Privacy Policy

For the purposes of the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs), the EU General Data Protection Regulation (EU GDPR), and the United Kingdom General Data Protection Regulation (UK GDPR), the data controller of personal information collected through the Reco platform is:

Where required by the EU GDPR, our EU representative is published on the Platform. Where required by the UK GDPR, our UK representative is published on the Platform.

Reco handles personal information in two distinct roles:

• As data controller, for information you submit directly to us to create and use your Account (for example, your name, email, and Account activity). This Policy covers that processing.
• As data processor, when a Provider provides employee or customer contact data to the Platform to send account invitations and and shares incentives. In that case the Provider is the controller, and we process the data on the Provider's behalf under our Data Processing Addendum. See section 12.

"Reco" is the brand and product name. The legal entity is Netfect Platforms Pty Ltd. References in this Policy to Reco mean Netfect Platforms Pty Ltd trading as Reco.

We collect only the personal information we need for the purposes described in section 4. The categories are:

We do not collect, and you should not submit:

• Government identifiers (tax file numbers, passport numbers, driver license numbers).
• Full payment card numbers or bank account details (these are handled by our payment processor).
• Biometric or genetic information.
• Content of messages sent via third-party apps (e.g., WhatsApp, iMessage) that you use outside the Platform to forward a referral link — we only know that a link was generated, not where you sent it or its contents.

When a Referrer sends a referral, the following happens in order:

1. The Referrer provides a short name (nickname or real name) for a Referee and an optional covering message . We collect these to enable the referral to be tracked and referenced by the Referrer and auto compose the message for the Referrer to send in the next step. The Referrer can use a nickname for the name and compose the message outside of the platform if they choose.
2. The Referrer sends the referral using the native functionality of their device through their chosen channel. We do not record any content of this step including Referee details or the message sent, except that created in the previous step. We only record the link that is created.
3. The Referee chooses whether to accept the referral, using the link sent to them by the Referrer, or not act on it at all.
4. If the Referee ignores the message, the referral will be deleted after a certain period to avoid stale referrals being presented to the Provider.
5. If the Referee accepts the referral, their name and chosen contact details are verified and are shared with the relevant Provider so the Provider can follow up. The Referee's consent to this sharing is captured in the verification step.

We do not seek sensitive information (as defined in the Privacy Act and the GDPR — including health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, trade-union membership, biometric or genetic data, criminal record).

Reco may be used by Providers in health-related fields, ALL USERS should avoid including sensitive information in reviews or messages. If you do, we treat it as voluntarily provided and we hold it under the same safeguards as other personal information. You can ask us to remove it at any time.

Where a Provider enables reviews of individual Associates, the Associate must have been informed by the Provider and must have consented before being made reviewable on the Platform. Associates have the right to:

• review what has been posted about them;
• request correction of factually inaccurate content;
• request that their name be anonymised or removed from reviews;
• request that they be removed from the reviewable-Associates list going forward.

Requests can be made to privacy@reco.tips or raised through the Provider.

Reco is for adults. We do not knowingly collect personal information from anyone under 18. See section 16.

The Platform uses AI to help Providers draft business descriptions, reward descriptions and Reward terms. When a Provider uses these features:

• The Provider's inputs (typically a short business description and preferences) are sent to an AI service provider for processing.
• We do not use your personal content to train third-party AI models. Our arrangements with AI service providers prohibit their use of our API inputs for training.
• AI outputs are drafts only. The Provider is responsible for reviewing and adopting them, as explained in clause 6 of the Terms of Service.

Providers must not input personal information into AI features beyond the minimum necessary and must not input sensitive information or confidential information belonging to their own customers or Associates.

The Platform may include automated fraud detection that scores referrals for indicators of manipulation. Fraud flags can lead to a referral being held for review, a Fee being refunded, or an Account being suspended.

• Any such outcomes are not solely automated — we keep a human in the loop for material decisions that significantly affect you (such as suspending a Provider Account).
• Where a Provider disputes a fraud flag, the 14-day dispute window in clause 15 of the Terms of Service applies, and a human reviews the decision.
• Where we are subject to Article 22 GDPR, you have the right to request human review, express your point of view, and contest the decision — write to privacy@reco.tips.

We use a small set of service providers to operate the Platform. They process personal information on our instructions under written contracts that require appropriate security and confidentiality, and they may not use the data for their own purposes. The categories we use are:

• Cloud hosting, database, authentication, and file storage (currently Google Cloud and Firebase, operated by Google LLC).
• Payment processing and subscription billing (currently Stripe, Inc. and its regional affiliates). Stripe handles card data directly and is responsible for its own processing under its own privacy policy.
• Transactional SMS and email (currently Twilio and and Resend, published in our current Sub-Processors list).
• Address lookup and mapping (currently Google Maps Platform, for country-appropriate functionality).
• Customer support tooling is currently internally constructed and your details are not stored on any third party for this purpose
• AI service providers that power the AI-drafting features described in section 7.

The current list of sub-processors is updated as our suppliers change.

When a Referrer verifies their details for a referral, if the Referrer chooses, we share the Referrer's name and contact details with the relevant Provider. This sharing:

• happens only after the Referrer has verified their contact details and agreed to share this with the Provider;
• is limited to information the Referrer provided for the purpose of the referral;
• does not include the Referrer's information beyond the Referrer's name and contact details that are verified (so the Provider can identify who referred the new Client and deliver any Referrer Reward).

Once shared, the Provider is the controller of that information in respect of its own follow-up with the Referee, and the Provider's privacy policy applies.

We may share personal information with:

• Professional advisers (lawyers, auditors, insurers) under duties of confidentiality, where necessary.
• Authorities, in response to lawful requests (court orders, subpoenas, valid regulator demands). We review each request and push back where the request is overbroad or unlawful.
• A successor entity in connection with a business sale, merger, reorganisation or similar event, with the successor bound by commitments at least as protective as this Policy.

Before transferring personal information overseas we take reasonable steps to ensure the recipient handles it consistently with this Policy and applicable law, including:

• for transfers subject to APP 8 (Australian Privacy Principles), assessing the recipient's privacy regime and reasonable steps to ensure APP-equivalent handling;
• for transfers of EEA/UK personal data to a country without an adequacy decision, relying on the European Commission's Standard Contractual Clauses (or the UK IDTA / UK Addendum as applicable) and, where relevant, supplementary measures informed by the Schrems II decision and current EDPB/ICO guidance.

The current list of data processing centers includes Australia (primary), the United States, the European Economic Area, and the United Kingdom.

By using the Platform you acknowledge that some personal information is processed overseas by the service providers listed in section 8.1.

Before you reach for formal requests, you can manage a significant amount of your personal information yourself directly in your Account settings, including:

• Profile information — view, correct, and update your name, contact details, location, language and time-zone.
• Visibility and sharing — choose what is visible on your public profile or Community Page, and which fields are shared with Providers when you verify a referral.
• Notification preferences — choose whether you receive emails, SMS, push notifications, or in-app alerts, for which categories of message (service, referral activity, marketing), and at what frequency.
• Marketing preferences — opt in or out of marketing communications at any time. This is separate from service communications, which are necessary to operate your Account.
• Associate Information (Providers) — control the structure of the organizations within the platform, structure of the teams, members of the teams and data of the Associates within those teams
• Connected Providers (Clients) — see which Providers you are connected to and disconnect at any time.
• Account closure and data deletion — initiate the deletion of your Account and associated personal information from your settings. For Client only accounts, the data deletion is immediate. Provider accounts currently require back office processing.

Where you change a setting, the change takes effect promptly and is the fastest way to adjust how your information is handled. Using the in-Account controls is equivalent, for most purposes, to making a formal rights request under this section. You can always escalate to a formal request (section 11.11) if a setting does not do what you need.

You can request a copy of the personal information we hold about you.

You can ask us to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Most fields can be corrected directly in your Account settings.

You can ask us to delete your personal information. We will do so unless we are legally required or permitted to keep it (see section 10). You can initiate deletion directly in your Account settings or by emailing privacy@reco.tips. We will verify your identity before acting on a request and confirm completion within 30 days.

You can opt out of marketing at any time by clicking the unsubscribe link in any marketing email, or by updating preferences in your Account settings.

Where we rely on legitimate interests, you can object to processing. Where certain conditions are met, you can ask us to restrict processing.

Where we rely on consent or contract and process your data by automated means, you can ask for a copy of your data in a structured, commonly used, machine-readable format, or ask us to transmit it to another controller where technically feasible.

Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Under APP 2, where lawful and practicable, you may deal with us anonymously or using a pseudonym. For an Account, this is usually not practicable because verification is central to the Platform; we will explain where that is the case.

See section 7.2. You can ask for human review of a material automated decision that affects you.

You can complain to a supervisory authority — see section 18.

Email privacy@reco.tips. Please tell us which right you wish to exercise and include enough information to identify you (usually the email on your Account). We may need to verify your identity to protect your data against impersonation. We respond to verified requests within 30 days (one month in the EEA/UK), and will tell you if we need to extend this, up to a total of three months for complex requests, as permitted by law. There is no charge for a reasonable request.

If we decline a request we will tell you why and explain your further rights.

When a Provider uploads, imports, or otherwise introduces information about its own customers to the Platform (for example, contact details used to invite existing customers to join the Provider's referral program), the Provider is the controller of that information and Reco is the processor.

Clause 18 of the Terms of Service sets out the Provider's warranties, including that the Provider has a lawful basis to provide the data to Reco and has given all required notices and obtained required consents under applicable privacy law in the Provider's jurisdiction.

Where required by applicable privacy law (including the GDPR and UK GDPR), Reco's Data Processing Addendum ("DPA") applies between the Provider and Reco. The current DPA is published on the Platform and forms part of the Terms of Service when a Provider uploads personal data. The DPA sets out:

• the subject matter and duration of processing;
• categories of data subjects and personal data;
• sub-processor terms;
• international-transfer mechanisms (including Standard Contractual Clauses where required);
• security measures (Art 32 GDPR);
• breach notification;
• audit and assistance rights; and
• return/deletion of data on termination.

Providers must maintain their own privacy policy covering their own collection and use of customer information, including their use of the Reco platform. Reco's Policy does not replace the Provider's obligations.

A Community Page is a public-facing page about a business that a Client has recommended. It may exist whether or not the business has signed up with Reco. See section 27 of our Terms of Service.

For a Non-Member Business, a Community Page may contain:

• the business name, trading location (at suburb/city level), and publicly listed contact information;
• a description and category;
• reviews and ratings submitted by Clients;
• the fact that the business has been recommended, and aggregated recommendation counts.

Where a Non-Member Business is a sole trader or where the business name includes an individual's name, the Community Page may incidentally contain personal information which has been publicly sourced. We treat that information under this Policy and under applicable privacy law.

You can:

• Claim the Page by creating a verified Provider Account, after which you gain control of it.
• Correct factual inaccuracies via complaints@reco.tips or the Platform's complaints process.
• Remove the Page by submitting a verified request. On receipt, we will review within 14 days and remove the Page unless retention is required for legal, public-interest, or statutory-defense reasons, and even then only to the minimum extent.
• Object to particular reviews or content, which we will handle under clause 9 of the Terms of Service and section 18 of this Policy.

Before processing any requests as outlined above, we may require proof that you legally represent the Non-member business. As a Non-Member business, you have no rights to own or re-distribute the content in the public page without our consent. We may at our sole discretion remove or modify the page and any comments or reviews it contains.

Where a data breach is likely to result in serious harm to affected individuals and meets the threshold of an "eligible data breach" under Part IIIC of the Privacy Act, we will notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable, in accordance with the scheme.

Where the GDPR or UK GDPR applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where required, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

If you become aware of a suspected data breach affecting the Platform (for example, a compromised Account, an exposure of Referee data, or an email appearing to come from Reco that you did not expect), you must notify us within 24 hours at privacy@reco.tips and at complaints@reco.tips.

If you believe we have mishandled your personal information, please contact us at privacy@reco.tips (or complaints@reco.tips for content-takedown matters). We will acknowledge within 3 business days and respond substantively within 30 days.

You also have the right to complain to a privacy regulator. Depending on where you are, that may be:

• Australia — Office of the Australian Information Commissioner (OAIC), at oaic.gov.au.
• New South Wales public-sector matters — NSW Information and Privacy Commission (IPC), at ipc.nsw.gov.au.
• European Economic Area — the supervisory authority in the EU member state where you live, work, or where the alleged infringement took place.
• United Kingdom — Information Commissioner's Office (ICO), at ico.org.uk.
• Other jurisdictions — your local privacy or data-protection authority.

You do not need to complain to us first before going to a regulator, but we appreciate the opportunity to address concerns directly.