Privacy Policy

This Privacy Policy explains how SwapU Pty Ltd (ABN 38 633 008 456), trading as SwapBox ("SwapBox", "we", "us", or "our"), collects, uses, discloses, and protects your personal information when you use the SwapBox platform, including the SwapBox mobile application, website, and associated services (the "Platform"). We are bound by the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth). This Policy should be read in conjunction with our Terms and Conditions. By using the Platform, you consent to the collection, use, and disclosure of your personal information as described in this Policy. If you do not agree, please do not use the Platform.

Information you provide directly: • Account registration details: name, email address, mobile phone number, residential address, and Building association • Payment information: credit or debit card details provided to Stripe Connect for Escrow processing. SwapBox does not store your full card number — this is held by Stripe in accordance with PCI-DSS standards • Listing content: photographs of Items, descriptions, category selections, condition grades, and estimated values • Communications: messages sent through support channels, dispute submissions, and feedback • Verification data: any information provided to verify your identity or Building association Information collected automatically: • Device information: device type, operating system, unique device identifiers, browser type, and app version • Usage data: pages viewed, features used, time spent on the Platform, search queries, and interaction patterns • Location data: approximate location based on IP address. We do not collect precise GPS location unless you explicitly grant permission • Locker interaction data: timestamps of deposits and collections, Locker and Compartment identifiers, and Access Code usage • Push notification tokens: technical identifiers required to send notifications Information from third parties: • Stripe Connect: transaction status, payment confirmations, and fraud screening results • My Parcel Locker (MPL): Locker event data (door open/close events, deposit and collection confirmations). MPL's dome cameras may record your image during Locker interactions — this footage is managed by MPL under their own privacy practices • Building managers: confirmation of your residency or authorised access status • Analytics providers: aggregated usage data

Platform operation: creating and managing your account; facilitating swaps including matching, notifications, Locker access coordination, and deposit/collection tracking; processing Escrow authorisations via Stripe Connect; providing customer support and resolving disputes; enforcing our Terms and Conditions. AI and algorithmic services: running the matching algorithm to identify compatible swaps and Swap Chains; generating personalised swap suggestions; powering AI-assisted communications; photo analysis for condition grading assistance; training and improving our AI models using anonymised and aggregated data. Analytics and improvement: understanding how Users interact with the Platform; generating aggregated, anonymised ESG metrics for Building manager reports; monitoring Platform performance, security, and reliability. Communications: sending Transactional Messages (swap confirmations, deposit and collection reminders, dispute updates); sending service messages; sending Commercial Messages with your express consent — you can withdraw consent at any time via Profile > Communication Preferences. Legal and safety: complying with legal obligations; detecting, preventing, and investigating fraud, security incidents, or violations of our Terms; protecting the rights, property, or safety of SwapBox, our Users, or the public.

Photographs are central to the SwapBox platform. When you list an Item, you upload photographs that must accurately represent the Item's condition. Storage: Photographs are stored on Amazon Web Services (AWS) S3 infrastructure located in the Asia-Pacific (Sydney) region. Photographs are retained for the duration of your account and for 12 months following account closure or Item deletion. Use: Photographs are used to display your Listing to other Users, facilitate matching, support dispute resolution, and train AI condition-grading systems using anonymised data. MPL Camera Footage: Locker dome cameras are operated by MPL, not SwapBox. SwapBox may request specific footage from MPL in the course of dispute resolution or security investigations.

All payment processing is handled by Stripe Connect, a PCI-DSS Level 1 certified payment processor. SwapBox's systems store only: • Stripe customer identifiers and connected account references • Transaction records (amounts, dates, status) • Last four digits of your card number (for display purposes only) SwapBox does not store, process, or have access to your full card number, CVV, or other sensitive payment credentials. For information about how Stripe handles your payment data, please refer to Stripe's Privacy Policy at stripe.com/privacy.

SwapBox collects approximate location data (based on IP address) to associate you with the correct Building and Locker. We do not collect precise GPS location data unless you explicitly grant permission for location-based features. You can disable location services for the SwapBox app at any time through your device settings.

SwapBox generates environmental impact metrics from swap activity, including estimated weight diverted from landfill, CO2 emissions avoided, and value circulated. This data is aggregated at the Building level — individual User swap data is never shared with Building managers — and used in SwapBox's ESG reports, grant applications, and marketing materials in anonymised, aggregated form. Your individual ESG contribution may be displayed to you within your account dashboard. This data is not shared with third parties in an individually identifiable form.

Matching algorithm: Our matching algorithm uses your Listing data, preferences, and swap history to identify compatible Matches and Swap Chains. Matching decisions are fully automated. You are not obligated to accept any Match proposed by the algorithm. AI-assisted communications: SwapBox uses AI-powered agents to generate and send communications including swap notifications, reminders, re-engagement messages, and personalised suggestions. Condition grading: AI tools may analyse your Item photographs to suggest a Condition Grade. The final grade is always your decision. Fraud detection: Automated systems monitor for suspicious activity. Account suspension decisions involve human review. You have the right to request human review of any automated decision that significantly affects you. Contact us using the details in Section 16.

We do not sell your personal information. With other Users: when you are matched with another User, they can see your Listing details and your first name. They cannot see your full name, address, phone number, or payment details. With service providers: we share information with third-party service providers who assist in operating the Platform, including: • Stripe Connect — payment processing and Escrow management • My Parcel Locker (MPL) — Locker access coordination • Amazon Web Services (AWS) — cloud storage • Firebase — push notification delivery • Klaviyo — email and SMS communications • Google Analytics 4 / PostHog — analytics and usage tracking • Supabase — database hosting and management All service providers are contractually required to protect your information and use it only for the purposes for which it was shared. With Building managers: we share aggregated, anonymised ESG and usage data only. We do not share individual User data, swap details, or personal information with Building managers. For legal reasons: we may disclose your information if required by law, regulation, legal process, or enforceable government request. Business transfers: if SwapBox is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such transfer.

We implement reasonable technical and organisational measures to protect your personal information, including: • Encryption in transit (TLS/HTTPS) and at rest for sensitive data • Access controls limiting employee access to personal information on a need-to-know basis • Regular security assessments and monitoring • Database-level row-level security No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

We retain your personal information for as long as necessary to fulfil the purposes described in this Policy, including: • Account data: retained for the duration of your account and 12 months following account closure • Swap transaction records: retained for 7 years for tax, legal, and dispute resolution purposes • Listing photographs: retained for the duration of the Listing and 12 months following deletion • Communications and support records: retained for 3 years • Communication consent records: retained for 7 years for Spam Act compliance • Analytics data: retained in anonymised, aggregated form indefinitely When personal information is no longer required, we will securely delete or de-identify it.

Under the Privacy Act and Australian Privacy Principles, you have the following rights: Access: you may request access to the personal information we hold about you. We will respond within 30 days. Correction: you may request correction of any personal information that is inaccurate, out of date, incomplete, or misleading. Deletion: you may request deletion of your personal information, subject to our legal obligations to retain certain data. Withdraw commercial message consent: you may withdraw your consent to receive Commercial Messages at any time via Profile > Communication Preferences. We will action your request within 5 business days. Complaint: if you believe your privacy has been breached, lodge a complaint with us. If you are not satisfied, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

SwapBox will only send you Commercial Messages (including re-engagement prompts, swap suggestions, community updates, referral invitations, and new feature announcements) if you have given express consent during account registration. Consent is voluntary — you are not required to opt in to Commercial Messages to use the Platform. You will still receive all Transactional Messages necessary for your swaps. Every Commercial Message contains a functional unsubscribe facility. SwapBox will action all unsubscribe requests within 5 business days. SwapBox complies with the Spam Act 2003 (Cth).

The Platform is not directed at children under 18 years of age. We do not knowingly collect personal information from children under 18. While the Platform facilitates swapping of children's items (kids' clothes, toys, etc.), only adults (18+) may create accounts and participate in swaps.

Your personal information may be transferred to and processed in countries outside Australia, including: • United States: Stripe (payment processing), Firebase (notifications), AWS (cloud storage), Klaviyo (email and SMS communications) • Other jurisdictions: where our service providers maintain infrastructure Before transferring personal information overseas, we take reasonable steps to ensure the recipient complies with the APPs or is subject to a substantially similar privacy regime, in accordance with APP 8.

If you have questions about this Privacy Policy, wish to exercise your rights, or have a privacy complaint: SwapU Pty Ltd (ABN 38 633 008 456) Email: privacy@swapbox.au For complaints to the Office of the Australian Information Commissioner: Website: oaic.gov.au Phone: 1300 363 992

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or through the Platform at least 14 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.