Privacy Policy

IP Assembly Pty Ltd trading as Ten4 Law (we, us, our, the firm)

14 McKenzie Drive, Currumbin Waters QLD 4223

Email: admin@ten4law.com

ABN: 44 625 413 934

1. About this policy

Ten4 Law is a legal practice providing services across Queensland, New South Wales and throughout Australia, including due diligence, conveyancing, estate planning, commercial transactions and litigation.

We are committed to protecting the privacy of the personal information we collect and hold. This policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).

From 1 July 2026, Ten4 Law is also a "reporting entity" under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) when we provide a "designated service" within the meaning of that Act. This policy explains how our obligations under the AML/CTF Act affect the personal information we collect, use, disclose and retain. Where the AML/CTF Act requires or authorises us to handle personal information in a particular way, those requirements operate alongside (and in some cases override) our usual practices under the Privacy Act, as described below.

This policy applies to personal information we collect through our website, in the course of acting for clients, and in dealing with other people such as referrers, suppliers, contractors and contacts.

2. What is personal information

"Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in a material form or not.

"Sensitive information" is a subset of personal information and includes information about an individual's racial or ethnic origin, political opinions, religious beliefs, health, and criminal record. We treat sensitive information with additional care and only collect it where it is reasonably necessary for our functions and you have consented, or where the collection is otherwise required or authorised by law.3. The kinds of personal information we collect and hold

The personal information we collect depends on the nature of our dealings with you. It may include:

Client and matter information

- name, date of birth, contact details (address, email, phone);

- identifiers such as occupation, employer and business details;

- information relevant to the matter we are acting on, which may include sensitive information (for example, in estate planning, family or litigation matters);

- billing, trust account and payment information.

Customer due diligence (KYC) information — AML/CTF

Where we provide a designated service, the AML/CTF Act requires us to identify and verify our clients and certain other persons before, or in some cases shortly after, we provide that service. For this purpose we collect and hold:

- identity information and verification documents (for example, full name, date of birth, residential address, and copies or records of government-issued identity documents such as a passport or driver licence);

- information about beneficial owners, persons acting on behalf of a client, and the ownership and control structure of corporate, trust or other non-individual clients;

- information about whether a person is a politically exposed person (PEP) and the outcome of sanctions and other screening checks;

- information about the source of funds and, where relevant, source of wealth, and the nature and purpose of the matter or transaction.

Website and technical information

When you use our website we may collect technical information such as your IP address, browser type, device information, pages visited and the date and time of access. See Section 12 (Cookies and website analytics).

Other people

We also collect personal information about people other than our clients where reasonably necessary, including other parties to a matter, witnesses, referrers, contractors, suppliers and our own personnel.

4. How we collect personal information

We collect personal information in a range of ways, including:

- directly from you — in person, by phone, by email, through our website, through client instruction forms and onboarding processes, and through identity verification processes;

- from third parties where you have consented or where we are required or authorised by law to do so — for example, from electronic identity verification and screening service providers, public registers, your other advisers, or other parties to a matter; and

- automatically through our website (see Section 12).

We collect personal information from sources other than you where it is unreasonable or impracticable to collect it only from you, where you have consented, or where the collection from another source is required or authorised by law (including the AML/CTF Act).

Where it is lawful and practicable, you may deal with us anonymously or using a pseudonym. However, we cannot usually act for you, and cannot meet our AML/CTF customer due diligence obligations, without verifying your identity.

5. Why we collect, hold, use and disclose personal information

We collect, hold, use and disclose personal information for purposes connected with our legal practice, including to:

- provide legal services and conduct client matters;

- communicate with you and respond to enquiries;

- establish and verify identity and conduct conflict checks before accepting instructions;

- comply with our obligations under the AML/CTF Act and other laws (see Section 6);

- manage billing, trust accounting and debt recovery;

- administer, maintain and improve our business, systems and website;

- meet our professional, regulatory and legal obligations; and

- with your consent or as otherwise permitted, send you firm updates and information about our services.

We will only use or disclose personal information for the purpose for which it was collected (the primary purpose), for a directly related secondary purpose you would reasonably expect, where you have consented, or where the use or disclosure is required or authorised by or under an Australian law or a court or tribunal order.

6. Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF)

As a reporting entity under the AML/CTF Act, we are required to:

- Verify identity (customer due diligence). Before or shortly after providing a designated service, we must identify and verify our client and, where applicable, beneficial owners and persons acting on a client's behalf, and assess money laundering and terrorism financing risk. We may decline to act, or be unable to continue to act, if we cannot complete this process.

- Report to AUSTRAC. We are required to report certain matters to the Australian Transaction Reports and Analysis Centre (**AUSTRAC**), including suspicious matters and certain transactions, and to provide information in response to AUSTRAC notices. These reports may contain personal information.

- "Tipping off." The AML/CTF Act restricts us from disclosing certain information, including whether we have made or are required to make a report to AUSTRAC. This means that, in some circumstances, we may be legally prevented from telling you that a report has been made or that your information has been provided to AUSTRAC, and we may be unable to give you access to, or reasons in relation to, certain information (see Section 11).

- Keep records. We are required to keep customer due diligence and transaction records for at least 7 years after the end of our relationship with the client or after the relevant transaction (see Section 10).

- Legal professional privilege. Nothing in this policy or in our AML/CTF compliance affects your legal professional privilege. The AML/CTF Act preserves privilege, and we will continue to claim privilege on your behalf where it applies.

Our handling of personal information for AML/CTF purposes is guided by our obligations under the AML/CTF Act and applicable AUSTRAC and Office of the Australian Information Commissioner (**OAIC**) guidance. Our AML/CTF Compliance Officer can be contacted at admin@ten4law.com.

7. Who we disclose personal information to

We may disclose personal information to:

- AUSTRAC and other regulators, courts, tribunals and government or law enforcement agencies, where required or authorised by law;

- the other party or parties to your matter and their representatives, as necessary to conduct the matter;

- barristers, experts, agents and other advisers we engage in connection with your matter;

- electronic identity verification, sanctions and PEP screening providers engaged to assist us meet our AML/CTF obligations;

- our professional indemnity insurers, auditors, accountants and professional advisers;

- IT, document management, practice management and cloud service providers who host or support our systems; and

- any person to whom you have consented or directed us to disclose, or where disclosure is otherwise required or authorised by law.

We require our service providers to handle personal information consistently with the Privacy Act and our obligations under the AML/CTF Act.

8. Disclosure of personal information overseas

Some of our service providers (for example, cloud hosting, document management or identity verification providers) may store or process personal information outside Australia. Where this occurs, the recipient may be located in the United States or the European Union.

Before disclosing personal information overseas, we take steps that are reasonable in the circumstances to ensure the recipient handles the information consistently with the APPs, except where an exception under APP 8 applies.

9. Security of personal information

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include physical, technical and administrative safeguards such as access controls, secure systems, confidentiality obligations on our personnel, and secure storage of identity and verification records. We hold AML/CTF records securely and restrict access to authorised personnel, consistent with our obligations to avoid tipping off.

10. How long we keep personal information

We retain personal information for as long as it is needed for the purposes set out in this policy and to meet our legal and professional obligations, including:

- file and trust records retained in accordance with our professional obligations and applicable law; and

- AML/CTF customer due diligence and transaction records, which we are required to keep for at least 7 years after the end of our relationship with the client or after completion of the relevant transaction.

When personal information is no longer required and we are not required by law to retain it, we take reasonable steps to destroy it or to ensure it is de-identified.

11. Access to and correction of your personal information

You may request access to the personal information we hold about you, and ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading. To make a request, contact us using the details in Section 16. We may need to verify your identity before processing your request.

We will respond within a reasonable period. In some cases we may decline a request as permitted by law, in which case we will give you reasons (except where we are not required or permitted to do so).

AML/CTF limitation: We must not provide access to, or information about, personal information where doing so would be inconsistent with our obligations under the AML/CTF Act — including where it would, or could reasonably be expected to, breach the tipping off provisions. In those circumstances we may be unable to confirm whether we hold particular information, provide access to it, or explain our reasons.

12. Cookies and website analytics

Our website may use cookies and similar technologies to operate the site, remember your preferences and understand how the site is used.

Most browsers allow you to refuse or delete cookies. If you disable cookies, some parts of our website may not function properly.

13. Direct marketing

We may, with your consent or as otherwise permitted by law, send you information about our services and firm updates. You can opt out at any time by using the unsubscribe facility in our communications or by contacting us. We do not use sensitive information for direct marketing without your consent.

14. Data breaches

We have procedures in place to respond to data breaches. Where a data breach involving personal information is likely to result in serious harm, we will comply with our obligations under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, including notifying affected individuals and the OAIC where required. Any notification will be managed consistently with our AML/CTF obligations, including the tipping off provisions.

15. Complaints

If you have a concern or complaint about how we have handled your personal information, please contact us using the details in Section 16. We will acknowledge your complaint and aim to resolve it within a reasonable time.

If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner:

- Website: oaic.gov.au

- Phone: 1300 363 992

- Post: GPO Box 5288, Sydney NSW 2001

16. How to contact us

For privacy enquiries, requests for access or correction, or complaints, please contact:

Privacy Officer

IP Assembly Pty Ltd trading as Ten4 Law

14 McKenzie Drive, Currumbin Waters QLD 4223

Email: admin@ten4law.com

17. Changes to this policy

We may update this policy from time to time. The current version will be published on our website and applies from the effective date shown above.

---

This policy is provided for transparency about our information handling practices and does not limit any rights you have under the Privacy Act 1988 (Cth) or any other law.