Privacy Policy & Data Collection Statement

Pursuant to the Privacy Act 1988 (Cth)

Last Updated: 18 March 2026 | Effective Date: 18 March 2026
This Policy is prepared pursuant to the Privacy Act 1988 (Cth). By using Teddy, you acknowledge that you have read and understood this Policy. Data collection requires your express consent.

1. Overview & Legal Basis

This Privacy Policy is prepared in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Teddy is an Australian legal information AI assistant operated by ASSA Media Pty Ltd (hereinafter referred to as "the Company"). Teddy provides general legal information only and does not constitute legal advice, nor does it establish a solicitor-client relationship. This Policy is intended to inform you of: what personal information the Company collects, the purpose of collection, how it is used, and your rights under Australian law. Please read this Policy carefully before using Teddy's services.

2. Information Collection (APP 3 & APP 5)

In accordance with APP 3 (Collection Principle) and APP 5 (Notification Obligation), we hereby inform you of the following:

2.1 Information We Collect

With your express consent, we may collect the following anonymised information:

• Conversation content and context (for AI model training and improvement)
• Conversation category tags (e.g., tenancy, traffic, employment)
• Usage statistics including conversation duration and message count
• Device type identifier (mobile/desktop/tablet)
• Non-identifying information you voluntarily provide (e.g., age group, occupation, visa type)

2.2 Information We Expressly Do Not Collect

• Your real name or identity document numbers
• Your precise IP address or geolocation (only IP hash is used for abuse prevention)
• Your bank account, credit card, or other payment information (subscription payments are independently and securely processed by Stripe)
• Any sensitive information that could directly identify you personally

2.3 Method of Collection

Information is collected automatically through your interactions with Teddy, and only after you have given express consent.

3. Purpose of Use (APP 6)

In accordance with APP 6 (Use and Disclosure Principle), anonymised data we collect is used solely for the following purposes:

Primary Purpose:

• To provide you with legal information query services

Secondary Purposes (with your consent):

• Training and improving Teddy's AI model to enhance response accuracy
• Analysing common legal question types to optimise service coverage
• Generating anonymous statistical reports for internal service evaluation
• Improving user experience and product features

We will never:

• Sell, rent, or trade your data to any third party
• Use data for targeted advertising or commercial marketing
• Use data for purposes beyond those stated above without your consent

4. Data Security (APP 11)

In accordance with APP 11 (Security Principle), we implement reasonable technical and organisational measures to protect your data:

• All data transmission uses TLS 1.3 encryption
• Data is stored on secure cloud servers compliant with ISO 27001 standards
• Strict access controls limit data access to authorised personnel only
• Conversation content is anonymised before storage
• Regular security audits and vulnerability assessments are conducted
• Data is not transferred outside Australia (except where cloud infrastructure located in the United States is used, with the service provider having executed a data processing agreement compliant with APPs requirements)

5. Your Rights & Choices

Under Australian privacy law, you are entitled to the following rights:

5.1 Consent and Refusal

• You have the right to consent to or refuse data collection
• If you refuse, Teddy will not retain your conversation records, but you may continue to use basic services
• Your consent choice will be recorded and may be changed at any time

5.2 Access and Correction (APP 12 & APP 13)

• You have the right to request access to information we hold about you
• You have the right to request correction of inaccurate information
• We will respond to your request within 30 business days

5.3 Deletion

• You may request deletion of collected data at any time
• Deletion requests will be processed within 30 business days
• Anonymised data already used for AI training may not be fully retrievable, but contains no personally identifiable information

5.4 Complaints

• If you believe we have breached the Australian Privacy Principles, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

6. Data Retention

• Anonymised conversation data is retained for AI training purposes for a period not exceeding 3 years
• Usage statistics are retained in aggregate form and contain no personal information
• Upon your request for deletion, we will process within 30 business days
• When data is no longer required, it will be securely destroyed or de-identified in accordance with APP 11

7. Cookies & Tracking Technologies

Teddy uses the following technologies to maintain service operation:

• Local Storage (localStorage): To save your language preferences and session state
• Device Fingerprint: For anonymous usage statistics and abuse prevention, not for personal identity tracking

We do not use third-party tracking cookies or advertising tracking technologies.

8. Protection of Minors

Teddy's services are not intended for individuals under the age of 16. If we become aware that we have collected information from a minor, we will immediately delete the relevant data. If you are a parent or guardian and discover that your child has provided information to us, please contact us immediately.

9. Policy Changes

We may update this Privacy Policy from time to time. Material changes will be communicated to you via in-app notification. Continued use of the service constitutes acceptance of the updated Policy. We recommend reviewing this Policy periodically.

10. Contact & Complaints

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact:

Privacy Officer
ASSA Media Pty Ltd
Email: [email protected]

If you are dissatisfied with our response, you have the right to lodge a complaint with:

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: [email protected]

© 2026 ASSA Media Pty Ltd. All rights reserved.

ABN Pending | ACN Pending