Gadens is committed to protecting your privacy. Our commitment in respect of personal information is to abide by the Australian Privacy Principles for the protection of personal information, as set out in the Privacy Act 1988 (Cth) (Privacy Act) and to abide by any other relevant law, including the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the AML/CTF Rules.
What is covered in this policy?
When we refer to personal information, we mean information or an opinion about an identified individual, or an individual who is reasonably identifiable. This information may include facts or an opinion about you. The personal information we hold about you may also include sensitive information or credit information.
The kinds of personal information we may collect about you include your name, date of birth, address, bank account details, occupation, position, email address, phone number and any other information we may need to identify you or provide our services.
We may also collect personal information to comply with our obligations under the AML/CTF Act and the AML/CTF Rules, for example, when conducting client due diligence. This may include information from identification documents (such as your name, date of birth, residential address, passport or licence number, and the date of expiry of the document), details about the nature of the legal service we are providing, and information relevant to assessing money laundering or terrorism financing risk.
We may collect personal information from you directly or indirectly. Where required or authorised under the AML/CTF Act, we may collect personal information about you from third parties, such as from our clients (for example, where we need to identify beneficial owners of a client’s company or a client’s agent). It may be unreasonable or impracticable to collect personal information directly from you in these circumstances.
We will only collect personal information which is reasonably necessary for our services, functions and activities, including our AML/CTF obligations. The ‘reasonably necessary’ test is an objective test: we will only collect personal information where a reasonable person who is properly informed would agree that the collection is necessary for our functions and activities.
If we collect government identifiers, such as your tax file number, we will not use or disclose this information other than as required or authorised by law.
In most circumstances it will be necessary for us to identify you to successfully do business with you, including meeting our client due diligence obligations under the AML/CTF Act. However, if you choose not to provide us with personal information, we may not be able to do business with you, or we may not be able to provide you with a legal service.
We may also collect personal information if required or permitted by law or professional standards, including the AML/CTF Act and AML/CTF Rules.
Sensitive information includes any information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences, orientation or practices, criminal record, health information and certain genetic or biometric information, including biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or biometric templates.
We will not ask you to disclose sensitive information unless it is necessary to provide our services to you, or unless it is required to comply with our obligations under the AML/CTF Act. For example, information about an individual’s membership of a political association may be collected where relevant to determining whether the client is a politically exposed person or subject to sanctions. However, if you elect to provide unsolicited sensitive information, it may be captured and stored if it is reasonably necessary for our functions or activities (or if otherwise permitted by law). Where we collect sensitive information for AML/CTF purposes, we may do so without your consent where the collection is required or authorised by Australian law, including the AML/CTF Act or the AML/CTF Rules.
Where we or a third party agent collect or use biometric information for identification or verification for client due diligence purposes, we will generally seek your consent before doing so and will provide you with sufficient information about the process in our collection notice.
We collect personal information for the purpose of providing the services you have requested and managing our relationship with you. This occurs when you seek legal advice from us, attend a seminar, sign up to receive information from us, apply for a position with us or provide services to us. We also collect personal information to comply with our obligations under the AML/CTF Act and AML/CTF Rules, including for client due diligence and personnel due diligence.
We may also collect your personal information from our clients, where that information is necessary for us to act for them.
Generally, we will only use or disclose personal information for the purpose for which it was collected (the primary purpose). We will not use or disclose personal information for another purpose (a secondary purpose) unless an exception applies or we obtain your consent.
Where the use or disclosure of personal information is required or authorised under the AML/CTF Act or AML/CTF Rules, we are permitted to use and disclose that personal information (including without your consent). For example, the AML/CTF Act may require us to submit a suspicious matter report to AUSTRAC in certain circumstances, and these reports will contain personal information.
We will ensure that any use or disclosure of personal information is not inconsistent with our information-handling obligations under the AML/CTF Act, including secrecy provisions and tipping off obligations.
We may use your personal information as required by or authorised by law.
We may disclose your personal information to the following parties:
We may utilise cloud storage located in an Australian data centre to securely store the personal information we hold about you. Additionally, we may disclose your personal information to other entities within Australia as necessary to fulfill our obligations and provide our services.
Where we disclose personal information to recipients located overseas, we will take such steps as are reasonable in the circumstances to ensure that the overseas recipients handle personal information in accordance with the Australian Privacy Principles. We will generally be accountable if the overseas recipient mishandles the information. However, we will not be responsible for the acts or practices of the overseas recipient where the disclosure is required or authorised by the AML/CTF Act or the AML/CTF Rules, or where a foreign law requires the act or practice and it is done outside Australia.
We will include in our collection notices the likelihood of any cross-border disclosure of personal information and the countries in which such recipients are likely to be located.
We may retain your personal information electronically or in hard copy.
We employ a variety of security measures to keep your personal information secure by limiting access to our offices, utilising firewalls and secure databases, password protecting our IT systems, frequently updating our anti-virus software and conducting regular audit and data integrity checks. We also implement multifactor authentication, minimum password complexity requirements, audit logs and access monitoring for systems that store personal information.
All of our partners and employees are also bound to keep your personal information secure and treat it as confidential.
We cannot guarantee the security of your personal information. The internet is not a safe environment. However, the Firm takes reasonable steps in the circumstances to ensure that the personal information it holds is protected from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
We do not retain copies of full identification documents (such as driver’s licences or passports) for AML/CTF record keeping purposes. Instead, we record the relevant personal information from identification documents that is reasonably necessary to demonstrate compliance with our client due diligence obligations (for example, names, date of birth, residential address, date of expiry, passport or licence number, the type of document, what we did to identify the client, and the outcome of the verification and analysis). We may retain copies of identification documents where another professional or legal obligation requires us to do so.
Our websites and electronic newsletters may also contain links to other websites operated by third parties. We are not responsible for the privacy practices or the content of those linked websites. The privacy policies that apply to those other websites may differ from our privacy policy, so we recommend you read them before proceeding to those websites.
We will only retain personal information for as long as it is needed to comply with our AML/CTF obligations, for the purposes for which it was collected, or for another permitted purpose under the Privacy Act or APPs. Where we are required by the AML/CTF Act or another Australian law or a court or tribunal order to retain personal information, we will do so in accordance with those requirements.
Where personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, we will take reasonable steps to destroy or de-identify that information. We have systems and processes in place to specify retention periods and identify when retention is no longer necessary, including destruction schedules and alerts. We ensure that processes for the retention and destruction of personal information are well known to all staff through regular training and monitoring.
When you interact with our website, we and our internet service providers collect data to enhance your experience when using our website. We also use this data to interpret and report on which pages and downloads are used by visitors.
We use cookies in a limited manner when you visit our website, for the purpose of providing you with a better and more customised service. Cookies are not used by us to collect and store your personal information. A cookie is a small text file placed on your computer by our webpage server. A cookie can later be retrieved by our webpage services. Cookies are frequently used on websites. You can choose if and how a cookie will be accepted by configuring your preferences and options in your internet browser.
We use cookies for different purposes such as:
The types of data we collect include:
If at any time you do not wish to accept cookies or wish to delete existing cookies, you may manually configure your browser to refuse cookies or may manually delete existing cookies from your hard drive. However, by deleting or refusing to accept cookies you may frustrate or hinder your access to or use of areas of our website.
We use services such as LinkedIn, X, Facebook and YouTube to communicate with the public about our services. When you interact with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. These services have their own privacy policies which you can access directly.
If we have an existing relationship with you, or if you have subscribed to our mailing list, registered for our events or provided feedback, we may use your personal information to provide you with current information about legal issues, firm developments, including information relating to new products and services that we offer, sector-focused newsletters or events that you may find of interest. We will not use personal information collected for AML/CTF purposes for direct marketing unless permitted by an exception under APP 6. If you do not wish to receive marketing information, you may at any time decline to receive such information by telephoning us on +61 03 9252 2555, by writing to us at MS-PrivacyOfficer@gadens.com or if the direct marketing is by email you may also use the unsubscribe function in the email message.
A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure. We have a data breach response plan in place to enable us to respond quickly to any data breach. Under the Notifiable Data Breaches scheme, we are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach has occurred that is likely to result in serious harm.
There are some exceptions to the notification requirement. For example, notification is not required where it would be inconsistent with a secrecy provision under the AML/CTF Act, such as the prohibition on tipping off. In those circumstances, we will comply with the notification requirements under the Privacy Act only to the extent necessary to avoid inconsistency with the secrecy provision.
We will provide you with access to the personal information we hold about you (unless we are entitled to rely on an exemption under relevant legislation). You may request access to any of the personal information that we hold about you at any time. We will need to verify your identity before giving you access to information. Depending on the type of request that you make, we may respond to your request immediately. Otherwise, we will usually respond to you within 30 days of receiving your request. We may need to contact other entities to properly respond to your request.
There may be situations where we are not required to provide you with access to your personal information, for example if your request is vexatious, or where giving access would be unlawful (for example, where it may constitute tipping off under the AML/CTF Act), or where there is reason to suspect that unlawful activity or serious misconduct has been, is being, or may be engaged in and giving access would be likely to prejudice the taking of appropriate action, or where giving access would be likely to prejudice enforcement related activities. An explanation will be provided to you if we deny you access to the personal information we hold about you, except to the extent that providing such an explanation would be unreasonable or inconsistent with our legal obligations (for example, tipping off obligations under the AML/CTF Act).
If we refuse to give access, or refuse to give access in a manner requested, we will give you a written notice setting out the reasons for refusal (except to the extent it would be unreasonable to do so), how you may make a complaint about our decision, and information about external complaint avenues (such as the OAIC).
It is important to us that the personal information we hold about you is accurate and up to date. During the course of our relationship with you we may ask you to inform us if any of your personal information has changed. If you wish to make any changes to your personal information, you may contact us. We will generally rely on you to ensure the information we hold about you is accurate or complete. In addition, we may review and update your Know Your Client (KYC) information as part of our ongoing client due diligence obligations under the AML/CTF Act.
If any of the personal information we hold about you is incorrect, inaccurate or out of date, you may request that we correct the information. If appropriate, we will correct the personal information at the time of the request. Otherwise, we will usually provide an initial response to you within seven days of receiving your request. Usually, we will provide you with details about whether we have corrected the personal information within 30 days.
We may need to consult with other entities to respond to your request. If we refuse to correct your personal information, we will provide you with our reasons for not correcting the information.
If you are dissatisfied with how we have dealt with your personal information, or you have a complaint about our compliance with the Privacy Act, please contact us on the details below. We will usually acknowledge your complaint within seven days, and provide you with a substantive response to your complaint within 30 days.
If you are dissatisfied with our response, you may make a complaint with the Office of the Australian Information Commissioner (OAIC) at enquiries@oaic.gov.au or on 1300 363 992. Further information is available on the OAIC’s website at https://www.oaic.gov.au/.
Where we engage a third party to handle your personal information (for example, to assist with client due diligence or to provide client management systems), we will take steps to ensure the third party is aware of its obligations under the Privacy Act and that the contractual arrangements cover how personal information will be handled.
Before entering into a contract with a third party, we will review the terms of the agreement to understand how personal information is collected, handled and stored, and satisfy ourselves that the third party has appropriate processes in place to protect personal information. This may include reviewing the third party’s privacy policy, information security policy and data breach response plan, and conducting due diligence on past security incidents. We include terms in our contracts that impose specific obligations on service providers about the handling of personal information and mechanisms to ensure those obligations are fulfilled.
We conduct periodic reviews of the personal information handling requirements of our third party arrangements and keep detailed records to maintain an audit trail and ensure we know what personal information a third party holds on our behalf. Where a third party is located overseas, we may be held accountable for that third party’s handling of personal information in accordance with APP 8.
You may request further information about the way we manage your personal information by contacting us on the details below.
We regularly review all of our policies and attempt to keep up to date with market expectations. Technology is constantly changing, as are the law and marketplace practices.
As a consequence, we may change this privacy policy from time to time.
This version of this privacy policy is dated 7 April 2026.
Contact details:
MS-PrivacyOfficer@gadens.com | +61 3 9252 2555
Level 13, Collins Arch
447 Collins Street
Melbourne VIC 3000
GPO Box 48
Melbourne VIC 3000