Privacy Policy

1.1 Fata Projects Pty Ltd (ACN 675 950 740), trading as Tracta (Company, we, us, our), is committed to protecting the privacy of individuals who visit our marketing website located at tracta.com.au (Marketing Website) and who interact with us in connection with inquiries, demonstrations, and pre-sale communications.

1.2 This Privacy Policy (Policy) governs the collection, use, storage, disclosure, and management of personal information obtained through the Marketing Website. It does not govern personal information processed within the Tracta platform environment on behalf of paying customers; such processing is governed by the applicable SaaS Services Agreement and associated data processing terms.

1.3 This Policy is made in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) contained in Schedule 1 to the Privacy Act. To the extent any user accesses the Marketing Website from a jurisdiction imposing additional privacy obligations (including the General Data Protection Regulation (EU) 2016/679 (GDPR)), the applicable supplementary provisions set out in clause 14 of this Policy apply.

1.4 By accessing or using the Marketing Website, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must immediately cease use of the Marketing Website.

1.5 This Policy is incorporated into and forms part of our Website Terms of Use. In the event of inconsistency between this Policy and any other communication or representation, this Policy prevails to the extent of the inconsistency.

In this Policy:

Australian Privacy Principles or APPs means the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth).

Cookies means small data files placed on a user's device that enable the collection of usage and preference data as further described in clause 7.

De-identified Data means data that has been processed so that it can no longer be used to identify an individual, whether directly or indirectly.

Marketing Website means the publicly accessible website located at tracta.com.au, including all pages, subdomains, and associated landing pages operated by the Company.

Personal Information has the meaning given in the Privacy Act 1988 (Cth), being information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in material form or not.

Platform means the Tracta cloud-based engineering document and record management software-as-a-service product, access to which is governed by a separate SaaS Services Agreement.

Privacy Act means the Privacy Act 1988 (Cth), as amended from time to time.

Sensitive Information has the meaning given in the Privacy Act 1988 (Cth), including health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, and genetic or biometric information.

Third Party Service Providers means technology, analytics, marketing, and operational vendors engaged by the Company in connection with the operation of the Marketing Website, as described in clause 9.

you or your means any individual who accesses or uses the Marketing Website.

3.1 Information You Provide Directly

3.1.1 We collect Personal Information that you voluntarily provide to us through the Marketing Website, which may include: (a) full name and position or title; (b) company or organisation name and industry; (c) email address, telephone number, and postal address; (d) information submitted via contact forms, demo request forms, or waitlist registrations; (e) the content of any communications, inquiries, or correspondence you send to us; and (f) any other information you choose to include in a free-text field on the Marketing Website.

3.2 Information Collected Automatically

3.2.1 When you access the Marketing Website, our systems and Third Party Service Providers may automatically collect technical and usage information, including: (a) Internet Protocol (IP) address and approximate geographic location derived therefrom; (b) browser type, version, and configuration; (c) operating system and device type; (d) referring URL and exit pages; (e) pages visited, links clicked, and duration of visit; (f) date and time of access; (g) Cookie identifiers and session tokens; and (h) anonymised engagement metrics including scroll depth, click maps, and form interaction.

3.2.2 To the extent that automatically collected information constitutes or can be linked to Personal Information, it is handled in accordance with this Policy.

3.3 Sensitive Information

3.3.1 We do not intentionally collect Sensitive Information through the Marketing Website. You must not submit Sensitive Information through any contact form or free-text field on the Marketing Website. In the event that Sensitive Information is submitted inadvertently, we will take reasonable steps to securely delete it and will not use it for any purpose other than notifying you of its deletion.

3.4 Information About Third Parties

3.4.1 If you provide Personal Information about another individual (for example, by referring a colleague), you represent and warrant that: (a) you have that individual's consent to provide their Personal Information to us; (b) you have informed them of this Policy; and (c) the information is accurate and current.

4.1 We collect Personal Information: (a) directly from you when you submit forms, request demonstrations, contact us by email or telephone, or otherwise communicate with us through the Marketing Website; (b) automatically through the operation of the Marketing Website via Cookies, server logs, and analytics technologies (see clause 7); and (c) from third parties, including analytics providers, advertising platforms, CRM integrations, and referral sources, to the extent permitted by law.

4.2 Where we collect Personal Information from a third party, we will, to the extent practicable, notify you of the collection and the source as soon as reasonably practicable after collection, or at the time of first contact with you.

4.3 We will not collect Personal Information by unlawful means, by unreasonable intrusion into your privacy, or in a manner that would not be reasonably expected by you given the nature of our business and the context of collection.

5.1 We collect, hold, and use Personal Information for the following primary purposes: (a) to respond to inquiries, requests for demonstrations, and general correspondence submitted through the Marketing Website; (b) to manage waitlist registrations and notify you when the Platform or relevant features become available; (c) to communicate with you about our products, services, updates, case studies, and industry developments, subject to your right to opt out; (d) to analyse Marketing Website usage, improve the performance and content of the Marketing Website, and understand visitor behaviour; (e) to measure the effectiveness of our marketing and advertising campaigns; (f) to maintain records of correspondence and manage our customer relationship activities; (g) to verify your identity and prevent fraudulent, abusive, or unauthorised use of the Marketing Website; (h) to comply with our legal and regulatory obligations; and (i) any other purpose disclosed to you at the time of collection.

5.2 We will not use your Personal Information for a secondary purpose unless: (a) the secondary purpose is directly related to the primary purpose of collection and you would reasonably expect the use; (b) you have expressly consented to the secondary use; or (c) we are required or authorised by law to do so.

5.3 We will not use Sensitive Information for any purpose other than the purpose for which it was collected, a directly related secondary purpose, or as required or authorised by law.

6.1 We may use your name and contact details to send you direct marketing communications relating to the Platform, product updates, industry news, and related services. We will only send such communications where: (a) we collected your Personal Information directly from you; (b) you would reasonably expect to receive direct marketing from us; and (c) we have provided you with a simple, free-of-charge mechanism to opt out.

6.2 We will not use Sensitive Information for direct marketing under any circumstances.

6.3 Every direct marketing communication we send will contain a prominent, functional opt-out mechanism (including an unsubscribe link in electronic communications). If you opt out, we will process your request within a reasonable period, which shall not exceed five (5) business days, and we will not send you further direct marketing communications after that period has elapsed.

6.4 If you do not wish to receive direct marketing communications, or if you wish to withdraw consent previously given, you may contact us at any time using the contact details in clause 17.

6.5 Opting out of direct marketing does not constitute a request to delete your Personal Information generally. If you wish to request deletion of Personal Information, please see clause 13.

7.1 The Marketing Website uses Cookies and similar tracking technologies (including pixel tags, web beacons, and JavaScript tags) to operate and improve the Marketing Website, analyse traffic, and support marketing activity.

7.2 Cookies deployed on the Marketing Website may include: (a) Strictly necessary cookies — required for the operation of the Marketing Website, including session management and security. These cannot be disabled without materially impairing Website functionality; (b) Performance and analytics cookies — used to collect anonymised information about how visitors interact with the Marketing Website, including pages visited, session duration, and error events. We use tools including but not limited to Google Analytics; (c) Functional cookies — used to remember your preferences and settings to enhance your experience; and (d) Targeting and advertising cookies — used to deliver relevant advertisements and measure campaign effectiveness through third-party platforms including but not limited to Google Ads and LinkedIn Insight Tag.

7.3 Most web browsers accept Cookies by default. You may configure your browser to decline Cookies or to notify you when Cookies are set. Please note that disabling certain categories of Cookies may impair the functionality of the Marketing Website or prevent some features from operating correctly.

7.4 Where required by applicable law (including the GDPR), we will obtain your consent prior to placing non-essential Cookies on your device via a Cookie consent banner. You may withdraw Cookie consent at any time through your browser settings or by contacting us.

7.5 Third-party services that set Cookies on the Marketing Website (including analytics and advertising platforms) are governed by their own privacy policies. We encourage you to review those policies, which are accessible on the respective third-party websites.

8.1 We may disclose your Personal Information to the following categories of recipients, to the extent necessary and proportionate to the purposes set out in clause 5: (a) our employees, officers, and contractors who require access to perform their roles, each of whom is bound by confidentiality obligations no less protective than those in this Policy; (b) Third Party Service Providers engaged to provide hosting, cloud infrastructure, email delivery, CRM, analytics, advertising, payment processing, legal, accounting, and other business services; (c) regulatory authorities, law enforcement agencies, courts, and government bodies where required by law, court order, or enforceable governmental request; (d) a purchaser, successor entity, or investor in the event of a merger, acquisition, asset sale, or corporate restructure, subject to appropriate confidentiality protections and to the extent permitted by law; and (e) any other party where you have given express prior consent to such disclosure.

8.2 We do not sell, rent, or trade your Personal Information to third parties for their independent commercial purposes.

8.3 Where we disclose Personal Information to a Third Party Service Provider, we take reasonable contractual and technical steps to ensure that the provider handles the information in a manner consistent with this Policy and applicable privacy law.

9.1 The Marketing Website relies on third-party technology providers for analytics, infrastructure, and marketing functions. These currently include, without limitation: (a) Google LLC — website analytics (Google Analytics), advertising (Google Ads), and cloud infrastructure (Google Cloud Platform / Google Workspace); (b) LinkedIn Corporation — professional audience advertising (LinkedIn Insight Tag); and (c) other providers engaged from time to time for email marketing, CRM, and operational support.

9.2 We reserve the right to change our Third Party Service Providers at any time. We will update this Policy to reflect material changes to the categories of providers we engage.

9.3 Each Third Party Service Provider is required, as a condition of engagement, to handle Personal Information in accordance with applicable privacy law and, where applicable, to execute a Data Processing Agreement with us.

10.1 We are based in New South Wales, Australia. However, some of our Third Party Service Providers operate systems and infrastructure outside Australia, including in the United States, the European Union, and the United Kingdom.

10.2 Where Personal Information is transferred to a recipient in a foreign country, we take reasonable steps to ensure that the overseas recipient handles the Personal Information in a manner consistent with the APPs, including by: (a) assessing whether the foreign jurisdiction has privacy protections substantially similar to the APPs; (b) entering into contractual arrangements with the overseas recipient that require them to handle Personal Information in accordance with the APPs or equivalent standards; or (c) obtaining your consent to the disclosure, after informing you that APP 8.1 (accountability for overseas disclosures) will not apply.

10.3 You acknowledge that, despite the foregoing measures, the protection of Personal Information transmitted internationally may be subject to the laws of the destination country, which may differ from Australian privacy law.

11.1 We implement and maintain technical, physical, and organisational security measures designed to protect Personal Information from unauthorised access, loss, misuse, modification, disclosure, or destruction. These measures include, without limitation: (a) encryption of data in transit using industry-standard TLS protocols; (b) access controls limiting Personal Information to personnel with a legitimate need to access it; (c) regular review of our information security practices; and (d) contractual obligations requiring Third Party Service Providers to maintain appropriate security standards.

11.2 Notwithstanding the foregoing, the transmission of information over the internet is inherently insecure. You acknowledge that we cannot guarantee the absolute security of information transmitted to or from the Marketing Website and that any such transmission is at your own risk.

11.3 We will notify you and the Office of the Australian Information Commissioner (OAIC) of any eligible data breach involving your Personal Information in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, within the timeframes prescribed by law.

12.1 We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by law, including to satisfy our legal, tax, regulatory, and record-keeping obligations.

12.2 The specific retention period applicable to each category of Personal Information depends on the nature of the information and the purpose of collection. As a general guide: (a) inquiry and contact form submissions — retained for a period of up to three (3) years from the date of last interaction, or until deletion is requested; (b) marketing preference records — retained for a period consistent with applicable marketing and consent obligations; and (c) analytics and log data — retained in accordance with the default retention settings of the relevant analytics platform, subject to our configuration.

12.3 When Personal Information is no longer required, we will take reasonable steps to destroy, de-identify, or anonymise it securely and in a manner that prevents recovery.

13.1 Access

13.1.1 You have the right, under APP 12, to request access to the Personal Information we hold about you. We will respond to access requests within a reasonable period, ordinarily within thirty (30) days of receipt of a written request. We may charge a reasonable fee for providing access in certain circumstances, provided we notify you of any applicable fee before fulfilling the request.

13.1.2 We may refuse an access request in the circumstances specified in APP 12.3 (including where access would unreasonably impact the privacy of another individual, where the request is frivolous, or where a law enforcement exemption applies). Where we refuse access, we will provide written reasons and information about available complaint mechanisms.

13.2 Correction

13.2.1 You have the right, under APP 13, to request correction of Personal Information that is inaccurate, incomplete, out of date, irrelevant, or misleading. We will act on a correction request within a reasonable period. Where we decline to make a requested correction, we will notify you of our reasons and you may request that we associate a statement of your view with the information.

13.3 Deletion

13.3.1 You may request deletion of your Personal Information where it is no longer required for the purpose for which it was collected and we are not required by law to retain it. We will consider all deletion requests on their merits. Where we decline a deletion request, we will provide written reasons.

13.4 Complaint

13.4.1 If you believe we have interfered with your privacy, you are entitled to make a complaint. Our complaint handling procedure is set out in clause 16.

13.5 How to Exercise Your Rights

13.5.1 To exercise any of the above rights, please contact our Privacy Officer using the contact details set out in clause 17. We will require you to verify your identity before acting on any request.

14.1 This clause 14 applies additionally to individuals who access the Marketing Website from within the European Union or the European Economic Area (EU/EEA Residents). In the event of any inconsistency between this clause 14 and the remainder of this Policy, this clause 14 prevails for EU/EEA Residents.

14.2 Legal Bases for Processing

14.2.1 We process Personal Information about EU/EEA Residents on the following legal bases under the GDPR: (a) Consent (Article 6(1)(a)) — where you have provided freely given, specific, informed, and unambiguous consent, including consent to receive direct marketing and to the placement of non-essential Cookies; (b) Contract (Article 6(1)(b)) — where processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering a contract; (c) Legal obligation (Article 6(1)(c)) — where processing is necessary to comply with a legal obligation to which we are subject; and (d) Legitimate interests (Article 6(1)(f)) — where processing is necessary for the purposes of our legitimate interests, including the security and improvement of the Marketing Website, fraud prevention, and business development, except where those interests are overridden by your interests or fundamental rights.

14.3 Your GDPR Rights

14.3.1 In addition to the rights described in clause 13, EU/EEA Residents have the following rights under the GDPR: (a) the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal; (b) the right to data portability under Article 20, including the right to receive Personal Information in a structured, commonly used, and machine-readable format; (c) the right to object to processing based on legitimate interests under Article 21; (d) the right to restriction of processing under Article 18; and (e) the right not to be subject to solely automated decision-making, including profiling, which produces legal or similarly significant effects.

14.3.2 To exercise any GDPR right, please contact our Privacy Officer using the contact details in clause 17. EU/EEA Residents may also lodge a complaint with the relevant supervisory authority in their country of residence.

14.4 International Transfers under GDPR

14.4.1 Where Personal Information is transferred to a third country outside the EU/EEA, such transfers are made in accordance with Chapter V of the GDPR, including through Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other appropriate safeguards as applicable.

15.1 The Marketing Website is not directed at, and is not intended for use by, individuals under the age of 18 years. We do not knowingly collect Personal Information from individuals under the age of 18. If you believe we have inadvertently collected Personal Information from a minor, please contact us immediately using the contact details in clause 17 and we will take prompt steps to delete that information.

15.2 Parents and guardians who become aware that a minor has provided Personal Information to us without their consent should contact us immediately.

16.1 If you have a complaint about the manner in which we collect, use, disclose, or otherwise handle your Personal Information, you must submit your complaint in writing to our Privacy Officer using the contact details set out in clause 17.

16.2 Upon receipt of a written complaint, we will: (a) acknowledge receipt of your complaint within five (5) business days; (b) investigate the complaint thoroughly and in good faith; (c) seek any clarifying information from you reasonably required to investigate the complaint; and (d) provide you with a written response setting out our findings and any remedial action taken, within thirty (30) days of receipt of your complaint (or such extended period as is reasonably necessary given the complexity of the matter, of which we will notify you).

16.3 If you are not satisfied with our response, or if we do not respond within thirty (30) days, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. EU/EEA Residents may additionally lodge a complaint with the relevant supervisory authority in their member state.

17.1 For all privacy-related inquiries, access requests, correction requests, deletion requests, complaints, or other matters under this Policy, please contact our Privacy Officer:

Privacy Officer — Fata Projects Pty Ltd (trading as Tracta)

Email: privacy@tracta.com.au

Website: tracta.com.au/privacy

17.2 We will use your contact details solely for the purpose of responding to your inquiry or resolving your complaint.

18.1 We reserve the right to amend, update, or replace this Policy at any time in our sole discretion. All amendments will take effect immediately upon posting of the updated Policy on the Marketing Website, unless a different effective date is specified.

18.2 We will take reasonable steps to notify you of material changes to this Policy, which may include a notice on the Marketing Website homepage or a direct communication to the email address you have provided to us.

18.3 Your continued use of the Marketing Website after the effective date of any amendment constitutes your acceptance of the amended Policy. If you do not agree to an amended Policy, you must cease using the Marketing Website and, where applicable, request deletion of your Personal Information in accordance with clause 13.

18.4 We recommend that you review this Policy periodically. The version number and last-updated date at the top of this Policy will assist you in identifying whether a change has been made since your last review.

19.1 This Policy is governed by the laws of New South Wales, Australia. You irrevocably submit to the exclusive jurisdiction of the courts of New South Wales, and any courts of appeal therefrom, in respect of any dispute arising out of or in connection with this Policy.

19.2 Nothing in this clause limits your rights to make a complaint to the OAIC or any other applicable regulatory authority.