It is our policy to respect your privacy regarding any information we collect from you across byoben.to and any other sites or services we own and operate.

Privacy Policy

Effective date: 1st June 2026

Introduction

Your privacy is important to us. This Privacy Policy explains how [BYOBEN.TO LEGAL ENTITY NAME] (ABN [ABN]) ("we", "us", "our") collects, uses, discloses and protects your personal information when you access or use byoben.to, including any associated websites, applications, public "boxes" and services (collectively, the "Platform").

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use and disclosure of your personal information as described here. If you do not agree, please do not use the Platform.

We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and, where applicable, the EU/UK General Data Protection Regulation (GDPR).

1. Who This Policy Applies To

1.1 This Policy applies to two broad groups of people:

• Account holders ("Users") — people who register for an account and create or manage a box on the Platform.
• Visitors — people who view, interact with, book, subscribe to, message or purchase through a User's box.

1.2 Where a User collects information from their own customers or visitors through their box (for example, bookings, enquiries, subscriber sign-ups or payments), that User is the party responsible for that information ("controller"), and we act on their behalf as a service provider ("processor"). In those cases the User's own privacy practices apply to that data, in addition to this Policy. See section 9.

2. Information We Collect

2.1 Information you provide to us

We may collect personal information you give us directly, including your:

• Email address
• First and last name
• Phone or mobile number
• Business or brand name and details
• Profile content, images and any material you add to your box
• Billing and payment information (processed by our payment providers — see section 2.4)
• Communications you send to us (for example, support requests)

2.2 Information collected from visitors to a box

When you interact with a User's box, we may collect information on that User's behalf, including your name, email address, phone number, booking details, messages, subscription preferences and payment information.

2.3 Log and technical data

When you use the Platform, our servers automatically log standard data provided by your browser or device. This is generally non-identifying on its own and may include your IP address, browser type and version, the pages or boxes you visit, referring pages, the date, time and duration of your visit, and similar diagnostic data.

2.4 Device data

We may collect data about the device you use to access the Platform, including device type, operating system, unique device identifiers, device settings and approximate geo-location. What we collect can depend on your device and software settings; we recommend reviewing your device manufacturer's or software provider's policies.

2.5 Payment data

We do not store full payment card details. Payments are handled by third-party payment processors who collect and process this information under their own privacy policies and security standards (such as PCI-DSS). We receive limited information such as transaction confirmation and the last digits of a card.

2.6 Information from third parties

If you sign up or log in using a third-party service (for example, a social or single sign-on provider), we may receive information from that service such as your name and email address, in accordance with that provider's settings and policies.

2.7 Cookies and similar technologies

We use cookies and similar technologies to operate and improve the Platform. Please see our Cookie Policy for full details.

3. How We Collect Information

3.1 We collect personal information by fair and lawful means, with your knowledge and consent. We tell you why we are collecting it and how it will be used. You are free to refuse our request for information, with the understanding that we may be unable to provide some or all of our services without it.

3.2 Where practical, we collect personal information directly from you. We may also collect it from third parties (such as payment processors or authentication providers) where you have authorised this or it is otherwise permitted by law.

4. Legal Bases for Processing

4.1 Where the GDPR applies, we rely on the following legal bases to process your personal information:

• Performance of a contract — to provide the Platform and services you have requested.
• Consent — for example, where you opt in to marketing communications. You may withdraw consent at any time.
• Legitimate interests — to operate, secure, analyse and improve the Platform, provided these interests are not overridden by your rights.
• Legal obligation — to comply with applicable laws and lawful requests.

4.2 Where the Australian Privacy Act applies, we collect, use and disclose personal information in accordance with the Australian Privacy Principles.

5. How We Use Information

5.1 We use personal information to:

• Create and manage your account and boxes;
• Provide, maintain and improve the Platform and its features (including bookings, payments, messaging, subscribers, CRM and analytics);
• Process transactions and send related confirmations and account notifications;
• Respond to your enquiries and provide customer support;
• Understand how the Platform is used and improve user experience;
• Detect, prevent and address fraud, abuse, security and technical issues;
• Send you service and administrative communications;
• Send you marketing communications where you have consented (see section 6); and
• Comply with our legal obligations and enforce our terms.

5.2 We may use aggregated and anonymised information (which does not identify you) for analytics, research and reporting, including usage trend reports.

6. Marketing Communications

6.1 We will only send you marketing or promotional communications where you have opted in, or where otherwise permitted by law.

6.2 You can opt out of marketing communications at any time using the unsubscribe link in the message or by contacting us using the details in section 16. Opting out does not affect service or transactional communications that are necessary to operate your account.

7. Disclosure of Information

7.1 We may disclose personal information to third-party service providers who perform functions on our behalf, including:

• Hosting and infrastructure providers;
• Analytics providers;
• User authentication providers;
• Payment processors (processing, not storage);
• Customer support and communication tools;
• Advertising and promotion partners (where applicable).

7.2 These providers may access information solely to perform specific tasks on our behalf, and are bound to keep it confidential and secure. We do not authorise them to use it for any other purpose.

7.3 We will refuse government and law enforcement requests for data where we believe a request is too broad or unrelated to its stated purpose. However, we may cooperate where we reasonably believe it is necessary to:

• (a) comply with a legal process or applicable law;
• (b) protect our rights or property;
• (c) protect the safety of the public or any person;
• (d) prevent a crime; or
• (e) prevent activity we reasonably believe to be illegal, legally actionable or unethical.

7.4 We do not otherwise share or supply personal information to third parties, and we do not sell or rent your personal information to marketers or other third parties.

7.5 If we are involved in a merger, acquisition or sale of assets, your information may be transferred as part of that transaction. We will notify you and take reasonable steps to ensure it remains protected.

8. International Data Transfers

8.1 We are based in Australia, and your personal information may be stored and processed in Australia or in other countries where we or our service providers maintain facilities.

8.2 Where we transfer personal information overseas, we take reasonable steps to ensure it is handled consistently with this Policy and applicable law, including the use of appropriate safeguards (such as standard contractual clauses) where required.

9. Boxes, Bookings and Customer Data

9.1 When you use a User's box to make a booking, send a message, subscribe or make a payment, the relevant User determines how your information is used and is responsible for it as the controller. We process that information on the User's behalf to deliver the requested functionality.

9.2 If you are a Visitor and wish to access, correct or delete information held by a User, please contact that User directly. We will assist Users in responding to such requests where required.

9.3 If you are a User, you are responsible for ensuring you have a lawful basis to collect personal information from your Visitors, for providing them with an appropriate privacy notice, and for handling their information in accordance with applicable law.

10. Data Security and Retention

10.1 We protect personal information using commercially acceptable measures to prevent loss, theft, and unauthorised access, disclosure, copying, use or modification. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

10.2 We retain personal information only for as long as necessary to provide our services, comply with legal obligations, resolve disputes and enforce our agreements.

10.3 Where you close or suspend your account, or where personal information is no longer required, we will delete or de-identify it within a reasonable timeframe, unless we are required to retain it by law.

11. Data Breach Notification

11.1 If we become aware of a data breach that is likely to result in serious harm, we will assess and respond to it in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) and, where applicable, the GDPR. This may include notifying affected individuals and the relevant regulator.

12. Your Rights and Choices

12.1 Subject to applicable law, you have the right to:

• Be informed about how your personal information is collected and used;
• Access the personal information we hold about you;
• Request correction of inaccurate or incomplete information;
• Request deletion of your information;
• Object to or restrict certain processing;
• Withdraw consent where processing is based on consent;
• Request portability of your information (where the GDPR applies); and
• Lodge a complaint with a supervisory authority.

12.2 You can exercise many of these rights directly through your account settings. For other requests, contact us using the details in section 16. We may need to verify your identity before actioning a request.

12.3 If you are in Australia and are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. If you are in the EU/UK, you may contact your local data protection authority.

13. Children's Privacy

13.1 The Platform is not intended for children under the age of 16 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

14. Third-party Links

14.1 The Platform and Users' boxes may link to external sites or services not operated by us. We have no control over their content or practices and cannot accept responsibility or liability for their privacy practices. We encourage you to review their policies.

15. Changes to this Policy

15.1 We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will take reasonable steps to notify you of material changes via the Platform or by other means. Your continued use of the Platform after changes take effect constitutes acceptance of the updated Policy.

16. Contact Us

16.1 For any questions, requests or complaints about this Privacy Policy or your personal information, please contact:

Privacy Officer Email: privacy@byoben.to

16.2 We will respond to privacy enquiries and complaints within a reasonable timeframe and in accordance with our legal obligations.

17. Intellectual Property Infringements

17.1 If you believe your work has been copied or your intellectual property rights have otherwise been violated on the Platform, please first report the box or content using the "Report" button on the associated page so we can monitor the report directly.

17.2 You can also report infringing content directly to us using the details below. Please include the following:

i. The URL of the box or page where the allegedly infringing material is located; ii. A description of the copyrighted work or other intellectual property you claim has been infringed; iii. Your name, address, contact number and email address; iv. A signed statement that the disputed use is not authorised by the copyright owner, its agent or the law, and that you are the owner or are authorised to act on the owner's behalf.