We collect personal information that is reasonably necessary to provide our services and to run our business. Without this information, we may not be able to provide our services or run our business effectively.

The types of personal information we collect depend on the nature of your relationship with us and the services we are providing.

For our clients, we typically collect:

• identity details, such as name contact details and date of birth;
• employment and business details, such as job title and employer;
• financial details, including billing and payment information;
• other information relevant to your client matter (which may on occasion include sensitive information, such as health or medical information or criminal history); and
• other information required by law or our professional rules.

For prospective and current employees, we collect information necessary for recruitment and employment, including qualifications, work history and references.

For suppliers and business contacts, we collect names, contact details and information relevant to our business relationship.

If you interact with us via our website or other marketing channels, we may collect online data about you such as IP address, device and browser details, and usage data specific to accessing our website and social media channels.

From 1 July 2026, we will be a reporting entity under Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime which means we are required to comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the AML/CTF Rules. This will impact the types of personal information that we collect from individuals we engage with, how the information is collected and what it is used for. Section 2.8 below sets out more detailed information about how we handle personal information for AML/CTF purposes.

We usually collect personal information directly from you – for example, when you engage us, fill out a form, contact us by telephone, email, or through our website or social media channels, attend an event or visit our website.

We also collect personal information indirectly in several ways, and you may not always be aware of this collection:

• We may receive your personal information from your authorised representatives or agents, such as your accountant, financial adviser or another law firm acting on your behalf.
• We may receive your personal information from court documents and regulatory filings, or from third parties, such as barristers, experts, consultants, regulators and government agencies.
• Our clients sometimes provide us with personal information about third parties in order for us to advise them. For example, in disputes, our clients may provide us with personal information about opposing parties or witnesses, and in commercial transactions, we may receive personal information about directors, employees or shareholders of a target company or business.
• We may collect personal information from publicly available sources where relevant, such as the Australian Securities and Investments Commission (ASIC) registers, the Personal Property Securities Register (PPSR) and lands title searches. These searches may reveal personal information about individuals who are not our clients.
• Our website and marketing software may collect information about individuals who interact with us online or attend our events, in connection with our business development and marketing activities.

We use the personal information we collect for purposes directly related to providing our services and running our business. This includes communicating with clients and other parties involved in a client matter, managing billing, payments and client accounts, and meeting our professional and legal obligations.

We also use personal information to:

• conduct internal administration, risk management and training;
• improve our services, including through the use of technology and analytics; and
• market our services to clients and business contacts (with an option to opt out).

We do not use your personal information for any unrelated purpose without your consent.

We take reasonable steps to protect personal information we hold from misuse, interference, loss and from unauthorised access, modification or disclosure. Our security measures include:

• secure electronic systems and encrypted communications;
• access controls, passwords, confidentiality agreements and staff training; and
• secure document disposal and data retention practices in line with professional and legal requirements.

We may hold or process personal information using secure third-party platforms, such as our practice management system, document management system, email system, electronic execution software, customer relationship management software, Microsoft 365, cloud storage and specialist third-party AML/CTF compliance software. When using third-party service providers, we take reasonable steps to:

• use reputable service providers that have strong data protection standards; and
• ensure that the providers handle personal information consistently with the APPs and are bound by obligations of confidentiality consistent with our professional and legal obligations.

We primarily store personal information on servers located in Australia. Where Australian-based hosting is unavailable, our secondary hosting location is the European Union. Other regions used by our service providers may include the United States of America and Asia-Pacific (for example, in connection with Microsoft 365 and secure cloud hosting services). Where personal information is stored or processed overseas, we take reasonable steps to ensure compliance with the APPs or equivalent international standards.

We may use personal information we have collected from you (other than sensitive information) to market our services to you, including providing information about legal developments, publications and our events. We will only do so where permitted by applicable privacy laws.

You can ask us to stop sending you marketing communications at any time by contacting our Privacy Officer using the contact details below, or by using the unsubscribe facility in our electronic communications, and we will action your request promptly.

When you visit our website:

• we may collect information about you such as IP address, browser type and website pages accessed;
• cookies may be used to improve functionality, enhance security and analyse traffic (you can disable cookies in your browser settings, noting some website features may not function properly without them);
• analytics tools, such as Google Analytics, may track website usage trends; and
• our website may include some links to third-party websites (we limit these wherever possible). We are not responsible for the privacy practices of those external sites.

We may use secure third-party AI-based tools and automated systems to support internal processes and provide our services, including:

• document management and review;
• legal research and knowledge management; and
• administrative support and efficiency (such as electronic execution of documents, transcription, scheduling and workflow automation).

When using these tools and systems, we apply the service provider standards described in section "How we hold personal information" above. In addition, we take reasonable steps to ensure that our AI service providers will host data in Australia and will not train their models on any information that we provide.

Our lawyers remain responsible at all times for reviewing legal advice for accuracy and relevance as part of our standard process to settle work for clients.

This section explains how we collect, handle and use personal information specifically in connection with our AML/CTF compliance obligations.

Why we collect personal information

Given the multi-disciplinary nature of our practice, which includes both legal advisory services across a broad range of specialist areas and conveyancing, we have assessed that client engagements may reasonably involve, or evolve to include, the provision of a designated service. So that we are able to seamlessly provide our clients with our full suite of services and also meet our AML/CTF compliance obligations, we may undertake customer due diligence (CDD) on all of our clients at the point of onboarding.

We also collect information necessary for personnel due diligence (PDD) in relation to our current and prospective employees, contractors, and other personnel in accordance with our AML/CTF compliance obligations.

What information we collect

The personal information we collect for AML/CTF purposes may include identity and verification information, information about beneficial owners and controllers of entities, information relevant to sanctions and politically exposed person screening, and other information required to assess money laundering and terrorism financing risk.

In the context of PDD, we may collect identity and verification information, employment history, qualifications, and other information relevant to assessing whether personnel pose a risk of involvement in money laundering or terrorism financing.

How we collect information

We usually collect CDD information directly from you at the point of onboarding. We use a specialist third-party CDD platform to facilitate our customer due diligence and identity verification processes. We may also collect personal information about individuals other than our direct client (such as beneficial owners) from our client or from third-party sources where it is impracticable to collect it directly from the individual.

PDD information is usually collected directly from the relevant employee or contractor during onboarding or at periodic intervals as required by our AML/CTF program. We may also collect PDD information from third-party sources, such as referees or screening providers, where necessary to verify information provided or to complete required checks.

Disclosure

We may disclose personal information for AML/CTF purposes to AUSTRAC, law enforcement and regulatory bodies (where required or authorised by law, including for the submission of suspicious matter reports), and to third-party service providers engaged to assist with our CDD and PDD processes. We will not use or disclose personal information collected for AML/CTF purposes for an unrelated purpose unless an exception under the Privacy Act applies or we obtain your consent.

Information retention

We retain AML/CTF records in accordance with our obligations under the AML/CTF Act and take reasonable steps to destroy or de-identify personal information once it is no longer required.

More information

For further information about how our AML/CTF compliance obligations might impact you, please refer to our AML/CTF article available on our website.

We may disclose personal information where it is necessary to provide our services or to comply with our legal obligations. Common examples include disclosing information to:

• courts, tribunals, regulators and government authorities;
• other parties involved in a transaction or dispute; and
• barristers, expert witnesses, consultants and other professionals engaged on your behalf.

We may also disclose personal information to our third-party service providers (e.g., IT, cloud storage, practice management system, document management system, client relationship management system, marketing support), subject to the service provider standards described in section "How we hold personal information" above.

We do not routinely disclose personal information to overseas recipients. However, we may do so where necessary for a particular matter – for example, if we instruct an overseas law firm or agent on a client’s behalf. The countries to which personal information may be disclosed for a particular client matter will depend on the nature of the specific engagement.

In addition, some of our third-party service providers may store or process personal information outside of Australia, in the regions described in section "How we hold personal information" above.

You have the right to request access to personal information we hold about you, and to ask us to correct it if you believe it is inaccurate, out-of-date, incomplete, irrelevant or misleading.

To make an access or correction request, please contact us using the details below. We will respond to your request within a reasonable period.

Our obligation to provide access to personal information will be limited in circumstances where doing so would be inconsistent with secrecy or tipping off provisions under the AML/CTF Act.

Where practicable, you have the option of not identifying yourself, or of using a pseudonym, when dealing with us. However, in most cases we will need to verify your identity in order to provide you with our services or to comply with our professional and legal obligations. In such circumstances, it will not be practicable for us to deal with you on an anonymous or pseudonymous basis.

You may ask us not to send you marketing communications at any time by contacting us using the details below.