1. Who we are
In plain English: This Privacy Policy is published by Ottica Management Pty Ltd (trading as Ottica AI). We operate a facial recognition and computer vision platform used by licensed venues across Australia to help them identify self-excluded patrons and support their responsible-gaming obligations. This policy explains how we handle personal information.
Ottica Management Pty Ltd (ACN 666 913 908 / ABN 36 666 913 908) trades as Ottica AI. Our registered and principal place of business is 281 Lygon Street, Brunswick East VIC 3057, Australia. In this policy, "Ottica AI", "we", "us" and "our" mean Ottica Management Pty Ltd.
We provide facial recognition technology (FRT), computer vision software and supporting services to gaming and hospitality venues and selected retail customers. Our platform operates on equipment installed at the customer venue. Throughout this policy we use "you" to refer to anyone we interact with — including patrons of venues that use our platform, our direct customers (venue operators), our suppliers, prospective employees and visitors to our website.
2. The Privacy Act and Australian Privacy Principles apply to us
In plain English: We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and we follow them. We also comply with the Notifiable Data Breaches scheme and applicable state codes for facial recognition technology in licensed venues.
We handle biometric information, which is sensitive information under section 6(1) of the Privacy Act 1988 (Cth) (the Privacy Act). We:
- comply with the Privacy Act and the Australian Privacy Principles (APPs);
- comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act;
- comply with applicable state-based codes for the use of facial recognition technology in licensed venues; and
- apply industry good-practice guidance from the Office of the Australian Information Commissioner (OAIC).
Where this policy uses defined terms from the Privacy Act (Personal Information, Sensitive Information, Eligible Data Breach), those terms have the meaning given to them in the Privacy Act.
3. What personal information we collect
In plain English: The information we collect depends on who you are. From venue customers and suppliers, we mostly collect contact details and account information. From patrons of venues that use our platform, we collect facial images and biometric templates — but only retain data for people who are on the venue's self-exclusion or banned-patron list. We do not retain any data about other patrons.
3.1 If you are a patron of a venue that uses our platform
Our cameras process video frames as people enter or move through the venue. For each face the camera sees, we generate a numeric biometric representation (a template) and compare it against the venue's list of self-excluded or banned patrons.
- If you are not on the venue's exclusion list: your biometric template is held only briefly in volatile memory for the matching operation and is deleted as soon as a non-match is determined. It is not retained, not written to permanent storage, and not backed up. We do not record that you visited the venue and we do not build a profile of you.
- If you are on the venue's exclusion list: we hold an encrypted biometric template of you on the on-premise system at the venue, together with the limited information the venue has provided about your exclusion (your name, the reason for the exclusion, the period, and the source). We use this only to alert venue staff when you are detected at the venue.
Because biometric information is Sensitive Information, we only collect it where the Privacy Act permits — typically because you have consented to be added to the venue's exclusion register (self-exclusion), or because the collection is otherwise authorised under the Act (for example, a serious harm-prevention purpose or a venue's responsible-gaming legal obligations).
3.2 If you are a customer, supplier or prospective employee
We collect business contact details such as name, role, work email, work phone, company name and (where relevant) banking and invoicing details. From prospective employees we also collect resumes, qualifications, identity and right-to-work verification, and reference-check information.
3.3 If you visit our website
We collect standard website analytics information — IP address, browser type, pages viewed, referring website, and date and time of visit. We use a small number of cookies (see Section 11 — Cookies and website analytics) to make the website work and to understand how people use it.
4. How we collect personal information
In plain English: We collect personal information directly from you in most cases. The main exceptions are when a venue uploads exclusion information about you, when our cameras process your face at a venue, and when we receive a feed of self-excluded patrons from an industry register.
- Directly from you — when you contact us, enter into a contract, accept an offer of employment, apply for a job, attend a meeting or fill in a form on our website.
- From our customers (venues) — when a venue adds a person to its self-exclusion or banned-patron list.
- Through our cameras and platform — when our cameras at a customer venue process video frames in real time.
- From industry programs — we integrate with self-exclusion registers operated by industry bodies, including the Australian Hotels Association (AHA) Victoria self-exclusion register. Other state or industry programs may be added over time.
- From your employer or referees — when you apply for a role with us, or where you represent a customer or supplier we deal with.
- Through cookies on our website — see Section 11.
5. Why we use your personal information
In plain English: We only use personal information for the purposes we collected it for, or closely related purposes you would reasonably expect. For biometric information, the only use is to detect self-excluded or banned patrons at the venue that holds the list — we do not use biometric data for marketing, profiling or anything else.
We may use your personal information to:
- provide our services to customer venues and operate the platform;
- detect and alert venue staff to the presence of self-excluded or banned patrons;
- support venues in meeting their legal obligations around responsible gambling and patron welfare;
- communicate with you about your account, an order, a contract or an enquiry;
- send you information about our services where you have consented or where the law permits (see Section 12);
- assess your application for employment;
- pay invoices and meet our tax, accounting and corporate obligations;
- respond to feedback, complaints and rights requests;
- comply with applicable laws and any direction from a regulator or court; and
- improve our services through aggregated, non-identifying analytics.
What we do NOT do with biometric information: we will not use your biometric template for marketing or profiling; we will not sell it; we will not link it to a venue's payment, sign-in, loyalty or biographical systems where this is prohibited by an applicable state code; we will not disclose it to any third party other than as described in Section 7; and we will not contact you because you are on a venue's exclusion list.
6. Biometric information — how we handle it
In plain English: Biometric information gets stricter protection than ordinary personal information. We process it on equipment installed at the venue (not in the cloud), we do not retain data about people who are not on the venue's exclusion list, and we delete biometric templates of excluded patrons no later than 28 days after they were created (or sooner if the venue removes you from the list).
6.1 On-premise processing
Biometric processing happens on equipment installed inside the customer venue. Live camera frames do not leave the venue. The biometric template, the matching decision and any alert all remain on the on-premise system. This design limits the impact of any incident to a single venue and avoids the privacy risks associated with cloud-based facial recognition.
6.2 Retention
Biometric templates are subject to the following retention rules:
- Templates generated from people who are not on the venue's exclusion list are held only in volatile memory for the matching operation and are deleted immediately after a non-match is determined. They are never written to permanent storage and are never backed up.
- Templates of people who are on the venue's exclusion list are encrypted at rest and are automatically deleted no later than 28 days after creation. If the venue removes you from the exclusion list before then, the template is deleted as part of that removal.
- Limited metadata about an exclusion (name, reason, period, source) is held while the exclusion is active, under the control of the venue, and is removed when the venue deactivates the exclusion.
6.3 Security of biometric information
Biometric templates and exclusion metadata are protected by encryption at rest, strict access controls, multi-factor authentication, role-based authorisation and continuous audit logging. We commission an independent security review of our platform on a regular basis.
6.4 Data residency
Backups of biometric and venue operational data are stored in Australia and are not transferred outside Australia.
7. Who we share personal information with
In plain English: We share personal information only where we have to in order to provide our services or comply with the law. The main recipients are the venue that has installed our platform, our service providers, and (where required) regulators and law enforcement. We do not sell personal information to anyone.
We may disclose personal information to:
- Customer venues — biometric matches and exclusion alerts are sent to the venue that holds the exclusion list. We do not share data between venues without authority.
- Industry programs we integrate with — such as state-level self-exclusion registers, on an inbound-feed basis only.
- Our service providers — we use third-party providers for cloud infrastructure, identity management, network security, device management, software development tooling, productivity and credential management. Each provider is engaged under contract terms that require them to handle personal information in line with this policy and the Privacy Act. A current list of our service providers is available on request.
- Government, regulators and law enforcement — where required by law, in response to a valid warrant, subpoena or notice, or where reasonably necessary to lessen or prevent a serious threat to life, health or safety.
- Our professional advisors — lawyers, accountants and auditors, under confidentiality obligations.
- A prospective or actual buyer of our business — if Ottica AI is sold or restructured, subject to appropriate confidentiality and a requirement that the buyer treats your information in line with this policy.
We do not sell or rent personal information to any third party for any purpose.
8. Do we transfer personal information outside Australia?
In plain English: Biometric data does not leave Australia. Some general business systems we use (for productivity, customer support, identity and software development) are provided by global vendors whose support and platform-management functions may be located outside Australia.
Biometric templates, exclusion metadata and the operational data of our customer venues are stored only in Australia.
Some of our general business systems are provided by reputable global vendors whose support, billing and platform-management functions may be located outside Australia. We rely on the privacy and security commitments these vendors make under their standard customer agreements, supported by their independent assurance reports where available.
If we ever propose to materially change where biometric data is stored, we will update this policy and notify affected customers.
9. How we keep personal information secure
In plain English: We operate an information security management system aligned to ISO/IEC 27001:2022. Practical controls include encryption of sensitive data at rest and in transit, multi-factor authentication, role-based access control, daily encrypted backups in Australia, audit logging, independent security reviews and a documented incident-response plan aligned to OAIC guidance.
We take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. Our security measures include:
- encryption of biometric data and other sensitive information at rest, and encryption in transit;
- multi-factor authentication on accounts that have access to our systems;
- role-based access control with no shared accounts;
- a hardened on-premise system design at the venue;
- file-integrity monitoring, audit logging and alerting;
- daily encrypted backups stored in Australia, with documented restore tests;
- independent security reviews of the platform on a regular basis;
- a documented incident-response plan that follows OAIC guidance, and a defined process for assessing and notifying any eligible data breach; and
- an information security management system aligned to ISO/IEC 27001:2022, reviewed at least annually.
No data security measure can be guaranteed. If you become aware of any actual or suspected misuse, loss or unauthorised access to your personal information, please contact us immediately using the details in Section 14.
10. Your rights and choices
In plain English: You can ask us what personal information we hold about you, ask us to correct it, ask us to delete it (where the law allows), and complain if you are not happy with how we handle your information. We aim to respond within 30 days.
Under the Privacy Act you have the right to:
- Ask for access to the personal information we hold about you;
- Ask us to correct any personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading;
- Ask us to delete or de-identify your personal information, where the Privacy Act and any other applicable law allow us to do so;
- Opt out of any direct marketing from us at any time (see Section 12);
- Be anonymous or use a pseudonym when you contact us, where it is lawful and practical for us to deal with you on that basis;
- Make a complaint to us, and to the OAIC if you are not satisfied with our response (see Section 13).
We will acknowledge any rights request within 7 days and aim to resolve it within 30 days. There is no charge for making a request, although we may charge reasonable costs of providing copies.
If you are a patron of a venue that uses our platform and you want to access, correct or delete biometric or exclusion information about yourself, the fastest path is usually to deal directly with the venue, because the venue controls its exclusion list. You can also contact us and we will work with the venue on your behalf.
11. Cookies and website analytics
In plain English: Our website uses a small number of cookies to make it work and to help us understand how visitors use it. You can disable cookies in your browser if you prefer.
Our website may set or read the following kinds of cookies:
- Strictly necessary cookies — required for the website to function (for example, security and load-balancing cookies).
- Analytics cookies — used to count visitors, measure page-load performance and understand which content is useful. The data is aggregated and is not used to identify individual visitors. Where we use Google Analytics, you can opt out at https://tools.google.com/dlpage/gaoptout.
You can block or delete cookies through your browser settings. If you block strictly necessary cookies, parts of the website may not work.
12. Direct marketing
In plain English: We may send you marketing emails about our services if you have asked for information, become a customer, or otherwise consented. Every marketing email includes an unsubscribe link. Patrons of venues are never marketed to by us.
We may send you marketing communications about our services where you have provided consent or where the law allows us to do so. Every direct marketing email includes a one-click unsubscribe link. You can also opt out by emailing us at [email protected]. We will action your opt-out within 5 business days.
We do not use any data collected from patrons (biometric templates, exclusion metadata, match events or anything else) for direct marketing of any kind.
13. How to make a complaint
In plain English: If you think we have mishandled your information, please tell us first — most issues can be resolved quickly. If you are not satisfied with our response, you can escalate the complaint to the OAIC.
Please raise the complaint in writing to [email protected] and include enough detail for us to investigate. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. We may ask you for more information and we may need to involve a customer venue (where the complaint relates to data the venue controls).
If you are not satisfied with the way we have handled your complaint, you may complain to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
14. How to contact us
In plain English: Email [email protected] or write to The Privacy Officer at 281 Lygon Street, Brunswick East VIC 3057, Australia.
Ottica Management Pty Ltd (trading as Ottica AI)
Attention: The Privacy Officer
281 Lygon Street, Brunswick East VIC 3057, Australia
Privacy enquiries: [email protected]
General enquiries: [email protected]
Website: www.ottica.ai
15. Changes to this policy
In plain English: We will update this policy from time to time and post the new version on our website. If we change anything material — particularly anything that affects how we handle biometric information — we will give reasonable notice before the change takes effect.
We may update this policy from time to time to reflect changes in our services, our systems, applicable law or industry good practice. The current version is always available on our website. For any change that materially affects how we handle biometric information, retention periods, or data residency, we will:
- publish the revised policy on our website at least 14 days before the change takes effect;
- update the version number and date at the top of this policy; and
- notify affected customer venues directly, so that they can in turn give appropriate notice to their patrons.
The current version of this policy is 2.1, issued on 25 June 2026.
16. Definitions
Personal Information has the meaning given in section 6(1) of the Privacy Act 1988 (Cth).
Sensitive Information has the meaning given in section 6(1) of the Privacy Act 1988 (Cth) and includes biometric information that is to be used for the purpose of automated biometric verification or biometric identification, and biometric templates.
APP / Australian Privacy Principles — the principles in Schedule 1 to the Privacy Act.
Eligible Data Breach has the meaning given in section 26WE of the Privacy Act, as part of the Notifiable Data Breaches scheme.
OAIC — Office of the Australian Information Commissioner.