Privacy Policy

BLACK BOX CO | BASE PAIR GENOMICS

PRIVACY POLICY

Effective date: 16 June 2026 (version 2.0, replacing the August 2023 policy)

Applies to: Black Box Trading Company Pty Ltd (ACN 645 397 342) and Acubilar Pty Ltd trading as Base Pair Genomics (ACN 668 971 613), and their related entities

Owner: Privacy Officer, privacy@blackboxco.com.au

Next review: June 2027, or earlier on a change of law or practice

1. Overview and consent

We are Black Box Trading Company Pty Ltd (ACN 645 397 342), trading as Black Box Co, and our related company Acubilar Pty Ltd (ACN 668 971 613), trading as Base Pair Genomics (together, we, us and our). We are committed to respecting your privacy.

This policy explains how we collect, use, hold and disclose personal information when you use our websites, our applications and our products and services, including our livestock analytics platform and our genomic testing and breeding-value services. By using our Services you agree to the collection and use of information in accordance with this policy.

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Although a business with annual turnover under $3 million may be exempt from the Privacy Act, we have chosen to comply with the APPs as a matter of good practice and because we promise our customers we will.

2. Key terms

Services means our websites (including blackboxco.com.au and the Base Pair Genomics website), our applications (including app.blackboxco.com.au), and our products and services however provided, including physical sample testing.

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable. Sensitive information is a subset that includes health and genetic information about a person, and attracts higher protection.

Genomic and animal data means DNA and SNP data, genotype calls, phenotype and production records, and breeding values, that relate to animals. This is generally not personal information (see section 5).

Usage data is information collected automatically through your use of the Services or the infrastructure behind them.

Cookies are small files stored on your device when you visit our websites. See our Cookie Policy for detail (link at the end of this policy).

3. About this policy

This policy is a compliance document required by law, not a contract. Our website terms require you to have read and understood it. Australian privacy law applies to us as the Australian business collecting the information, regardless of where you are located. This policy is designed to meet the APPs in the Privacy Act 1988 (Cth) and the consent requirements of the Spam Act 2003 (Cth).

Recent reforms. The Privacy Act has been strengthened, including substantially increased penalties for serious or repeated interferences with privacy and a statutory right of action for serious invasions of privacy. We keep our practices under review as further reforms take effect.

4. Personal information we collect

When you use our Services, particularly when you create an account, we may ask for personal information that can be used to contact or identify you. This may include, but is not limited to:

- Name, business or trading name - to identify you and provide the Services

- Postal and property address - to provide the Services and locate animals or properties where relevant

- Email address and phone number - to provide the Services and contact you

- Account and login credentials - to give you secure access to our platforms

- Billing and payment details (including card or bank details) - to process payments and meet tax and record-keeping obligations

- Date of birth - to verify age (employees only)

- Employee and contractor records - collected if you apply for or hold a role with us

- IP address and approximate location - collected automatically by our website and analytics tools

- Genomic-to-farmer linkage data - the mapping that connects animal records to you as an identifiable customer or property (see section 5)

We collect only the personal information reasonably necessary for the purpose it is collected for, or for related purposes set out in this policy. We rely on this information being accurate, up to date, complete, relevant and not misleading.

5. Genomic, animal and linkage data

A large part of what we hold is animal data: DNA and SNP data, genotype calls, phenotype and production records, and the genomic breeding values we derive from them. Animal data is not, on its own, personal information under the Privacy Act, because the Act protects information about people, not animals.

Some data is different. The linkage that connects an animal's genomic or phenotype record to you as an identifiable farmer, account holder or property is personal information, because it makes the data about you and can indicate your location. We treat this linkage data as personal information under this policy and apply appropriate access controls and security to it.

Samples we test are animal samples (tissue and tail hair). We do not collect or process human genetic or biometric data. Rights to use the data you submit, including any commercialisation of de-identified and aggregated animal data, are governed by the End User Licence Agreement and its Genomic Data Consent, not by this policy.

6. Automated decision-making

Our Services use algorithms and statistical models to calculate genomic breeding values and other analytical outputs from animal data. These are decision-support tools about animals. Where any automated process uses your personal information in a way that could significantly affect you, we will be transparent about that use in line with current privacy-law requirements. You can contact our Privacy Officer for more information about how these tools work.

7. How we collect information

We collect information directly from you, and sometimes from third parties, when you register for, interact with or communicate about the Services, submit samples, take part in surveys or promotions, engage with our content or marketing, or enquire about or invest in our business. Where practicable we collect personal information directly from you, with your consent and by lawful means.

Cookies and tracking. We use cookies and similar technologies on our websites to operate the Services, remember your preferences, provide security and analyse use. You can set your browser to refuse cookies, though some features may not work. You may browse our public website without an account; if you create an account you must use your real name and details. Our Services do not currently respond to browser Do Not Track signals; if you do not wish to be tracked, contact us.

8. How we use information

We use the information we collect to:

- provide, operate, maintain, protect and improve the Services (to perform our contract with you);

- notify you about changes to the Services (our legitimate business interest);

- provide customer support and respond to your enquiries;

- process payments and administer your account;

- run surveys, promotions and events you choose to take part in;

- analyse and monitor how the Services are used so we can improve them;

- detect, prevent and address technical and security issues;

- send you service messages and, where you have consented, marketing about other products and services (you can opt out at any time);

- consider your application if you apply to work with us; and

- comply with our legal obligations and enforce our agreements.

9. How we disclose information

We may disclose personal information, for the purposes described in this policy, to: our staff and related companies; third-party suppliers and service providers who help us operate the Services and our business; professional advisers and agents; payment providers; existing or potential business partners; anyone to whom our business or assets are transferred; specific third parties you authorise; and government agencies, regulators or law enforcement where required or permitted by law.

We do not sell your personal information. Where we collaborate with a third party and you join a mailing list for that collaboration, your details may be shared only with that core third party, only for the marketing you consented to.

9.1 Business transactions

If we are involved in a merger, acquisition or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a different privacy policy.

10. Service providers we use

We use trusted service providers to deliver the Services. They may access personal information only to perform their functions for us. Our main service providers are:

- Zoho - CRM, support, billing and marketing - Australia

- Google Workspace - email, document storage and calendar - Australia

- Xero - accounting and invoicing - Australia

- Neogen Australasia - genotyping laboratory - Australia (Queensland)

- Helical - third-party genomic data platform - see section 11

- ShareFile - secure delivery of genomic reports - see section 11

- Squarespace - websites and enquiry forms - United States

- Google Analytics - website analytics - United States

- Linear - engineering and issue tracking - United States

11. Storage and overseas disclosure

We store personal information on servers and services located in Australia, including our Zoho and Google Workspace environments and our accounting records in Xero. Backups and cloud storage are held in Australia.

Some service providers are located overseas, mainly in the United States (for example Google Analytics, Squarespace and Linear). Where we disclose personal information to an overseas recipient, we take reasonable steps to ensure it is handled consistently with the APPs. By providing your information and using the Services, you consent to these overseas disclosures.

We hold personal information in electronic and, occasionally, hard-copy form, and take reasonable physical, administrative, personnel and technical steps to protect it against misuse, interference, loss and unauthorised access, modification or disclosure.

12. How long we keep information

We keep personal information only for as long as necessary for the purposes in this policy or as required by law. In particular:

- identified personal information is deleted within 90 days of the end of your service agreement, in line with our End User Licence Agreement, except where we must keep it for legal reasons;

- financial and tax records are kept for at least 7 years; and

- de-identified and aggregated animal data may be retained indefinitely as a business and research asset, because it no longer identifies you.

Usage data is generally kept for a shorter period, except where it is needed for security or to improve the Services, or where the law requires longer retention.

13. Marketing and communications

We try to obtain your express consent before sending marketing, using a consent request when you sign up for the Services or a newsletter, contact us, or download material. Every marketing email identifies us as the sender and includes an unsubscribe option, which we action within five business days. For information on Australian spam rules, see the Australian Communications and Media Authority at acma.gov.au.

14. Children

Our Services are not directed at anyone under 18, and we do not knowingly collect personal information from children. If we learn we have collected a child's personal information without parental consent, we take steps to delete it. If you believe a child has given us personal information, please contact us.

15. Data breaches

We maintain a Data Breach Response Plan. If a data breach involving your personal information is likely to result in serious harm, we will assess it and, where the Notifiable Data Breaches scheme requires, notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

16. Your rights and how to complain

Under the APPs you may request access to the personal information we hold about you, and ask us to correct it. To make a request, or to raise a privacy concern, contact our Privacy Officer using the details below. Our Privacy Officer will review your complaint and respond as soon as practicable.

If we cannot resolve your concern, you can complain to the OAIC at oaic.gov.au.

17. Changes to this policy

We may update this policy from time to time. We will post the updated policy on this page, update the effective date, and where appropriate let you know by email or a prominent notice. Please review this page periodically. Our related documents are:

- Privacy Policy: [insert URL]

- Cookie Policy: [insert URL - confirm this document exists]

- Terms of Use / EULA: [insert URL]

18. Contact us

If you have any questions about this policy, the information we hold, or you wish to exercise your rights, please contact us.

Company: Black Box Trading Company Pty Ltd (ACN 645 397 342)

Attention: Privacy Officer

Email: info@blackboxco.com.au

Phone: 0419 805 790

Postal: C/- Macpherson Kelley Lawyers, Level 16, 324 Queen Street, Brisbane QLD 4000, Australia

(c) Black Box Trading Company Pty Ltd and Acubilar Pty Ltd 2026.