DRAFT for review by a qualified Australian legal practitioner before use — not legal advice.

Privacy Policy

Operating entity: Blue Collar News Services Pty Ltd (ABN [TBC]) ("we", "us", "our") Website: Services.BlueCollarNews.com.au (the "Platform") Version: 1.0 (draft) | Effective date: [TBC]

This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) (the "Privacy Act") and the Australian Privacy Principles ("APPs"). It should be read together with our Collection Notice and Consent, Terms of Use and Cookie Policy.

1. About us and the most important thing to understand

1.1 We operate an online lead-generation marketplace. Consumers submit a request for a quote for a service. We are an introducer / lead vendor only. We are not the service provider, we are not your agent, and we are not a party to any contract you enter into with a business.

1.2 The single most important thing to understand about your privacy on this Platform: when you submit a service request, we will disclose your personal information to up to five (5) independent businesses so that they can contact you to provide quotes. Once we disclose your information to those businesses, each of them becomes an independent handler (controller) of your information and is responsible for its own privacy practices. We cannot control, and are not responsible for, what those businesses do with your information after we share it. See clause 6.

1.3 We do not rely on the "small business operator" exemption in the Privacy Act (the under-AU$3 million annual turnover exemption). Because we disclose personal information about individuals to other parties for a benefit, service or advantage (and collect it for that purpose), we are taken to trade in personal information and are an "APP entity" bound by the Privacy Act and all APPs. We comply with the Privacy Act regardless of our turnover.

2. What this policy covers

2.1 This policy covers personal information we collect through the Platform from consumers submitting service requests, from businesses who are our customers, and from visitors to our website.

2.2 "Personal information" has the meaning given in the Privacy Act: information or an opinion about an identified individual, or an individual who is reasonably identifiable.

3. The personal information we collect

3.1 From consumers submitting a service request, we collect:

3.2 From businesses (our paying customers), we collect: business name, ABN, contact person details, licensing/insurance details, service categories and areas, payment and billing information (processed by Stripe — we do not store full card numbers), and account activity.

3.3 Automatically, from all visitors: IP address, device and browser information, pages visited, and similar technical data via cookies and analytics (see our Cookie Policy). We also record the version of consent wording shown, the timestamp, and the IP address at the time you give consent, as a record of consent.

3.4 Sensitive information. We do not seek to collect sensitive information (as defined in the Privacy Act, e.g. health, racial, religious or biometric information). Please do not include sensitive information in free-text job descriptions or photos. If you do, you consent to us handling it for the purpose of matching you with businesses.

4. How we collect personal information (APP 3)

4.1 We collect personal information directly from you when you complete a service request form, create an account, contact us, or otherwise interact with the Platform.

4.2 We collect some technical information automatically (clause 3.3).

4.3 We will only collect personal information by lawful and fair means and only where it is reasonably necessary for one or more of our functions or activities.

5. Why we collect, hold, use and disclose your information (APPs 3 & 6)

5.1 Primary purpose — matching. The primary purpose for which we collect your personal information is to match your service request with up to five independent businesses and to facilitate them contacting you to provide quotes.

5.2 We also use personal information for these related secondary purposes, which you would reasonably expect:

5.3 We will not use or disclose your personal information for an unrelated secondary purpose unless an exception in APP 6 applies (for example, you consent, or the use/disclosure is required or authorised by law).

6. Disclosure to up to five (5) independent businesses — the core disclosure

6.1 What we do. When you submit a service request, we make your request available to businesses that match your job and area. Businesses "claim" leads on a first-come, first-served, non-exclusive basis, up to a maximum of five (5) businesses per request.

6.2 What we disclose to each claiming business: your name, phone number, email address, location, job details, and any photos you uploaded — i.e. the information necessary for them to contact you and prepare a quote.

6.3 Your consent. We disclose this information with your consent, which you give by ticking the unbundled, un-ticked consent checkbox on the service request form (see our Collection Notice and Consent). This consent is a condition of submitting your request, because the entire service is the introduction.

6.4 Each business becomes an independent handler. Once we disclose your information to a business, that business independently controls and is responsible for the information. Each business is required under our Business Customer Agreement to comply with the Privacy Act, the Spam Act and the Do Not Call Register Act, to use the lead only to quote on your job, and not to on-sell, share, scrape or re-market it. However, we cannot guarantee their conduct, and their handling of your information is governed by their own privacy policies, not this one.

6.5 We cannot recall data already shared. Because up to five independent businesses may receive your information, once it has been disclosed we cannot retrieve, recall or force the deletion of it. If you want a business to delete your information, you can ask us and we will relay that request to the business(es) that claimed your lead, and the business is contractually required to action it — but the practical control rests with that business. See clause 11.

7. Other disclosures — our service providers (APP 6)

7.1 We disclose personal information to trusted third-party service providers who help us run the Platform, under contracts requiring them to protect it and use it only for our purposes. These include:

| Provider | Purpose | Indicative location of processing | |---|---|---| | Supabase | Database, authentication and hosting of application data | Data-centre region [TBC — e.g. Sydney AWS ap-southeast-2]; may involve overseas support | | Stripe | Payment processing for business customers | United States (and other regions) | | Slack | Lead delivery to business customers | United States | | Twilio / MessageMedia | SMS delivery | United States (Twilio) / Australia (MessageMedia) [confirm which is used] | | Resend | Transactional email delivery | United States | | Hosting / CDN provider [TBC] | Website hosting and content delivery | [TBC] |

7.2 We may also disclose personal information to professional advisers, regulators, law enforcement, or courts where required or authorised by law, or to protect our rights.

8. Direct marketing and opt-out (APP 7)

8.1 We may use your personal information to send you direct marketing about our services, only where you have consented (clause 5.2(f)), or where otherwise permitted by APP 7.

8.2 Marketing consent is optional and is never a condition of using the Platform. You can opt out at any time by using the unsubscribe link in any marketing message, or by contacting our Privacy Officer (clause 16). We will action opt-out requests promptly and will not charge you to opt out.

8.3 Our electronic marketing also complies with the Spam Act 2003 (Cth) (consent, sender identification, and a functional unsubscribe facility).

8.4 We do not sell your personal information to third parties for those third parties' own marketing. Our disclosure to claiming businesses (clause 6) is for the matching purpose you requested, not for those businesses to add you to general marketing lists; businesses are contractually prohibited from doing so.

9. Overseas disclosure (APP 8)

9.1 Some of our service providers store or process personal information outside Australia, including in the United States (notably Stripe, Slack, Twilio, Resend) and potentially other regions depending on our data-centre configuration (clause 7.1).

9.2 Before disclosing personal information overseas, we take reasonable steps to ensure the overseas recipient does not breach the APPs, including through contractual protections and selecting reputable providers with recognised security and privacy standards.

9.3 The claiming businesses to whom we disclose your information under clause 6 are expected to be located in Australia.

10. Data quality (APP 10)

10.1 We take reasonable steps to ensure the personal information we collect, use and disclose is accurate, up to date, complete and relevant. Because we rely on the information you provide, please keep your details accurate and let us know of any errors (clause 12).

11. Security, retention and destruction (APP 11)

11.1 Security. We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure — including encryption in transit, access controls, use of reputable hosting/security providers, and staff confidentiality obligations.

11.2 Retention. We retain personal information only for as long as reasonably necessary for the purposes in this policy, or as required by law (for example, records to support billing, tax, and lead-validity dispute resolution).

11.3 Destruction / de-identification. When personal information is no longer needed and we are not required to retain it by law, we take reasonable steps to destroy it or de-identify it.

11.4 Downstream limitation. As explained in clause 6.5, our retention and destruction controls apply to information we hold. We cannot destroy or de-identify information already disclosed to independent businesses; that is governed by each business's own obligations.

11.5 Data breaches. We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act and will notify affected individuals and the OAIC where an eligible data breach is likely to result in serious harm.

12. Access and correction (APPs 12 & 13)

12.1 You may request access to the personal information we hold about you, and ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading. Contact our Privacy Officer (clause 16).

12.2 We will respond within a reasonable time (ordinarily within 30 days). We will not charge for making a request and will not charge an excessive fee for giving access. If we refuse access or correction, we will tell you why in writing and how to complain.

12.3 Note (clause 6.5): if your information has already been shared with a business, a correction made with us will not automatically update the copy held by that business; we will, on request, relay the correction to the business(es) that claimed your lead.

13. Dealing with us anonymously or by pseudonym (APP 2)

13.1 You have the option of not identifying yourself, or using a pseudonym, when dealing with us — except where it is impracticable for us to deal with you anonymously. It is not practicable to provide the matching service anonymously, because the businesses need your real contact details to provide a quote. You may still browse the website without identifying yourself.

14. Automated decision-making

14.1 Our matching uses simple, rules-based logic (e.g. service category, location, first-come-first-served) to make leads available to businesses. We do not currently make decisions that have a legal or similarly significant effect on you using solely automated processing.

14.2 [Placeholder — 2024 privacy reform.] Amendments to the Privacy Act introduced in 2024 will require privacy policies to include information about automated decisions that significantly affect individuals (the relevant transparency requirement is expected to commence in approximately December 2026). We will update this policy with the prescribed disclosures before that requirement commences if it applies to us.

15. Cookies and children

15.1 Cookies. The Platform uses cookies and similar technologies. See our Cookie Policy.

15.2 Children. The Platform is intended for users aged 18 and over (see Terms of Use). We do not knowingly collect personal information from children. If you believe we have collected information from a person under 18, please contact our Privacy Officer and we will take reasonable steps to delete it.

16. Complaints and how to contact us

16.1 Privacy Officer. If you have a question, request, or complaint about how we handle personal information, contact:

16.2 Complaints. We will acknowledge your complaint promptly and aim to respond within 30 days. We will investigate and tell you the outcome and any steps taken.

16.3 Office of the Australian Information Commissioner (OAIC). If you are not satisfied with our response, you can complain to the OAIC:

17. Changes to this policy

17.1 We may update this policy from time to time. The current version will always be available on the Platform with its effective date. Material changes will be notified as required by law.

End of Privacy Policy (draft).