Legal
Privacy Policy
Effective date: 21 April 2026
Plain Language Summary
This summary is provided to help you understand our practices at a glance. It does not replace the full policy below. If there is any inconsistency, the full policy prevails.
| What we do | What we don't do |
|---|---|
| Store your name, professional identifier, role, and status as an Authenticator | Store the content of any document you authenticate or verify |
| Store a unique cryptographic fingerprint (hash) of each authenticated document | Store biometric data or copies of your identity documents |
| Record who verified a document, when, and the result | Sell your personal data to any third parties |
| Keep your payment details with our payment processor (Stripe) | Use your data for advertising or profiling |
| Anchor Authentication Records permanently to the Hedera public ledger | Control what happens to records once anchored to the Hedera ledger |
Important: Authentication Records anchored to the Hedera Consensus Service are permanent and public. They contain only the unique cryptographic hash, your authenticated identity reference, and a timestamp — never any document or file content. These records cannot be deleted, including at your request.
1. About This Policy
1.1 Who We Are
This Privacy Policy is issued by Audrie Pty Ltd (ACN 695 896 363) of 265 Exhibition Street, Melbourne VIC 3000 (“Audrie”, “we”, “us”, “our”). Audrie operates the document authentication platform available at audrie.io and app.audrie.io (the “Platform”).
1.2 What This Policy Covers
This policy explains how Audrie collects, holds, uses, and discloses personal information in connection with the Platform. It applies to:
- Authenticators: individuals who register to issue Authentication Records through the Platform
- Verifiers: individuals who use the Platform to verify documents
- Organisation contacts: representatives of organisations that hold enterprise or pro subscriptions
- Website visitors: individuals who visit audrie.io without registering
1.3 Applicable Law
Audrie is an Australian company. This policy is designed to comply with:
- the Privacy Act 1988 (Cth) ("Privacy Act"), including the Australian Privacy Principles ("APPs") in Schedule 1
- the General Data Protection Regulation (EU) 2016/679 ("GDPR") to the extent it applies to our processing of personal data of individuals located in the European Economic Area, the United Kingdom, or other GDPR-applicable jurisdictions
Where this policy refers to obligations that apply only under GDPR (for example, lawful basis, data subject rights, or the role of Data Protection Officer), those provisions apply to individuals in GDPR-applicable jurisdictions and are identified clearly.
1.4 Our Role Under GDPR
For individuals in GDPR-applicable jurisdictions, Audrie acts as the data controller in respect of personal data processed through the Platform. Where we engage third parties to process data on our behalf, those parties act as data processors under contracts that meet the requirements of GDPR Article 28.
2. Information We Collect and How We Collect It
Audrie's data model is intentionally minimal. We collect and store only what is necessary to operate the Platform and provide the authentication and verification services it delivers. The categories below represent the totality of personal information we hold.
2.1 Authenticator Account Data
When an individual registers as an Authenticator, we collect and store:
- Full legal name
- Email address
- Mobile phone number (collected during onboarding; used for account communications and SSO)
- Professional identifier (e.g., company director ID, solicitor's practising certificate number, CPA membership number)
- Role type (director, company secretary, lawyer, accountant, or other authorised role)
- Linked organisation name and company registration number (e.g., ACN, ABN, or equivalent in other jurisdictions)
- Onboarding tier (Enterprise Verified or Standard)
- Account status (active, suspended, or revoked)
- Date of account creation and date of most recent re-identification
We do not store copies of government-issued identity documents or biometric data. Those are collected and retained by our identity verification provider, currently IDVerse (see Section 4.3).
2.2 Authentication Records
When an Authenticator issues an Authentication Record, we store:
- A cryptographic hash (SHA-256) of the document — a mathematical fingerprint that uniquely represents the document in its exact state at the time of authentication
- A reference to the Authenticator's identity (by internal identifier, not full name in the operational record)
- Timestamp of authentication
- Authentication type (self-authenticated, independently authenticated, or system-issued)
- Onboarding tier of the Authenticator at the time of authentication
We do not store the document itself or any portion of its content.
2.3 Verification Audit Trail
Each time a document is submitted for verification, we record:
- The email address provided by the Verifier
- The cryptographic hash of the document submitted
- Timestamp of the verification event
- Verification result returned (match or no-match, and if match: Authenticator identity, authentication date, and Authenticator status)
Where a Verifier is a returning user recognised by cookie, we record the same information.
2.4 Organisation Records
For organisations holding subscriptions, we store:
- Organisation legal name and company registration number
- Subscription tier, billing cycle, and status
- List of linked Authenticator accounts
- Billing contact name and email address
Payment card details are not stored by Audrie. They are held by our payments provider, currently Stripe (see Section 4.4).
2.5 Contact and Enquiry Data
If you contact us via the website's contact form or by email, we collect:
- Your name
- Email address
- Company name (if provided)
- Phone number (if provided)
- The content of your message
This information is used solely to respond to your enquiry and is not used for marketing without your separate consent.
2.6 Website Usage Data
When you visit audrie.io, we may collect standard technical data, including:
- IP address (stored in hashed, non-reversible form for abuse prevention purposes only)
- Browser type and version
- Pages visited and time spent
- Referring URL
We do not use persistent advertising cookies. We do not build behavioural profiles of website visitors. Any analytics tools we use are configured to minimise personal data collection.
2.7 Passkey and Authentication Session Data
Login and authentication actions are conducted via passkey (WebAuthn). We do not store the private key component of any passkey — that remains on your device. We store only the public key component associated with your registered passkey, for the purpose of verifying your identity when you log in or issue an Authentication Record.
3. How We Use Personal Information
3.1 Purposes of Use
We use personal information only for the following purposes:
- (a) Providing and operating the Platform: To create and manage Authenticator accounts; to process document authentication and verification requests; to generate Verification Certificates; to maintain the verification audit trail.
- (b) Identity verification and trust assurance: To verify the identity and authority of Authenticators during onboarding; to conduct annual re-identification; to display Authenticator identity and status on Verification Results.
- (c) Subscription management and billing: To manage subscriptions, process payments, and issue invoices. Payment processing is handled by Stripe on our behalf.
- (d) Platform security and integrity: To detect and prevent fraud, abuse, and unauthorised access; to investigate reports of misconduct; to manage revocation of Authenticator status where required.
- (e) Legal and regulatory compliance: To comply with applicable laws and regulations; to respond to lawful requests from courts, regulators, law enforcement, and professional bodies; to maintain records required under applicable law.
- (f) Communication and support: To respond to enquiries and support requests; to notify you of material changes to the Platform or this policy; to provide service-related communications.
- (g) Platform improvement: To analyse aggregate, anonymised usage patterns for the purpose of improving the Platform. We do not use identifiable personal data for this purpose.
3.2 Lawful Basis (GDPR)
For individuals in GDPR-applicable jurisdictions, we rely on the following lawful bases under GDPR Article 6:
| Purpose | Lawful Basis |
|---|---|
| Providing and operating the Platform | Article 6(1)(b): performance of a contract to which the data subject is party |
| Identity verification and trust assurance | Article 6(1)(b): performance of a contract; Article 6(1)(f): legitimate interests (maintaining the integrity of the authentication network) |
| Subscription management and billing | Article 6(1)(b): performance of a contract |
| Platform security and integrity | Article 6(1)(f): legitimate interests (preventing fraud and protecting the Platform and third parties) |
| Legal and regulatory compliance | Article 6(1)(c): compliance with a legal obligation |
| Communication and support | Article 6(1)(b): performance of a contract; Article 6(1)(f): legitimate interests |
| Platform improvement | Article 6(1)(f): legitimate interests (improving products and services using anonymised data only) |
3.3 Special Category Data (GDPR)
We do not store biometric data. Biometric data captured during the IDV process is held by our identity verification provider, currently IDVerse, and is not transmitted to or stored by Audrie. To the extent that the processing of identity documents by IDVerse on our behalf engages GDPR Article 9 (special categories of personal data), Audrie relies on Article 9(2)(g) (substantial public interest in preventing fraud) and Article 9(2)(b) (processing necessary for carrying out obligations in the field of employment and social security law, to the extent applicable) as the lawful basis.
3.4 No Sale, No Advertising
We do not sell personal information to any third party. We do not use personal information for advertising, marketing profiling, or any purpose other than those described in this policy.
4. Disclosure of Personal Information
4.1 Disclosure in Verification Results
When a document is successfully verified, the Platform returns a Verification Result that includes the Authenticator's name, role, linked organisation, Onboarding Tier, and current status (active or revoked). This information is disclosed to the Verifier submitting the verification request. By registering as an Authenticator, you consent to this disclosure.
This disclosure is inherent to the Platform's purpose: the identity of the Authenticator and their status at the time of verification are core components of the trust guarantee the Platform provides.
4.2 Disclosure on the Hedera Public Ledger
Authentication Records are anchored permanently to the Hedera Consensus Service (HCS), a publicly accessible distributed ledger. The data anchored to Hedera comprises only:
- The unique document or file hash (SHA-256 cryptographic fingerprint)
- A cryptographic signature bound to the Authenticator's key
- The Authenticator's public key fingerprint
- The Authenticator's verification tier
- Timestamp
Hedera records contain no personal information. No name, contact detail, organisation identifier, or other directly or indirectly identifying information is included. These records are permanently public and cannot be deleted or modified, including in response to a deletion request. Because no personal information is anchored, this permanence does not engage the right to erasure under GDPR Article 17 or the correction and deletion obligations under the Australian Privacy Act.
By registering as an Authenticator and issuing Authentication Records, you acknowledge and accept that this cryptographic data will be published to the Hedera ledger permanently.
Document or file content is never anchored to Hedera. Only the cryptographic record described above is published.
4.3 Identity Verification Provider
Audrie engages the services of a reputable identity verification provider, currently IDVerse, to conduct government document verification, liveness testing, and biometric capture during Authenticator onboarding. IDVerse processes identity data on our behalf as a data processor.
IDVerse retains identity verification data in accordance with its own privacy policy and applicable law. Audrie does not receive or store copies of identity documents or biometric data from IDVerse. IDVerse may be located outside Australia. By completing the IDV process, you consent to your identity data being transferred to and processed by IDVerse in accordance with IDVerse's privacy policy.
4.4 Payment Processor
Subscription billing is handled by a reputable payments processor, currently Stripe, Inc. Stripe processes payment card data on our behalf as a data processor. Audrie does not store payment card numbers, CVVs, or full payment credentials. Audrie stores only billing contact details and subscription status. Stripe's privacy policy is available at stripe.com/privacy.
4.5 Single Sign-On Providers
If you choose to log in using Google or Microsoft/Entra SSO, those providers supply Audrie with your email address and name for the purpose of account authentication. We do not receive or store other account data from these providers. Your use of SSO is subject to the relevant provider's terms and privacy policy.
4.6 Cloud Infrastructure
The Platform is hosted on Amazon Web Services (AWS). Personal data processed by the Platform is stored on AWS infrastructure. AWS acts as a data processor. Data may be stored in AWS regions outside Australia.
4.7 Register Checks
During Authenticator onboarding, Audrie queries publicly available government and professional body registers (for example, the Australian Business Register for ABN verification, or relevant professional membership registers for independent Authenticators) to verify authority and professional standing. These queries use information you provide and return only confirmation of status. We do not receive or store personal data from those registers beyond what is necessary to record the verification outcome.
4.8 Law Enforcement and Regulatory Disclosure
Audrie may disclose personal information to courts, regulators, law enforcement agencies, or professional bodies where:
- required to do so by law or court order
- necessary to prevent or investigate fraud or other criminal conduct
- required to respond to a lawful request from a regulatory body with jurisdiction over Audrie or over an Authenticator's professional activities
Where practicable and permitted by law, we will notify you of any such disclosure.
4.9 Business Transfers
If Audrie is involved in a merger, acquisition, restructure, or sale of assets, personal information we hold may be transferred to the acquiring or successor entity, subject to that entity assuming this policy's obligations or providing equivalent protections.
5. International Data Transfers
Audrie is an Australian entity. Your personal data may be transferred to, and processed in, countries outside Australia, including in connection with our use of AWS cloud infrastructure, IDVerse, Stripe, Google, and Microsoft. Some of these countries may not have data protection laws equivalent to Australia's or the GDPR.
We take steps to ensure that international transfers of personal data are protected by appropriate safeguards, including:
- contractual clauses that impose obligations on overseas recipients to protect personal data to a standard comparable to applicable law
- engaging providers that participate in recognised data protection frameworks
- minimising the personal data transferred where possible
For individuals in GDPR-applicable jurisdictions, international transfers are made subject to appropriate transfer mechanisms under GDPR Chapter V (including Standard Contractual Clauses where no adequacy decision applies).
6. Retention of Personal Information
6.1 General Principle
Audrie retains personal information for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by law. We do not retain personal information beyond what is needed.
6.2 Retention Periods
| Data Category | Retention Period |
|---|---|
| Authenticator account data (name, role, status, etc.) | For the duration of the account and 7 years following account closure, to support verification of historical Authentication Records |
| Authentication Records (hash, identity reference, timestamp) | Indefinitely as these are required to support ongoing document verification |
| Hedera-anchored records | Permanently as these cannot be deleted from the Hedera ledger |
| Verification audit trail | 7 years from the date of the verification event |
| Organisation account and billing data | For the duration of the subscription and 7 years thereafter for financial record-keeping purposes |
| Contact and enquiry data | 2 years from the date of last contact, unless a longer period is required by the nature of the enquiry |
| Website usage data (hashed IP, analytics) | 13 months rolling |
6.3 Hedera Permanence — Special Note
Authentication Records anchored to the Hedera Consensus Service are permanently and irrevocably public. This is a deliberate feature of the Platform's architecture: the permanent, tamper-evident nature of these records is what gives them their legal and commercial value as proof of provenance.
No deletion request, legal order directed at Audrie, or cessation of Audrie's operations can remove records from the Hedera ledger.
Hedera records do not contain personal information or any file or document content. What is anchored comprises only: a cryptographic document hash, a cryptographic signature, a public key fingerprint, a verification tier, and a timestamp. None of these elements, individually or in combination, constitute personal information as defined under the Privacy Act or personal data as defined under the GDPR. The permanent nature of Hedera records therefore does not engage the right to erasure under GDPR Article 17 or the correction and deletion obligations under the APPs.
7. Security
Audrie implements technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, and disclosure. These measures include:
- Zero document storage: Document content is never stored. Only cryptographic hashes are retained.
- Post-quantum cryptography: Authentication Records are signed using ML-DSA (FIPS 204), a NIST-standardised post-quantum digital signature algorithm, providing resistance to both classical and quantum computing attacks.
- Passkey authentication: All Platform access requires passkey (WebAuthn) authentication with biometric challenge. No passwords are stored.
- Hardware Security Modules (HSM): Private keys are generated and stored within FIPS 140-2 Level 3 HSMs. Private keys never leave the HSM boundary.
- Encryption in transit and at rest: All data in transit is protected by TLS 1.3. Data at rest is encrypted using industry-standard algorithms.
- Minimal data footprint: The limited scope of personal data held by Audrie materially reduces the potential impact of any security incident.
- Audit logging: All authentication, verification, and administrative events are logged in a tamper-evident audit trail.
Audrie is built to SOC 2 and ISO 27001 standards. Formal certification will be pursued as the Platform matures.
No security system is infallible. If you become aware of any actual or suspected security incident affecting your account or data, please contact us immediately at privacy@audrie.io.
In the event of a data breach that is likely to result in serious harm to individuals, Audrie will comply with the notifiable data breach scheme under the Privacy Act (Part IIIC) and, for GDPR-applicable individuals, the breach notification obligations under GDPR Articles 33 and 34.
8. Your Privacy Rights
8.1 Rights Under the Australian Privacy Act
Under the Privacy Act and the APPs, you have the right to:
- (a) Access your personal information. You may request access to the personal information Audrie holds about you. We will respond to access requests within a reasonable period (generally within 30 days). We may charge a reasonable fee for access requests in accordance with the APPs.
- (b) Correct your personal information. If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may ask us to correct it. We will take reasonable steps to correct the information.
- (c) Complain about a breach of the APPs. You may make a complaint to us if you consider we have breached the APPs (see Section 10). If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
8.2 Additional Rights Under GDPR
If you are located in the EEA, UK, or another GDPR-applicable jurisdiction, you additionally have the right to:
- (a) Erasure ("right to be forgotten"). You may request deletion of your personal data. Please read Section 8.3 carefully before making a deletion request. We will comply with erasure requests where we are not prevented from doing so by a legal obligation or overriding legitimate interest.
- (b) Restriction of processing. You may request that we restrict processing of your personal data in certain circumstances (for example, while a correction request is being assessed).
- (c) Data portability. Where we process your data by automated means on the basis of consent or contract, you may request a copy of your data in a structured, machine-readable format.
- (d) Object to processing. You may object to processing carried out on the basis of legitimate interests. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests.
- (e) Withdraw consent. Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
- (f) Lodge a complaint with a supervisory authority. You have the right to lodge a complaint with the data protection supervisory authority in your country of residence or the authority with jurisdiction over Audrie's processing activities.
To exercise any of these rights, contact us at privacy@audrie.io.
8.3 Data Deletion: Critical Consequence
If you request deletion of your Authenticator account and personal data, we will action that request subject to our legal obligations. However, deletion of your personal data from Audrie's systems will permanently and irrevocably render all Authentication Records you have issued unverifiable.
This consequence is permanent. Documents that recipients are relying on, or may rely on in future, will no longer return a positive verification result. Third parties who hold Authenticated Documents issued under your account will lose the ability to verify those documents.
Before we process any deletion request affecting an Authenticator account, we will:
1. provide you with a clear written description of the consequences
2. require your explicit written confirmation that you understand and accept those consequences
3. allow a 30-day cooling-off period during which you may withdraw the request
We will not process a deletion request until explicit confirmed acceptance is received.
Note regarding Hedera records: As described in Section 6.3, Authentication Records anchored to the Hedera Consensus Service cannot be deleted from that ledger. However, because Hedera records contain no personal information — only cryptographic hashes, signatures, a public key fingerprint, a verification tier, and a timestamp — the permanent nature of those records does not limit or engage the right to erasure. A deletion of your Audrie account removes all personal information held by Audrie. The residual Hedera record is non-identifiable and carries no privacy consequence.
9. Cookies and Tracking
9.1 Cookies We Use
We use a limited number of cookies to operate the Platform. These include:
- Strictly necessary cookies: Session cookies required to maintain your logged-in state and to enable passkey authentication flows. These are essential to the operation of the Platform and cannot be disabled.
- Verification recognition cookies: A cookie set when a Verifier submits a verification request, used to reduce friction for returning Verifiers on subsequent checks. This cookie contains only an anonymised session identifier.
- Security cookies: Cookies set by our CAPTCHA provider (Cloudflare Turnstile) to distinguish humans from automated bots on the verification endpoint.
9.2 Cookies We Do Not Use
We do not use:
- advertising or targeting cookies
- cross-site tracking cookies
- social media tracking pixels
- third-party analytics cookies that identify individual users
9.3 Managing Cookies
You may configure your browser to refuse cookies or to alert you when cookies are being sent. Note that disabling strictly necessary cookies will prevent the Platform from functioning correctly.
10. Complaints
10.1 How to Make a Complaint
If you have a complaint about the way we have handled your personal information, please contact our Privacy Officer:
Email: privacy@audrie.io
Post: Privacy Officer, Audrie Pty Ltd, PO Box 21353, Little Lonsdale Street, Melbourne VIC 8011
Please include a description of your complaint and the outcome you are seeking. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days. If we require additional time, we will notify you.
10.2 External Complaints Bodies
If you are not satisfied with our response:
- Australia: You may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
- EEA: You may complain to the data protection supervisory authority in your country of residence or establishment.
- UK: You may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
11. Children
The Platform is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected personal information from a child, please contact us at privacy@audrie.io and we will take steps to delete that information.
12. Changes to This Policy
We may update this policy from time to time to reflect changes to our data practices, the Platform, or applicable law. Where changes are material, we will provide reasonable notice on the Platform before the changes take effect. The current version of this policy is always available at audrie.io/privacy. The effective date at the top of this document indicates when it was last revised.
13. Contact Us
For all privacy enquiries, access requests, correction requests, or complaints:
Privacy Officer
Audrie Pty Ltd
PO Box 21353, Little Lonsdale Street
Melbourne VIC 8011
privacy@audrie.io
For general enquiries: hello@audrie.io
Appendix A — Glossary
| Term | Meaning |
|---|---|
| APP | Australian Privacy Principle, as set out in Schedule 1 to the Privacy Act 1988 (Cth) |
| Authentication Record | The cryptographic record created by the Platform binding a document hash to an Authenticator's verified identity |
| Authenticator | An individual registered on the Platform who has completed identity verification and is authorised to issue Authentication Records |
| Document Hash | A SHA-256 cryptographic fingerprint of a document, uniquely representing that document in its exact state at the time of hashing |
| EEA | European Economic Area |
| GDPR | General Data Protection Regulation (EU) 2016/679 |
| Hedera Consensus Service (HCS) | The public distributed ledger operated by Hedera Hashgraph, to which Audrie anchors Authentication Records |
| IDVerse | Audrie's identity verification provider, responsible for government document verification, liveness testing, and biometric capture during Authenticator onboarding |
| Onboarding Tier | Either Enterprise Verified or Standard, reflecting the level of identity assurance completed during onboarding |
| Personal Information / Personal Data | Information or an opinion about an identified individual, or an individual who is reasonably identifiable (Privacy Act definition); information relating to an identified or identifiable natural person (GDPR definition) |
| Platform | The Audrie document authentication platform, including audrie.io, app.audrie.io, and associated APIs and services |
| Verification Certificate | A downloadable certificate generated by the Platform as proof that a document was verified at a specific time |
| Verifier | A person who uses the Platform's verification functionality to check whether a document has been authenticated |