How Torvek collects, uses, discloses and protects personal information in Australia and New Zealand.

Effective date: 2 June 2026 · Version 1.0

1. About this policy

This policy explains how Torvek handles personal information. The contracting entity is the New Zealand operating company, which operates from New Zealand and is establishing a registered foreign-company branch in Australia under Part 5B.2 of the Corporations Act 2001 (Cth).

We are committed to protecting personal information in accordance with:

• the Privacy Act 2020 (NZ) and its Information Privacy Principles (IPPs), including the indirect-collection notification principle IPP 3A (in force from 1 May 2026); and

• the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Where both regimes apply to a given activity, we meet the higher standard. Reflecting the direction of modern privacy reform, we apply this policy to all personal information we handle regardless of any statutory small-business exemption that might otherwise be available.

2. Our role

In most engagements we act as principal: we decide what personal information to collect and how it is used, and the obligations in this policy apply in full. This includes any professional deliverable we sign - a producer statement, certification or engineering opinion - for which we remain accountable regardless of any client arrangement.

In some engagements we handle personal information solely on a client’s behalf and on their documented instructions - for example where a client directs how project data is to be used within their own systems. In those limited cases the client is responsible for the lawful basis of collection and for notifying the individuals concerned, and the client’s own privacy policy governs that use. In all other respects this policy applies, and nothing in this section limits our obligations under the Privacy Act 2020 (NZ) or the Privacy Act 1988 (Cth) in respect of personal information we collect, hold or use.

3. What we collect

Depending on your interactions with us, we collect:

• Contact and identity details: name, title, position, employer/organisation, email, phone and postal address.

• Project, site and design information: data provided in briefs, site evaluations, asset-ownership details, structural drawings and project correspondence.

• Workplace security data: visitor logs, timestamps, and digital device identifiers (such as IP and MAC addresses) if you connect to our office guest networks.

• Technical data: analytics regarding how you interact with torvek.co.nz.

• Recruitment information: CVs, professional engineering certifications (CPEng/RPEQ validation) and referee details for candidates.

4. How we collect it

Directly from you (IPP 3 / APP 3, 5)

We collect personal information directly from you when you request a proposal, execute an engagement contract, correspond with our engineers, or submit details via our website.

Indirectly - from other sources (IPP 3A / APP 5)

We may collect personal information about you from a source other than you - for example from shared project environments, head contractors, project joint ventures, referees, or publicly available professional registers. Where the NZ Privacy Act applies, IPP 3A (from 1 May 2026) requires us to take reasonable steps to ensure you are made aware of the matters in section 5 below when we collect your information indirectly, unless an exception applies. We rely on this policy, and on project onboarding notices given as soon as reasonably practicable after collection, to meet that obligation. APP 5 imposes a comparable notification requirement in Australia.

5. Matters we make you aware of on collection

When we collect your personal information (directly or indirectly), we take reasonable steps to ensure you are aware of:

• the fact that information is being collected, and who is collecting it (Torvek, contactable as in section 12);

• the purpose of collection;

• the intended recipients of the information;

• whether collection is required by law or is voluntary, and any consequences if it is not provided; and

• your rights to access and correct the information.

6. Why we collect and use data

We handle personal information to:

• scope, estimate and execute engineering and design consulting engagements;

• issue formal producer statements (PS1/PS4), independent design certifications and regulatory compliance deliverables;

• secure our physical offices, digital environments and cloud practice-management applications;

• manage commercial billing, invoicing and cross-border accounting; and

• comply with professional, statutory and insurance record-keeping obligations (including professional indemnity mandates).

We will only use or disclose personal information for the purpose for which it was collected, a directly related purpose you would reasonably expect, or another purpose permitted or required by law.

7. When we disclose personal information

To deliver complex projects, Torvek may disclose relevant information to:

• clients, principal contractors, sub-consultants and allied project participants;

• building consent authorities, certifiers, local councils and professional registration bodies (such as Engineering New Zealand or BPEQ);

• reputable third-party practice software providers (including secure cloud-hosting and document-management platforms); and

• legal or regulatory authorities where required to protect human safety, structural integrity, or by law.

Torvek does not sell personal information under any circumstances.

8. Cross-border and overseas transfers

As a trans-Tasman firm operating from New Zealand and establishing an Australian branch, personal information may move between our New Zealand and Australian operations and personnel. We use secure cloud infrastructure that may store data across international data centres.

Where the NZ Privacy Act applies, we comply with IPP 12 before disclosing personal information to an overseas person, including by ensuring comparable safeguards or relying on a permitted basis. Where the Australian Privacy Act applies, we take reasonable steps under APP 8 before an overseas disclosure to ensure the recipient handles the information consistently with the APPs. We choose providers with appropriate security and contractual protections.

9. Security and extended retention

We maintain technical, organisational and physical safeguards to protect data from loss, misuse and unauthorised access. No system is completely secure, and we cannot guarantee absolute security.

Because engineering liabilities, warranties and limitation periods extend over many years, project data and professional deliverables are retained for extended periods to satisfy insurance and statutory obligations, after which they are securely destroyed or permanently de-identified.

10. Data breaches

If a privacy breach occurs that is likely to cause serious harm (NZ) or is an eligible data breach likely to result in serious harm (AU), we will notify the affected individuals and the relevant regulator - the Office of the Privacy Commissioner (NZ) and/or the Office of the Australian Information Commissioner (OAIC) - in accordance with the Privacy Act 2020 (NZ) and the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

11. Your rights, access and correction

You may request access to the personal information we hold about you, and ask us to correct it if it is inaccurate, out of date, incomplete or misleading (IPP 6 and 7 / APP 12 and 13). We will respond within the timeframes required by law. We may need to verify your identity, and in limited circumstances permitted by law we may decline access or correction - in which case we will explain why.

12. Contact and complaints

To exercise your privacy rights, make a query, or file a complaint, contact us at:

• Email: contact@torvek.co.nz

We will acknowledge and investigate complaints and respond within a reasonable time. If you remain unsatisfied with our internal resolution, you may escalate to the relevant regulator:

• New Zealand: Office of the Privacy Commissioner — privacy.org.nz

• Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

13. Changes to this policy

We may update this policy from time to time. The current version is published on our website, with the effective date shown above. Material changes will be highlighted where practicable.