Privacy policy

This policy explains how BLASO Provenance Pty Ltd (ACN 698 788 528) (the entity, we, us) handles personal information. It is to be read with the entity's obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).

Effective date: 12 June 2026. Draft, pending legal review.

1. Scope

This policy applies to personal information we collect in the course of providing, or preparing to provide, our designated services and operating our business. Where AML/CTF law requires or permits a particular handling of personal information, that law prevails to the extent of any inconsistency with this policy.

2. Information we collect

We collect personal information necessary for our functions and activities, including to meet our customer due diligence and record-keeping obligations under the AML/CTF Act. This may include:

• identity information — full name, date of birth, residential address;
• identification documents and the results of electronic identity verification conducted under the Safe Harbour procedures;
• for companies and trusts — registered details, and the identity of beneficial owners and of the individual acting for the customer;
• politically-exposed-person (PEP) self-declarations and screening results;
• sanctions screening results against the DFAT Consolidated List;
• transaction records and related correspondence; and
• information you provide when you contact us.

3. How and why we use it

We collect, hold, use and disclose personal information to:

• verify identity and conduct customer due diligence (initial, enhanced and ongoing);
• perform sanctions and PEP screening;
• detect, assess and report suspicious matters;
• meet our record-keeping, reporting and other obligations under the AML/CTF Act and the Rules; and
• provide, administer and account for our services.

Identity information collected for AML/CTF purposes is used only for those purposes and as otherwise permitted or required by law.

4. Disclosure

We may disclose personal information to: AUSTRAC and other regulators or law-enforcement agencies where required or authorised by law; our external legal and accounting advisers; identity-verification, sanctions and PEP screening providers engaged to perform those checks; and our banking and payment provider. We do not sell personal information. Where law requires (for example, the tipping-off prohibition in section 123 of the AML/CTF Act), we will not disclose that a suspicious matter report has been or may be made.

5. Storage, security and integrity

Personal information is stored securely with access restricted to the Compliance Officer and, on a need basis, external advisers. Onboarding and verification events are written to an append-only (immutable) audit log with HMAC-signed token integrity, providing a tamper-evident record. We take reasonable steps consistent with Australian Privacy Principle 11 to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Where personal information is no longer needed for any purpose for which it may be used or disclosed, and we are not required by law or a court/tribunal order to retain it, we take reasonable steps to destroy it or to ensure it is de-identified.

6. Retention

We retain records — including identity and beneficial-ownership records, transaction records, screening results, and reports and supporting analysis — for at least 7 years, consistent with section 111 and related provisions of the AML/CTF Act. For identity records the period runs from the end of the customer relationship; for transaction records, from the transaction. This statutory retention obligation prevails over the APP 11.2 destruction expectation for the records to which it applies.

7. Access and correction

Subject to the Privacy Act and to any AML/CTF restriction (including the tipping-off prohibition), you may request access to, or correction of, the personal information we hold about you by contacting us at the address below. We may need to verify your identity before responding. Where we are unable to provide access or make a correction, we will give you our reasons in writing where required.

8. Complaints

If you consider we have handled your personal information in a way that breaches the Privacy Act or the APPs, you may lodge a complaint with us at compliance@blaso.com.au. We will acknowledge and investigate your complaint and respond within a reasonable period. If you are not satisfied with our response, you may refer the matter to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Changes to this policy

We may update this policy from time to time. The current version is the version published on this page. Material changes will be reflected in the effective date above.

10. Contact

Privacy enquiries and requests should be directed to the AML/CTF Compliance Officer:

This policy is a draft prepared for the entity-attribution surface and is subject to legal review before it is relied upon. It is not legal advice.