AUSTRALIAN MINES LIMITED PRIVACY POLICY

Australian Mines Limited ACN 073 914 191 ("we", "our", "the Company") are an ASX-listed resource company based in Perth, Western Australia.

Our practices and procedures in relation to your privacy and the data we collect are outlined in this privacy policy.

We are committed to protecting your privacy through the lawful, open and transparent management of your personal and sensitive information in accordance with the applicable privacy laws.

In this privacy policy we outline:

• how we collect your information;
• how we manage, use and disclose your information; and
• how to contact us if you have any queries or concerns you wish to discuss with us.

This policy relates to our past, present and future employees, our customers, our website visitors, subscribers and other individuals who engage with us and our services.

We protect your privacy by adopting a system of compliant technical and organisational measures by default and by design so that your information that was process is securely protected.

To contact us in relation to this privacy policy please refer to our contact information below.

WHAT INFORMATION DO WE COLLECT, HOW DO WE COLLECTED IT AND WHY DO WE COLLECT IT?

We collect personal information about you with your consent that is specifically related to our business functions, activities or purposes. The nature and type of personal information we collect will depend on your relationship with us and what is required in order for us to fulfil our business functions. We only use your personal information for the purpose for which it was given to us.

We may also process data where it is necessary for the performance of a contract, where it is required in order to comply with our legal obligations or to protect the interest of an individual, for the performance of a public interest task, or legitimate purpose or if it is permitted in accordance with the local laws. We will notify you before we use your information for a purpose not stated in this privacy policy.

We will only process and use your data with your consent. You will be giving your consent for us to use your information for the purposes outlined in this privacy policy by accepting to the use of our website, by subscribing to our newsletters and events or by another clear affirmative action signifying your agreement for us to process and use your data. It is our usual practice to collect information directly from you. You can withdraw your consent at any time by following the procedure below.

Our key business functions, activities and purposes for collecting and processing your information include the following.

1. Recruitment and business information

We process information in relation to employees, future employees, job applicants and contractors for human resources and recruitment purposes.

The information that we collect may include sensitive and personal information including (but not limited to) gender, age, job title, identification, third party references, communications, survey responses, health assessments, employment history, qualifications and information in relation to salary payments. We collect this information with your consent and as supplied by you during our recruitment process and/or as part of your employment with the Company.

Sensitive information (including health information, race, ethnic origins, trade union membership, religious or philosophical beliefs) is only collected and processed with your consent and if it is required in order to comply with our legal obligations or if it is expressly permitted under the individual's local law.

We use this information for business and human resources purposes including for contractual management, administration, recruitment, obtaining relevant clearances, management of records, legal regulatory requirements and internal investigations. Further, we may use this information in order to fulfil our supply services and other contractual obligations.

2. Share Registry

We may collect personal information in relation to your shareholding with us. Information that we process will include your name, address, shareholder details, your tax file number and bank account details.

This information can be used for the purpose of paying dividends, regulatory reporting and compliance and to keep you up to date with our shareholder communications.

Where we engage a third party to externally manage our share registry, your information will be transferred and disclosed to them. This information will also be made available to regulatory bodies such as the Australian Taxation Office where required. For more information about third party relationships, please read below.

3. Website & Cookies

We secure and encrypt our website to avoid unauthorised access, modification or disclosure of your information and to protect your information from misuse, interference and loss.

With your consent, our website (and our related applications) use cookies to monitor and enhance your experience with us. We use Google Analytics when you visit our website and your information will be disclosed to them. Google stores their information in multiple locations so it is important to read their privacy policies for more information. You can opt out of the collection of information through your browser.

A cookie is a small text file that is located and stored on your computer or software browser. Google Analytics place cookies to obtain information in relation to the websites that you visit, how you navigate our website, your browser type, your time zone, your language settings, your geographical location, your VPN, what you look at on our website and for how long, your IP address, how you got to us and other relevant information associated with data analytics. Cookies that can identify you though your device are considered a type of personal data even if the information is only used for analytics, advertising or functional surveys.

Cookies allow us to understand you and how you interact with us so that we can provide you with a more personalised experience and build your navigation preferences into our system. We are also able to use this information to better understand your social media footprint.

We use google analytics when your visit our website to track our web traffic. You can opt out of the collection of information via Google Analytics Opt-out browser add on.

You have the ability to control and manage your cookies and the information that is collected and processed. For example, you are able to block or delete your cookies in your online browser. If you block or limit cookies in your online browser this may affect your experience on our website and some of our features may not function as designed.

We do not take responsibility for the content or privacy practices of any links to other websites contained on our website nor should a link be construed as an endorsement, approval or recommendation by us or of any information, graphics, materials, products or services referred to or contained on those linked websites, unless we expressly state otherwise. Please check the third party websites privacy statements prior to providing your information.

4. Use of tracking pixels

We use tracking pixels and/or cookies on our social media platforms including Facebook, Instagram, Twitter and other social media outlets. A tracking pixel is a graphic image placed on our social media applications and webpages that collect and store your information including but not limited to your social media movements, searches, location, what you view and the other sites you visit. We collect, store and use your information to optimise and direct our advertising and marketing opportunities so that they are tailed to you. You can opt out and turn off tracking pixels in the settings on your social media applications. For more information on how to disable your tracking pixels please contact the applicable social media server.

5. Newsletters, Email Alerts, Event Registration and Marketing

If you sign up and consent to receive our newsletters, updates and latest event bulletins we will ask you to provide us with information such as your name, email address and contact number. In addition to our newsletters and email updates we may use this information for other marketing purposes including inviting you to special events, promotions and other further publications. We always make sure that you know the alerts are being sent by us and a way to contact us if you have any concerns.

You are able to opt out and unsubscribe from our updates and alerts at any time.

In addition we will use the information collected by our cookies (including your geographical location and social media footprint) to tailor your marketing experience with the Company.

Unless you provide your express consent for us to use your information for marketing purposes any information collected through cookies will only be used for anonymous analysis and statistical purposes.

LEGAL BASIS FOR PROCESSING YOUR DATA, SECURITY AND THIRD PARTIES

We will use and disclose your information for the purposes for which it was collected based on your consent, the performance of a contract or in accordance with our legal obligations. We will only disclose your personal information if it is reasonably necessary in order to carry out one of our business functions.

We endeavour to store and protect your information in a secure, encrypted environment that deters and protects your information from unauthorised access and illegal processing. We promote an integrated privacy data procedure which means we assess our data processing techniques with the effect it will have on your data protection. Throughout our privacy impact assessments we will assess the risks of your rights and freedoms and the most appropriate technical and organisational measures to ensure a level of security appropriate to the risk and type of data is adopted. Appropriate technical and organisational measures to secure processing may include using pseudonyms, encrypting personal data and regular testing, assessing and evaluating the effectiveness of our privacy measures.

Your data may be stored internally or on software infrastructure processed by external third party service providers located Australia or overseas.

We will use a third party service provider where we cannot process the data ourselves and where we require assistance with the provision of client services. This includes for example our email campaign provider, our IT services company and other data management services. It is not practicable to specify each possible country in this policy however the service providers may be located overseas and your personal information may be disclosed to persons overseas for this purpose.

We will not give your information to third parties unless you consent or if you would reasonably expect that the information is the kind to be usually passed on to the third party (Australia only).

We assess and choose our third party service providers carefully and require all third parties to legally comply with the applicable privacy and data protection laws to the same high standard of data protection as our own. This includes having the necessary safe guards to ensure a secure and adequate level of data protection.

In certain circumstances, we may also have to disclose your information to authorities, advisors, suppliers of IT services, IP agencies, legal or other professional services due to legal or regulatory requirements in order to investigate a data breach or those third parties engaged by us to deliver services to you.

In the event Company is sold or merged with another entity we may disclose your information (with your consent) to another entity.

ACCOUNTABILITY AND GOVERNANCE

We undertake to implement appropriate technical and organisational measures to ensure our data processing measures comply with the applicable data protection legislation and regulations.

Where there is a change to our processing format and/or there is an increased risk that will affect or result in a high risk to the rights and freedoms of individuals, we will undertake a data protection impact assessment prior to processing any data. We also endeavor to provide audits when required in order to ensure your privacy is protected. We endeavor to keep all records of processing activities and assessments completed by us.

CONTACTING US ABOUT YOUR DATA: ACCESS, CORRECTION AND COMPLAINTS

It is important to us that your information is accurate, up to date, complete and relevant.

We therefore encourage you to contact us by written request if you believe this may not be the case and if you would like:

• to update, amend or correct inaccurate, incomplete or out of date data in our possession;
• to access, review or request a copy of your personal data;
• to remove, erase or delete your personal data;
• to limit or restrict the processing rights;
• to find out more information in relation to how we process your information, this privacy policy or your rights under this privacy policy;
• to withdraw previously given consent;
• to use a pseudonym for your data;
• to raise a concern of complaint about the way we have used or handled your information; or
• to exercise another right under the applicable data protections laws.

We endeavour to assist with your request within a reasonable time frame (and at the latest within 1 month of your request) unless it is unlawful to do so, if there are ongoing legal proceedings or if the request is deemed frivolous or vexatious.

You can obtain the information specified above or contact us using the following contact details below:

Australian Mines Limited
L23, 108 St Georges Terrace,
Perth, Western Australia, 6000
Email: [email protected]

Where you have raised a concern or complaint about the way we have used your personal information and you are not satisfied after consulting and raising your concerns with us, you can notify your applicable national data protection authority.

NOTIFIABLE DATA BREACHES

In the event of a serious data breach involving personal information that is likely to result in serious risk of harm to an individual, we will promptly contain the breach and take remedial action including, where appropriate, an assessment of the suspected data breach. Where an eligible data breach has been identified we will,

a) notify all individuals of the breach; or if that is not practicable

b) notify only the individuals whose personal information is at risk of serious harm (together, Notified Users).

We will provide Notified Users the details of the data breach, the kinds of information concerned in the data breach, the best way to contact us and our recommended steps in response to the data breach.

As soon as practicable after we become aware of the breach we will report a statement of the breach to the Australian Information Commissioner through the online platform.

If we deem (a) or (b) above not to be practicable, we will publish a copy of the statement prepared for the Australian Information Commissioner on our website.

If the breach involves data covered under the European Union General Data Protection Regulation we will advise the relevant supervisory authority of the data breach without undue delay and at the latest within 72 hours of becoming aware of the breach (otherwise a written explanation will accompany the notice) unless the risk is unlikely to be a high risk to rights and freedoms of individuals. The effected individual will also be notified as soon as possible after the incident where the breach poses a high risk to those individuals (unless there is effective technical and organisational protection measure that will ensure the risk is unlikely to occur).

STORAGE

We will take all reasonable steps to protect the security of the personal information that we hold and store against misuse, interference and loss due to unauthorised access, modification or disclosure.

We will keep your information for no longer than is necessary for our business purposes.

Data that is no longer necessary or required to be kept will be securely destroyed, de-identified or permanently deleted in accordance with our practices and procedures.

CHANGES

We reserve our right to amend this privacy policy from time to time. Any amendments will be effective from the date it is made available on our website.

If you do not agree with any of the terms and conditions contained in our privacy policy please exit the website and contact us directly with any queries or questions that you have.

GLOSSARY

There are a few key terms that we use in this data policy that you should be aware. The key terms we include:

• Personal information means all information relating to an identified natural persons. Types of personal information includes personal details (such as your name, address, telephone number, email address, employment details and bank account details).
• Sensitive data/information means information relating to racial or ethnic origins, political opinions, religious or philosophical believes, trade-union membership, genetic data, biometric data, health-related data and data in relation to sex or an individuals’ sexual orientation.
• Data Controller means Australian Mines Limited as we determine the purposes and the means by which personal information is collected and used.
• Consent means consent that is freely given, specific and informed and demonstrates an unambiguous indication of your wishes which by a statement or by a clear affirmative action signifies agreement to data processing. Consent must demonstrate a clear understanding of the reasons we are collecting the information and must at all times be able to be withdrawn without the user being disadvantaged.
• Processing means any and all action in relation to personal data including the collection, using, disclosing, storing, and transferring, deleting and otherwise handling personal data.