1

PRIVACY POLICY

Last updated 10 August 2018

We treat personal data provided to us with respect and integrity. Respect and integrity form part of our core values, which are the foundation for the conduct of our business in all parts of the globe. We are committed to protecting your privacy and it is important that you understand how we look after your personal data and how we make sure that we meet our legal obligations to you under Australian data protection rules (including associated guidance) (the “Data Protection Laws“). This Privacy Policy outlines how we will use, store and share your personal data and supplements any fair processing notice provided to you.

This privacy policy applies globally to CHC (St Louis) Pty Ltd. ABN 20 117 455 973 at 10 Albert St, Claremont, WA, 6010, Australia, and its related companies (the ‘CHC (St Louis) Group’, ‘we’, ‘our’ or ‘us’) and the personal data that we collect online through your use of our website www.stlouisestate.com.au. including all country-specific websites and any other website operated by any member of the CHC (St Louis) Pty Ltd., (“website”), online systems or offline through your interactions with us.

As a global organisation the CHC Group regularly handles and transfers “personal data” (being information which is capable of identifying an individual) between CHC Group companies, including between CHC Group companies operating in different countries. Many of our developments are delivered by the CHC

Group companies working together, sometimes through a joint venture vehicle such as a limited liability partnership. In such cases, any personal data submitted to or otherwise collected by this website which is related to those developments is collected by all of these organisations working together. Each of these organisations is a data controller in respect of the use it makes of this information and each has agreed to comply with this Privacy Policy.

In this Privacy Policy, the terms ‘we’, ‘our’ or ‘us’ are used to refer to the data controller primarily responsible for your personal information. Who the data controller is depends on where you are based, and the information is provided as set out below.

WHAT DO WE COLLECT, WHAT DO WE DO WITH IT AND WHY?

Information collected

Who from?

                  Purpose/ lawful basis

  Who is it shared with?

Contact details (name, address, Email address, Phone number, fax number, correspondence)

You (the data subject)

General enquiry – in our

legitimate interests to process the information to respond to your

enquiry

      The CHC               Group

Contact details (name, address, Email address, Phone number, fax number, correspondence)

You (the data

subject)

To register your interest in a residential property or make a reservation – to take steps at your request to enter into a contract with you

      The CHC              Group

2

Financial information

You (the data subject)

When you make a reservation and when you purchase a property –

for the performance of our contract with you

         The CHC Group and its legal                      and sales advisors

Contact details (name, address, Email address, Phone number), marketing preferences

You (the data

subject)

To sign up to our newsletter/ marketing or shopping centre Wi-Fi – this is in our legitimate interests, but to comply with marketing rules, we will ask you for your consent to electronic marketing

                   The CHC Group

Contact Details (name, address, email address, phone number, fax number, warranty information, contract, account information, Defect notification(s), correspondence)

You (the data subject), contractors/

sub

contractors where maintenance/ support provided (e.g. defects)

To manage your purchase/our contractual relationship – for the performance of our contract with you

Contractors/sub-contractors to remedy defects, the CHC Group, our Customer Relationship Management System provider.

3

Call recording

    Our phone           system

For training and monitoring purposes – for our legitimate business interests

                   The CHC Group

CCTV images

    Our CCTV         cameras

For crime prevention and public safety – for our legitimate business interests

The CHC Group and its property and security managers and law enforcement agencies

Job applications (CHC)

(CV information, contact details (name, address, phone number, email address), references, correspondence)

   Workday (external website),you

(the data subject)

To review and interview job candidates – for our legitimate business interests

The CHC Group, recruitment contractors

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.

At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non- identifiable way for statistical analysis and business planning.

4

Some examples of customer data retention periods:

Homeowners

When you purchase a home from us, we’ll keep the personal data you give us for twelve years, so we can comply with our legal and contractual obligations.

Inactive customers

If you’ve not used your account for more than five years, it will be flagged as inactive and we’ll contact you to ask whether you want to keep it open. Unless you reply to say ‘yes’, we’ll close the account and delete or anonymise the personal data associated with it.Where we say above that we collect your information on the basis of our legitimate business interests, we are required to carry out a balancing test of these interests against your interests and rights under the Data Protection Laws. As a result of our balancing test, which is detailed below, we have determined, acting reasonably and considering the circumstances, that we are able to process your personal data in accordance with the Data Protection Laws on the basis that we have a legitimate business interest.

5

Special Categories of personal data

Where we process any special categories of personal data (e.g. diversity, medical, biometric information), we will separately ask for explicit consent, if this is required by law.

In this case, you have the right to withdraw your consent to this processing at any time.

In some circumstances, we may have another lawful reason to collect such special categories of personal data, in which case we will inform you of this prior to the processing taking place.

OTHER DISCLOSURES OF YOUR PERSONAL DATA?

We may disclose your personal information to any member of the CHC Group, which means our subsidiaries, our ultimate holding company and its associated entities as defined by the Corporations Act 2001 (Cth) (“CHC Group”).

6

We will disclose your personal information to third parties, as set out above and:

  • to our professional advisors (including without limitation tax, legal or other corporate advisors who provide professional services to the CHC Group);
  • to other third-party suppliers for business administration or IT purposes;
  • in the event, or in connection with, a merger or sale involving all or part of the CHC Group or as part of a corporate re-organisation or share sale or other change in corporate control to any prospective sellers or buyers of such business or assets;
  • in the event of any insolvency situation (e.g. the administration or liquidation) of CHC Group or any of its group entities;
  • if we, or any member of the CHC Group, or substantially all of its assets, are acquired by a third party, in which case personal data held by us about our customers and/or employees may be one of the transferred assets; in order to enforce or apply our website terms of use;
  • to protect the rights, property, or safety of us, our staff, our customers, or others. This includes exchanging information with other companies and organisations (including without limitation the local police or other local law enforcement agencies or regulatory bodies) for the purposes of staff and customer safety, crime prevention, fraud protection and credit risk reduction; and/or
  • if we are under a duty to disclose or share your personal

7

data in order to comply with any legal obligation or regulatory requirements, or otherwise for the prevention or detection of fraud or crime.

We may disclose, use and/or aggregate, anonymous information about you for marketing, advertising, research, compliance, or other purposes.

DO WE DISCLOSE PERSONAL DATA TO THIRD COUNTRIES?

We may transfer personal information to countries other than the country in which the data was originally collected. These countries may not have the same data protection laws as the country in which you initially provided the information and may not provide the same level of protection.

Where your information is processed by or shared between the CHC Group, your information is likely to be transferred to or from Australia and the United States for the purposes set out above.

8

Where your information is transferred to a third party (for example our Customer Relationship Management system provider) this is also likely to be transferred to a third country, namely the United States.

Where your personal data is collected within the European Economic Area (“EEA”), it will only be transferred outside of the EEA where an adequate level of protection for your rights as a data subject can be ensured, and where the transfer is otherwise in accordance with relevant data protection laws, including by incorporating standard clauses approved by the European Commission in our agreements. A copy of these can be found at: http://eur-lex.europa.eu/

Search = CELEX:32010D0087

WHAT DO WE DO TO HELP PROTECT PERSONAL DATA?

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

We, and our external service providers, take reasonable steps to protect personal data from misuse, interference or loss and

9

unauthorised access, modification and disclosure with appropriate safeguards and security measures and restrict access to those who have a legitimate business purpose and reason for accessing it. We store most data about you in computer systems and databases operated by either us or our external service providers. However, safeguards and security measures apply to personal data in both electronic and hard copy form.

Personal data is only retained for as long as it is necessary for the identified purposes, to the extent necessary for purposes reasonably related to those identified purposes (for example, resolving disputes) or as required by law, in accordance with the periods set out above.

WHAT RIGHTS DO YOU HAVE?

You have a number of rights under the Data Protection Laws in relation to the way we process your personal data, which are set out below. You may contact us using the details set out below to exercise any of these rights. We will respond to your request within one month.

In some instances, we may be unable to carry out your request, in which case we will write to you (again, within one month) to explain why.

10

4. You have the right to ask us to restrict or block the processing of your personal data

You have the right to ask us to restrict or block the processing of your personal data that we hold about you. This right applies where you believe the personal data is not accurate, you would rather we block the processing of your personal data rather than erase your personal data, where we don’t need to use your personal data for the purpose we collected it for but may require it to establish, exercise or defend legal claims.

5. You have the right to port your personal data

You have the right to obtain your personal data from us and use it for your own purposes across different services. This allows you to move personal data easily to another organisation, or to request us to do this for you.

13

6. You have the right to object to our processing of your personal data

You have the right to object to our processing of your personal data where we process your data on the basis of our legitimate business interests, unless we are able to demonstrate that, on balance, our legitimate interests override your rights or we need to continue processing your personal data for the establishment, exercise or defence of legal claims.

7. You have the right not to be subject to automated decisions

You have the right to object to any automated decision making, including profiling, where the decision has a legal or significant

impact on you.

8. You have the right to withdraw your consent

You have the right to withdraw your consent to our processing of personal data, if consent was the mechanism we used to collect it.

HAVE A PRIVACY ENQUIRY?

If you have any enquiries regarding this Privacy Policy, wish to exercise your rights in respect of your personal data or wish to make a complaint in relation to how the CHC Group has handled your personal data, you should contact us at:

ATTN: CEO, CHC (St Louis)

10 Albert St, Claremont,

14

Western Australia, 6010, Australia

We aim to resolve all enquiries promptly and in accordance with Data Protection Laws.

We will always aim to address your concerns if you have any and would encourage you to contact us at the address above.You can also contact the relevant data protection/ supervisory authority in your jurisdiction. For the purposes of the Data Protection Laws, our lead supervisory authority is the CEO, who can be contacted at 10 Albert St, Claremont, WA, 6010, Australia, or at www.stlouisestate.com.au

Sole traders, partnerships and businesses

Where we are engaged with you as a sole trader, partnership or business that you represent or are employed/ contracted by and this involves the collection and use of your personal data by us, this will be done in accordance with the relevant parts of this Privacy Policy.

Other websites

Our website may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies or your use of those websites.

15

CHANGES TO THIS POLICY

From time to time, we may change our policy on how we deal with personal data or the types of personal data which we hold. We will take all measures necessary to communicate any changes to this Privacy Policy to you and any updated version of this Privacy Policy will be published on this page. You may obtain a copy of our current policy from our website or by contacting us at the contact details above.

In the event of any conflict between the English language version of this Privacy Policy and other language versions, the

English language version will prevail.