Halali User Privacy Agreement

Effective Date: December 1st 2025

This Privacy Agreement ("Agreement") describes how Halali Life Pty Ltd ("Halali", "we", "us", or "our") collects, uses, stores, discloses, and protects the personal information of users ("you", "your", or "User") of the Halali platform, including via our mobile apps, websites, APIs, or other interfaces (collectively, the "Platform"). By using or registering for our services, you agree to the practices described in this Agreement.

1. Scope and Application

1.1 This Agreement applies to all personal information collected in connection with your use of our Platform services, including but not limited to placing orders, delivery, payment, account registration, customer support, marketing, and related interactions.

1.2 This Agreement is to be read together with our Terms of Service / User Agreement. In the event of conflict, the provisions in this Privacy Agreement shall govern with respect to data protection matters.

1.3 By using the Platform or registering an account, you acknowledge you have read, understood, and consent to this Agreement.

2. Information We Collect

2.1 Information You Provide

We may collect the following categories of personal information you actively provide:

Name, nickname, date of birth;

Mobile phone number, email address;

Delivery address, contact address;

Payment information (e.g. credit card numbers, bank account identifiers, third-party payment account identifiers)—we do not store full payment credentials in certain cases but may rely on payment providers;

Account credentials (username, password, profile pictures, avatar);

Dietary preferences, allergy information, religious dietary notes (e.g. halal preference) — where voluntarily provided;

Feedback, reviews, user-submitted content (e.g. photos, voice messages);

Other optional data you choose to share (e.g. preference settings, marketing opt-ins).

2.2 Automatically Collected / Derived Information

When you access or use the Platform, we or our service providers may automatically collect:

Device & network data: device model, operating system, device identifiers, IP address, MAC address, network type, carrier, camera, album, and microphone etc.; You can change your settings on your own device and control access to your personal information.

Log / usage data: pages visited, features used, timestamps, clickstream, crash logs, error logs, path navigation;

Location information: if you grant permission, we may collect precise or approximate location for delivery, mapping, routing, and recommendation;

Cookie / local storage / SDK data: to enable functionality, analytics, personalization, and security features.

2.3 Information from Third Parties

We may also obtain or verify certain information about you from third-party sources and public records (e.g. verification services, identity verification, credit / anti-fraud providers) to supplement, validate, or cross-reference our collected data.

◆

3. How We Use Information

We may use your information for the following purposes:

3.1 Service Provision

To process and fulfill your orders: order placement, payment, refunds, delivery, customer support;

To manage your account: authentication, password resets, account maintenance;

To route and optimize delivery logistics, map services, assign delivery personnel;

To provide merchants or delivery partners with necessary order and contact details (within limited scope) to execute delivery.

3.2 Communications & Marketing

To send you service notifications, updates, account messages, and marketing/promotional offers (where you consent to receive them);

For personalized recommendations, offers, or advertisements;

To conduct surveys, feedback collection, and user research.

3.3 Security, Risk Management & Compliance

To detect fraud, misuse, unauthorized access, and security threats;

To conduct internal analytics and operational reporting (e.g. usage metrics, growth, retention);

To comply with legal, regulatory, tax, audit, or accounting obligations;

To resolve disputes, enforce our terms, and protect our rights.

3.4 Other Purposes

For any other purpose reasonably compatible with the above, or as otherwise permitted by applicable law;

When we have obtained your separate consent for additional uses.

◆

4. Disclosure & Sharing of Information

We may disclose or share your information under the following circumstances:

4.1 To Merchants / Delivery Partners

To enable order fulfillment, we may share your delivery address, contact name/phone, and relevant order details with the merchant and delivery partner (in minimal necessary scope).

4.2 To Service Providers

We may engage third-party vendors and service providers (e.g. cloud hosting, payment processors, analytics providers, messaging / notification services, fraud detection, customer service) who assist us in providing the Platform. These providers are contractually obligated to maintain confidentiality and use your data only to the extent necessary.

4.3 Legal & Regulatory Disclosures

We may disclose your personal data when required by law, regulation, court order, governmental or regulatory authority, or other legal processes.

4.4 Business Transfer

In connection with merger, acquisition, asset sale, or reorganization, your personal information may be transferred as part of the business assets. We will notify you and/or obtain your consent where required by law.

4.5 Aggregated / De-identified Data

We may publish or share aggregated, anonymized, or de-identified data (which cannot reasonably be used to re-identify you) for research, public insight, or business analytics.

◆

5. Data Retention & Security

5.1 Retention Period

We will retain personal information only as long as needed to fulfill the purposes described herein, or as required by applicable law. Once no longer needed, we will delete or anonymize the data.

5.2 Security Measures

We implement reasonable technical and organizational safeguards to protect data from unauthorized access, disclosure, alteration, or destruction, including encryption (HTTPS / TLS), access controls, authentication, logging and monitoring, data segmentation, employee training, and minimal privilege policies.

5.3 Data Breach Response

In the event of a data breach or security incident, we will promptly notify affected Users and regulatory authorities as required under applicable law and take remedial measures.

◆

6. Your Rights & Choices

Subject to applicable law, you may have the following rights:

1. Access – to request a copy of personal data we hold about you.

2. Correction – to update or correct inaccurate or incomplete data.

3. Deletion / Erasure / Account Closure – to request deletion or anonymization of personal data, or cancellation of your account, where legally permitted.

4. Restriction / Object to Processing – to request that we restrict processing or object to certain processing, including profiling or marketing.

5. Data Portability – where applicable, to receive your personal data in a structured, machine-readable format or transmit it to another controller.

6. Withdraw Consent – to revoke consent for specific processing (e.g. marketing, sensitive data usage). Withdrawal will not affect the validity of prior processing.

7. Complaints – you may lodge a complaint with us; if unresolved, you may contact the Office of the Australian Information Commissioner (OAIC) or relevant data protection authority.

We will respond to your requests in accordance with applicable legal timeframes.

◆

7. Handling of Minors / Vulnerable Users

We do not knowingly collect or solicit sensitive personal information from persons under 16 years of age. If we become aware that we have collected such data without verifiable parental consent, we will remove it promptly. If minors (under 16) are using the service (e.g. through a guardian account), then consent must be given by the legal guardian, and such guardian should supervise the use.

◆

8. Cross-Border Transfers & International Storage

If your personal data is transferred or stored outside Australia, we will ensure such transfers comply with applicable laws, including implementing safeguards such as standard contractual clauses, encryption, or verifying that recipient jurisdictions provide adequate protection.

◆

9. Sensitive Data / Special Data Handling Provisions

9.1 Definition & Principles

"Sensitive Data" (or "Special Data") refers to a subset of personal information whose misuse or exposure carries higher risk, including but not limited to: racial or ethnic origin, religious beliefs, health information, biometric data, sexual orientation, criminal records, political views, or other legally protected categories.

If you voluntarily provide religious / dietary preference data (e.g. halal preference or religious affiliation), such data will be treated as Sensitive Data.

9.2 Consent & Transparency

We will collect, store, or process Sensitive Data only after obtaining your explicit, informed, and freely given consent (i.e. express consent). When collecting such data, we shall clearly inform you of purposes, retention period, access rights, sharing scope, and your right to withdraw consent.

9.3 Usage Restrictions

Unless strictly necessary for core platform functionalities or required by law, Sensitive Data shall not be used for marketing, targeted advertising, or algorithmic profiling.

Sensitive Data shall never be sold to third parties.

Prior to any international or third-party transfer of Sensitive Data, we must secure your explicit consent and apply adequate safeguards (e.g. encryption, contractual obligations, limited recipient scope).

9.4 Retention & Deletion

Sensitive Data shall not be retained beyond what is necessary for the processing purpose. Once the purpose ends, data shall be deleted or anonymized without undue delay.

9.5 Withdrawal of Consent

You may withdraw consent for processing Sensitive Data at any time. Upon withdrawal, we will cease further processing and remove related data within a reasonable timeframe. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

9.6 Monitoring & Breach Notification

We will conduct periodic reviews of our Sensitive Data handling processes to ensure compliance, security, and lawfulness. In the event of a breach involving Sensitive Data, we will notify affected users and regulatory bodies in accordance with applicable laws.

◆

10. Cookies & Tracking Technologies

10.1 Types & Purposes of Cookies / Tracking

We may employ Cookies and similar technologies (e.g. tracking pixels, local storage, software development kits) for the following categories:

Strictly Necessary / Essential Cookies: required to enable fundamental platform functions (e.g. login sessions, cart, checkouts, navigation). These cannot be disabled without impairing core functionality.

Performance / Analytics Cookies: used to collect usage statistics, analyze user behavior (e.g. page visits, navigation paths) to improve performance and user experience.

Functional Cookies: to remember user preferences (language, address, display settings) for enhanced convenience.

Advertising / Targeting Cookies: to deliver personalized content or advertising based on user interests and behavior.

10.2 Consent, Control & Management

On first visit to our website or app, we will display a prominent cookie notice / consent interface, explaining categories, purposes, and user options.

Non-essential cookies (performance, functional, advertising) will only be deployed after obtaining your consent. We will offer toggles or preference settings so you can manage them.

You may at any time disable, delete, or manage cookies via your browser, app settings, or system settings. However, disabling certain cookies may break or impair platform functionality.

Our Privacy Policy will include a detailed cookie inventory: each cookie's name, purpose, third-party provider, and expiration.

When using third-party pixels, SDKs, or social media plugins, we will assess and monitor their data flows to ensure compliance (data minimization, no transmission of sensitive data, lawful processing).

If a third party acquires personal data via cookies or tracking and transfers it overseas, we will take reasonable steps to ensure compliance with Australian privacy standards.

We will review and update our cookie and tracking practices periodically, removing obsolete technologies and reassessing privacy risks.

◆

11. Changes to This Agreement & Notification

11.1 We may revise this Privacy Agreement from time to time to reflect changes in regulation, business models, or technical advancements. Updated versions will be posted on Platform, with the effective date clearly indicated.

11.2 If changes are material, we may notify you via email, in-app message, or other appropriate means. Continued use of the Platform after changes become effective constitutes your acceptance of the revised terms.

◆

12. Governing Law & Dispute Resolution

This Agreement is governed by and construed in accordance with the laws of New South Wales, Australia. Any dispute arising from or related to this Agreement shall be resolved via negotiation, and if unresolved, submitted to the competent courts of Sydney, NSW (or a mutually agreed alternative).