Credit Information Management Policy

Version 1.1 — 15 January 2026

1. We respect your privacy

We are committed to protecting the credit-related personal information we collect from you in accordance with Australian law. This Policy supplements Part IIIA of the Privacy Act 1988 (Cth), the Privacy Regulation 2013 and the Registered Privacy (Credit Reporting) Code (CR Code).

2. When this Policy applies

Under the Privacy Act, if you engage our services you may be applying for credit from us (for example, where we provide services/products and allow you more than 7 days to pay).

3. What we collect and from where

If you apply for credit from us we may collect and use credit-related personal information. We normally collect information directly from you, but may also collect from your representatives, other organisations, other credit providers and/or credit reporting bodies (CRBs).

4. Third parties who assist us

In some circumstances, third parties assist us to provide credit and may have access to your credit-related personal information for this purpose. We impose contractual and technical safeguards requiring those parties to protect credit-related personal information and use it only for the specific function we engage them to perform.

5. Credit reporting bodies (CRBs) we use

We may deal with the following CRBs: Equifax and Illion. Their current contact details and credit reporting policies are available on their websites.

6. Notifiable matters — credit reporting (required by the CR Code)

We may exchange your credit-related information with CRBs. A CRB may include your information in reports provided to other credit providers to assist them to assess your creditworthiness. You have the right to:

• access and correct your credit-related information, and complain if you believe it has been mishandled;

• request a ban period from a CRB if you believe you are (or are likely to be) a victim of fraud; during a ban, CRBs must not disclose your credit reporting information and offer a ban-notification service to alert you to requests made during the ban;

• opt out of pre-screening by CRBs for unsolicited offers of credit (where applicable).

7. Storage and overseas disclosure

We hold credit-related personal information electronically on servers located in Australia and overseas, on computers and in hard copy files at our premises. We apply physical, technical and organisational measures (e.g., access controls, encryption, multi-factor authentication, secure disposal). Where we use service providers outside Australia (currently including United States, United Kingdom, Philippines), we take reasonable steps (contractual and technical safeguards) to ensure overseas recipients do not breach the Privacy Act and the CR Code.

8. Access, correction and the 30‑day rule

You can make a written request to access or correct credit-related personal information we hold about you. We do not charge for correction requests. We will take reasonable steps to correct information that is inaccurate, out‑of‑date, incomplete, irrelevant or misleading and will:

• respond and correct within 30 days (or a longer period you agree to in writing);

• consult with other credit providers and/or CRBs as needed (the “no wrong door” approach); and

• notify you in writing of the outcome, and where corrected, notify relevant recipients.

9. What we may disclose to CRBs

Identification information; consumer credit liability information; repayment history and payment information; default information; financial hardship information; and serious credit infringement information, in accordance with the Privacy Act and the CR Code.

10. Complaints

If you have a concern about how we have handled your credit-related personal information, please email us at connect@sbbpartners.com.au or write to us via the addresses on our Contact page. We aim to acknowledge and respond within 30 days. If you are not satisfied, you may contact the Office of the Australian Information Commissioner (OAIC). If you are eligible to use an External Dispute Resolution (EDR) scheme for credit complaints, we will provide details on request.

11. Where to find more information

This Policy should be read with our Privacy Policy (APPs) and any credit-collection notices provided at or before collection (statement of notifiable matters).