Data Breach Notification Policy
Effective Date:
Jan 12, 2026
Effective date: 1 November 2025
Version: 1.0
Updated: 1 November 2025.
This Data Breach Notification Protocol (“Protocol”) describes how Reach Alternatives IM Pty Ltd t/a Reach Alts (ACN 657 758 006) (“we”, “us”, “our”) responds to and notifies data breaches and certain security incidents involving personal information and other information we hold.
This Protocol is published for transparency, to support our compliance with privacy and data protection laws that apply to us from time to time (which may include the Privacy Act 1988 (Cth) and, where applicable, the Notifiable Data Breaches (NDB) scheme).
This Protocol is a general description of our practices and is not intended to create legal obligations that do not already apply to us under applicable law or our contracts.
We may update this Protocol from time to time. The current version is always available at this page.
1. Scope of this Protocol
1.1 This Protocol applies to:
(a) Personal information we handle in connection with:
(1) Our products and services (including any funds, platforms or portals we operate); and
(2) Services we provide to or receive from third parties (for example, technology, platform, custody, payment or account service providers); and
(b) Other information that may reasonably be treated as confidential or sensitive.
1.2 This Protocol describes how we respond. It does not limit any additional obligations that may apply under:
(a) Specific contracts we enter into with clients, counterparties or service providers; or
(b) Applicable laws or regulatory requirements.
1.3 If there is any inconsistency between this Protocol and a written contract, that contract will prevail to the extent of the inconsistency.
2. What is a Data Breach?
2.1 For the purposes of this Protocol, a data breach is any of the following involving personal information or other information we hold:
(a) Unauthorised access – for example, an external attacker or an internal user accessing information they are not permitted to see;
(b) Unauthorised disclosure – for example, information sent to the wrong recipient; or
(c) Loss of information – for example, loss of an unencrypted laptop or storage device.
2.2 A subset of data breaches will be “eligible data breaches” under the NDB scheme – those that are likely to result in serious harm to one or more individuals.
2.3 We also treat certain security incidents (such as suspected compromises of accounts or systems) with the same level of urgency while we investigate whether a data breach has occurred.
3. Our Response to Suspected or Actual Data Breaches
3.1 When we become aware of a suspected or actual data breach, we will take reasonable steps to:
(a) Contain the incident
(1) Take immediate action to stop unauthorised access, disclosure or loss (for example, suspending accounts, isolating affected systems, disabling credentials).
(b) Assess what has occurred
(1) Investigate the cause, scope and impact of the incident;
(2) Identify what types of information are involved, and how many individuals may be affected;
(3) Consider whether the information was protected (for example, encrypted) and the likelihood of misuse.
(c) Mitigate the risk of harm
(1) Implement technical and organisational measures to secure affected systems and prevent recurrence;
(2) Support affected individuals or clients as appropriate (for example, recommending password resets or enhanced monitoring).
(d) Document our actions
(1) Keep internal records of the incident, our assessment and any notifications we make.
4. When We Will Notify Individuals and Regulators
4.1 Where applicable law (which may include, where it applies to us, the NDB scheme) requires us to notify a regulator and/or affected individuals, we will do so as soon as reasonably practicable.
4.2 Our notifications will generally describe:
(a) What we know about the incident (to the extent we can reasonably share this);
(b) The types of information involved;
(c) The steps we have taken, or plan to take, in response; and
(d) Practical steps individuals can take to protect themselves.
4.3 In some cases we may choose to notify affected individuals or clients even where the NDB scheme does not strictly require notification and we are not otherwise legally required to do so.
4.4 Where direct notification to each individual is not practicable, we may instead publish a notice on our website and take reasonable steps to publicise it.
5. Incidents Involving Third-Party Service Providers
5.1 We work with a range of third-party service providers (for example, technology platforms, data hosts, custodians, payment and account service providers).
5.2 Where an incident involves or may involve a third-party provider:
(a) We will work with that provider to investigate and respond to the incident;
(b) We will follow any legal and contractual requirements we have to notify them of incidents and to cooperate with their investigations; and
(c) We will coordinate communications so that:
(1) Affected individuals receive clear and consistent information; and
(2) It is clear which terms and conditions, and which entity, apply to which aspect of any affected service.
5.3 In some cases, a third-party provider may also contact you directly about an incident involving services they provide.
6. Incidents Where We Act as a Service Provider
6.1 In some situations, we handle information on behalf of another organisation (for example, where we act as a service provider to a platform, adviser group, institutional client, or similar).
6.2 Where that is the case:
(a) We will generally notify our client/partner organisation in accordance with our contract with them and applicable law; and
(b) That organisation may be responsible for notifying affected individuals and/or regulators, and for providing you with information and support.
6.3 We will cooperate with our client/partner to help them meet their obligations, including by providing information about the incident, its impact and remediation steps.
7. How You Can Help Protect Your Information
7.1 You can reduce the risk of harm by:
(a) Using strong, unique passwords and enabling multi-factor authentication where available;
(b) Keeping your devices, browsers and software up to date;
(c) Treating unsolicited emails, messages and calls with caution, especially where they request personal or financial information or ask you to click on links;
(d) Contacting us promptly if you become aware of suspicious activity involving any account or service connected with us.
7.2 If we notify you of an incident, we may recommend additional steps tailored to the circumstances (for example, monitoring your accounts, changing passwords, or contacting your bank).
8. Contact Details
8.1 If you have any questions about this Protocol or are concerned about a possible data breach involving information we hold, you can contact us:
(a) Email: contact@reachalts.com.au
(b) Phone: +61 (2) 9000 5060
(c) Postal address: Level 1 / 39 Martin Place, Sydney, NSW 2000, Australia
You can find more information about your privacy rights and the NDB scheme on the OAIC website.
