Privacy Policy

Humanta Pty Ltd ACN 698 004 009 · ABN 24 698 004 009

Version 1.2 · Effective 24 June 2026 · Last updated 24 June 2026

About this Policy

This Privacy Policy explains how Humanta Pty Ltd ACN 698 004 009 (Humanta, we, us, our) collects, uses, holds, discloses and protects your personal information. It applies to our website at humanta.co, the Humanta web and mobile application (the Platform), and all related services (the Services). We are bound by the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs) set out in Schedule 1 of that Act, as well as the Notifiable Data Breaches scheme set out in Part IIIC of that Act.

Who this Policy is for. This Policy is for individuals whose personal information we collect, including: (a) employees, contractors and other personnel of our business customers (each, a Client) who are nominated to access the Platform (Eligible Employees); (b) guests of Eligible Employees attending a Spark or Teams Event; (c) visitors to humanta.co; and (d) personnel of Venue Providers and other parties who interact with us in connection with the Services.

Snapshot

Who we are. Humanta Pty Ltd ACN 698 004 009, registered in New South Wales, Australia.

What we do. We operate a B2B human-connection platform that helps employers organise (a) curated dining and experience moments for their employees and one guest of the employee's choosing (Sparks), and (b) coordinated group dining, experience and team events (Teams Events). The actual dining or experience is provided by third-party Venue Providers; we act as concierge, matching engine and booking agent.

Personal information we collect. Identity and contact details, employer and role, account and login data, dietary and accessibility requirements (which may be Sensitive Information), preference data, guest details, manager-note content, transactional and feedback data, photographs (if you choose to upload them), and technical and device data.

Why we collect it. To deliver the Services (including making Bookings with Venue Providers), to operate the Platform, to communicate with you, to improve and develop the Platform (including through Anonymised Data), to comply with law, and (in a limited way) for direct marketing where you have consented.

Who we share it with. Venue Providers (for Bookings), your Client (in limited and aggregated form), our sub-processors (cloud hosting, AI/large-language-model providers, communications, payments, analytics) and law-enforcement or regulators where required by law.

Data hosting. As at the effective date of this Policy, our core platform data is stored and processed on cloud infrastructure located outside Australia, primarily in the United States. A number of our sub-processors also process Personal Information overseas, including in the countries identified in the current Sub-Processor List referred to in clause 9.5. We make these cross-border disclosures under Australian Privacy Principle 8, and we take such steps as are reasonable in the circumstances under Australian Privacy Principle 8.1 to ensure that overseas recipients handle your personal information consistently with the APPs (see clause 9).

Your rights. You may request access to, or correction of, the personal information we hold about you, and you may complain about our handling of your personal information (see clauses 13 and 17).

Contact. Privacy Officer, Humanta Pty Ltd – privacy@humanta.co.

1. Application of this Policy

1.1 This Policy applies to all personal information we collect, hold, use and disclose in connection with the Platform, the website at humanta.co, and the Services we provide to our Clients.

1.2 This Policy is a "clearly expressed and up to date" privacy policy for the purposes of Australian Privacy Principle 1.3.

1.3 In this Policy, "personal information" has the meaning given in section 6 of the Privacy Act 1988 (Cth), and "sensitive information" means the categories of information set out in that section, which includes (relevantly) health information.

1.4 If you do not agree to the collection, use or disclosure of your personal information as described in this Policy, please do not use the Platform. If you are an Eligible Employee, please contact your Client to advise that you do not wish to participate. Participation in the Services is voluntary.

2. Personal information we collect

2.1 The categories of personal information we may collect depend on how you interact with us. They include:

(a) Identity and contact details — name, work and (if you choose to provide it) personal email address, work phone number, job title, department and the name of your employer or engaging entity (the Client).

(b) Account and login data — your username and password (which is encrypted and not accessible to us in plain text), preferences you set in the Platform, and records of your activity within the Platform.

(c) Booking and preference data — Sparks selected, Venue Providers chosen, dates, times, dining and experience preferences, occasion type, guest details (where you have invited a guest), and any special requests.

(d) Sensitive Information — dietary requirements, allergens, intolerances, accessibility needs and any other health or medical information you choose to provide to enable us to fulfil your Booking. See clause 3.

(e) Guest details — the name, contact details and (where you provide them) dietary, allergen and accessibility requirements of any guest you invite to a Spark or Teams Event. See clause 2.3.

(f) Manager-note content — text composed by a manager or other nominated person at the Client and intended for delivery to an Eligible Employee in connection with a Spark.

(g) Transactional data — records of Bookings made, Sparks issued and redeemed, payments processed by the Client, refunds and cancellations.

(h) Feedback and ratings — post-experience feedback, ratings, comments and recognition signals you provide through the Platform.

(i) User Content — photographs and other content you choose to upload through the Platform.

(j) Technical and device data — IP address, device identifier, browser type and version, operating system, language preference, time-zone setting, log data, and information about how you access and use the Platform.

(k) Communications — records of your correspondence with us (including by email and through in-Platform messaging) and, where required by law and with appropriate disclosure, recordings or notes of calls.

2.2 We do not collect, and you are not required to provide to us, any government related identifier (for example, a Tax File Number, Medicare number or driver licence number) to use the Platform.

2.3 In respect of any guest you invite to a Spark or Teams Event, we collect only the information you elect to provide. You warrant that you have informed your guest of this Policy and that they have consented to the disclosure of their personal information to us for the purposes of the Booking.

3. Sensitive Information

3.1 Some of the information you may provide to us — including allergen, intolerance, dietary, accessibility and medical information — may constitute "sensitive information" under section 6 of the Privacy Act 1988 (Cth). We collect this information only where you choose to provide it, and only for the purpose of (and to the extent necessary to) fulfil your Booking and the Services more broadly.

3.2 By providing Sensitive Information to us through the Platform (whether at sign-up, in your profile, in a Booking, or by communicating it to our team), you consent (for the purposes of Australian Privacy Principle 3.3) to our collection, use and disclosure of that Sensitive Information for the purposes described in this Policy, including disclosure to the relevant Venue Provider so that they can accommodate your requirements at the relevant Booking.

3.3 You can withdraw your consent to our use of Sensitive Information at any time by contacting us (see clause 21). If you withdraw your consent, we may be unable to provide some or all of the Services to you, and we will discuss the consequences with you before any change takes effect.

4. How we collect personal information

4.1 We collect personal information in a number of ways:

(a) Directly from you — when you create an account on the Platform, when you set preferences or submit information about a Spark or Teams Event, when you provide feedback, when you correspond with us, and when you visit humanta.co.

(b) From the Client (your employer) — when the Client nominates you for the Platform, the Client may share with us your name, work email address, role, department and other limited employment details necessary to provision your access.

(c) From Venue Providers — limited information necessary to confirm a Booking, accommodate a special request, or follow up on the Booking.

(d) Automatically — technical and device data when you visit humanta.co or use the Platform, including via cookies and similar technologies (see clause 16).

(e) From our sub-processors — for example, analytics platforms that report usage patterns to us, or communications providers that send messages on our behalf.

4.2 Wherever it is reasonable and practicable to do so, we collect personal information about you only from you. If we collect personal information about you from someone else, we will take reasonable steps to make you aware of the matters set out in Australian Privacy Principle 5.

5. Purposes for which we collect, hold, use and disclose personal information

5.1 We collect, hold, use and disclose your personal information for the following primary purposes:

(a) to provide the Services, including by AI-assisted matching of you to suitable Venue Providers, generating Spark recommendations, coordinating Bookings with Venue Providers, communicating manager-note content, coordinating Teams Events, and capturing post-experience feedback;

(b) to communicate with you about your account, Bookings, the Services and any issues or service messages;

(c) to verify your eligibility (including the in-Platform age-confirmation step at Venue Providers that serve or permit alcohol);

(d) to facilitate payment for Bookings (through the Client and our payment sub-processors), including by passing through Venue Provider costs to the Client without margin or markup;

(e) to provide reporting to the Client about participation, engagement and aggregate Spark and Teams Event outcomes (we limit and de-identify the information disclosed to the Client to what is necessary for that purpose – see clause 7);

(f) to operate, maintain, secure, support and improve the Platform, including by detecting and preventing fraud, abuse, security incidents and unauthorised use;

(g) to develop new features and improve our Services, including (where appropriate) through training and fine-tuning of AI and machine learning models on Anonymised Data only (see clause 10);

(h) to comply with our legal and regulatory obligations and to enforce our terms of service, including this Policy, the End User Licence Agreement and our agreements with Clients and Venue Providers; and

(i) for direct marketing of related goods or services that you would reasonably expect to receive from us, in accordance with Australian Privacy Principle 7 and clause 15 of this Policy.

5.2 We will not use or disclose your personal information for any purpose other than a purpose set out in this clause 5, except: (a) with your consent; (b) where the use or disclosure is for a related secondary purpose that you would reasonably expect; or (c) where we are required or authorised by or under an Australian law or a court or tribunal order to do so.

6. Disclosure to Venue Providers

6.1 To fulfil a Booking, we are required to share certain of your personal information with the relevant Venue Provider. This typically includes:

(a) your name and contact details (or, for Teams Events, the name and contact details of the Client representative co-ordinating attendance);

(b) the date, time and party size of the Booking;

(c) any dietary, allergen, intolerance, accessibility or special-request information you have provided in connection with the Booking; and

(d) any other information reasonably required by the Venue Provider to accommodate the Booking (such as occasion or theme).

6.2 Once your personal information is shared with a Venue Provider, the Venue Provider becomes responsible for its handling of that personal information in accordance with the Venue Provider's own privacy policy and the applicable law. We are not responsible for the Venue Provider's privacy practices.

7. Disclosure to the Client (your employer)

7.1 In our reports and communications to the Client, we provide limited, role-relevant information. By default this includes:

(a) aggregate metrics — participation rates, manager adoption, experience ratings, recognition signal and word-of-mouth indicators across Eligible Employees as a whole;

(b) identifiable booking confirmations — confirmation that a particular Eligible Employee has accepted, redeemed or declined a Spark (so the Client can manage its rewards and recognition program); and

(c) qualitative feedback in de-identified form, unless you have given consent for your feedback to be attributed to you.

7.2 We will not, without your additional consent, disclose to the Client any Sensitive Information (such as dietary, allergen or accessibility information) that you have provided to us, except to the extent necessary for the Client to manage its arrangements with us (for example, in respect of a particular Teams Event run-sheet that you have asked the Client representative to manage).

7.3 We recognise that the Client is also an APP entity (or its overseas equivalent) in respect of your personal information and is independently responsible for its handling of your personal information.

8. Sub-processors and other recipients

8.1 We engage trusted sub-processors to assist us in providing the Services. By using the Platform you consent to our use of sub-processors. As at the effective date of this Policy, sub-processors include providers of:

(a) cloud hosting and infrastructure;

(b) AI and large-language-model services used to power AI-assisted matching, drafting and other features;

(c) transactional email, SMS and in-Platform messaging;

(d) payment processing (in respect of the Client's payment of Concierge Fees and Pass-Through Costs);

(e) analytics, performance monitoring and error reporting;

(f) identity, fraud-prevention and security tooling; and

(g) professional advisers (legal, accounting and audit).

8.2 We require our sub-processors to keep your personal information confidential and to handle it only for the purposes for which we have engaged them. We remain responsible for the acts and omissions of our sub-processors as if they were our own (as between us and the Client). A current list of our material sub-processors is available on request at privacy@humanta.co.

8.3 We may also disclose your personal information to:

(a) law-enforcement authorities, regulators, courts and other government bodies where required or authorised by law;

(b) a third party in connection with the actual or proposed sale, merger, reorganisation or financing of our business or any part of it (subject to appropriate confidentiality protections); and

(c) any other person to whom you authorise us to disclose your personal information.

9. Cross-border disclosure

9.1 Humanta uses cloud infrastructure and service providers located outside Australia. As at the effective date of this Policy, Client Data and Eligible Employee personal information held within the Platform are stored and processed on cloud infrastructure located outside Australia, primarily in the United States. The specific countries in which our sub-processors are likely to receive, store or process personal information are identified, where practicable to specify, in the current Sub-Processor List maintained under clause 9.5 of this Policy. As at the effective date of this Policy, those countries comprise the United States.

9.2 In addition to our primary data store and hosting, some of our sub-processors (including, in particular, AI and large-language-model providers, communications providers, analytics providers and internal-messaging providers) may receive, store or process personal information outside Australia. Where this occurs: (a) the cross-border disclosure is made in reliance on Australian Privacy Principle 8; (b) we take such steps as are reasonable in the circumstances under Australian Privacy Principle 8.1 to ensure that each overseas recipient does not breach the APPs in relation to your personal information, including by entering into data-processing terms with appropriate privacy and security protections, and we remain accountable under section 16C of the Privacy Act 1988 (Cth) for the acts and practices of those recipients; and (c) the categories of sub-processor we engage and the countries in which they process personal information are described in the current Sub-Processor List referred to in clause 9.5.

9.3 Before disclosing personal information to an overseas recipient, we take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to that personal information, in accordance with Australian Privacy Principle 8.1. Reasonable steps may include the use of standard contractual terms with appropriate privacy and security protections.

9.4 If we change the principal data-hosting location for the Platform, we will update this Policy and notify Clients in accordance with clause 9.5.

9.5 Sub-Processor List and changes. We maintain a current list of our sub-processors that may receive personal information, together with the categories of personal information processed and the countries in which the processing occurs (Sub-Processor List). A copy of the current Sub-Processor List will be provided to a Client on written request to privacy@humanta.co. We will use reasonable endeavours to notify Clients of any material change to the Sub-Processor List (including any change to the principal data-hosting location for the Platform) before that change takes effect. Notification may be given by email to the Client Lead, by in-app notice to the Platform administrator, or by an update to this Policy together with email notice to Clients.

10. Anonymised Data

10.1 We may at any time, and in perpetuity, create, retain, use, disclose and exploit data that has been de-identified in accordance with the Privacy Act 1988 (Cth) such that it is no longer personal information (Anonymised Data). Anonymised Data is not personal information for the purposes of the Privacy Act 1988 (Cth) or this Policy.

10.2 Our use of Anonymised Data may include: (a) generating analytics, benchmarks and aggregated insights; (b) reporting to Clients on participation and engagement; (c) developing, training, fine-tuning and improving the Platform, including our AI and machine learning models; (d) research and the design of new products and features; and (e) marketing and promotion of the Platform.

10.3 We take care to ensure that Anonymised Data does not (alone, or in combination with other information reasonably available to us or our recipients) re-identify you, the Client or any other natural person.

11. Data security

11.1 We take reasonable steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification or disclosure, in accordance with Australian Privacy Principle 11.

11.2 Our technical and organisational measures include, at the date of this Policy: (a) encryption of personal information in transit and at rest; (b) role-based access controls and authentication; (c) logging and monitoring; (d) sub-processor security review and contractual privacy and security obligations; (e) personnel training and confidentiality undertakings; and (f) incident-response and business-continuity processes.

11.3 No system can be guaranteed to be free of error or vulnerability. While we take reasonable steps to protect your personal information, we cannot guarantee its security against all possible threats.

12. Data retention

12.1 We retain personal information for as long as is necessary for the purposes for which it was collected, together with a reasonable archival period to enable us to respond to enquiries, comply with our legal and tax record-keeping obligations, manage disputes, and enforce our agreements.

12.2 When personal information is no longer needed for the purposes for which it was collected, we will take reasonable steps to destroy it or to ensure that it is de-identified in accordance with Australian Privacy Principle 11.2. Anonymised Data created under clause 10 may be retained indefinitely.

12.3 Where the Client has terminated its arrangement with us, we will return or destroy Client Data in accordance with our Master Services Agreement with the Client, subject to any legal retention obligations and our right to retain Anonymised Data.

13. Access and correction

13.1 You may request access to the personal information we hold about you, and you may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant or misleading. Most of your account information can also be accessed and updated directly through the Platform.

13.2 To make an access or correction request, please contact us by email at privacy@humanta.co with sufficient detail to enable us to identify you and the relevant personal information. We may require you to verify your identity before responding.

13.3 We will respond to access requests within a reasonable period (and in any event within thirty (30) days), and will provide access in the manner reasonably requested, unless it is unreasonable or impracticable to do so. There is no charge for making an access or correction request, although we may charge a reasonable cost-recovery fee for providing access where the request is complex or voluminous.

13.4 In some circumstances we may decline an access or correction request as permitted under the Privacy Act 1988 (Cth) — for example, where access would have an unreasonable impact on the privacy of others. If we decline a request, we will explain our reasons in writing and inform you of available complaint mechanisms.

14. Anonymity and pseudonymity

14.1 Australian Privacy Principle 2 provides that, where lawful and practicable, you must have the option of not identifying yourself, or of using a pseudonym, when dealing with us.

14.2 It is not practicable for us to provide the Services to you anonymously or under a pseudonym, because we need to know who you are in order to: (a) confirm with the Client that you are an Eligible Employee; (b) make a Booking in your name with a Venue Provider; and (c) coordinate dietary, allergen and accessibility requirements with the Venue Provider. You can, however, choose not to provide non-essential information.

14.3 You can interact with us anonymously or pseudonymously in respect of general enquiries (for example, when contacting us via humanta.co about how the Platform works).

15. Direct marketing

15.1 From time to time we may use your personal information to send you direct marketing communications about our Services and related products and features, where you would reasonably expect to receive them and in accordance with Australian Privacy Principle 7. We will not use Sensitive Information for direct marketing without your express consent.

15.2 Every direct marketing communication we send will include a simple, easily exercisable opt-out (typically an "unsubscribe" link). You may also opt out of direct marketing at any time by contacting us at privacy@humanta.co.

15.3 Operational and transactional communications (including Booking confirmations, account messages and material updates to this Policy or the End User Licence Agreement) are not direct marketing and will continue regardless of any marketing opt-out.

16. Cookies and analytics

16.1 We use cookies and similar technologies on humanta.co and within the Platform to: (a) enable essential functionality (such as login and session management); (b) remember your preferences; (c) measure and analyse use of humanta.co and the Platform; and (d) help us detect, prevent and respond to fraud and security threats.

16.2 Most browsers allow you to refuse or delete cookies. Disabling cookies may, however, affect the functionality of humanta.co and the Platform.

16.3 We may use analytics tools (such as third-party page-analytics and product-analytics providers) to understand how humanta.co and the Platform are used. These tools may collect technical data automatically as described in clause 2.1(j).

17. Complaints

17.1 If you believe we have breached the APPs or any other applicable privacy law, or you are dissatisfied with how we have handled your personal information, please contact us in the first instance at privacy@humanta.co. Please provide sufficient detail about the basis of the complaint to enable us to investigate.

17.2 We will acknowledge your complaint within seven (7) days and aim to respond substantively within thirty (30) days. We will treat all complaints seriously and confidentially.

17.3 If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

18. Notifiable Data Breaches

18.1 If we become aware that there are reasonable grounds to believe that an "eligible data breach" within the meaning of Part IIIC of the Privacy Act 1988 (Cth) has occurred in respect of personal information we hold, we will: (a) carry out an assessment within thirty (30) days as required by section 26WH of the Privacy Act 1988 (Cth); (b) where notification is required, notify the Office of the Australian Information Commissioner as soon as practicable; and (c) notify affected individuals (or, where direct notification is not practicable, publish a statement on humanta.co and take reasonable steps to publicise it).

18.2 Where we hold personal information on behalf of a Client, we will also notify the Client without undue delay (and in any event within 72 hours of becoming aware of the breach) and cooperate with the Client in respect of any notifications required under the Notifiable Data Breaches scheme.

19. Children

19.1 The Platform is intended for use by individuals aged 18 and over. We do not knowingly collect personal information from any individual under the age of 18. If you become aware that a person under 18 has provided personal information to us, please contact us at privacy@humanta.co and we will take steps to delete that information.

20. Changes to this Policy

20.1 We may update this Policy from time to time to reflect changes in our practices or in applicable law. The current version is available at humanta.co/privacy, and the version number and last-updated date are stated at the top of this Policy.

20.2 Where we make a material change to this Policy, we will notify Eligible Employees who use the Platform by in-Platform notice or by email (to the email address most recently provided through the Platform) at least fourteen (14) days before the change takes effect, and will require re-confirmation of consent through an updated consent gate where appropriate. Non-material updates (including for typographical, clarifying or administrative reasons) take effect on posting.

21. Contact us

21.1 If you have any question about this Policy, want to exercise a right under it, or wish to make a privacy complaint, please contact: Privacy Officer, Humanta Pty Ltd ACN 698 004 009, Email: privacy@humanta.co, Postal: 1/457-459 Elizabeth Street, Surry Hills, NSW 2010.

21.2 If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner: Website: www.oaic.gov.au, Phone: 1300 363 992.