Carma Limited (ACN 648 091 418) and all related entities in the Carma Group (“Carma”)

Dated: 16 October 2025

Adopted by the Board on: 16 October 2025

1. Privacy policy

In this policy, "we," "us" and "our" refers to Carma and its subsidiaries.

We are committed to the protection of your Personal Information in accordance with the Australian Privacy Principles set out in the Privacy Act 1988 (Cth) ("Privacy Act").

This policy explains how and why we collect, use, hold and disclose your Personal Information.

This policy applies to all Personal Information collected by us. We may, from time to time, review and update this Privacy Policy including to take into account new laws, regulations and technology. All Personal Information held by us will be governed by this Privacy Policy as updated from time to time which will be posted on our website (https://carma.com.au/privacy-policy) ("Website").

You consent to us collecting, holding, using, and disclosing your Personal Information in accordance with this policy.

2. What is Personal Information?

Personal Information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion may be Personal Information regardless of whether it is true.

'Sensitive information' is a special category of Personal Information. Sensitive information includes information about an individual’s racial or ethnic origin; political, religious, or philosophical beliefs; political, trade or professional memberships; sexual orientation or practices; criminal record; health information; genetic information; and biometric information that is used for the purpose of automated biometric verification or identification, and biometric templates.

3. What Personal Information do we collect and hold?

The Personal Information we collect and hold includes, but is not limited to:

• name;
• contact information (e.g. email address, phone number);
• employment history (if you apply for a job with us);
• your history of purchases;
• date of birth;
• postal address;
• payment information; and
• other information you provide to us voluntarily, which may include driver licence details, government identifiers, and information about your preferences and interactions with our websites and advertising.

(“Personal Information”).

We collect Personal Information through various means, including but not limited to the following:

• when you register an account with us;
• when you place an order or make a purchase;
• when you engage our services;
• when you apply for external finance arranged through one of our preferred partners, and we provide your Personal Information to the relevant preferred finance partner;
• when you participate in surveys, competitions or promotions;
• when you contact us (for example, if you call us, send us an email or interact with us via social media such as Facebook, Tik Tok, Instagram, Twitter and Snapchat);
• when you interact with our website and marketing campaigns;
• when you interact with our online ads on Google, Bing or social media; and
• when you apply for a job with us.

If you interact with us via a social media platform you agree to allow us to receive information about you from the social media platform, which may include your Personal Information (if you directly communicate with us via the social media platform), information about your visits and interaction with our website.

We may also collect Personal Information about you from third parties. For example, if you link, connect or log in to our platform with a third-party service (e.g. Google, Meta, Facebook etc) then you direct the service to send us information about you such as your profile information, your registration or friends list, and your interactions with our services. We may also collect information about you from service providers, referral partners and publicly available sources where it is unreasonable or impracticable to collect the information directly from you.

We collect sensitive information and we will only collect sensitive information about you with your consent (unless we are otherwise required or authorised by or under law to do so). We only collect sensitive information where it is reasonably necessary for recruitment purposes (for example, criminal records, health information and biometric information).

If you provide us with Personal Information about another person, please make sure that you tell them about this Privacy Policy and that you have their permission to share their information with us.

Where it is lawful and practicable, you may interact with us by using a pseudonym (for example, when making a general enquiry). However, for many of our functions and activities such as processing a vehicle purchase, arranging insurance, or fulfilling warranty obligations we need your identifying information and cannot provide those products or services without it.

4. Cookies and similar technology

We use cookies on our website. A cookie is a small text file that the website may place on your device to store information. We may use persistent cookies (which remain on your computer even after you close your browser) to store information that may speed up your use of our website for any of your future visits to the website. We may also use session cookies (which no longer remain after you end your browsing session) to help manage the display and presentation of information on the website. You may refuse to use cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of the website. We may collect information about how you access, use, and interact with the website.

We also use a range of other tools such as Google Analytics and Mouseflow to collect information about how you use, access, and interact with our website. This information may include:

• the location from which you have come to the site and the pages you have visited;
• technical data, which may include IP address, the types of devices you are using to access the website, device attributes, browser type, language, and operating system; and
• data collected with Google Analytics is shared with other Google services. Google may use the data to contextualise and personalise the ads on its own advertising network.

You can opt out of having your activity on the website available to Google Analytics by installing the Google Analytics opt-out browser add-on, which you can find here: https://tools.google.com/dlpage/gaoptout/.

The add-on prevents Google Analytics Javascript from sharing information with the Google Analytics about website visit activities. For more information on the privacy practices of Google, please visit the Google Privacy & Terms webpage: https://policies.google.com/privacy.

We may combine information collected via cookies and analytics tools with other Personal Information we hold about you to better understand your preferences and improve our products and services.

5. Why do we collect, hold and use your Personal Information?

We collect, hold, and use your Personal Information so that we can:

• provide you with products or services, and manage our relationship with you;
• contact you, for example, to respond to your queries or complaints, or if we need to tell you something important;
• determine your eligibility to receive finance arranged through one of our preferred partners, which includes collecting relevant information required by the financier, conducting serviceability checks using their tools, and assessing whether you meet their minimum eligibility criteria (which can include age, credit score, employment type and history);
• comply with our legal obligations and assist government and law enforcement agencies or regulators;
• identify and tell you about other products or services that we think may be of interest to you;
• consider you for jobs that you apply for with us; and
• operate and improve our business (including our website, products and services).

If you do not provide us with your Personal Information, we may not be able to provide you with our products, communicate with you, consider you for jobs with us or respond to your enquiries.

6. How do we store and hold Personal Information

We store most information about you in computer systems and databases (including cloud service providers) operated by either us or our external service providers. Some information about you is recorded in paper files that we store securely.

We implement and maintain processes and security measures to protect the Personal Information that we hold from misuse, interference, or loss, and from unauthorised access, modification, or disclosure.

These processes and systems include:

• the use of identity and access management technologies to control access to systems on which information is processed and stored;
• requiring all employees to comply with internal information security policies and keep information secure;
• requiring all employees to complete training about information security; and
• monitoring and regularly reviewing our practice against our own policies and industry best practice.

We will also take reasonable steps to destroy or de-identify Personal Information once we no longer require it for the purposes for which it was collected or for any secondary purpose permitted under the APPs. Where destruction is not possible (for example, due to backup or archival systems), we will securely store the information and restrict access until it can be destroyed.

We may store Personal Information with third party storage providers.

7. Who do we disclose your Personal Information to, and why?

We may transfer or disclose your Personal Information to our related companies.

We may disclose Personal Information to external service providers so that they may perform services for us or on our behalf. For example, we may use a third-party provider to undertake recruitment related criminal history and medical checks on our behalf.

We may also disclose your Personal Information to third parties that we consider may have products or services which may be of interest to you. These third parties may include, but are not limited to, finance, insurance and roadside assistance companies such as:

• Allied Retail Finance Pty Ltd trading as Automotive Finance - Australian Credit Licence No. 483211
• Plenti Finance Pty Limited and its servicer, Plenti RE Limited - Australian Credit Licence No. 449176
• Wisr Services Pty Ltd which provides rate estimates and other services as an agent for Wisr Finance Pty Ltd - Australian Credit Licence No. 458572
• Volkswagen Financial Services Australia Pty Ltd - Australian Credit Licence No. 389344
• Lodge IQ Pty Limited - Australian Credit Licence No. 510399
• Drive IQ Technology Pty Limited
• Harrier-National (Sales) Pty Ltd
• National Roadside Assist Pty Ltd
• National Roads and Motorists' Association Limited (NRMA)
• Compare The Market Pty Ltd - AFSL 422926

We require our service providers to handle Personal Information in accordance with applicable privacy laws and only for the purposes of providing services to us.

We may also disclose your Personal Information to others where:

• we are required or authorised by law to do so;
• you have consented to the disclosure, or the consent may be reasonably inferred from the circumstances; or
• we need to share it with data processors to operate our business and provide products to you.

If the ownership or control of all or part of our business changes, we may transfer your Personal Information to the new owner.

8. Do we disclose Personal Information to overseas recipients?

We may disclose your Personal Information to recipients which are located outside Australia.

Those recipients are likely to be in Indonesia, Vietnam and the United States of America, and on occasion other countries where our service providers or their support teams are located.

9. Do we disclose your Personal Information for marketing?

We will use your Personal Information to offer you products we believe may interest you, but we will not do so if you tell us not to. These products may be offered by us, our related companies, our other business partners, or our service providers.

Where you receive electronic marketing communications from us, you may opt out of receiving further marketing communications by following the opt-out instructions provided in the communication.

10. Request to delete your Personal Information

We will keep your Personal Information only for as long as required for our business purposes and otherwise as required by Australian law or court/tribunal order.

Where we no longer need to keep your Personal Information, we will take reasonable steps to destroy or de-identify your Personal Information.

If you wish to have your Personal Information destroyed or de-identified, please let us know and we will take reasonable steps to do so (unless we need to keep it for legal, auditing or internal risk management reasons).

11. Access to and correction of your Personal Information

You may access or request correction of the Personal Information that we hold about you by contacting us directly. Our contact details are set out below. Please understand there are some circumstances in which we are not required to give you access to your Personal Information, but we will advise you if these circumstances apply to your request.

There is no charge for requesting access to your Personal Information, but we may require you to meet our reasonable costs in providing you with access (such as photocopying costs or costs for time spent on collating large amounts of material).

We will respond to your requests to access or correct Personal Information in a reasonable time and will take all reasonable steps to ensure that the Personal Information we hold about you remains accurate, up-to date and correct. However, with a client portal you can also access and correct some of your Personal Information that we hold about you. When you request a correction, if we do not agree that the information is incorrect, we will take reasonable steps to associate a statement with the information that you believe the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

12. Security holders

If you are a security holder in Carma, the Australian taxation legislation and the Corporations Act require Personal Information about you, including your name, address and details about your Shares, to be included on the share register. Your Personal Information held on the share register must be accessible to the public under the Corporations Act and will continue to be included on the share register where you cease to be a security holder. Your Personal Information may also be used from time to time and disclosed for purposes relating to your investment to our agents and service providers we may engage with in connection with the ordinary conduct of its operations, persons inspecting the register, bidders for your securities in the context of takeovers, regulatory bodies, including the Australian Taxation Office, the ASX Limited, authorised securities brokers, legal and accounting firms, auditors and other advisers for the purpose of advising on the Shares, print service providers, mail houses, the Share Registry or as otherwise required under the Privacy Act 1988 (Cth).

13. Complaints

If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your Personal Information, you should contact us. Our contact details are set out below.

We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation and any subsequent internal investigation.

If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au) for guidance on alternative courses of action which may be available. If applicable, you may also have the right to complain to a recognised external dispute resolution scheme.

14. Contact details

If you have any questions, comments, requests, or concerns, please contact us at: privacy@carma.com.au or +61 2 8319 3210.

15. Changes to this policy

From time to time, we may change our policy on how we handle Personal Information or the types of Personal Information which we hold. Any changes to our policy will be published on our website.

You may obtain a copy of our current policy from our website or by contacting us at the contact details above.

---

Last update: 16th October 2025