lucasLINK – Privacy Policy
Last updated: 21 October 2025
Legal entity: LucasLINK, powered by Lucas Group Solutions (ABN 85 302 985 291) (“LucasLINK”, “we”, “us”, “our”)
Contact: hello@lucaslink.com.au | PO BOX 945, Hillarys, WA, 6923
We respect your privacy. This policy explains how we collect, use, disclose, store, and protect your personal information in Australia, and how you can access or correct it. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Compliance clarity: LucasLINK is not a digital currency exchange (DCE). We accept select digital assets only as payment for our own services (merchant acceptance). We do not provide exchange, conversion, brokerage, remittance, or custody services. See our Terms of Service for details.
1) What we collect
We may collect the following categories of personal information (as relevant to your interactions with us):
- Identity & contact: name, business name, role, ABN/ACN, email, phone, postal and billing addresses.
- Account & communications: login details, support requests, feedback, survey responses, and preferences.
- Transactional: invoices, quotes, project records, payment references (including transaction hashes and paid wallet addresses), and audit logs.
- Website & device: IP address, device type, browser, pages viewed, referring links, session data, cookies (see §10).
- KYC/AML (conditional): where required by law or our risk settings (e.g., higher-value invoices, unusual activity), we may request verification data such as date of birth, government-issued ID details, liveness checks, business ownership/beneficial owner information, and screening results (e.g., sanctions/PEP checks).
- Sensitive information: we generally avoid collecting sensitive information. If collection is necessary (e.g., AML/CTF risk assessment), we will do so with consent or as permitted by law.
We collect personal information directly from you, your authorised representatives, publicly available sources (e.g., ABN Lookup), and trusted service providers (e.g., analytics, KYC vendors).
2) Why we collect it (purposes)
We collect and use personal information to:
- Provide, price, deliver, and support our services (e.g., web builds, integrations, consulting).
- Manage accounts, proposals, statements of work, and project communications.
- Accept digital-asset payments for our own services and reconcile invoices (including recording transaction hashes for audit).
- Perform risk assessment and comply with law, including AML/CTF obligations (KYC, record-keeping, screening).
- Operate and improve our website, user experience, and security.
- Send administrative notices, service updates, and (with consent) marketing communications you can opt out of at any time.
- Handle disputes, complaints, chargebacks, and enforcement of our Terms.
3) Our business model (privacy context)
To avoid doubt: we do not provide exchange, conversion, brokerage, remittance, or custody. We do not send funds back as “refunds” in crypto or fiat. Overpayments, if any, are handled by account credits or scope adjustments only (see Terms and the Volatility & Finality Policy). This privacy context explains why we record transaction hashes and payment addresses for reconciliation and compliance — not for exchange activities.
4) AML/CTF and KYC
We aim to operate within a merchant-acceptance model. However, Australian AML/CTF laws may require us to implement KYC and other controls for certain customers, transactions, or risk triggers (e.g., large invoice values, unusual patterns, sanctions exposure). Where applicable:
- We may request identity and business verification (including beneficial ownership), conduct sanctions and PEP screening, and assess transaction risk.
- We may use independent verification providers (ID document checks, liveness, screening).
- We will keep required AML/CTF records for the statutory minimum period (typically 7 years) and restrict access to authorised personnel on a need-to-know basis.
- If you do not provide requested information, we may be unable to proceed with services or accept payment.
5) Legal bases (APPs) and, where relevant, GDPR/UK
Under Australian law, we collect and use personal information as reasonably necessary for our functions or activities, and as otherwise permitted by law (APP 3 & 6). If you are in the EEA/UK, we typically rely on contract necessity, legitimate interests (e.g., security, fraud prevention, AML/CTF compliance), legal obligation, and consent (for optional marketing). See Annex A for EEA/UK rights.
6) Disclosing your information
We may disclose personal information to:
- Service providers acting on our instructions: hosting, cloud storage, email and collaboration tools, analytics, customer support, KYC/AML providers, auditors, professional advisers, and insurers.
- Regulators and law enforcement where required or authorised (e.g., responding to lawful requests, AML/CTF obligations).
- Business counterparts where necessary to deliver services (e.g., domain registrars, infrastructure partners), limited to what’s needed.
- Corporate transactions: if we restructure or sell assets, we may transfer information subject to confidentiality and this policy.
We do not sell personal information.
7) Cross-border disclosures
Our providers may process personal information in Australia and other countries (e.g., [list likely regions, such as the United States, EU/EEA, United Kingdom, Singapore]). Where we transfer information overseas, we take reasonable steps to ensure recipients protect it in accordance with the APPs (APP 8), such as contractual safeguards and vendor due diligence.
8) Data security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, including:
- Access controls, least-privilege roles, and MFA for administrative accounts.
- Encryption in transit and at rest (where supported by our providers).
- Network and application monitoring, logging, and backups.
- Vendor risk review and confidentiality obligations.
No method is perfectly secure. If a data breach is likely to cause serious harm, we will assess and, where required, notify you and the OAIC under the Notifiable Data Breaches scheme.
9) Retention
- We keep personal information only as long as necessary for the purposes in this policy or as required by law.
- AML/CTF records (e.g., KYC checks, transaction evidence) are retained for at least 7 years (or longer if required) from the relevant event or the end of the customer relationship.
- When no longer required, we take reasonable steps to de-identify or securely destroy information.
10) Cookies, analytics & tracking
We use cookies and similar technologies to operate the site, remember preferences, and improve performance. We may use analytics tools to understand aggregate usage and improve content. You can set your browser to refuse cookies or to prompt you; some features may not work without them. We do not respond to “Do Not Track” signals.
If we run marketing or retargeting pixels, we will present cookie consent options where required and provide opt-out links in our notice/banner.
11) Access, correction, and choices
- Access & correction: You may request access to, or correction of, the personal information we hold about you. We will respond within a reasonable time.
- Marketing opt-out: You can opt out of marketing emails at any time via the unsubscribe link or by contacting us.
- KYC data: Where AML/CTF laws require retention, deletion requests may be limited until the retention period ends.
To make a request, contact hello@lucaslink.com.au.
12) Complaints
If you have privacy concerns, contact us at hello@lucaslink.com.au. We’ll investigate and respond promptly. If you’re not satisfied, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Mail: GPO Box 5288, Sydney NSW 2001
13) Children
Our services are intended for business users and their respective customers. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information, please contact us and we will take appropriate steps.
14) Changes to this policy
We may update this policy from time to time. The “Last updated” date reflects the most recent version. Material changes will be communicated via our website or by email where appropriate. Continued use of our services after changes means you accept the updated policy.
15) Contact us
Questions, requests, or complaints: hello@lucaslink.com.au
Postal address: PO BOX 945, Hillarys, WA, 6923
Prominent compliance statement
LucasLINK operates as a merchant-acceptance business and is not a digital currency exchange (DCE). We accept select digital assets only as payment for our own services. We do not provide exchange, conversion, brokerage, remittance, or custody services.
All crypto payments are final and non-refundable once confirmed on-chain. Prices are set in AUD, and the payable digital-asset amount is fixed at the time of payment initiation. LucasLINK does not offer conversion, cash-outs, or custody of client funds.
Statutory rights under the Australian Consumer Law (ACL) remain unaffected. See our Terms of Service for details.
