Version 1.2 | Effective: 27 May 2026

Privacy Policy

Buy Collective Pty Ltd (ACN 697 722 660), trading as Buy Collective, is committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

1. About this Policy

This is the Privacy Policy of Buy Collective Pty Ltd (ACN 697 722 660), trading as Buy Collective. We are an Australian proprietary company based in Melbourne. We operate a group-buying platform that industry bodies licence to give their member practices lower prices on products they already purchase commercially.

This policy explains what personal information we collect, how we use and share it, where it goes, how long we keep it, and how you can access, correct, or raise a complaint about it.

We publish this policy to meet our obligations under Australian Privacy Principle 1 (APP 1) in the Privacy Act 1988 (Cth). If you have questions, contact us at hello@buycollective.com.au.

2. What Personal Information We Collect

Members (practices using the platform through an industry body)
- Identity and contact details — name, practice or business name, role, work email, work phone, and industry body membership number.
- Business identifiers — practice ABN or equivalent.
- Transaction data — orders placed, invoices uploaded, amounts paid, supplier and product details, returns, and adjustments.
- Account credentials — password (hashed, never stored in plaintext) and multi-factor authentication settings.
- Technical data — IP address, browser type, device identifiers, and pages visited on the platform.

Suppliers (companies offering products on Buy Collective)
- Business and contact details — company name, ABN, primary contact name and role, work email, work phone.
- Commercial information — pricing, product descriptions, RFP submissions, scoring records, payment account details, and remittance records.
- Account credentials — password and MFA settings as above.

Savings Analyser users (non-members using the free tool)
- Email address — so we can deliver the savings analysis report.
- Invoice file — typically containing supplier name, products, quantities, prices, and the business name on the invoice.

We keep Savings Analyser data minimal. We do not require your name, ABN, phone number, or practice details to use the tool. We do not retain invoice files beyond what is needed to deliver the report, unless you become a Member or separately consent to marketing under our Savings Analyser Lead Terms (TC-001) at https://www.buycollective.com.au/savings-analyser-terms/.

Industry body administrators
- Name, role, work email, work phone, and the industry body you administer on the platform.

Website visitors
- IP address, browser type, pages visited, and (where you have consented to cookies) analytics identifiers. Used to operate the website and understand usage patterns.

3. How We Collect Personal Information

- Directly from you — when you sign up, place an order, upload an invoice, submit an RFP, or contact us.
- From your industry body — when they enrol you as a Member they share your name, work email, role, and practice details to set up your account.
- From your employer — where a practice, body, or supplier provisions an account for you.
- Automatically — through platform telemetry and website analytics, in line with the cookie controls on the site.

We do not buy personal information from data brokers. We do not collect personal information from social media unless you have provided it to us directly.

4. Why We Collect and How We Use Personal Information

- To operate the Buy Collective platform — authenticating you, displaying the correct catalogue for your industry body, processing orders, generating invoices and remittances, and providing customer support.
- To deliver services your industry body has licensed — including savings reporting, analytics to the body, and member onboarding.
- To process payments — securely through our payment partners (see section 6).
- To run the Savings Analyser — parsing your invoice, computing potential savings, and emailing you a report.
- To meet our legal, regulatory, and contractual obligations — including obligations to industry bodies under their Platform Licence Agreements.
- To protect the platform — detecting and preventing fraud, abuse, and security incidents.

We only use personal information for these primary purposes or a related secondary purpose you would reasonably expect. We will not use your personal information for direct marketing unless you have separately and specifically opted in.

5. Direct Marketing and Consent

Providing your email address to receive a report or to open an account is NOT, by itself, consent to marketing. We treat marketing communications as a separate, specific consent under the Spam Act 2003 (Cth).

We only send marketing emails where you have ticked a clear, separate opt-in checkbox. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by emailing hello@buycollective.com.au.

For Savings Analyser users, the full marketing consent terms are at https://www.buycollective.com.au/savings-analyser-terms/ (TC-001 Savings Analyser Lead Terms). We do not use SMS marketing.

6. Who We Share Your Personal Information With

We share personal information only as needed to operate the platform and meet our obligations. We do not sell personal information. We do not share personal information with advertising networks for targeted advertising.

The current named sub-processors and their processing details are maintained in our Sub-processor Register (REG-001), available on request.

Industry body (your licensee) — receives aggregated, de-identified purchasing analytics and member onboarding details as strictly needed for platform operation. Located in Australia.

Cloud hosting — Microsoft Azure — receives all platform data, encrypted at rest and in transit, to host the platform and store data securely in Australian data centres. Located in Australia (East / Southeast regions). Azure is a global provider but our workloads run in Australian regions.

AI processing — Anthropic (Claude) — receives invoice text and product descriptions for parsing. Personal identifiers are minimised or removed where practicable. Located in the United States. See section 7.

AI processing — OpenAI (embeddings) — receives product names, SKU descriptions, and category text. No personal identifiers. Used to match catalogue items to invoice line items for savings comparison. Located in the United States. See section 7.

Payment processing — receives Member contact and business identifiers, payment amounts and reference data. Cardholder data is captured by our payment provider's hosted payment flow and does not pass through Buy Collective servers. Used to process inbound Member payments by credit/debit card and PayID (NPP real-time bank transfer). Located in Australia.

Transactional email — Resend — receives your email address and the content of the email being sent to you, to deliver platform emails: order confirmations, password resets, Savings Analyser reports. See our Sub-processor Register for current processing location.

Source control — GitHub — receives no platform data (source code and deployment configs only). Located in the United States.

Professional advisors and regulators — receive information strictly necessary, on a confidential basis, where required by law, to meet legal obligations, defend legal claims, or co-operate with regulators. Located primarily in Australia.

7. Sending Personal Information Overseas (APP 8)

Some of our service providers process information outside Australia. Overseas processing happens primarily in the United States — AI processing (Anthropic and OpenAI) and source control (GitHub). Microsoft Azure is a global provider but our Buy Collective workloads run in Australian Azure regions.

Under APP 8, where we disclose personal information to an overseas recipient we are accountable for that recipient's handling of it. Our approach is to:
- Choose providers with mature security and privacy programs — typically ISO/IEC 27001 certification and SOC 2 Type II reports.
- Put a data processing agreement in place with each provider (DPA-TPL-001 is our standard template; for large providers we accept their equivalent terms and record any divergence in REG-001).
- Minimise what is sent — we strip or substitute personal identifiers before sending content to AI providers where practicable.
- Maintain the Sub-processor Register (REG-001) and review it at least quarterly.

8. How We Keep Your Personal Information Secure

We operate an Information Security Management System aligned with ISO/IEC 27001:2022. Key controls include:
- encryption at rest and in transit across all platform components;
- multi-factor authentication for all administrator accounts;
- multi-tenant data isolation by body_id and member_id at the database layer;
- secrets stored in Azure Key Vault;
- immutable audit logging for key transactions;
- documented incident response procedures.

No security system is perfect. If we become aware of an eligible data breach under the Privacy Act 1988 (Cth) Part IIIC, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required.

9. How Long We Keep Your Personal Information

Member account data — retained for the duration of your account, then deleted within 30 days of account closure, unless longer retention is required (e.g. tax records, dispute defence).

Transaction and invoice data — retained for at least 7 years from the end of the financial year (TAA s 262A).

Savings Analyser uploads — deleted within 30 days of the report being delivered, unless you have consented to marketing or become a Member.

Audit logs — retained per our Logging and Monitoring Policy.

Marketing consent records — retained for the current consent period plus 7 years after withdrawal (Spam Act compliance).

10. Your Rights — Access, Correction, Deletion, Complaints

Under the Privacy Act 1988 (Cth) you have the right to:
- Ask what personal information we hold about you and request a copy (APP 12).
- Ask us to correct personal information that is inaccurate, out of date, incomplete, or misleading (APP 13).
- Ask us to delete personal information we no longer need for the original purpose, subject to our retention obligations.
- Complain to us if you think we have mishandled your personal information.

To exercise any of these rights, email hello@buycollective.com.au with enough information for us to identify your request. We will respond within 30 days. There is no fee for making a request, though for very large or complex requests we may charge a reasonable fee after notifying you.

If you are not satisfied with how we have handled your complaint, you can contact the Office of the Australian Information Commissioner: oaic.gov.au | 1300 363 992.

11. Cookies and Analytics

We use cookies and similar technologies to keep you logged in, remember preferences, and understand how the platform and website are used. You can control cookies in your browser settings; turning off cookies may affect platform functionality.

On the public website we use first-party analytics and aggregated usage reporting only. We do not use cross-site advertising trackers or remarketing pixels.

12. Changes to this Policy

We may update this policy from time to time. The current version is always available at https://www.buycollective.com.au/privacy-policy/. Material changes will be communicated to Members through the platform (banner notice and email) at least 14 days before they take effect. Minor changes take effect on publication.