Carma Limited (ACN 648 091 418) and all related entities in the Carma Group (“Carma”)
Dated: 16 October 2025
Adopted by the Board on: 16 October 2025
In this policy, "we," "us" and "our" refers to Carma and its subsidiaries.
We are committed to the protection of your Personal Information in accordance with the Australian Privacy Principles set out in the Privacy Act 1988 (Cth) ("Privacy Act").
This policy explains how and why we collect, use, hold and disclose your Personal Information.
This policy applies to all Personal Information collected by us. We may, from time to time, review and update this Privacy Policy including to take into account new laws, regulations and technology. All Personal Information held by us will be governed by this Privacy Policy as updated from time to time which will be posted on our website (https://carma.com.au/privacy-policy) ("Website").
You consent to us collecting, holding, using, and disclosing your Personal Information in accordance with this policy.
Personal Information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion may be Personal Information regardless of whether it is true.
'Sensitive information' is a special category of Personal Information. Sensitive information includes information about an individual’s racial or ethnic origin; political, religious, or philosophical beliefs; political, trade or professional memberships; sexual orientation or practices; criminal record; health information; genetic information; and biometric information that is used for the purpose of automated biometric verification or identification, and biometric templates.
The Personal Information we collect and hold includes, but is not limited to:
(“Personal Information”).
We collect Personal Information through various means, including but not limited to the following:
If you interact with us via a social media platform you agree to allow us to receive information about you from the social media platform, which may include your Personal Information (if you directly communicate with us via the social media platform), information about your visits and interaction with our website.
We may also collect Personal Information about you from third parties. For example, if you link, connect or log in to our platform with a third-party service (e.g. Google, Meta, Facebook etc) then you direct the service to send us information about you such as your profile information, your registration or friends list, and your interactions with our services. We may also collect information about you from service providers, referral partners and publicly available sources where it is unreasonable or impracticable to collect the information directly from you.
We collect sensitive information and we will only collect sensitive information about you with your consent (unless we are otherwise required or authorised by or under law to do so). We only collect sensitive information where it is reasonably necessary for recruitment purposes (for example, criminal records, health information and biometric information).
If you provide us with Personal Information about another person, please make sure that you tell them about this Privacy Policy and that you have their permission to share their information with us.
Where it is lawful and practicable, you may interact with us by using a pseudonym (for example, when making a general enquiry). However, for many of our functions and activities such as processing a vehicle purchase, arranging insurance, or fulfilling warranty obligations we need your identifying information and cannot provide those products or services without it.
We use cookies on our website. A cookie is a small text file that the website may place on your device to store information. We may use persistent cookies (which remain on your computer even after you close your browser) to store information that may speed up your use of our website for any of your future visits to the website. We may also use session cookies (which no longer remain after you end your browsing session) to help manage the display and presentation of information on the website. You may refuse to use cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of the website. We may collect information about how you access, use, and interact with the website.
We also use a range of other tools such as Google Analytics and Mouseflow to collect information about how you use, access, and interact with our website. This information may include:
You can opt out of having your activity on the website available to Google Analytics by installing the Google Analytics opt-out browser add-on, which you can find here: https://tools.google.com/dlpage/gaoptout/.
The add-on prevents Google Analytics Javascript from sharing information with the Google Analytics about website visit activities. For more information on the privacy practices of Google, please visit the Google Privacy & Terms webpage: https://policies.google.com/privacy.
We may combine information collected via cookies and analytics tools with other Personal Information we hold about you to better understand your preferences and improve our products and services.
We collect, hold, and use your Personal Information so that we can:
If you do not provide us with your Personal Information, we may not be able to provide you with our products, communicate with you, consider you for jobs with us or respond to your enquiries.
We store most information about you in computer systems and databases (including cloud service providers) operated by either us or our external service providers. Some information about you is recorded in paper files that we store securely.
We implement and maintain processes and security measures to protect the Personal Information that we hold from misuse, interference, or loss, and from unauthorised access, modification, or disclosure.
These processes and systems include:
We will also take reasonable steps to destroy or de-identify Personal Information once we no longer require it for the purposes for which it was collected or for any secondary purpose permitted under the APPs. Where destruction is not possible (for example, due to backup or archival systems), we will securely store the information and restrict access until it can be destroyed.
We may store Personal Information with third party storage providers.
We may transfer or disclose your Personal Information to our related companies.
We may disclose Personal Information to external service providers so that they may perform services for us or on our behalf. For example, we may use a third-party provider to undertake recruitment related criminal history and medical checks on our behalf.
We may also disclose your Personal Information to third parties that we consider may have products or services which may be of interest to you. These third parties may include, but are not limited to, finance, insurance and roadside assistance companies such as:
We require our service providers to handle Personal Information in accordance with applicable privacy laws and only for the purposes of providing services to us.
We may also disclose your Personal Information to others where:
If the ownership or control of all or part of our business changes, we may transfer your Personal Information to the new owner.
We may disclose your Personal Information to recipients which are located outside Australia.
Those recipients are likely to be in Indonesia, Vietnam and the United States of America, and on occasion other countries where our service providers or their support teams are located.
We will use your Personal Information to offer you products we believe may interest you, but we will not do so if you tell us not to. These products may be offered by us, our related companies, our other business partners, or our service providers.
Where you receive electronic marketing communications from us, you may opt out of receiving further marketing communications by following the opt-out instructions provided in the communication.
We will keep your Personal Information only for as long as required for our business purposes and otherwise as required by Australian law or court/tribunal order.
Where we no longer need to keep your Personal Information, we will take reasonable steps to destroy or de-identify your Personal Information.
If you wish to have your Personal Information destroyed or de-identified, please let us know and we will take reasonable steps to do so (unless we need to keep it for legal, auditing or internal risk management reasons).
You may access or request correction of the Personal Information that we hold about you by contacting us directly. Our contact details are set out below. Please understand there are some circumstances in which we are not required to give you access to your Personal Information, but we will advise you if these circumstances apply to your request.
There is no charge for requesting access to your Personal Information, but we may require you to meet our reasonable costs in providing you with access (such as photocopying costs or costs for time spent on collating large amounts of material).
We will respond to your requests to access or correct Personal Information in a reasonable time and will take all reasonable steps to ensure that the Personal Information we hold about you remains accurate, up-to date and correct. However, with a client portal you can also access and correct some of your Personal Information that we hold about you. When you request a correction, if we do not agree that the information is incorrect, we will take reasonable steps to associate a statement with the information that you believe the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If you are a security holder in Carma, the Australian taxation legislation and the Corporations Act require Personal Information about you, including your name, address and details about your Shares, to be included on the share register. Your Personal Information held on the share register must be accessible to the public under the Corporations Act and will continue to be included on the share register where you cease to be a security holder. Your Personal Information may also be used from time to time and disclosed for purposes relating to your investment to our agents and service providers we may engage with in connection with the ordinary conduct of its operations, persons inspecting the register, bidders for your securities in the context of takeovers, regulatory bodies, including the Australian Taxation Office, the ASX Limited, authorised securities brokers, legal and accounting firms, auditors and other advisers for the purpose of advising on the Shares, print service providers, mail houses, the Share Registry or as otherwise required under the Privacy Act 1988 (Cth).
If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your Personal Information, you should contact us. Our contact details are set out below.
We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation and any subsequent internal investigation.
If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au) for guidance on alternative courses of action which may be available. If applicable, you may also have the right to complain to a recognised external dispute resolution scheme.
If you have any questions, comments, requests, or concerns, please contact us at: privacy@carma.com.au or +61 2 8319 3210.
From time to time, we may change our policy on how we handle Personal Information or the types of Personal Information which we hold. Any changes to our policy will be published on our website.
You may obtain a copy of our current policy from our website or by contacting us at the contact details above.
Last update: 16th October 2025