PRIVACY POLICY

One Place Pty Ltd (ABN 87 616 612 214]) trading as One Place ("One Place", "we", "our", "us")

Last updated: 20 April 2026

1. About this policy

One Place Pty Ltd is an Australian construction and property development business based in Melbourne, Victoria. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy explains how we collect, hold, use, disclose, and protect personal information, and how you can access or correct your information or make a privacy complaint.

A copy of the Australian Privacy Principles is available from the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

2. Who this policy covers

This policy applies to personal information handled by One Place Pty Ltd. Where we share personal information with related entities (such as other companies in our group or special purpose entities associated with a development), or with joint venture partners, we do so only in accordance with this policy.

3. Personal information we collect

"Personal information" is information or an opinion that identifies, or could reasonably identify, an individual. Depending on how you interact with us, we may collect:

Website visitors and subscribers

• Name, email address, and any details you submit through forms or mailing lists

• IP address, device and browser information, pages visited, and interaction data (see Cookies and website analyticsbelow)

Prospective and current purchasers

• Name, contact details, date of birth, and occupation

• Identification documents (e.g. driver's licence, passport) where needed to verify identity or satisfy contract or regulatory requirements

• Financial and employment information relevant to a purchase

• Details of your interest in our developments

Prospective and current tenants (including directors and guarantors of corporate tenants)

• Name, contact details, date of birth, and occupation

• Identification documents

• Financial information, rental history, trade references, and information obtained from commercial credit or trade reference providers where relevant to assessing your application

• Lease correspondence and records of dealings during the tenancy

Suppliers, contractors, and subcontractors

• Name, contact details, ABN, and banking details

• Insurance certificates, licences, white cards, and trade qualifications

• Information needed to induct workers onto our sites

Job applicants and employees

• Information provided in applications (CV, references, right-to-work documents)

• Tax file number, superannuation details, and bank account details of successful applicants

• Information generated during employment (some of which may be exempt from the Australian Privacy Principles under the employee records exemption in section 7B(3) of the Privacy Act, to the extent the act or practice is directly related to a current or former employment relationship)

Professional contacts and counterparties

• Names, roles, and contact details of people at organisations we deal with (e.g. financiers, lawyers, architects, consultants, agents)

Investors and financiers

• Names, roles, and contact details of investor and lender representatives

• Information required to satisfy know-your-customer (KYC), anti-money laundering, and funding due diligence requirements, including beneficial owner and director information

Adjoining owners, occupiers, and the local community

• Names and contact details of adjoining owners and occupiers in connection with protection work notices, planning consultation, and related construction notifications

• Feedback, enquiries, and correspondence received during development approval and community consultation processes

Visitors to our sites and offices

• Sign-in details, induction records, and emergency contact information

• Where relevant, photographs of ID or visitor passes

4. Sensitive information

Sensitive information includes information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union or professional or trade association, sexual orientation or practices, criminal record, health information, genetic information, and biometric information.

We only collect sensitive information where it is reasonably necessary for our functions or activities, and generally with your consent. The most common situations are:

• Health or injury information relating to workplace incidents or site safety

• Other sensitive information where required by law or where you have provided your consent

5. How we collect personal information

Where reasonably practicable, we collect personal information directly from you — for example, when you submit an enquiry, sign a contract, lease a space, apply for a job, attend one of our sites, or supply goods or services to us.

We sometimes collect personal information from third parties, including:

• Real estate agents, buyers' agents, and leasing agents

• Commercial credit reporting or trade reference providers

• Recruiters, referees, and publicly available sources (e.g. LinkedIn)

• Government registers (e.g. ASIC, Land Use Victoria, PPSR)

• Our professional advisers and service providers

If we collect personal information about you from someone else, we will take reasonable steps to let you know.

6. Why we collect and how we use personal information

We use personal information for the purposes for which it was collected, including:

• Evaluating and managing property acquisitions, sales, and leases

• Managing construction projects, contracts, and subcontractor arrangements

• Complying with legal, regulatory, and tax obligations

• Recruiting and managing staff

• Managing our relationships with financiers, investors, and advisers

• Responding to enquiries and providing information you have requested

• Marketing our developments and services (see below)

• Improving our website and business operations

We may also use personal information for directly related secondary purposes that you would reasonably expect.

7. Direct marketing

We may send you information about our current and future developments, properties available for sale or lease, and related services. Our marketing communications comply with:

• The Australian Privacy Principles (APP 7)

• The Spam Act 2003 (Cth) — every commercial electronic message we send identifies us and includes a functional unsubscribe option

You can opt out of marketing at any time by:

• Clicking "unsubscribe" in any marketing email

• Replying STOP to a marketing SMS

• Emailing hello@oneplacecorp.com.au

We will action opt-out requests promptly and at no cost to you.

8. Who we disclose personal information to

We may disclose personal information to:

• Our related entities and joint venture parties

• Professional advisers (lawyers, accountants, surveyors, valuers, architects, engineers, consultants)

• Financiers, lenders, brokers, and insurance providers

• Real estate agents, conveyancers, and settlement agents

• Contractors, subcontractors, and suppliers, as needed to carry out project works

• Commercial credit or trade reference providers, where relevant to tenant, purchaser, or guarantor assessment

• Regulators, courts, and government bodies as required or authorised by law

• Our service providers, including our IT, hosting, and cloud providers (see Overseas disclosure below)

• Secure document sharing platforms or data rooms used to provide information to authorised investors, financiers, and advisers, subject to confidentiality obligations

We do not sell personal information.

9. Overseas disclosure

Some of our service providers store or process personal information outside Australia. In particular:

• Squarespace hosts our website — servers are located primarily in the United States

• Microsoft 365 provides our email, calendaring, and productivity tools — core content (such as email, documents, and calendar data) is stored primarily in Australia, with some services processed in other regions where Microsoft operates data centres, including the United States and the European Union

• Dropbox provides our document management — servers are located primarily in the United States

• Google (including Google Analytics) may process website analytics data in the United States and other jurisdictions where Google operates

We take reasonable steps to ensure overseas recipients handle personal information consistently with the Australian Privacy Principles. This includes, where practicable, contractual arrangements, reliance on standard terms, and due diligence on security and privacy certifications (such as ISO 27001 or SOC 2), as well as reviewing published privacy and security commitments.

Under APP 8.1 we generally remain accountable under section 16C of the Privacy Act for acts or practices of overseas recipients that would breach the APPs.

10. Security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our measures include:

• Access controls and unique login credentials for our systems

• Multi-factor authentication on key platforms, including Microsoft 365 and Dropbox

• Encryption of data in transit (TLS) and at rest where supported by our platforms

• Staff training on privacy and information security

• Secure disposal of hard-copy and electronic records when no longer needed

• Contractual and practical requirements on our service providers to protect personal information

• Periodic review of access permissions and data handling practices

No system is perfectly secure, and transmission over the internet involves inherent risks. We encourage you to take care when sending sensitive information to us electronically.

11. Notifiable data breaches

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If we experience an eligible data breach that is likely to result in serious harm, we will notify the OAIC and affected individuals as required by law.

If you believe your personal information has been compromised, please contact our Privacy Officer as soon as possible using the contact details below.

12. How long we keep personal information

We retain personal information only for as long as we need it for the purposes for which it was collected, or as required by law. In practice this means:

• Purchaser, tenant, and project records: generally retained for at least the relevant limitation period for construction and contract claims (in Victoria this is up to 10 years for building work under section 134 of the Building Act 1993 (Vic))

• Financial and tax records: at least 5 years from the relevant transaction, as required by the Income Tax Assessment Act

• Anti-money laundering records: where we are subject to obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), at least 7 years after the end of the business relationship with the relevant person

• Employee records: in accordance with the Fair Work Act 2009 (Cth) and related legislation

• Workplace health and safety and incident records: retained in accordance with applicable workplace safety laws and insurance requirements

• Insurance and claim-related records: retained in accordance with policy requirements and applicable limitation periods

• Marketing records: until you unsubscribe, after which we retain only what is needed to action and evidence your opt-out

When we no longer need personal information, we take reasonable steps to securely destroy or de-identify it.

13. Access, correction, and withdrawal of consent

You can request access to, or correction of, the personal information we hold about you by contacting our Privacy Officer (see below). We will respond within 30 days.

We may ask you to verify your identity before providing access. If we refuse access or correction, we will explain our reasons in writing and tell you how you can complain.

If you ask us to correct information and we disagree, you can ask us to attach a statement to the record noting your view.

Where we have relied on your consent to collect or handle your personal information, you can withdraw that consent at any time by contacting our Privacy Officer. Withdrawing consent will not affect anything we have lawfully done based on your consent before it was withdrawn, and we may still need to retain some information to meet our legal obligations.

14. Cookies and website analytics

Our website uses cookies — small data files stored on your device — to help the site function, remember your preferences, and understand how visitors use the site.

We use Google Analytics, which sets its own cookies to collect aggregated, de-identified information about site usage. You can opt out of Google Analytics by installing the browser add-on at https://tools.google.com/dlpage/gaoptout.

Our website is hosted on Squarespace, which also sets cookies to operate the site.

You can control cookies through your browser settings, though some parts of the site may not work as intended without them. Where required, we seek your consent to the use of non-essential cookies.

15. CCTV and site surveillance

We may use CCTV at our construction sites and offices for safety, security, and site management purposes. Where CCTV is in use, signage is displayed. Footage is retained only as long as needed for its stated purpose and is handled in accordance with this policy and the Surveillance Devices Act 1999 (Vic). Where surveillance may affect employees, we provide notice in accordance with applicable workplace, surveillance, and employment laws.

16. Photography and imagery

We take photographs and video, including drone footage, for marketing, sales, and project documentation purposes. This imagery may incidentally include individuals and surrounding properties. Where reasonably practicable, we display signage or otherwise notify people when photography is taking place on our sites or at events, and we do not use identifiable images of individuals for marketing without their consent, which may be obtained through contractual terms, release forms, or direct agreement.

17. Automated decision-making

We do not currently use automated decision-making systems that, without meaningful human involvement, make decisions significantly affecting your rights or interests. If this changes, we will update this policy in line with the new obligations under APP 1.7–1.9 of the Privacy Act, which commence on 10 December 2026.

18. Children

Our website and services are directed to adults. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided personal information to us, please contact our Privacy Officer and we will take reasonable steps to delete it.

19. Anonymity and pseudonymity

Where it is lawful and practicable, you can deal with us anonymously or using a pseudonym — for example, when making a general enquiry. For most of our services (such as purchasing property, leasing a space, or applying for employment) we need to identify you in order to deal with you properly.

20. Complaints

If you believe we have mishandled your personal information, please contact our Privacy Officer using the details below. We will:

• Acknowledge your complaint within 5 business days

• Investigate and respond within 30 days where reasonably practicable

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au

• Phone: 1300 363 992

21. Contact us

Privacy Officer One Place Pty Ltd, 3/31 Kylie Place, Cheltenham VIC 3192

Email: hello@oneplacecorp.com.au

22. Changes to this policy

We may update this policy from time to time. The current version will always be available at oneplacecorp.com.au/privacy-policy and will be dated. Material changes will be communicated as appropriate.