Outward Limited (Outward, we, us or our) operates a business providing escrow services (the Escrow Services) to importers and exporters (the Users, you or your) seeking to engage in international trade. In order to provide the Escrow Services, we operate a platform (Platform), which can be accessed by Users at www.outward.co.nz (our Website). On the Platform, Users insert details for a transaction and the Platform provides certain functionality (which we call the Trade Management Services) which assist the Users in completing the transaction. Most Users use the Platform for both the Escrow Services and the Trade Management Services (which together we refer to as the Services), but some may just use it for the Trade Management Services. In order to provide the Services, and ensure an indisputable record of User actions and authenticity of uploaded documents within Outward’s platform certain personal information, for example a User's name, is cryptographically (irreversibly) hashed and recorded on the Ethereum blockchain. No third party can unhash this information or access your personal information from the Ethereum blockchain.

We take privacy seriously and care about personal information. This Privacy Policy explains how we may collect, hold and use your personal information. 'Personal information' means information or an opinion about an identified individual, or an individual who is reasonably identifiable. This Privacy Policy applies to personal information collected and held by Outward in, or in connection with, the provision of the Services where we act as data “controller”. In addition to addressing matters specific to New Zealand’s regulatory environment, this Privacy Policy explains how we process 'personal data' about Users located in other jurisdictions, including in the European Union (EU), as required under the General Data Protection Regulation (GDPR). Please read this Privacy Policy carefully. It applies to any personal information that you provide to us, or you authorise us to collect, in connection with your use of the Services. By providing us with personal information, in the course of using our Platform and the Services, you authorise us to collect, use and disclose your personal information in accordance with this Privacy Policy. This includes our Website. We may update this Privacy Policy at any time by uploading an updated version of this Privacy Policy on our Website. The updated version of this Privacy Policy will take effect immediately upon it being uploaded onto the Website. We may (at our discretion) also take additional steps to bring the changes to your attention, including by notifying you directly. You remain, however, responsible for reviewing this Privacy Policy regularly to ensure that you are aware of any updates. This Privacy Policy applies in addition to, and does not limit, our rights and obligations under the Privacy Act 1993 (as amended or replaced from time to time) or any specific authorisation that you provide to us when you interact with us or use the Services. You are not required to provide us with any personal information that we request. However, if you do not do so, we may not be able to provide the Services to you.

We collect personal information about the Users in order provide the Services (including associated customer support). The Services, and associated customer support, are principally provided through the Platform, but may also include our Website more generally or through email / telephone correspondence. The personal information we collect may depend on whether you procure both the Escrow Services and the Trade Management Services, or just the Trade Management Services. Not all information requested, collected, and processed by us is “Personal Information” as it does not identify you as a specific natural person. This will include majority of data that you provide to us with the intention of sharing with other Users inside the specific transaction. Such “Non-Personal Information” is not covered by this Privacy Policy. However, as non-personal information may be used in aggregate or be linked with existing personal information, when in this form it will be treated as personal information. As such, this Privacy Policy will list both types of information for the sake of transparency. In some situations Users may provide us with personal information without us asking for it, or through means not intended for the collection of particular types of information. Whilst we may take reasonable steps to protect this data, the User(s) will have bypassed our systems, processes, and control and thus the information provided will not be governed by this Privacy Policy. In some situations Users may provide us personal information over platforms that are outside our control. Whilst any information collected by us is governed by this Privacy Policy, the platform by which it was communicated will, unless Outward has a contractual relationship with that platform, be governed by that platform’s own privacy policy.

While you use the Services, you may be asked to provide certain types of personal information. This Privacy Policy explains how we will use the personal information we are asking for. We may request, collect, and process the following information:

• bank account details
• contact details - email address, phone number
• location details - physical address, billing address
• identity details - full name, proof of identity (e.g. drivers licence, passport), proof of address (e.g. utility bill), date of birth
• financial information - credit card details, wire transfer details, payment processor details, tax numbers
• user generated content - transaction descriptions, transaction attachments, messaging between Users

Users have the ability to start a transaction with non-users by providing contact details such as email address, physical address and phone number of the non-user. In these situations, the information will be collected and stored by us to contact the non-user and to prevent abuse of our systems, Website and Platform. Your payment provider may transmit information to us about the payment that we may collect or process. In some situations, personal information of Users may be collected from public sources. We may collect and process the following information:

• contact details - email address, phone number
• location details - physical address, billing address,
• financial information - transaction details, payment account details (e.g. bank account, email address and physical address), wire transfer details
• user generated content - transaction description, payment milestones and release conditions

We maintain records of the interactions we have with our Users, including the Services we have provided to those Users. This includes the interactions Users have with the Platform such as when a User has viewed a page or clicked a button within the Platform. When we are contacted by a User we may collect personal information that is intrinsic to the communication. For example, if we are contacted via email, we will collect the email address used. We may collect and process the following information:

• metadata - IP address, computer and connection information, referring web page, standard web log information, language settings, etc.
• device Information - device identifier, device type, device plugins, hardware capabilities, etc
• actions - pages viewed, buttons clicked, time spent viewing, search keywords, etc.

We also collect information through our Website through cookies. Cookies are small pieces of information that are stored on a user’s computer. We may use cookies to personalise your experience on our Website, make it easier for you to navigate our Website, and improve your experience by storing your search, posting and application history, and, if we develop log-in functionality, your login details. Cookies can be disabled via your web browser; however doing so may limit your access to some of our Website’s content and features. We may use cookies to track non-personally identifiable information such as usage and volume statistics, for research purposes in order to further develop our Website. When you use our Website we may also collect the information that does not identify you (or any other individual), such as analytical information about use of our Website. When you use our Website, short text files called “cookies” may be automatically downloaded to your computer or mobile device. Cookies enable us to provide you with a better experience. For example, by enabling the Website to know that you have visited before and in some cases to record preferences in order to personalise your visit. Cookies also assist us to analyse the profile of our visitors. These can be session cookies which are deleted when you close your browser and/or persistent cookies which remain on your computer or mobile device for a longer period of time. To delete or stop cookies being placed on your computer refer to the help menu on your internet browser. In a few cases blocking cookies may reduce the functionality of our Website or otherwise prevent access to them depending on your chosen browser options. For further information visit www.aboutcookies.org.

On our Website, you will encounter links to third party websites. These links may be from us, or they may appear as content generated by other Users. These linked sites are not under our control and thus we are not responsible for their actions. Before providing your personal information via any other website, we advise you to examine the terms and conditions of using that website and its privacy policy.

The information we request, collect and process is primarily used to provide Users with the Services. More specifically, we may use your personal information for the following purposes:

• to provide the Services (or the Services you have requested);
• to accurately record the transaction and the transaction details on our servers
• to accurately (in an anonymised form) record the transaction on a digital ledger (with the use of Ethereum’s blockchain technology);
• to provide technical or other support to you in connection with the Services;
• to answer enquiries about the Services (or to respond to a complaint);
• to promote any other products or services which we may provide and which may be of interest to you (unless you have opted out from such communications);
• to allow for debugging, testing and otherwise operate our Platform;
• to conduct data analysis, research and otherwise build and improve our Platform;
• to conduct customer due diligence for AML purposes (or any similar statutory or regulatory regime)
• to comply with legal and regulatory obligations;
• if otherwise permitted or required by law; or
• for other purposes with your consent, unless you withdraw your consent for these purposes.

This list is not an exhaustive list and we may use your personal information for other purposes within the scope of this Privacy Policy. The 'lawful processing' grounds on which we may use your personal information are (but are not limited to):

• when a User has given consent;
• when necessary for the performance of the contract to which the User is a party and which governs the User’s use of the Services;
• processing is necessary for compliance with our legal obligations;
• processing is necessary in order to protect the vital interests of Users or of another natural person;
• processing is done in pursuing our legitimate interests, where these interests do not infringe on the rights of Users.

By using the Services, you agree that we can access, aggregate and use non-personally identifiable data we have collected from you. This data will in no way identify you or any other individual. We may use this aggregated non-personally identifiable data to:

• assist us to better understand how Users are using the Services;
• provide Users with further information regarding the uses and benefits of the Services; and
• otherwise improve the Services, the Platform and our Website.

We may disclose your personal information to third parties that participate in a transaction with you, including but not limited to:

• other Users;
• banks and payment providers;
• brokers (where applicable); and
• affiliates involved in origination of the transaction (where applicable).

The personal information of Users may be held and processed on our behalf outside New Zealand, including 'in the cloud', by our third party service providers. Our third party service providers are bound by contract to only use your personal information on our behalf, under our instructions. Our third party service providers include:

• blockchain providers - Ethereum
• cloud hosting, storage, networking and related providers – Google Cloud Platform
• SMS providers
• payment and banking providers
• marketing and analytics providers
• security providers
• chat providers
• email providers
• AML customer due diligence service providers

We may also disclose your personal information to third parties for the following purposes:

• if necessary to provide the Services you have requested;
• we receive court orders, subpoenas or other requests for information by law enforcement;
• if otherwise permitted or required by law; or
• for other purposes with your consent.

When we share personal information, it may be transferred to, and processed in, countries other than the country you live in (such as in Australia, where our data hosting provider’s servers are located). Such countries may have laws different to what you’re used to. Rest assured, where we disclose personal information to a third party in another country, we put safeguards in place to ensure your personal data remains protected. For individuals in the European Economic Area (EEA), this means that your personal information may be transferred outside of the EEA. Where your personal information is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data, or to a third party where we have approved transfer mechanisms in place to protect your personal information – i.e., by entering into the European Commission’s Standard Contractual Clauses, or by ensuring the entity is Privacy Shield certified (for transfers to US-based third parties). For further information, please contact our Privacy Officer using the details set out below. If you do not want your personal information to be transferred to a server located in Australia, you should not provide us with your personal information or use the Services.

Security of your information is very important to us. We will take reasonable technical and organisational precautions to protect personal information that we hold. However, due to the inherent nature of the internet, we are not able to guarantee the security of any information that we hold or that you transmit to us. In the event of a potentially harmful data breach of your personal information we will notify you and the Office of the Privacy Commissioner.

If you make a payment on our Website, Stripe will process your payment. Stripe will encrypt and store your payment card number securely, in accordance with Stripe’s privacy policy available at www.stripe.com. Stripe protects personal information (at a minimum) to the Payment Card Industry Data Security Standards (PCI-DSS). Your payment card number is not held by and is never revealed to us.

We will keep your personal information for as long as is reasonably required in light of the duration of your use, and any ongoing use, of the Services and in accordance with this Privacy Policy (unless we are required by law to hold it longer). We will then delete your personal information, where possible. However, the anonymised (hashed) information recorded on the Ethereum blockchain, cannot be deleted.

You have the right to request access to the personal information we hold about you. Unless an exception applies, we must allow you to see the personal information we hold about you, within a reasonable time period, and without unreasonable expense for no charge. Most personal information can be accessed by logging into your account. If you wish to access information that is not accessible through the Platform, or wish to download all personal information we hold on you in a portable data format, please contact our Privacy Officer. You also have the right to request the correction of the personal information we hold about you. All your personal information can be updated through the User settings pages of the Platform. If you require assistance please contact our customer support through the Platform.

You have a number of other rights in relation to the personal information we hold about you, however, there may be restrictions on how you may exercise these rights. This is largely due to the nature of the Services we provide. You have the right to:

• opt-out of direct marketing, and profiling for marketing;
• have your personal information erased; and
• place a temporary restriction of processing.

Direct marketing and profiling - you can choose to be removed from any mailing list not essential to the Services on our Website. Erasure of personal information - Some personal information cannot be deleted as it is used to support contracts between Users, document financial transactions, is used in providing protection for Users on the Platform and may form part of the immutable ledger on the blockchain. In the case of non-personal data that can be linked with personal information, it will either be erased or otherwise anonymised from the personal information. Temporary restriction to processing - under certain circumstances you may exercise this right, in particular if you believe that the personal information we have is not accurate, or you believe that we do not have legitimate grounds for processing your information. In either case you may exercise this right by contacting our Privacy Officer. Users may exercise any of the above rights by contacting our Privacy Officer

If you have an enquiry or a complaint about the way we handle your personal information, or to seek to exercise your privacy rights in relation to the personal information we hold about you, you may contact our Privacy Officer as follows: By Email: privacy@outward.co.nz By Mail: Privacy Officer Level 2, 29 Waterloo Road, Lower Hutt, 5010, New Zealand For the purposes of the GDPR, our Privacy Officer is also our Data Protection Officer. While we endeavour to resolve complaints quickly and informally, if you wish to proceed to a formal privacy complaint, we request that you make your complaint in writing to our Privacy Officer, by mail or email as above. We will acknowledge your formal complaint within 10 working days. If you are in the European Union, you can choose to lodge a complaint with your local Data Protection Authority (DPA). The list of DPAs can be found at http://ec.europa.eu/justice/article-29/structure/dataprotection-authorities/index_en.htm.