PRIVACY POLICY

LAST UPDATED: 24 February 2026

RFMS Australasia Limited, and QuantiSafe Limited, both with registered offices at 127A Gordon Road, Mosgiel, Dunedin 9024, New Zealand, NZBN 9429030996779 and 9429048424820 respectively, including their subsidiaries, affiliates and contractors acting on their behalf (collectively, the "Company", "we", "us", or "our") want you to be familiar with how we collect, use, and disclose information. This Privacy Policy describes our processing practices in connection with Personal Information that we collect through:

  • Websites operated by us;

  • Software applications developed by us or our affiliates, including Boost for RFMS ("Boost") and its associated application programming interface (the "Boost API"). Boost is designed to interface with the RFMS ERP system, a third-party product developed by RFMS Incorporated; data transmitted via the RFMS API is subject to RFMS Incorporated's own policies;

  • Remote support sessions with you;

  • In-person training, implementation, or consultation with you;

  • Email messages, telephone calls, online meetings, and other communications with you; and

  • Offline business interactions you have with us.

Collectively, we refer to the websites, software applications, communications, and offline business interactions as the "Services".

PERSONAL INFORMATION
“Personal Information” is information that identifies you as an individual or relates to an identifiable individual. Via the Services, we collect the following categories of Personal Information:

  • Personal Information we receive from you or your representatives:

    • Name and Contact Details – such as first and last name, email address, telephone number, postal address;

    • Business Details – such as company name, business email address, business telephone number, business postal address;

    • Account Information – such as username and password, profile image, assigned user role, and other information you share in your account;

    • Billing Information – such as debit or credit card details, bank account details, billing address, tax or business registration numbers;

    • Marketing Data - such as your choices regarding our newsletters, surveys, and other marketing/advertising displayed or provided to you, and preferred methods of such promotional communication;

    • Relationship History – such as details of your communications with us, and details of your claims, complaints and queries in general;

    • Transaction Information – such as details of the products and Services you have purchased or received from us;

    • User Files – such as logos, spreadsheets, PDFs, project drawings, database copies, and other files that we have acquired, or you have sent us, so that we can render Services to you;

    • Call and Meeting Recordings – such as audio recordings of telephone calls or audio and screen recordings of online meetings;

    • IT Information – such as information about your servers, computers, networks, operating systems, software, IP addresses, databases, computer accounts (usernames and passwords), and the name and contact information of your IT service provider.

  • Personal Information we collect through your use of our Services or from other sources:

    • Device Information – such as hardware identifiers, type of device and operating system, IP address, licensing information, and date/time and frequency of use;

    • Application Usage Data - such as features accessed, actions performed, and duration of use within our software applications, including Boost.

DATA COLLECTED AND PROCESSED BY BOOST FOR RFMS
In addition to the general categories above, the following information is specifically collected, processed, or transmitted through Boost and its associated API:

Organisation and Licensing Data
We collect and maintain your organisation's name, contact details (phone number, email address, physical address), and licensing information for the purposes of account management, license validation, and feature allocation. This data is stored for the duration of the business relationship between you and RFMS Australasia Limited, and thereafter as required by applicable law.

User Account Data
We collect and maintain the name, user identifier, and assigned role of each user account created within Boost. User identifiers are formatted as email addresses but may not correspond to an active email account. This data is stored for the duration of the user account and is used for authentication, access control, and feature allocation.

Transient Service Data
When you use Boost to perform business functions such as warehouse stocktake, reporting, or other operational tasks, the Boost API will necessarily receive, process, and temporarily store business data from your RFMS database in order to provide the requested service. This may include inventory data, financial data, customer records, supplier information, and any other data relevant to the function being performed. This data is retained only for as long as necessary to deliver the requested service and is then deleted. It is not used by RFMS Australasia Limited for any purpose other than providing the service you have requested.

Diagnostic Logs
API request and response traffic is logged for the purposes of debugging, support, and service improvement. These logs are automatically purged on a regular cycle. Authentication endpoints are excluded from logging; no passwords, session tokens, or authentication credentials are captured in diagnostic logs.

Third-Party Data Processing via RFMS ERP
Boost is designed to interface with the RFMS ERP system, a third-party software product developed and owned by RFMS Incorporated (a member of the Cyncly group of companies). RFMS Australasia Limited is an independent company and is not a subsidiary, division, or affiliate of RFMS Incorporated or the Cyncly group. Where Boost interfaces with the RFMS ERP system via the RFMS API, data may be transmitted to and processed by systems operated by RFMS Incorporated/Cyncly. Such data is subject to the privacy policies and terms of service of RFMS Incorporated/Cyncly, which are separate from and not governed by this Privacy Policy. RFMS Australasia Limited is not responsible for how RFMS Incorporated/Cyncly collects, uses, stores, or processes data transmitted via the RFMS API. The Licensee should review Cyncly’s privacy policies separately.

DATA SECURITY
We employ industry-standard organisational, technical, and administrative measures to protect Personal Information within our systems. These measures include, but are not limited to:

  • SSL/TLS encryption for all data transmitted between Boost and our servers;

  • Security certificates on our domains and servers;

  • Organisational access controls ensuring that all API access is scoped to the requesting user's organisation, such that authenticated users may only access data belonging to their own organisation;

  • Hosting infrastructure provided by secure datacentre facilities and Microsoft Azure cloud resources, selected with regard to their security certifications and compliance standards;

  • Regular review of security practices and infrastructure.

Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in Accordance with the "Contacting Us" section below.

COLLECTION OF PERSONAL INFORMATION
We and our service providers collect Personal Information in a variety of ways. We collect Personal Information through the Services, for example, when you sign up for a newsletter, register an account to access the Services, send us an email, place an order, contact us by phone, or run our applications.

If you do not provide the information requested, we may not be able to provide the Services. If you disclose any Personal Information relating to other people to us or to our service providers in connection with the Services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

USE OF PERSONAL INFORMATION
We do not sell Personal Information to third parties.

We and our service providers use Personal Information for the following purposes:

Providing the functionality of the Services and fulfilling your requests:

  • To provide the Services' functionality to you, such as arranging access to your registered account, providing you with related benefits, or rendering customer service;

  • To authenticate users and validate licenses for Boost and related software;

  • To process and temporarily store business data necessary to provide requested functions within Boost, such as reporting and stocktake services;

  • To respond to your inquiries and fulfil your requests, when you contact us via one of our online contact forms or otherwise, for example, when you send us questions, suggestions, compliments or complaints, or when you request a quote for or other information about our Services;

  • To complete your transactions, process returns and exchanges, verify your information, and provide you with related benefits, special promotions, or customer service;

  • To send administrative information to you, such as changes to our terms, conditions, and policies;

  • To allow you to send messages to another person through the Services if you choose to do so.

We will engage in these activities to manage our contractual relationship with you and/or to comply with a legal obligation.

Providing you with our newsletter and/or other marketing materials and facilitating social sharing:

  • To send you marketing-related emails, with information about our services, new products and other news about our company.

We will engage in this activity with your consent or where we have a legitimate interest.

Debugging, support, and service improvement

  • To diagnose and resolve technical issues with Boost and the Boost API;

  • To monitor service performance and reliability;

  • To improve the quality and functionality of our Services;

  • To provide you with technical and/or software support.

We engage in these activities based on our legitimate interest in maintaining and improving our Services and assisting you in the use of our Services.

Analysing Personal Information for business reporting and providing personalised services:

  • To analyse or predict our users' preferences in order to prepare aggregated trend reports on how our digital content is used, so that we can improve our Services;

  • To better understand your interests and preferences, so that we can personalise our interactions with you and provide you with information and/or offers tailored to your interests;

  • To better understand your preferences so that we can deliver content via our Services that we believe will be relevant and interesting to you.

We will provide personalised services based on our legitimate interests, and with your consent to the extent required by applicable law.

Aggregating and/or anonymising Personal Information:

  • We may aggregate and/or anonymise Personal Information so that it will no longer be considered Personal Information.

We do so to generate other data for our use, which we may use and disclose for any purpose, as it no longer identifies you or any other individual.

Accomplishing our business purposes:

  • For data analysis, for example, to improve the efficiency of our Services;

  • For audits, to verify that our internal processes function as intended and to address legal, regulatory, or contractual requirements;

  • For fraud prevention and security monitoring purposes, for example, to detect and prevent cyberattacks or attempts to commit identity theft;

  • For developing new products and services;

  • For enhancing, improving, repairing, maintaining, or modifying our current products and services, as well as undertaking quality and safety assurance measures;

  • For identifying usage trends, for example, understanding which parts of our Services are of most interest to users;

  • For determining the effectiveness of our promotional campaigns, so that we can adapt our campaigns to the needs and interests of our users;

  • For operating and expanding our business activities, for example, understanding which parts of our Services are of most interest to our users so we can focus our energies on meeting our users' interests.

We engage in these activities to manage our contractual relationship with you, to comply with a legal obligation, and/or based on our legitimate interest.

DISCLOSURE OF PERSONAL INFORMATION
We disclose Personal Information:

To our affiliates for the purposes described in this Privacy Policy:
Our affiliates will be responsible for handling all our legitimate requests regarding shared Personal Information.

To our third-party service providers, to facilitate services they provide to you or us:
These can include providers of services such as website hosting, cloud infrastructure (including Microsoft Azure), data analysis, payment processing, order fulfilment, return authorisation, fraud prevention, information technology, software testing and development, infrastructure provision, customer service or related benefits (including special promotions), email delivery, auditing, and other services.

Other Uses and Disclosures:
We also use and disclose your Personal Information as necessary or appropriate, in particular when we have a legal obligation or legitimate interest to do so:

To comply with applicable law and regulations - This may include laws outside your country of residence.

To cooperate with public and government authorities - To respond to a request or to provide information we believe is necessary or appropriate. These can include authorities outside your country of residence.

To cooperate with law enforcement - For example, when we respond to law enforcement requests and orders or provide information we believe is important.

For other legal reasons - To enforce our terms and conditions, and to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.

In connection with a sale or business transaction - We have a legitimate interest in disclosing or transferring your Personal Information to a third party in the event of any reorganisation, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, or assets (including in connection with any bankruptcy or similar proceedings).

YOUR RIGHTS BY JURISDICTION
Depending on where you are located, you may have certain rights regarding your Personal Information under applicable privacy and data protection laws. We are committed to honouring these rights regardless of your location, to the extent practicable.

New Zealand Residents
Under the Privacy Act 2020, you have the right to:

  • Request access to Personal Information we hold about you;

  • Request correction of any Personal Information that is inaccurate, incomplete, or misleading;

  • Request deletion of Personal Information where there is no lawful reason for us to continue to hold it;

  • Complain to the Office of the Privacy Commissioner if you believe we have interfered with your privacy.

Australian Residents
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

  • Request access to Personal Information we hold about you;

  • Request correction of any Personal Information that is inaccurate, incomplete, out of date, or misleading;

  • Complain to the Office of the Australian Information Commissioner if you believe we have breached the Australian Privacy Principles.

Where the Australian Consumer Law applies, nothing in this Privacy Policy limits any consumer guarantees or rights you may have under that law.

United States Residents
Various US state privacy laws, including the California Consumer Privacy Act (as amended by the California Privacy Rights Act), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and others, may grant residents of those states certain rights regarding their Personal Information. To the extent any such law applies to our processing of your Personal Information, you may have the right to:

  • Know what categories of Personal Information we collect about you and the purposes for which it is used;

  • Request access to the specific Personal Information we have collected about you;

  • Request deletion of Personal Information we hold about you, subject to certain exceptions;

  • Opt out of the sale or sharing of your Personal Information (note: we do not sell Personal Information);

  • Not be discriminated against for exercising your privacy rights.

We do not sell Personal Information. We do not use or disclose sensitive Personal Information for purposes other than those permitted under applicable law.

Exercising Your Rights
To exercise any of the rights described above, or if you have questions about how your Personal Information is handled, please contact us in accordance with the "Contacting Us" section below. We will respond to your request consistent with applicable law. We may need to verify your identity before processing your request. You will not be required to pay a fee to exercise your rights, except where permitted by applicable law.

OTHER INFORMATION
"Other Information" is any information that does not reveal your specific identity or does not directly relate to an identifiable individual. The Services collect Other Information such as: browser and device information; app usage data; information collected through cookies, pixel tags and other technologies; demographic information and other information provided by you that does not reveal your specific identity; information that has been aggregated in a manner such that it no longer reveals your specific identity.

Your use of the Applications:
When you download and use the applications, we and our service providers may track and collect application usage data, such as the date and time the application on your device accesses our servers and what information and files have been downloaded to the application based on your device number.

Cookies and similar technologies:
We may collect information using cookies and similar technologies.

Uses and Disclosures of Other Information:
We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. If we are required to treat Other Information as Personal Information under applicable law, we may use and disclose it for the purposes for which we use and disclose Personal Information as detailed in this Policy. In some instances, we may combine Other Information with Personal Information. If we do, we will treat the combined information as Personal Information whenever it is combined.

RETENTION PERIOD
We retain Personal Information for as long as needed or permitted considering the purpose(s) for which it was obtained and consistent with applicable law.

Specific retention periods for data processed through Boost are as follows:

  • Organisation and licensing data: retained for the duration of the business relationship and as required by law thereafter.

  • User account data: retained for the duration of the user account.

  • Transient service data (such as inventory or reporting data processed via the API): retained only for as long as necessary to deliver the requested service and then automatically deleted.

  • Diagnostic logs: automatically purged on a regular cycle, with a maximum retention period of ninety (90) days.

For all other Personal Information, the criteria used to determine our retention periods include:

  • The length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you have an account with us or keep using the Services);

  • Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or

  • Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

THIRD PARTY SERVICES
This Privacy Policy does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any website or service to which the Services link. The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by our affiliates. In addition, we are not responsible for the information collection, use, disclosure, or security policies or practices of other organisations, such as Apple, Google, Microsoft, Cyncly, or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider, cloud service provider, or device manufacturer, including with respect to any Personal Information you disclose to other organisations through or in connection with the applications.

USE OF SERVICES BY MINORS
The Services are not directed to minors and we do not knowingly collect Personal Information from minors.

JURISDICTION AND CROSS-BORDER TRANSFER
Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers, including New Zealand and Australia, and regions where Microsoft Azure datacentres are located. By using the Services, you understand that your information may be transferred to countries outside of your country of residence, which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.

Where required by applicable law, we will ensure that appropriate safeguards are in place for any cross-border transfer of Personal Information.

In-Country Data Hosting for Managed Hosting Clients
Where RFMS Australasia Limited provides managed hosting services for a client's database and ERP software (through GlobiCom Limited/VPS City), the client may request that their database be hosted in a datacentre located within their own country, for example where the client is subject to data sovereignty or data residency requirements imposed by government contracts, regulatory obligations, or applicable law.

Clients who have or become aware of such a requirement must notify RFMS Australasia Limited as soon as reasonably practicable after the requirement becomes known to them. Upon receiving such notification, RFMS Australasia Limited will either:

  • accommodate the in-country hosting requirement, which may be subject to different pricing to reflect variations in infrastructure costs by location; or

  • assist the client in retrieving their data from our infrastructure so that the client may arrange their own data hosting in compliance with their requirements.

Clients who use our managed hosting services and do not notify us of any data residency requirement will have their data hosted in the datacentre location selected by RFMS Australasia Limited at its discretion.

SENSITIVE INFORMATION
We ask that you not send us, and you not disclose, any sensitive Personal Information (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background, or trade union membership) on or through the Services or otherwise to us.

THIRD PARTY PAYMENT SERVICE
The Services may provide functionality allowing you to make payments to the Company using third-party payment services with which you have created your own account. When you use such a service to make a payment to us, your Personal Information will be collected by such third party and not by us and will be subject to the third party's privacy policy, rather than this Privacy Policy.

We have no control over, and are not responsible for, this third party's collection, use, and disclosure of your Personal Information.

UPDATES TO THIS PRIVACY POLICY
The "Last Updated" legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes will become effective when we post the revised Privacy Policy on the Services. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting the Personal Information we collect.

CONTACTING US
If you have any questions about this Privacy Policy, please contact us at help@rfmsanz.com, by using the phone number(s) listed on our website rfmsanz.com, or via postal mail to:

RFMS Australasia Limited
127A Gordon Road
Mosgiel, Dunedin 9024
New Zealand