KordaMentha privacy policy

Issued: 1 July 2025

KordaMentha (‘KordaMentha, ‘we’ or ‘our’) understands the importance of keeping any personal information we may receive about you secure and confidential.

This privacy policy sets out how KordaMentha collects, uses, manages and discloses personal information and how KordaMentha aims to protect the privacy of your personal information.

This policy applies to KordaMentha Pty Limited, KordaMentha Real Estate Pty Limited, KordaMentha Pte Limited, KordaMentha Investments Pty Limited, KordaMentha NZ Unit Trust and PT KordaMentha and the service lines operated by those corporate entities.

A separate privacy policy applies to KordaMentha Funds Management Pty Limited, 333 Capital Pty Limited, KM Develop Pty Limited and KM Property Funds Limited. KordaMentha may update this policy from time to time.

KordaMentha may update this policy from time to time.

Relevant legislation and personal information

The following legislations and ancillary documents regulate how we can collect, store, manage, use, disclose and provide access to personal information in each country where we operate. These will be referred to collectively as ‘the relevant legislation’.

Australia

• Privacy Act 1988 (Cth) (‘Privacy Act’)
• the relevant privacy principles under the Privacy Act

Singapore

• Personal Data Protection Act 2012 (‘PDP Act’)

Indonesia

• Law 27 of 2022 regarding Personal Data Protection (‘PDP Law’)

New Zealand

• Privacy Act 2020 (‘Privacy Act NZ’)

Information or an opinion, whether true or not and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

In Indonesia, under the Personal Data Protection Law, No. 27 of 2022, personal information is classified into two categories. General personal data includes full name; gender; nationality; religion; marital status; and/or combined personal data to identify a person. Specific personal data means data and information regarding health; biometric data; genetic data; criminal records; data of children; personal financial data; and/or any other data in accordance with the relevant laws and regulations.

Reasons for collecting personal information

KordaMentha collects personal information primarily for the purpose of providing our services and conducting our businesses. Any processing of personal data will be carried out only for lawful purposes. The duration of processing your personal data shall be the term of the services provided to you or for the duration of the engagement/agreement.

You are not required to provide your personal information to us. However, if you choose not to provide personal information to us where requested (or provide inaccurate or incomplete information or withdraw your consent for us to use your information), we may not be able to provide services to you or in the case of an external administration, deal with your claim.

By providing us with this information, you consent to KordaMentha using the information for its primary purpose.

Primary purposes where we may require your personal information:

• comply with our obligations when appointed as external administrators to a corporation, individual or other entity under the Corporations Act or Bankruptcy Act in Australia or the Insolvency, Restructuring and Dissolution Act, the Companies Act or the Bankruptcy Act in Singapore
• comply with our obligations when appointed as administrator to a class action
• make a payment to you in relation to an external administration, creditors’ trust or class action
• provide advice to you, an associated entity or a third party where your personal information is required to complete a component of the engagement
• consider or enter into an employment application from you
• consider procurement of services from you
  provide you with access to our website and other online services
• provide our publications to you
• respond to queries you submit to us
• provide you with information about our services that may be of interest to you
• administer accounting, billing and other internal administrative services
• comply with our legal requirements under any applicable laws, including anti-money laundering legislation and any other legal requirements with which we must comply.

KordaMentha will use the personal information for the primary purpose and potentially for a permissible secondary purpose.

Where we will use your personal information for a permissible secondary purpose:

• you have consented to that secondary purpose
• it would be reasonably expected to be used for the secondary purpose
• the secondary purpose is related to the primary purpose, or
• otherwise allowed by legislation.

Personal information KordaMentha collects

KordaMentha collects personal information such as a person’s name, date of birth, address, telephone number, email address, driver’s licence details, passport details, tax file number, Australian business number, bank account details, investment information and employment information. The types of personal information which KordaMentha collects will be limited to what information is necessary for the primary purpose.

In circumstances limited to prospective employees or employees of corporations subject to external administrations, KordaMentha will collect sensitive information such as membership of a professional or trade association, membership of a trade union or a criminal record. In the case of prospective employees, your photo may be taken.

How KordaMentha collects personal information

KordaMentha collects personal information by lawful and fair means and not in an unreasonably intrusive way. Generally, KordaMentha will collect this personal information directly from you.

Due to the scope of some engagements, we may collect personal information from our client. Our client will be required to confirm that the personal information is provided on the basis that it is either for the primary purpose for which it was initially collected, a permissible secondary purpose or with your consent.

There may be other occasions when we collect personal information about you or from other sources, such as from a publicly maintained record or from an information services provider, for example where we are required to verify your identity under anti money laundering legislation.

We may collect personal information when you:

• fill out an application form
• submit an online form to us
• enter into an agreement with us
• engage in social media with us
• correspond with us
• subscribe to a distribution list.

In the case of externally administered companies, this information may come into our possession when appointed as external administrators to a company or an individual in accordance with the Corporations Act or Bankruptcy Act respectively.

Retention of the personal information KordaMentha collects

The duration of processing your personal information shall be the term of the services provided to you or for the duration of the engagement, agreement or other primary purpose.

The retention period will vary according to the primary purpose and the requirements of the relevant legislation in the country where the personal information was collected. The retention period will start from the end of the engagement, during which the personal information will be archived. Any request for access by KordaMentha employees during the retention period will be assessed to ensure there is a genuine purpose for access.

Retention periods:
Candidates who do not progress to employment with KordaMentha – 2 years from the date of application. Client contacts and subscribers to marketing materials – confirmation will be sought annually that your personal information is to be retained. If you request your personal information to be deleted via the email address, [email protected], your email address will be retained to manage this request.

Australia
Engagements other than those specified below – 7 years from date of final invoice
KordaMentha Property Funds – 7 years from date of final invoice or closure of fund
External administrations – 7 years from Form 5603 End of Control return
Creditors’ Trust – 7 years from termination of trust
Bankruptcy – 7 years from date of discharge or annulment of bankruptcy

Singapore
Liquidations and provisional liquidations – 5 years from date of dissolution
Other engagements – 5 years from cessation date of if not applicable, date of final invoice

Jakarta
Engagements – 10 years from end of financial year

New Zealand
Financial Crime engagements – 7 years from date of final invoice

Where is your personal information stored
Personal information contained in emails, files and apps are stored in various jurisdictions, depending on where the personal information is collected.

Australia and New Zealand
All emails, file data and apps used are stored in Australian datacentres.

Singapore and Jakarta
All emails, file data and apps used are stored in Singapore datacentres.

Accessing or changing personal information

Under the relevant legislation, you have a right to access or change your personal information that is collected and held by KordaMentha.

If you would like to access or change the personal information KordaMentha holds about you, in the first instance, you should contact your KordaMentha contact if you have one. Otherwise, please contact us as outlined in Section ‘How to contact us’.

Prior to actioning any change or access request, we will need to verify your identity and comply with our other procedures which are in place to prevent unauthorised access to personal information. We will take all reasonable steps to provide access or make the changes to your personal information within 30 days from your request. KordaMentha will not normally charge you any fees or costs for access to your personal information, particularly when required under the relevant legislation to provide access or obtain a copy free of charge. Fees or costs may apply if providing you with access would require us to incur unreasonable retrieval or other out of pocket costs. We will notify you if any such fees or costs would be payable.

Disclosure of your personal information by KordaMentha

From time to time, we may need to disclose your personal information to a third party.

The types of third parties to which we may disclose personal information include:

• your financial, legal or other professional advisers or other persons you have authorised to act on your behalf
• service providers we engage to provide custody, administration, technology, auditing, mailing, printing or other services
• our professional advisers (including legal and accounting firms, auditors, consultants and other advisers)
• our related companies.

Any such disclosures will be made on a confidential basis and, where possible, will require the third party to comply with appropriate privacy obligations.

Some of the recipients to whom KordaMentha may disclose your personal information may be based overseas. KordaMentha will only disclose your personal information on receipt of your consent. Your personal information may be shared for business related purposes with our related entities, our agents and third party suppliers that are located in Australia, Singapore, Indonesia and Philippines. Any overseas recipients may not be bound by the relevant legislation in your country. In Australia, on granting your consent, you acknowledge that by consenting to KordaMentha disclosing your personal information to overseas recipients, Australian Privacy Principle 8.1 will not apply to the disclosure. This means that KordaMentha will not be required to take reasonable steps in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that personal information and as a result KordaMentha may not be liable under the Privacy Act if the recipient does not act consistently with the Australian Privacy Principles. In Singapore and Indonesia, we will ensure that the recipient affords a standard of protection that is at least comparable to the protection under the PDP Act or the PDP Law respectively. In New Zealand, we will ensure that there are adequate protections in place or if adequate protections are not in place, we will seek your express permission.

Security of your personal information

KordaMentha takes all reasonable steps to protect the personal information we hold about you from misuse and loss and from unauthorised access, modification or disclosure. We have in place a number of data security, information security and other similar security policies and procedures. These policies and procedures are regularly reviewed to ensure they remain current and appropriate.

Privacy complaints

KordaMentha will seek to resolve any privacy complaints and will deal with privacy complaints as quickly as possible and in a respectful and confidential manner.

KordaMentha will investigate any privacy complaint you make and will inform you of the outcome of your complaint following the completion of the investigation.

In the event you are dissatisfied with the outcome of your complaint, you may refer the complaint to the relevant authority in your country.

Australia
Office of the Australian Information Commissioner < Lodge a privacy complaint with us | OAIC

Singapore
Personal Data Protection Commission Singapore PDPC | Report a Personal Data Protection Concern

Indonesia
To be advised by the Indonesian government

New Zealand
Privacy Commissioner
Office of the Privacy Commissioner | Making a complaint to the Privacy Commissioner

How to contact us

For further information or enquiries regarding your personal information, please contact as below:

Email: [email protected]
Phone: +61 3 8623 3333
Mail: GPO Box 2985, Melbourne Victoria 3001