PRIVACY POLICY

1.  Introduction

GS-APAC Pty Ltd (ACN 606 128 741 / ABN 68 606 128 741), trading as Small Business Reboot (we, us, our or the firm), is committed to protecting your privacy and to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We provide commercial debt management, pre-insolvency strategy, Small Business Restructuring (SBR) advisory, asset protection advisory, refinance facilitation, and external dispute resolution support services to Australian small and medium businesses, their directors and related parties.

This Privacy Policy explains the kinds of personal information we collect, how we collect, hold, use and disclose that information, how you may access and seek correction of it, how to make a complaint, and how we handle overseas disclosures. It applies to all dealings with the firm, including engagements with our staff, contractors, authorised representatives and service providers.

2.  Key terms

2.1  Personal information

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.

2.2  Sensitive information

Sensitive information is a subset of personal information and includes information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or practices, criminal record, health information, genetic information and biometric information.

2.3  Business information

Information about a business (including company names, ABN/ACN, financial performance and trading details) is not personal information for the purposes of the Privacy Act unless it identifies, or is capable of identifying, a particular individual — for example, a sole trader, a director, a guarantor or another natural person.

3.  Information we collect

The personal information we collect depends on the nature of your dealings with us. We generally collect the following categories of information.

3.1  Identity and contact information

Full name, date of birth (where required for identification), residential and postal addresses, email address, telephone numbers, occupation, and identification documents (including driver licence, passport or other government-issued identification) where reasonably required for verification, anti-money laundering, or fraud prevention purposes.

3.2  Business and commercial information

Business name, trading name, ABN/ACN, business address, ownership and director details, shareholding and trust structures, related entities, beneficial ownership information, and information about your business activities, structure and operations where relevant to your matter.

3.3  Financial information

Information relevant to debt management, restructuring, refinance and dispute resolution work, including:

• creditor names, account references and statements of debt;
• debt balances, repayment history and arrears information;
• invoices, contracts, loan documents, security documents and correspondence with creditors and their agents;
• business income and expenses, cashflow information, management accounts, profit and loss statements, balance sheets and tax records;
• personal asset and liability details (including property, vehicles, superannuation and equity interests);
• bank account, BSB, account number and payment processing details (only where required for payment, refund, trust account or agreed financial arrangements); and
• credit reporting information about you, where lawfully obtained from a credit reporting body or from you directly.

3.4  Hardship, vulnerability and health information

Where relevant to your engagement or to a creditor negotiation, we may collect information about circumstances affecting your or a related party's capacity to meet financial obligations (for example, serious illness, mental health, bereavement, family violence, separation, natural disaster, or business disruption). Where this information is sensitive information (including health information), we will only collect it with your consent or where the collection is required or authorised by or under an Australian law or court or tribunal order.

3.5  Information about other individuals

In the course of your matter, you may provide us with personal information about other individuals (for example, business partners, co-directors, employees, guarantors, family members, or persons against whom we may take action on your behalf). See Section 17 for the warranties and indemnities you give us in respect of that information.

3.6  Technical and website information

When you visit our website, complete an online form, or interact with our digital channels, we may collect technical information including IP address, browser type and version, operating system, device identifiers, referring URL, pages visited, click activity, session duration, and information collected through cookies, web beacons and similar technologies. See Section 18.

4.  How we collect information

Wherever reasonable and practicable, we collect personal information directly from you. We may also collect it from third parties where the collection is necessary, lawful, or otherwise authorised.

4.1  Direct collection

We collect personal information directly from you when you enquire about or use our services, complete forms or questionnaires (paper or electronic), participate in client onboarding, communicate with us by telephone, video conference, email, messaging platform or in writing, use any client portal or platform we provide, or visit our website.

4.2  Indirect collection

We may collect personal information from third parties where it is unreasonable or impracticable to collect directly from you, where you have authorised the collection, or where the collection is required or authorised by or under an Australian law or court or tribunal order. Sources may include:

• creditors, lenders, debt purchasers, debt collectors and their agents;
• your accountant, bookkeeper, solicitor, financial adviser, mortgage broker or other authorised representative;
• registered liquidators, voluntary administrators, Small Business Restructuring practitioners, trustees and other insolvency professionals;
• financial institutions involved in payments, refinance or transactions relevant to your matter;
• credit reporting bodies (where you have authorised access, or where access is otherwise lawful);
• the Australian Securities and Investments Commission (ASIC), the Australian Business Register, the Personal Property Securities Register, land titles offices and other public registers;
• the Australian Taxation Office (ATO) and other government agencies, where you have authorised disclosure to us;
• the Australian Financial Complaints Authority (AFCA), courts, tribunals and other dispute resolution bodies; and
• publicly available sources, including media, professional networking platforms and court records.

5.  Why we collect, hold, use and disclose information

We collect, hold, use and disclose personal information for purposes connected with the provision of our services and the operation of our business. These purposes include:

• assessing whether our services are suitable for your circumstances and providing scoping, fee proposals and engagement documents;
• delivering commercial debt management, restructuring, asset protection, refinance facilitation, AFCA and external dispute resolution support, and related advisory services;
• communicating and negotiating with creditors, lenders, debt collectors, debt purchasers, solicitors, insolvency practitioners and other relevant parties on your behalf;
• preparing proposals, submissions, statements of position, dispute documents, settlement deeds and supporting documentation;
• verifying identity, conducting conflict checks, and meeting anti-money laundering, counter-terrorism financing and sanctions screening obligations;
• administering our client relationship, including invoicing, payment processing, trust accounting (where applicable) and record keeping;
• responding to enquiries, complaints and requests for information;
• complying with our legal, regulatory, professional and contractual obligations, including obligations to ASIC, the ATO, AFCA, courts, tribunals and other regulators;
• managing legal claims, exercising legal rights, and protecting our interests, the interests of our clients and the interests of third parties;
• training staff, contractors and authorised representatives, quality assurance and improving our services and processes; and
• direct marketing of our services and those of our affiliated businesses, subject to your right to opt out (see Section 11).

6.  Who we disclose information to

We may disclose personal information to the following categories of recipient for the purposes described in Section 5:

• creditors, lenders, debt purchasers, debt collectors and their agents;
• solicitors, barristers, counsel and other legal advisers (whether engaged by you or by us);
• registered liquidators, voluntary administrators, Small Business Restructuring practitioners, trustees and other insolvency professionals;
• accountants, bookkeepers, financial advisers, mortgage brokers and other professional advisers;
• refinance lenders, valuers, settlement agents and PEXA participants;
• payment processors, banks and financial institutions for authorised payments;
• information technology, customer relationship management, document management, communications, telephony, email, file storage, transcription, electronic signature and cybersecurity service providers;
• contractors, consultants and authorised representatives engaged by us to assist in service delivery;
• AFCA, ASIC, the ATO, courts, tribunals, regulators, law enforcement agencies and government departments, where required or authorised by law or where reasonably necessary to protect our interests or those of our clients;
• our professional indemnity insurers, auditors, accountants, lawyers and other advisers;
• any successor in title or purchaser of all or part of our business, and prospective purchasers and their advisers (subject to appropriate confidentiality undertakings); and
• any other party you have authorised us to deal with on your behalf, including parties identified in your engagement documents or authorities to act.

7.  Notifiable Data Breaches

We have processes in place to identify, contain, assess and respond to suspected data breaches in accordance with our obligations under Part IIIC of the Privacy Act. Where we form the view that an eligible data breach has occurred, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches scheme.

8.  Overseas disclosure

Some of our staff, contractors and service providers are located outside Australia. The countries in which overseas recipients are likely to be located include the Philippines (client communications, marketing and administrative support), India (document preparation, review and case administration), and the United States and European Union (cloud-based software, file storage, communications and infrastructure services).

We may also disclose personal information to other jurisdictions where this is required to give effect to an engagement (for example, to overseas creditors, lenders or service providers nominated by you).

9.  Use of technology and artificial intelligence

We use a range of secure technology platforms in the delivery of our services, including cloud-based document management, customer relationship management, communications, transcription and artificial intelligence (AI) tools. Where AI tools are used to draft, summarise or analyse documents, we apply appropriate confidentiality, vendor and de-identification controls, and we retain professional oversight of all advice and work product provided to you. We do not authorise vendors to train public or third party AI models on identifiable client information.

10.  Government identifiers

We do not adopt government-related identifiers (such as your tax file number, Medicare number or driver licence number) as our own identifier of you. We will only use or disclose such identifiers where the use or disclosure is reasonably necessary to verify your identity, to fulfil our obligations to a government agency, or where otherwise required or authorised by or under an Australian law or court or tribunal order.

11.  Direct marketing

We may use your contact details to send you information about our services, news, regulatory updates, articles and events that we consider may be of interest to you. You may opt out of direct marketing at any time by using the unsubscribe link in our communications, or by contacting our Privacy Officer using the details in Section 20. Opting out of direct marketing does not affect communications relating to your active matter or our administration of your engagement.

12.  Data quality and security

We take reasonable steps to ensure the personal information we collect, use and disclose is accurate, up to date, complete and relevant. We rely on you to provide accurate information and to inform us promptly of any change to your details.

We protect personal information using a combination of physical, electronic and procedural safeguards, including access controls, multi-factor authentication, password management, encryption in transit, secure cloud storage, staff confidentiality undertakings, training and policies, and secure destruction or de-identification of information no longer required.

13.  Retention of information

We retain personal information for as long as is reasonably necessary for the purposes for which it was collected, to comply with our legal, regulatory, professional, tax and insurance obligations, to manage actual or anticipated legal claims, and to maintain a complete file record. For most engagements this means we retain client records for at least seven (7) years after the conclusion of the engagement. Longer retention periods may apply where required by law or where the file relates to ongoing or potential legal proceedings. When personal information is no longer required, we take reasonable steps to destroy it or to permanently de-identify it.

14.  Accessing your information

You may request access to the personal information we hold about you by contacting our Privacy Officer using the details in Section 20. We will respond to your request within a reasonable period and ordinarily within thirty (30) days of receipt.

We do not charge a fee for making a request for access. We may, however, charge a reasonable fee to recover the cost of locating, collating, retrieving, reviewing and providing access to the information requested. We will give you an estimate of any such fee before incurring it, and you may modify or withdraw your request.

We may refuse access in the circumstances permitted by APP 12 and other applicable law, including (without limitation) where access would be unlawful, would unreasonably impact the privacy of another individual, relates to existing or anticipated legal proceedings, would reveal evaluative information generated in connection with a commercially sensitive decision making process, or where the request is frivolous or vexatious. If we refuse access, we will provide written reasons (to the extent reasonable in the circumstances) and information about how to complain.

15.  Correcting your information

If you believe the personal information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you may request that we correct it. We will respond to your request within a reasonable period and ordinarily within thirty (30) days. We do not charge a fee for making or processing a correction request.

Where we agree the information should be corrected, we will take reasonable steps to correct it. If we are unable to agree that correction is appropriate, you may request that we associate a statement with the information noting that you consider it to be inaccurate, out of date, incomplete, irrelevant or misleading, and we will take reasonable steps to do so.

16.  Complaints

16.1  How to lodge a complaint

If you believe we have breached the APPs, the Privacy Act or this Privacy Policy, please lodge your complaint in writing with our Privacy Officer using the contact details in Section 20. To help us respond, please include your name and contact details, a description of the conduct you are concerned about, and the outcome you are seeking.

16.2  How we will respond

We will acknowledge your complaint within seven (7) business days of receipt and will use reasonable endeavours to investigate and respond substantively within thirty (30) days. If we require additional time, we will tell you the reason and provide an expected timeframe for a substantive response.

16.3  External avenues

If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC), which is the privacy regulator under the Privacy Act.

Where your complaint relates to financial services or credit activities and falls within AFCA's jurisdiction, you may also be able to lodge a complaint with the Australian Financial Complaints Authority.

17.  Information about other individuals

Where you provide us with personal information about another individual (including a business partner, co-director, employee, guarantor, family member, debtor or other third party), you warrant to us that:

• you are authorised to provide that information to us for the purposes described in this Privacy Policy;
• the information is accurate, up to date and complete to the best of your knowledge;
• you have made the individual aware of the matters set out in this Privacy Policy, including how we collect, hold, use and disclose their personal information, and have obtained any consents required; and
• you indemnify us against any loss, cost, expense, claim or liability we suffer or incur arising from a breach of these warranties or from the disclosure or use of that information in accordance with this Privacy Policy.

18.  Cookies and website analytics

Our website uses cookies and similar technologies to operate the site, remember your preferences, measure traffic and improve user experience. We may use third party analytics services (such as Google Analytics) and marketing platforms which place cookies and collect technical information about your interaction with our website. You can usually disable cookies through your browser settings; however, some features of our website may not function properly without them.

19.  Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version is available on our website at www.smallbusinessreboot.com.au. Where the changes are material, we will take reasonable steps to bring the updated Privacy Policy to your attention (for example, by email or a prominent notice on our website). Your continued engagement with us, or use of our services or website, after a change takes effect constitutes your acceptance of the updated Privacy Policy.

20.  Contact us

If you have any questions about this Privacy Policy, wish to access or correct your information, opt out of direct marketing, or lodge a privacy complaint, please contact our Privacy Officer:

21.  Governing law

This Privacy Policy is governed by the laws in force in Victoria, Australia. The Privacy Act 1988 (Cth) and the Australian Privacy Principles take precedence to the extent of any inconsistency.