Privacy Policy

Effective Date: 8 March 2025

1. Overview

Solido AI Pty Limited ACN 683 063 372 ("we", "us", "our") is committed to protecting the privacy of its existing and prospective customers and of the visitors of its website ("you", "your"). This privacy policy outlines how we collect, use, and disclose your Personal Information when you access our website and content, and when you use our services, any related software, mobile and other applications ("Services").

When you access or use our Services, you consent to us collecting, holding, using, and disclosing your personal information in accordance with this policy.

You are not obligated to provide us with your personal information, but it may be necessary to provide you with certain Services, such as account registration. In such cases, if you do not provide your personal information, we may not be able to provide you with the requested Services.

2. Scope of this Policy

This privacy policy covers the Personal Information collected by us when you use, access or interact with our website or content, and when you use or apply to use any of our Services.

We may also create and use deidentified data from time to time, being data that can no longer reasonably be used to identify you. Where we maintain deidentified data, we make no attempt to re-identify it, except for the purpose of determining whether our de-identification process satisfies the requirements of any applicable laws.

For the purposes of the General Data Protection Regulation (GDPR) and UK GDPR, we may act as either a Data Controller or a Data Processor, depending on the circumstances:

  • We act as a Data Controller when we determine the purposes and means of processing personal data, such as when we collect user information directly from you for account creation, provision of the Services, marketing, analytics, or compliance with legal obligations.
  • We act as Data Processor in cases where we process personal data on behalf of our clients (such as handling debtor data from integrated third-party accounting software like Xero or QuickBooks), and only process such data in accordance with the instructions of the Data Controller (our client).

If we are acting as a Data Controller, you may exercise your privacy rights directly with us. However, if we are acting as a Data Processor, you should contact the Data Controller (our client) to exercise your rights regarding personal data processing.

3. What this Policy Does Not Cover

This policy does not apply to:

  • Customer Personal Data, being any personal data you or your organisation collects from its customers and provides to us for processing on your behalf, which is subject to your privacy policy;
  • Employee Data, being personal data relating to our employees or prospective employees;
  • Third-Party Data, being data collected by third-party platforms or services integrated with any of our Services, and which are governed by their respective privacy policies; and
  • Personal information processed under the instructions of business customers (i.e. when we are the Data Processor).

4. What is Personal Information?

For the purposes of this Privacy Policy, "personal information" refers to any information or opinion about an identified individual or an individual who is reasonably identifiable. This may include, but is not limited to:

  • name, address, email address, phone number, and other contact details;
  • financial information such as transaction records or debtor information; and
  • information about interactions with our Tool, such as usage data and technical information.

5. Information We Collect

We collect personal information in various ways, depending on your interactions with our Services. Below is a breakdown of what we collect, how we collect it, and why:

5.1. Information you provide to us

You may provide personal information when you:

  • complete forms on our website or when using the Services;
  • create an account or use the Services;
  • interact with our customer support team.

This includes:

  • Account Information: Email address, password, and authentication credentials;
  • Contact Details: Name, address, phone number, and email;
  • Payment Information: Credit card or bank account details used for transactions;
  • Communication Data: Feedback, queries, or complaints shared with us;
  • Marketing Preferences: Interests, communication preferences, and preferred products or services; and
  • Third-Party Integration Data: Information you grant us access to from third-party applications (e.g. accounting software, email inboxes).

5.2. Information collected automatically

We use tracking technologies (e.g., cookies, web beacons) to collect information about your interactions with our Services, including:

  • Usage Data: Pages visited, date/time of access, interaction behaviours (e.g., clicks, scrolling), and search activity;
  • Device and Log Data: IP address, browser type/version, operating system, access logs, and diagnostic reports;
  • Location Data: General location inferred from your IP address or precise location when permission is granted (via GPS or Bluetooth);
  • Cookies: Persistent and session cookies to enhance functionality, remember preferences, and improve the user experience. You can manage cookie settings in your browser.

5.3. Information from public and third-party sources

We may collect publicly available information or data from third parties, such as:

  • Social profiles (e.g., LinkedIn);
  • Contact details (e.g., email address, phone number);
  • Professional information for marketing purposes.

6. How and Why We Use Your Personal Information

We collect and process your personal information for a variety of reasons. Below, we outline how and why we use your personal information and the legal basis for processing it.

| Purpose of processing | Legal basis | Types of Personal Information processed |
|---|---|---|
| Providing the Services | Contractual necessity | Account Information, Contact Details, Payment Information, and Third-Party Integration Data |
| Processing payments and managing debtor communications | Contractual Necessity | Payment Information, Contact Details, and Third-Party Integration Data |
| Compliance with legal and regulatory obligations | Legal Obligations | Device and Log Data, Communication Data, and Payment Information |
| Fraud prevention and security measures | Legitimate Interest | Device and Log Data, Usage Data, and Authentication Credentials |
| Improving user experience and service performance | Legitimate Interest | Usage Data, Interaction Data, and Communication Data |
| Marketing and customer engagement | Consent | Contact Details, Marketing Preferences, and Public/Third-Party Data |
| Analysing payment trends and financial behaviour | Legitimate Interest | Usage Data and Third-Party Integration Data |
| Internal audits and risk management | Legal Obligation | Device and Log Data, Communication Data, and Transaction Records |

Certain categories of personal information may be classified as Sensitive Personal Information (SPI) under applicable privacy laws. We do not collect SPI unless it is reasonably necessary for our Services and you have provided explicit consent. For our purposes, this may include:

  • Financial information (such as bank account details, credit history, payment records); or
  • Government-issued identifiers (such as Social Security Number, Tax File Number, passport details).

Where SPI is collected, we will process it only as necessary to provide our services, comply with legal obligations, prevent fraud, or with user consent. To understand your rights in relation to SPI, please refer to section 12.

7. Legal Basis for Processing Personal Information

We process your personal information based on the following legal grounds:

  • Consent: where you have explicitly provided your consent or agreed to the integration of third-party software accounts (e.g. Xero, QuickBooks, Microsoft) with the Services;
  • Contractual necessity: where processing is required to fulfill our obligations under the terms of service, including to provide the Services;
  • Legitimate interest: where processing is necessary for our legitimate business interests, including improving Service functionality, detecting fraud, and securing our systems, provided these interests are not overridden by your fundamental rights and freedoms;
  • Legal obligation: where processing is required for us to comply with legal obligations, such as financial record keeping or responding to lawful requests.

In jurisdictions where applicable law distinguishes between primary and ancillary processing purposes:

  • Primary Purposes include essential activities necessary to provide the Services and to fulfill our contractual obligations, including managing debtor communications, analysing Third-Party Integration Data, and all other processing purposes not identified as Ancillary Purposes;
  • Ancillary Purposes are processing activities that support and enhance our Services, including fraud prevention, marketing, analytics, and compliance with legal obligations.

We process personal information for ancillary purposes only where it is:

  • Compatible with the original processing purpose,
  • Reasonably expected by users, or
  • Explicitly consented to.

In accordance with the GDPR's Purpose Limitation Principle (Article 5(1)(b)), we do not process personal information for new purposes that are incompatible with the original purpose without first obtaining a new legal basis.

8. How and When We May Disclose Your Personal Information

We may disclose your personal information in the following circumstances, where necessary and in compliance with applicable privacy laws:

  • Service Providers and Vendors: We share personal data with third-party vendors who assist in delivering our Services, such as cloud hosting providers, payment processors, analytics services, and customer support platforms. These vendors are contractually obligated to handle your data securely and use it only for the specified purposes.
  • Third-Party Software Integrations: If you connect third-party services (e.g., Xero, QuickBooks, or email inbox providers) with the Services, we may share relevant data to enable these integrations. We do not control how these third parties use your data, and their processing is governed by their respective privacy policies.
  • Regulatory and Legal Obligations: We may disclose personal data to law enforcement agencies, regulatory authorities, or government bodies if required by law, legal process, or to protect our legal rights.
  • Business Transfers: In the event of a merger, acquisition, restructuring, sale, or other transfer of assets, personal information may be shared with the acquiring entity, legal advisors, or due diligence teams as necessary for the transaction.
  • Professional Advisors: We may share personal data with legal counsel, accountants, auditors, and other professional advisors for compliance, legal, tax, or risk management purposes.
  • Affiliates and Business Partners: We may share information with affiliated companies or business partners where required for service delivery, internal business operations, or marketing initiatives (where permitted by law).
  • Fraud Prevention and Security Measures: To protect against fraud, security breaches, and illegal activities, we may share relevant data with fraud prevention and security monitoring services.

We may also disclose your information to third parties where you have expressly consented to the disclosure or the consent may be reasonably inferred from the circumstances (such as to your professional advisors).

We do not sell personal information in the traditional sense. However, under certain laws (such as California law (CCPA/CPRA)), certain data-sharing arrangements (e.g., sharing usage data with advertising networks) may be considered a "sale" or "sharing" of personal data. If you are a California resident, you may opt out of such data sharing by submitting a "Do Not Sell or Share My Personal Information" request as outlined in section 12 below.

9. Data Retention and Deletion

We retain personal information for as long as necessary to provide our Services and to fulfill legal, regulatory, or operational requirements. The retention period for personal data is determined based on several factors, including the nature of the data, the purpose for which it was collected, and any legal or regulatory obligations that require its retention.

We assess data retention periodically to ensure that personal information is retained only for as long as necessary. The following examples illustrate how we determine data retention:

  • Account Information: we retain account information for as long as your account remains active. If your account is closed, we may retain relevant data for a limited period as required for operational or legal reasons, such as resolving disputes or enforcing agreements.
  • Marketing and Communication Preferences: If you opt out of marketing communications, we will remove your details from our marketing lists but retain a record of your request to ensure your preferences are respected.
  • Usage Analytics Data: We may retain user analytics data collected via cookies and tracking technologies to improve our Services.

Certain information may be retained for an extended period to comply with regulatory, security, fraud prevention, and financial record-keeping obligations.

Once personal information is no longer required, we will securely delete or deidentify it so that it is no longer identifiable.

10. Data Security

We implement robust security measures, including encryption, multi-factor authentication, and monitoring systems, to protect your personal information from unauthorised access, disclosure, or loss. In the event of a data breach, we will notify affected individuals and relevant authorities in compliance with applicable laws, including the Australian Notifiable Data Breaches scheme, GDPR Article 33, and relevant U.S. state laws.

11. International Data Transfers

Personal information we collect may be stored and processed in your region, in Australia, or in any other country where we or our affiliates or service providers maintain facilities. We may transfer personal information to jurisdictions outside of Australia, the UK, or the EU, including to cloud service providers and other third-party vendors. Before transferring data overseas, we take reasonable steps to ensure that the recipient complies with Australian Privacy Principles (APPs), GDPR, or offers equivalent protections. This may include contractual obligations requiring compliance with privacy standards comparable to those in Australia, the EU or the UK, such as the Privacy Principles, Standard Contractual Clauses, adequacy decisions, Binding Corporate Rules, or additional safeguards where necessary, in compliance with applicable privacy laws. If you require further information about how we protect your data overseas, please contact us at info@solido.ai.

12. Your Rights and Choices

12.1. General Rights

Depending on your jurisdiction, you may be able to exercise the following rights in relation to your personal information:

  • to request access to, or a copy of, the personal information we hold about you and to request any corrections be made to inaccurate or incomplete personal information;
  • to request a structured, commonly used, and machine-readable copy of your personal information (such as your account information, preferences, and transaction history);
  • to request the deletion of your personal information where permitted by law;
  • to object to, or opt out of, certain processing activities where it is based on legitimate interest, including targeted advertising, behavioural profiling, or similar activities;
  • If you are subject to AI-based decisions, you may request a manual review of the decision and present additional information.

In addition, where the basis for us processing your information is based on your consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing carried out before your withdrawal.

To exercise your rights, please contact us at info@solido.ai.

12.2. Rights in Relation to SPI

With respect to any SPI we may hold, you may have the right to:

  • Restrict the use of SPI for non-essential purposes such as targeted advertising;
  • Request that SPI is deleted or anonymised when no longer necessary for legal or service-related purposes;
  • Opt-out of the sale or sharing of SPI for commercial purposes.

To exercise your rights, please contact us at info@solido.ai.

12.3. Opting-Out

Where you have the right to opt out, you may do so:

  • by adjusting your cookie preferences through your browser settings to block tracking;
  • via the Digital Advertising Alliance or the Network Advertising Initiative;
  • you may submit a "Do Not Sell or Share My Personal Information" request to opt out of the sale or sharing of personal data for advertising purposes by contacting us at info@solido.ai with subject line "Do Not Sell My Personal Information" (U.S. Users Only).

13. Automated Decision-Making and Profiling

We may use AI-powered analytics in providing the Services and to analyse debtor payment behaviour and trends. While these insights help improve our services, no fully automated decisions with legal or significant effects are made without human review. If you wish to contest an AI-generated insight or opt out of profiling, you may contact us at info@solido.ai.

14. Children's Privacy

Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete it.

15. Contact Information

If you have any questions or concerns about this Privacy Policy or how we handle your personal information, please contact us at info@solido.ai.

16. Complaints

If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, you should contact us at info@solido.ai.

We will consider your complaint and determine whether it requires further investigation, and will notify you of the outcome of this investigation and any subsequent internal investigation.

If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or, depending on your jurisdiction, contact the following authorities for guidance on alternative courses of action which may be available:

  • Australia: Office of the Australian Information Commissioner (OAIC)
  • EU/UK: National Data Protection Authority
  • U.S.: Relevant state privacy agencies

17. Policy Updates

We reserve the right to make changes to this Privacy Policy from time to time to reflect changes in the laws or regulations, our practices, our Services, or our operational requirements.

If we make any material changes to the terms of this policy, or any other change that may be relevant to you or impact you, we will notify you via email, website banner, or in-app notification ahead of the changes taking effect. Continued use of the Services after any updates constitutes your acceptance of the revised Privacy Policy. Please review this page periodically, and especially before you provide any personal information to us.