Privacy Policy

This Privacy Policy explains how GNLC Consulting Pty Ltd (ABN pending), trading as Buy Collective ("we", "us", "our"), collects, holds, uses, and discloses personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using the Buy Collective platform, website, or services (collectively, the "Platform"), you consent to the practices described in this Policy.

We may collect the following categories of personal information:

• Account information — name, email address, phone number, practice name, and ABN when you register or enquire. • Professional information — practice type, state, specialty, and role (e.g. practice manager, principal). • Transactional data — orders placed, products purchased, payment confirmations, and invoice history. • Invoice data — supplier invoices you upload for our AI savings analysis, including product names, quantities, and prices. • Device and usage data — IP address, browser type, pages visited, and session duration collected automatically via cookies and analytics tools. • Communications — messages you send via our contact form or email.

We do not collect sensitive information (e.g. health records, tax file numbers) unless you voluntarily provide it and it is strictly necessary for the service.

We collect personal information:

• Directly from you when you register an account, place an order, upload an invoice, or contact us. • Automatically when you browse the Platform (cookies, analytics). • From industry groups that operate under a licence agreement with us (where you are a member of that industry group). • From third-party payment processors when you complete a transaction.

We collect and use personal information to:

• Create and manage your account and membership. • Process orders, payments, and refunds. • Provide the AI invoice savings analysis and generate personalised savings reports. • Communicate transactional updates (order confirmations, shipping notices). • Send marketing communications you have opted into. • Comply with legal obligations, including tax and GST record-keeping under Australian law. • Improve the Platform through aggregated, de-identified analytics. • Investigate disputes or suspected fraud.

We do not use your personal information for any purpose that is unrelated to providing and improving the Platform.

We may share your personal information with:

• Industry groups — the industry group under which your membership is managed, for member administration purposes. • Suppliers — only the minimum information needed to fulfil an order (name, delivery address, order lines). • Payment processors — Monoova Pty Ltd for bank transfer / NPP payments; Stripe, Inc. for card payments. These processors operate under their own privacy policies. • Email service providers — Resend, Inc. for transactional emails. • AI service providers — Anthropic, Inc. for invoice parsing. Uploaded invoices are processed via Anthropic's API and subject to Anthropic's data handling practices; we do not use invoice data to train models. • Legal and regulatory authorities — where required by law, court order, or regulation.

We do not sell, rent, or trade personal information to third-party marketers.

All platform data, including personal information, is stored in Australia (Azure Database for PostgreSQL, Australia East region). We do not transfer personal information outside Australia except to use the third-party service providers listed in Section 5, each of which has agreed to handle data in compliance with Australian Privacy Principles or equivalent standards.

We implement industry-standard technical and organisational measures to protect personal information, including encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, and audit logging. Despite these measures, no internet transmission or electronic storage system is 100% secure.

We use cookies and similar tracking technologies to:

• Maintain your session while you are logged in. • Understand how the Platform is used (page views, feature usage). • Improve performance and user experience.

You may disable cookies in your browser settings; however, some features of the Platform (including login) require cookies to function. We do not use third-party advertising cookies.

Under the Privacy Act 1988, you have the right to request access to personal information we hold about you, and to ask us to correct it if it is inaccurate, incomplete, or out of date.

To make a request, contact us at hello@buycollective.com.au. We will respond within 30 days. We may need to verify your identity before providing access. We do not charge a fee for access requests.

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint by emailing hello@buycollective.com.au. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

We retain personal information for as long as necessary to provide the service and comply with legal obligations. Transaction records are retained for 7 years in accordance with Australian taxation law. Account information is retained until you request deletion, subject to any applicable legal holds.

You may request deletion of your account and associated personal information by contacting us at hello@buycollective.com.au. Some information may be retained in anonymised or aggregated form.

We may update this Policy from time to time. The current version will always be available at this URL. If we make a material change, we will notify registered users by email. Continued use of the Platform after notification constitutes acceptance of the updated Policy.

For any privacy enquiries, contact:

Buy Collective — Privacy Officer GNLC Consulting Pty Ltd Melbourne, Victoria, Australia Email: hello@buycollective.com.au