EMANDA POLICIES

Privacy

Last updated: April 2026 | Effective date: April 2026

Applies to: my.emanda.app (Platform) | www.emanda.app (Website) | All associated services

Emanda App Pty Ltd ACN 671 957 387 and Emanda Group Pty Ltd ACN 659 345 169 ('Emanda App', 'Emanda Group', 'we', 'us', 'our') operate the Emanda App platform (my.emanda.app) and website (www.emanda.app), together referred to as the Service. This Privacy Policy explains how we collect, use, store, and disclose personal information in connection with the Service.

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where users or third parties are located in the European Economic Area (EEA) or the United Kingdom, we also observe the General Data Protection Regulation (GDPR) and UK GDPR to the extent applicable. By using the Service you agree to this Privacy Policy.

1. DEFINITIONS

In this Privacy Policy:

  • 'Activity Logs' means records of all User and third-party activity within the Service, including data views, metric views, document views and downloads, AI Q&A interactions, shared report or document access, and any other actions taken through the Service. Activity Logs are accessible to the subscription owner and are not accessible to third parties.
  • 'Client Data' means all data, content, and information uploaded, input, or submitted to the Service by or on behalf of a User, including documents, financial data, and business information.
  • 'Derived Insights' means anonymised and aggregated insights, benchmarks, metrics, and rankings generated by Emanda App from processing content across the platform. Derived Insights contain no data attributable to any individual User or business and are not personal information under the Privacy Act 1988 (Cth).
  • 'EEA' means the European Economic Area.
  • 'GDPR' means the General Data Protection Regulation (EU) 2016/679 and, where applicable, the UK equivalent.
  • 'Personal Data' or 'Personal Information' means data about a living individual who can be identified from that data, or from that data combined with other information we hold.
  • 'Third-Party Recipient' means any individual who receives access to content, reports, metrics, documents, or other outputs shared from a User's account, including potential buyers, advisers, brokers, lawyers, and accountants, whether access is granted through the data room, metric sharing, report sharing, document sharing, or any other sharing functionality in the Service.
  • 'Toolkit Outputs' means Information Memoranda, adjusted profitability and maintainable earnings calculations, industry benchmarking and ranking reports, and any other documents, insights, or reports generated by the Emanda suite of toolkits.
  • 'Usage Data' means data collected automatically from the use of the Service, including IP address, browser type, pages visited, and session duration.
  • 'User' means any person who accesses or uses any part of the Service, including registered Platform users, Website visitors, and Third-Party Recipients.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

When you create an account or use the Service, we may collect:

  • Name, email address, phone number, job title, company name, and any other profile information you provide
  • Business documents, financial data, valuation inputs, and other materials you upload to the Platform
  • Billing information and payment details (processed by Stripe; we do not store card numbers)
  • Preferences about marketing and communications
  • Communications and support requests you send to us

2.2 Usage Data

We automatically collect information when you use the Service, including:

  • IP address, browser type and version, and device information including operating system and device identifiers
  • Pages visited, time and date of visits, time spent on pages, and navigation paths
  • Referring URLs, crash information, and application identifiers
  • General location inferred from IP address (we do not collect GPS data without your consent)

2.3 Third-Party Recipients

Where you receive access to content shared from another User's account — whether through the data room, metric sharing, report sharing, document sharing, or any other sharing functionality — we collect:

  • Information provided as part of your access invitation
  • Activity records including all data, metrics, documents and reports viewed or downloaded, AI Q&A questions asked and answers generated, and any other actions you take within the Service

This activity is recorded in Activity Logs accessible to the subscription owner. By accessing shared content through the Service, you acknowledge and agree that your activity is recorded in accordance with these terms and the Terms of Service.

2.4 Google Workspace Data

Where you connect a Google Workspace account to the Service, we access data through Google APIs solely to enable features that are visible and central to your experience. See Section 14 for full details of our Google Workspace API compliance.

2.5 Cookies and Tracking Technologies

We use cookies and similar tracking technologies. See Section 11 for full details.

3. HOW WE USE YOUR INFORMATION

We use personal information for the following purposes:

  • To provide, operate, and maintain the Service, including the data room, metric and report sharing, AI extraction and analysis, Toolkit Outputs, AI Q&A, activity logging, and all other Service features
  • To generate Business Valuations, Toolkit Outputs (including Information Memoranda, adjusted profitability calculations, and industry benchmarking and ranking outputs), and other automated analyses
  • To enable sharing of content, reports, metrics, and documents with Third-Party Recipients as directed by you or your delegated admin
  • To provide indicative business guidance and observations through Guidance Outputs (not professional advice — see Terms of Service Section 7A)
  • To record and maintain Activity Logs accessible to the subscription owner
  • To communicate with you about your account, the Service, and changes to our terms and policies
  • To process payments and manage billing
  • To provide customer support and respond to enquiries
  • To monitor and analyse usage of the Service for improvement and security purposes
  • To detect, prevent, and address technical issues and security threats
  • To send marketing communications where you have consented or where we have a legitimate interest (you may opt out at any time)
  • To generate Derived Insights for platform improvement and benchmarking products (see Section 6)
  • To comply with applicable legal obligations in Australia and other applicable jurisdictions

4. LEGAL BASIS FOR PROCESSING (GDPR — EEA AND UK USERS)

If you are located in the EEA or UK, we process your personal information on the following legal bases under the GDPR:

  • Contract: processing is necessary to perform our contract with you or to take steps at your request before entering into a contract
  • Legitimate interests: processing is necessary for our legitimate interests in improving the Service, marketing to existing and prospective customers, operating Activity Logs, and maintaining security, where these interests are not overridden by your fundamental rights and freedoms
  • Legal obligation: processing is necessary to comply with a legal obligation applicable to us
  • Consent: where we rely on consent (for example, for certain marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing

For Australian users, we process personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

5. CONTENT SHARING, DELEGATED ADMIN, AND THIRD-PARTY ACCESS

The Service enables Users to share content with Third-Party Recipients using granular access controls. Sharing can occur through multiple features including:

  • The data room (view-only, download-enabled, or preview-only access to documents)
  • Metric and data sharing (sharing of specific financial metrics or valuation outputs)
  • Report sharing (sharing of Toolkit Outputs including IMs, maintainable earnings calculations, and industry rankings)
  • Document sharing (sharing of any other documents or outputs generated through the Service)
  • Any other sharing functionality made available through the Service from time to time

Users may also grant delegated admin rights to third parties — such as brokers, lawyers, or accountants — enabling those admins to further share content with additional parties within the permissions framework the User has configured. Users are responsible for the access and sharing decisions made by their delegated admins.

The Service also enables certain Toolkit Outputs to be marked as 'Specialist' approved or checked, where a relevant specialist has reviewed the content. Users may share Specialist-marked outputs with third parties where legal, financial, or specialist advice is required.

All activity by Third-Party Recipients within the Service — including all data, metrics, documents and reports accessed, AI Q&A interactions, and any other actions taken — is recorded in Activity Logs accessible to the subscription owner. Third-Party Recipients acknowledge this recording by accessing the Service, as notified through the Terms of Service.

6. AI PROCESSING AND DERIVED INSIGHTS

6.1 AI Processing

Emanda App uses artificial intelligence and machine learning to extract data from documents, generate Business Valuations and Toolkit Outputs, answer queries through AI Q&A, provide Guidance Outputs, and produce other automated analyses. All AI processing occurs within Emanda App's own Amazon Web Services (AWS) infrastructure located in Australia. We do not transmit identifiable Client Data to external third-party AI API providers.

AI-generated outputs are automated computational results. They are not financial advice, professional valuation opinions, or certified appraisals. You should not rely on AI-generated outputs without independent verification. See Terms of Service Sections 6 and 7 for full disclaimers.

6.2 Derived Insights

Emanda App generates anonymised and aggregated Derived Insights from content processed across the platform. Derived Insights include aggregated financial benchmarks, valuation multiples, adjusted profitability metrics, industry rankings, and other platform-wide analytical outputs. They are generated through automated processes that aggregate and anonymise data at a level that prevents attribution to any individual User, business, or piece of identifiable content.

Derived Insights are not personal information and are owned by Emanda App. We use Derived Insights to improve the accuracy and performance of the Service, refine valuation multiples and industry ranking methodologies, and develop benchmarking and market analysis products. By using the Service you consent to Emanda App generating and using Derived Insights in accordance with the Terms of Service (Section 9(g)).

6.3 AI Training

Emanda App does not use identifiable Client Data, data room documents, financials, or other private content to train, fine-tune, or improve AI or machine learning models, or to create foundational models and insights, without express written consent from the User. Any AI systems used within the Service are either pre-trained on public or third-party licensed data, or operate within a constrained, client-specific context. Anonymised and aggregated patterns derived from platform-wide AI interactions may form part of Derived Insights used to improve the Service.

6.4 AI Q&A Logs and Guidance Outputs

AI Q&A interactions — including questions asked and answers generated by Users and Third-Party Recipients — are stored as part of Activity Logs for the duration of the User's account. Following account termination, AI Q&A Logs are retained for 30 days to permit retrieval and are then securely deleted. Identifiable AI Q&A Logs are not used to improve AI models without express User consent.

Guidance Outputs — indicative business observations and suggestions generated by the Service — are produced by automated analysis of a User's data. They are platform-generated information only and do not constitute financial advice, investment advice, or any other form of regulated or professional advice. See Terms of Service Section 7A.

7. DISCLOSURE OF INFORMATION

We do not sell your personal information. We may disclose personal information in the following circumstances:

  • Service providers: third-party companies that assist us in operating the Service, bound by confidentiality and data protection obligations no less onerous than those in this policy
  • Emanda Group: where you have engaged Emanda Group for professional advisory services, or where the nature of your use of the Service requires Emanda Group's involvement
  • White-label partners: where you access the Service through a white-label portal, outputs and activity data may be accessible to the relevant business partner operating that portal
  • Third-Party Recipients: outputs, reports, metrics, and documents are shared with Third-Party Recipients as directed by you or your delegated admin through the Service's sharing features
  • Business transactions: if Emanda App is involved in a merger, acquisition, or asset sale, your personal information may be transferred. We will provide prior notice of any such transfer and any resulting change to this Privacy Policy
  • Law enforcement and legal obligations: we may disclose personal information where required by law, court order, or government authority; to protect the rights or property of Emanda App; to prevent wrongdoing; to protect user safety; or to protect against legal liability

8. CROSS-BORDER DATA TRANSFERS

Our primary data hosting infrastructure is located in Australia (AWS ap-southeast-2, Sydney). We take all reasonable steps to ensure your data is treated securely in accordance with this Privacy Policy.

Cross-border transfers of personal information may occur in the following circumstances:

  • Where you share content, reports, metrics, or documents with Third-Party Recipients located outside Australia through any of the Service's sharing features. In this case, the shared content transits to the recipient's jurisdiction as a direct result of your instruction. You are responsible for ensuring such sharing complies with your obligations under applicable law.
  • Where you or a Third-Party Recipient access the Service from outside Australia. Usage data and session information may be processed across jurisdictions as part of normal Service delivery.
  • Where our service providers (including analytics and advertising providers) process data in other jurisdictions. See Sections 11–13 for details of specific providers.

For EEA and UK users, we rely on the following transfer mechanisms where applicable: adequacy decisions made by the European Commission; Standard Contractual Clauses (SCCs); or other lawful transfer mechanisms under the GDPR. We do not transfer data to countries or organisations that do not provide adequate protections.

Your use of the Service and submission of personal information constitutes acknowledgement of these transfer arrangements.

9. DATA RETENTION

We retain personal information and Client Data for the duration of your account and for 7 years after the end of your engagement with the Service, in accordance with our legal obligations and legitimate business interests under the Terms of Service (Section 9(f)).

Following account termination, we retain Client Data for 30 days to permit export and retrieval. After that period, Client Data is securely deleted subject to any applicable legal retention obligations. We will confirm deletion in writing within 14 days of a written request.

Activity Logs and AI Q&A Logs are retained for the duration of the User's account. Following termination, they are treated as Client Data and subject to the same 30-day retrieval and deletion process.

Usage Data collected for analytics purposes is generally retained for shorter periods, except where retained to improve Service security or functionality or where legally required.

Derived Insights, being anonymised and aggregated, are not personal information and are not subject to deletion obligations. They may be retained indefinitely.

10. SECURITY OF DATA

The security of your data is important to us. We implement reasonable technical and organisational measures to protect personal information against unauthorised access, use, disclosure, alteration, or destruction, including encryption at rest and in transit, access controls, and regular security reviews.

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. Users are responsible for maintaining the security of their account credentials and must notify us immediately of any suspected security breach.

11. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies — including beacons, tags, and scripts — to operate the Service, remember your preferences, maintain security, and analyse usage.

Types of cookies we use:

  • Session cookies: used to operate the Service during your session
  • Preference cookies: used to remember your preferences and settings
  • Security cookies: used for authentication and security purposes
  • Analytics cookies: used to understand how the Service is used (see Section 12)
  • Advertising cookies: used to deliver relevant advertising (see Section 13)

You can instruct your browser to refuse all cookies or to notify you when a cookie is being sent. However, refusing cookies may affect your ability to use some parts of the Service.

Do Not Track: we do not currently support Do Not Track signals. You can enable or disable Do Not Track through your browser settings.

12. ANALYTICS

Google Analytics (GA4)

We use Google Analytics 4 (GA4), a web analytics service provided by Google LLC. Google Analytics uses cookies to collect information about how users interact with the Service. This data is used to compile reports and improve the Service. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on available at tools.google.com/dlpage/gaoptout. For more information on Google's privacy practices, visit policies.google.com/privacy.

13. ADVERTISING AND REMARKETING

We use the following advertising services to market Emanda App to existing and prospective users. These services use cookies and similar technologies to serve advertising based on your prior visits to our Service and other websites.

Google Ads

We use Google Ads remarketing, provided by Google LLC. This service uses cookies to serve ads on third-party websites to users who have previously visited our Service. You can opt out of Google's interest-based advertising by visiting Google's Ad Settings at adssettings.google.com. We also recommend installing the Google Analytics opt-out browser add-on. For more information, visit policies.google.com/privacy.

LinkedIn

We use LinkedIn Insight Tag and LinkedIn advertising services, provided by LinkedIn Corporation. These services use cookies to serve ads and to provide analytics about how LinkedIn members interact with our advertisements and website. LinkedIn members can opt out of LinkedIn advertising at linkedin.com/psettings/guest-controls/retargeting-opt-out. For more information, visit linkedin.com/legal/privacy-policy.

Behavioural Remarketing Generally

Our advertising partners may also participate in industry self-regulatory programmes for interest-based advertising. You can opt out through the Digital Advertising Alliance (DAA) at aboutads.info/choices, the Digital Advertising Alliance of Canada at youradchoices.ca, or the European Interactive Digital Advertising Alliance at youronlinechoices.eu.

14. GOOGLE WORKSPACE API COMPLIANCE

Where you connect a Google Workspace account to the Service, we access data through Google Workspace APIs in full compliance with Google's Limited Use of User Data policy and Google Workspace API policies:

  • Purpose-limited use: we use Google Workspace data only to enable or enhance features that are visible and central to your experience within the Service
  • No unauthorised transfer: we do not transfer Google-sourced data except to enable a user-facing feature with your explicit consent; for security investigations (e.g. abuse detection); to comply with legal or regulatory obligations; or during an acquisition or asset sale with explicit prior user consent
  • Limited human access: Google-sourced data is not accessible to humans unless you explicitly consent (for example, for support or account recovery); the data is aggregated and anonymised for internal operations only; or access is necessary for security or legal compliance
  • Prohibited uses: we do not sell or transfer Google user data to third parties; use it for targeted advertising or credit scoring; or use it to train or improve general AI or machine learning models, except for personalised in-app features for that specific user

15. PAYMENTS

We use Stripe for payment processing. We do not store or collect your payment card details. Payment information is provided directly to Stripe, whose use of your personal information is governed by their Privacy Policy at stripe.com/privacy. Stripe adheres to PCI-DSS standards for the secure handling of payment information.

16. YOUR RIGHTS

16.1 Australian Users (Privacy Act 1988 (Cth))

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you
  • Request correction of personal information that is inaccurate, incomplete, or out of date
  • Make a complaint if you believe we have breached the APPs

To exercise these rights, contact us at legal@emanda.app. We will respond within 30 days. If we cannot resolve your complaint, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

16.2 EEA and UK Users (GDPR)

If you are located in the EEA or UK, you have the following rights under the GDPR:

  • Right of access: to receive a copy of the personal information we hold about you
  • Right to rectification: to have inaccurate or incomplete information corrected
  • Right to erasure: to request deletion of your personal information in certain circumstances
  • Right to restriction: to request that we restrict the processing of your personal information
  • Right to data portability: to receive your personal information in a structured, machine-readable format
  • Right to object: to object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at legal@emanda.app. We may ask you to verify your identity before responding. You also have the right to lodge a complaint with your local data protection authority in the EEA or UK.

16.3 Third-Party Recipients

If you have accessed the Service as a Third-Party Recipient and wish to access or correct personal information we hold about you — including Activity Log records — please contact us at legal@emanda.app. We may direct requests to the relevant subscription owner where they hold primary responsibility for that information.

17. CHILDREN'S PRIVACY

The Service is not directed at anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at legal@emanda.app and we will take steps to remove that information from our systems.

18. EMANDA GROUP

Emanda Group Pty Ltd ACN 659 345 169 (AR 001310995) is an Authorised Representative of Avenir Capital Pty Ltd ACN 150 790 355 (AFSL 405469). Where you engage Emanda Group for professional advisory services, Emanda Group will handle your personal information in accordance with its own privacy obligations and the terms of your separate engagement.

Emanda App and Emanda Group are related entities and share certain operational infrastructure. Information shared between the entities is limited to what is necessary for the delivery of the relevant service.

19. LINKS TO OTHER SITES

The Service may contain links to third-party websites or services not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites. We strongly advise you to review the privacy policy of every site you visit.

20. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of any Material Changes (as defined in the Terms of Service) by email to your registered address or by prominent notice within the Service, at least 30 days before the change takes effect. Non-material changes (such as typographical corrections or updated contact details) will be reflected by updating the date at the top of this policy.

You are advised to review this Privacy Policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

21. CONTACT US

For privacy enquiries, access or correction requests, or complaints:

Emanda App Pty Ltd ACN 671 957 387 | Victoria, Australia