This policy explains how we collect, use, disclose, and protect personal information, and the rights you have in relation to your information.

Last updated: 26 August 2025

Carta Strategy (ABN 72 205 230 647) (“we”, “our”, “us”) is committed to protecting your privacy.

We comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Privacy (Market and Social Research) Code 2021 (the “Code”).

1. What personal information do we collect?

The personal information we collect depends on how you engage with us. It may include:

• Identity and contact details: name, organisation, role, email, phone, address

• Research participation data: interview notes, survey responses, recordings (with consent)

• Professional and demographic information: industry, occupation, opinions, feedback

• Sensitive information: political opinion, health information, or other sensitive data (only with your express prior consent, and only if necessary for our research)

• Website/analytics data: IP address, browser type, device info, session cookies (we do not use persistent cookies)

• Supplier/contractor information: ABN, payment details, performance information

You may choose to remain anonymous or use a pseudonym where practicable.

In some cases (for example, when your details are provided by a client or when research data may allow identification) anonymity may not be possible.

In line with our privacy commitments, we require clients to exclude personally identifiable information (PII) from any data they share with us, unless it is essential to meet the research objectives.

2. How we collect personal information

We may collect information:

• Directly from you (e.g. interviews, surveys, workshops, events, email, website forms).

• From clients, research partners, or list providers (we ensure appropriate consent has been obtained).

• Automatically when you use our website or services (via cookies and analytics logs).

3. Why we collect and use personal information

We collect and use personal information to:

• Conduct research projects and provide insights to clients

• Analyse de-identified data for benchmarking and research purposes

• Communicate with you about research participation, workshops, or events

• Manage business operations (billing, compliance, suppliers, employment)

• Comply with legal obligations

We will never use personally identifiable research information for advertising, promotions, or direct marketing. If you receive newsletters or updates from us, you may opt out at any time.

If you send us personal information we have not requested (unsolicited information), we will destroy or deidentify the information as soon as practicable.

If we collect information about you from third parties, we will take reasonable steps to ensure the third party has first obtained your permission or has a lawful basis to share the information with us. This includes deidentified data we collect from research partners to enable tracking of brand insights as part of our services. This data cannot be linked to you individually and we will not make any attempts to re- identify you.

4. Information we collect from website users

When visiting Carta Strategy’s website, the site server makes a record of the visit and logs the following information for statistical and administrative purposes:

• The user’s server address. This helps us to consider the users who use the site regularly and tailor the site to their interests and requirements.

• The date and time of the visit to the site. This is important for identifying the website’s busy times and ensuring maintenance on the site is conducted outside these periods.

• Pages accessed and documents downloaded. This indicates which pages or documents are most important to users and also helps identify important information that may be difficult to find.

• Duration of the visit. This indicates to us how interesting and informative the website is to users.

• The type of browser used. This is important for browser specific coding.

• In order to optimise our website and better understand its usage, we collect the visiting domain name or IP address, Computer Operating System, Browser Type and Screen Resolution.

A cookie is a piece of information that an Internet web site sends to your browser when you access information at that site. Cookies are either stored in memory (session cookies) or placed on your hard disk (persistent cookies). Our website does not use persistent cookies. Once you close your browser the session cookie set by this website is destroyed and no personal information is maintained which might identify you if you visit our website again.

4. Disclosure of personal information

We may disclose your personal information:

• To clients, but only in aggregated or de-identified form, unless you provide express consent for disclosure.

• To service providers (e.g. transcription, cloud storage, IT, analytics, payment processors).

• To regulators or enforcement agencies, if required by law.

• To overseas service providers, but only where we take reasonable steps to ensure they handle personal information in accordance with the APPs and the Code.

We will never sell your personal information.

We currently use third party AI systems in providing our services. We undertake a review process of third party AI systems to ensure they comply with our security and privacy requirements. A list of third party AI systems we use can be made available to you at any point on request by using the Contact form at www.cartastrategy.com.au

5. Research re-contact

If you participate in our research, we may only re-contact you if:

• You were informed about this at the time of collection, or

• We have valid reasons to believe a genuine research concern warrants it.

6. Data security and retention

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Measures include access controls, encryption, MFA, and secure storage.

Please be aware that the transmission of information over the Internet is not completely secure or error-free. In particular, email sent to or from this website may not be secure, and you should therefore take special care in deciding what information you send to us via email. 

We retain personal information only as long as necessary for the purpose it was collected, or as required by law. After that, it will be securely destroyed or de-identified.

7. Notifiable Data Breaches

If a data breach is likely to cause serious harm, we will promptly notify affected individuals and the Office of the Australian Information Commissioner (OAIC), in line with the Notifiable Data Breaches scheme.

8. Access and correction

You have the right to request access to personal information we hold about you, and to request correction if it is inaccurate, incomplete, out-of-date, irrelevant or misleading. We will respond within a reasonable timeframe (usually 30 days).

9. Complaints

If you have a privacy question or complaint, please contact us first using the Contact form at www.cartastrategy.com.au. We will respond as quickly as possible. If you are not satisfied, you can contact the OAIC:

• Phone: 1300 363 992

• TTY: 1800 620 241

• TIS: 131 450 (ask for the OAIC)

• Post: GPO Box 5218, Sydney NSW 2001

• Website: www.oaic.gov.au

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be published on our website.

Although we intend to always observe this Privacy Policy, it is not legally binding on Carta Strategy in any way. From time to time, we may regard it as necessary or desirable to act outside the policy. We may do so subject only to any other applicable contractual rights you have and any statutory rights you have under the Privacy Act or other applicable legislation.

11. Contacting us

If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us using the Contact form at www.cartastrategy.com.au.