, make a complaint, or to obtain additional information about the processing of Personal Data by OX2, the concerned individual should contact the Local Legal Counsel or the General Counsel (“the Data Privacy Organization”) for the relevant OX2 company in the first instance.

Besides contacting the Data Privacy Organization, you always have the right to approach the competent data protection authority in your country with your request or complaint.

Part B

OX2 Holdings Pty Ltd ABN 47 666 878 771 (we or us) and any other OX2 entity registered under
the laws of Australia, understands the importance of protecting the privacy of an individual’s
personal information. This statement sets out how we aim to protect the privacy of your
personal information, your rights in relation to your personal information managed by us and
the way we collect, hold, use and disclose your personal information. We are the data
controller of any personal information collected by us by any of the means set out below.

In handling your personal information, we will comply with the Privacy Act 1988 (Cth) (Privacy
Act) and with the Australian Privacy Principles in the Privacy Act. This privacy statement may
be updated from time to time.

Personal information is information or an opinion about an identified, or reasonably
identifiable, individual. During the provision of our products or services, we may collect, hold,
use and disclose your personal information.

The kinds of personal information we collect and hold	How we collect and hold personal information	The purposes for which we collect, hold, use and disclose personal information
Name Contact details (such as address, e-mail address, phone number). Organizational information including job position and company name. Contractual information necessary for processing fraud preventions. Information collected in a project or contractual relationship with us provided by customers and contact personas, prospective customers, suppliers, vendors and partners (each a Business partner), such as personal information relating to orders placed, payments made, requests and project milestones. Personal information collected from publicly available resources, credit agencies and information that is legally required for Business partner compliance screenings such as date of birth, nationality, place of residence, ID-numbers, identity cards and information about relevant and significant litigation or other legal proceedings against Business partners. Billing information (such as name, address, purchased product or service), transaction history.	Generally, we collect your personal information directly from you: in the course of our business relationship with you, exchanges and discussions with you, whether in person or via telephone, video, email, or post; through our website, including the completion of online forms, registering or subscribing to any of our products or services, submitting material or information or otherwise requesting further information or products or services. There may be other occasions when we collect your personal information from other sources such as from publicly available resources, credit agencies. Generally, we will only collect your personal information from sources other than you if it is unreasonable or impracticable to collect your personal information from you.	To provide our products and services to you or to an entity with which you are connected. To bill you or an entity with which you are connected for use of our products and services. To verify your identity. To fulfil your requests or instructions. When necessary, to enforce contractual agreements, to establish and preserve legal claims or defences, to prevent fraud or other criminal activities. Any other legal requirements To assist us with continual improvement, asking you to participate in surveys conducted by us, or third party providers on our behalf, about our service and your experience with us. Where personal information is used or disclosed, we take steps reasonable in the circumstances to ensure it is relevant to the purpose for which it is to be used or disclosed. You are under no obligation to provide your personal information to us. However, without certain information from you, we may not be able to provide our products and/or services to you.

The kinds of personal
information we collect and
hold

How we collect and hold
personal information

The purposes for which we
collect, hold, use and
disclose personal
information

Name
Contact details (such as address, e-mail address, phone number).
Organizational information including job position and company name.
Contractual information necessary for processing fraud preventions.
Information collected in a project or contractual relationship with us provided by customers and contact personas, prospective customers, suppliers, vendors and partners (each a Business partner), such as personal information relating to orders placed, payments made, requests and project milestones.
Personal information collected from publicly
available resources, credit agencies and information that is legally required for Business partner compliance screenings such as date of birth, nationality, place of residence, ID-numbers, identity cards and information about
relevant and significant litigation or other legal
proceedings against Business partners.
Billing information (such as name, address,
purchased product or service), transaction
history.

Generally, we collect your personal information directly from you:

in the course of our business relationship with you, exchanges and discussions with you, whether in person
or via telephone, video, email, or post;
through our website, including the completion of online forms, registering or subscribing to any of our products or services, submitting material or information or otherwise requesting further information or products or services.

There may be other occasions when we collect your personal information from other sources such as from publicly available resources, credit agencies. Generally, we will only collect your personal information from sources other than you if it is unreasonable or impracticable to collect your personal information
from you.

To provide our products and services to you or to an entity with which you are connected.
To bill you or an entity with which you are connected for use of our products and services.
To verify your identity.
To fulfil your requests or instructions.
When necessary, to enforce contractual agreements, to establish and preserve legal claims or defences, to prevent fraud or other criminal activities.
Any other legal requirements
To assist us with continual improvement, asking you to participate in surveys conducted by us, or third party providers on our behalf, about our service and your experience with us.

Where personal information is used or disclosed, we take steps reasonable in the circumstances to ensure it is relevant to the purpose for which it is to be used or disclosed. You are under no obligation to provide your personal information to us. However, without certain information from you, we may not be able to provide our products and/or
services to you.

Direct marketing

We may use and disclose your personal information in order to inform you of products and/or
services that may be of interest to you. Where legally required (including under the GDPR) we
will only provide these communications to you after you have opted to receive them and will
provide you with the opportunity to opt out of receiving them at any time if you do not want
to receive further marketing-related communications from us. Where a specific ‘opting in’
process is not legally required (including under the Privacy Act), you can opt out at any time if
you do not wish to receive further marketing-related communications from us. In either case,
you can opt out by contacting us via the contact details set out below or through any opt-out
mechanism contained in a marketing communication to you.

To whom do we disclose your personal information

We disclose your personal information for the purpose for which we collect it. That is,
generally, we will only disclose your personal information for the purpose of providing our
products and/or services or other purpose set out in the second column of the above table.
This may include disclosing your personal information to third parties engaged to perform
administrative or other business management services. This disclosure is always on a
confidential basis or otherwise in accordance with law. We may also disclose your personal
information with your consent or if disclosure is required or authorised by law.

Overseas disclosure

We may disclose personal information to overseas recipients in order to provide our products
and/or services and for administrative or other business management purposes. Before
disclosing any personal information to an overseas recipient we take steps reasonable in the
circumstances to ensure the overseas recipient complies with the Australian Privacy
Principles or is bound by a substantially similar privacy scheme unless you consent to the
overseas disclosure or it is otherwise required or permitted by law. It is impracticable to list all
countries in which recipients may be located. However, we are likely to disclose personal
information to our parent company OX2 AB in Sweden and other related bodies corporate.

Cookies

We use cookies or other tracking technologies to monitor how you interact with our websites.
You can control and/or delete cookies as you wish – for details, see our cookie policy.

Security of your personal information

We take steps reasonable in the circumstances to ensure that the personal information we
hold is protected from misuse, interference and loss and from unauthorised access,
modification or disclosure. We hold personal information in both hard copy and electronic
forms in secure databases on secure premises, accessible only by authorised staff.

We will destroy or de-identify personal information in circumstances where it is no longer
required unless we are otherwise required or authorised by law to retain the information.

Access and correction of your personal information

We take steps reasonable in the circumstances to ensure personal information we hold is
accurate, up-to-date, complete, relevant and not misleading. Under the Privacy Act, you
have a right to access and seek correction of your personal information that we collect and
hold.

If at any time you would like to access or correct the personal information that we hold about
you, or you would like more information on our approach to privacy, please contact us via the
contact details set out below.

We will grant access to the extent required or authorised by the Privacy Act or other law and
take steps reasonable in the circumstances to correct personal information where necessary
and appropriate.

To obtain access to your personal information:

you will have to provide proof of identity to ensure that personal information is provided
only to the correct individuals and that the privacy of others is protected
we request that you be reasonably specific about the information you require; and
we can provide you with a copy of your personal information in our current records free
of charge. If we provide access to non-current records, we may charge you a reasonable
administration fee, which reflects the cost to us for providing access in accordance with
your request.

If we refuse your request to access or correct your personal information, we will provide you
with written reasons for the refusal and details of complaint mechanisms. We will also take
steps reasonable in the circumstance to provide you with access in a manner that meets your
needs and our needs.

We will endeavour to respond to your request to access or correct your personal information
within 30 days from your request.

How to contact us

For further information or enquiries regarding your personal information, or if you would like
to opt-out of receiving any promotional or marketing communications, please contact our
Country Legal Counsel at:

OX2 Holdings Pty Ltd
Suite 403, Level 4, 65 Dover Street, Cremorne VIC 3121
T: +61 3 8595 2406
E: Email: [email protected]

Privacy complaints

Please direct all privacy complaints to our Country Legal Counsel. At all times, privacy
complaints:

will be treated seriously
will be dealt with promptly
will be dealt with in a confidential manner and
will not affect your existing obligations or affect the commercial arrangements between
you and us.

Our Country Legal Counsel will commence an investigation into your complaint. You will be
informed of the outcome of your complaint following completion of the investigation.

If you are dissatisfied with the outcome of your complaint, you may refer the complaint to the
Office of the Australian Information Commissioner.

Your Competent Data Protection Authority

Besides contacting our Data Privacy Organization, you always have the right to approach the competent Data Protection Authority with your request or complaint:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) (Estonia)

Tatari 39
10134 Tallinn
Tel. +372 6828 712
E-mail: [email protected]
Website: http://www.aki.ee/

Agencia Española de Protección de Datos (AEPD) (Spain)

C/Jorge Juan, 6
28001 Madrid
Tel. +34 91 266 3517
Fax +34 91 455 5699
E-mail: [email protected]
Website: https://www.aepd.es/

Swedish Authority for Privacy Protection (Sweden)

Box 8114, 104 20 Stockholm, Sweden
Tel. +46(0)8-657 61 00
E-mail: [email protected]
Website: http://www.imy.se/

Datatilsynet (Denmark)

Carl Jacobsens Vej 35
2500 Valby
Tel. +45 33 1932 00
E-mail: [email protected]
Website: http://www.datatilsynet.dk/

Office of the Data Protection Ombudsman (Finland)

P.O. Box 800
FI-00531 Helsinki
Tel. +358 29 56 66700
Fax +358 29 56 66735
E-mail: [email protected]
Website: http://www.tietosuoja.fi/en/

Agencia Española de Protección de Datos (AEPD) (Spain)

C/Jorge Juan, 6
28001 Madrid
Tel. +34 91 266 3517
Fax +34 91 455 5699
E-mail: [email protected]
Website: https://www.aepd.es/

Swedish Authority for Privacy Protection (Sweden)

Box 8114, 104 20 Stockholm, Sweden
Tel. +46(0)8-657 61 00
E-mail: [email protected]
Website: http://www.imy.se/

Download the privacy policy in PDF