Privacy Policy
1. Application of this Policy
This Policy applies to Chrysos Corporation Limited ACN 613 131 141 and its related bodies corporate (“Chrysos”) and to any personal data collected by Chrysos in the course of its operations.
Chrysos is made up of different legal entities, so when we mention “Chrysos”, “we”, “us” or “our” in this Policy, we are referring to the relevant entity within Chrysos responsible for processing your data. Where required under applicable law, that entity will be registered as a data controller/processor with the relevant local authorities.
Chrysos is committed to handling personal data responsibly and transparently and to maintaining the trust of our employees, customers, suppliers and other stakeholders. In this Policy, “personal data” means any information that identifies an individual or could reasonably identify an individual. It does not include data where your identity has been permanently removed (de-identified information).
2. When we collect personal data
We may collect personal data:
- about our employees, officers or contractors for employment purposes (Employment Data);
- from job applicants, where individuals apply to us for a job or work placement (Recruitment Data);
- from our customers, in order to supply goods or services to them (Customer Data); and/or
- from suppliers, in order to obtain goods or services from them (Supplier Data).
3. Types of personal data we collect
We collect a range of personal data depending on the nature of our interactions with you. Such personal data may include:
- Identity Data (such as name, title and identifiers);
- Contact Data (such as address, email and telephone details);
- Employment and Professional Data (such as qualifications and work history, disciplinary records, attendance and leave records);
- Financial and Transaction Data (such as banking information, tax and superannuation information and transaction records); and
- Compliance Data (such as identity verification and due diligence information).
In limited circumstances, we may also collect and process Sensitive Data (such as health information and radiation exposure data) where this is reasonably necessary to comply with applicable occupational health and safety regulations. This may include recording and maintaining radiation exposure records. We will handle all Sensitive Data in accordance with applicable data protection and privacy laws, including applying appropriate safeguards and obtaining consent where required.
When a person interacts with our website, systems, platforms or customer-facing applications, we may also collect technical and usage data such as that person’s IP address, browser type, device information and pages visited (Technical and Usage Data). This information is typically collected through cookies and similar technologies where relevant to the service. These technologies may include both essential cookies (required for website functionality) and analytics cookies (used to understand website usage and improve performance). The use of cookies can be controlled through browser settings. Where required by law, we will obtain consent to the use of non-essential cookies.
4. How we collect personal data
We will generally collect Employment Data and Recruitment Data directly from the individual concerned. We will generally collect Customer Data directly from our customers or their representatives when they engage with us, including when they request or receive our services, enter into agreements with us, or communicate with us.
We will generally collect Supplier Data directly from suppliers or their representatives in the course of onboarding and managing supplier relationships, including when suppliers provide goods or services to us or enter into agreements with us.
We may also collect information from other sources, such as social media platforms. Any information gathered through these channels will be governed by the privacy settings, policies, and/or procedures of the applicable social media platform.
5. How we use personal data
In general, we will only use personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. More specifically, we use personal data for the purposes described below.
(a) Employment Data
We collect and process personal data about our employees, officers and contractors in connection with managing the employment or engagement relationship.
We use Employment Data to manage recruitment, onboarding and workforce administration; pay remuneration and provide benefits; monitor performance and conduct; ensure workplace health and safety; manage training and development; protect our business and systems; and comply with our legal and regulatory obligations as an employer.
Our lawful bases for processing Employment Data include the performance of an employment or engagement contract, compliance with legal obligations (including employment, tax, and workplace laws), and our legitimate interests in operating and managing our business effectively. Where required by law, we will obtain consent (for example, in relation to certain sensitive information), although consent is not generally relied upon as a primary basis for processing Employment Data.
(b) Recruitment Data
If an individual applies for a job or work placement with Chrysos, we will collect and process personal data relevant to their application. This typically includes the applicant’s contact details, employment history, qualifications, skills, references and other information they choose to provide as part of the recruitment process.
We use Recruitment Data to assess the applicant’s suitability for a role, manage the recruitment process, communicate with the applicant, and comply with our legal and regulatory obligations as an employer.
Our lawful bases for processing Recruitment Data include taking steps prior to entering into a contract, our legitimate interests in recruiting and managing our workforce, and compliance with applicable employment and regulatory laws. Where required or permitted by law, we may carry out pre-employment checks (such as identity, right-to-work, professional registration or background checks). Any such checks will be conducted in accordance with applicable laws and only where relevant to the role.
(c) Customer Data
Customer Data is typically collected and used to provide and administer our services, manage our relationship with the customer, process transactions, and comply with our legal and regulatory obligations.
Our lawful bases for processing Customer Data include the performance of a contract with the customer, our legitimate interests in operating, improving and securing our services and customer relationships, and compliance with applicable legal and regulatory obligations.
(d) Supplier Data
Supplier Data is typically collected and used to procure goods and services, manage accounts and payments, maintain business records, and comply with legal and regulatory obligations.
Our lawful bases for processing Supplier Data include the performance of a contract with the supplier, our legitimate interests in managing supplier relationships and business operations, and compliance with applicable legal and regulatory obligations.
If we need to use personal data for an unrelated purpose, we will notify the individual concerned and we will explain the legal basis which allows us to do so.
(e) Sensitive Data
We use any Sensitive Data collected (including health information and radiation exposure data) to ensure a safe working environment, comply with applicable health, radiation safety and other regulatory obligations, investigate incidents, and evaluate and improve the performance and safety of our products and services.
Our lawful bases for processing Sensitive Data include compliance with legal obligations (including workplace health and radiation safety laws), our legitimate interests in and, where applicable, reasons of public interest in the area of public health. Where processing is required or authorised by law, we do not rely on consent. In other circumstances, we may rely on our legitimate interests (where permitted) or obtain your explicit consent where required.
(f) Technical and Usage Data
Technical and Usage Data is used to operate, maintain, secure and improve our websites, systems, platforms and services that individuals interact with, including customer-facing applications. This data may be used for purposes such as monitoring system performance and availability, troubleshooting and support, ensuring security, detecting and preventing unauthorised access or misuse, and improving functionality and user experience.
Our lawful bases for processing this data include our legitimate interests in ensuring the functionality, security and performance of our website, and, where required by law, your consent (for example, in relation to non-essential cookies).
We do not use personal data for solely automated decision-making that produces legal or similarly significant effects on individuals.
6. Disclosure of personal data
We may disclose personal data to:
- our related bodies corporate;
- service providers and contractors who assist us in operating our business (including IT, cloud hosting, data storage, payroll, professional advisers and other support services);
- customers and suppliers where necessary to provide or receive services;
- regulators, government authorities, law enforcement bodies and mandated industry systems where required or permitted by law; and
- other third parties with your consent or as otherwise permitted by law.
We take reasonable steps to ensure that third parties who handle personal data on our behalf are subject to appropriate confidentiality and security obligations.
7. International transfers
We may transfer personal data to recipients located outside the country in which you are located, including to Australia (where our global headquarters are located), the United States, Canada, the United Kingdom and other countries in Europe, the Middle East and Africa (EMEA). Where we transfer personal data internationally, we take reasonable steps to ensure that appropriate safeguards are in place in accordance with applicable data protection laws. These safeguards may include contractual protections, secure data transfer mechanisms, and, where required, transfer impact assessments. However, in some cases, the overseas recipient may be subject to different data protection laws than those in your jurisdiction.
For individuals in Australia, where we disclose personal data to overseas recipients, we take reasonable steps to ensure those recipients handle personal data in a manner consistent with the Australian Privacy Principles, including through contractual protections.
For individuals in the United States and Canada, we process and transfer personal data in accordance with applicable federal and state/provincial privacy laws and implement reasonable administrative, technical and organisational safeguards to protect such data.
For individuals in the UK, EEA and broader EMEA region, where personal data is transferred to countries that are not recognised as providing an adequate level of protection, we rely on appropriate safeguards such as the European Commission Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, together with any supplementary measures required by law.
For individuals in Tanzania, where required under Tanzanian law, we will only transfer personal data outside Tanzania where adequate protection is ensured or with the individual’s explicit consent.
8. How we hold personal data
We may hold personal data in different ways, including in paper form, electronic form and/or in other mediums.
We will only retain personal data for as long as is necessary to fulfil the purposes it was collected for. We determine appropriate retention periods based on the nature of the personal data, the purposes for which it is processed, and applicable legal, regulatory, tax, accounting or reporting requirements.
Where personal data is no longer required, we will take reasonable steps to securely delete or de-identify it.
9. How we protect personal data
We implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, misuse, alteration or disclosure. Personal data is stored in secure, access-controlled systems and facilities, and access is limited to personnel and service providers with a legitimate business need, all of whom are subject to confidentiality obligations. We also require our third-party providers to maintain appropriate information security standards. We maintain procedures to identify and respond to suspected data breaches and will notify affected individuals and regulators where required by law.
10. Your rights in relation to personal data we hold about you
Individuals have certain rights under applicable data protection laws in relation to personal data we hold about them, including the rights to access, correct or delete their personal data, object to or restrict our processing, request transfer of their data (where applicable), and to withdraw consent to processing, where relied upon by us (without affecting prior lawful processing). These rights are subject to certain legal limitations and conditions. To exercise these rights, please contact us using the details set out below. We may need to verify the individual’s identity before responding and will generally respond within one month, although this may be extended where permitted by law. We do not usually charge a fee but may do so or decline requests that are manifestly unfounded or excessive.
For individuals in certain US states (including California), you may have additional rights under applicable privacy laws, including the right to request access to specific information about the personal data we collect, use and disclose about you, the right to request deletion of your personal data, and the right not to be discriminated against for exercising your privacy rights. We do not sell personal data as defined under applicable US privacy laws.
For individuals in Tanzania, you may have additional rights under Tanzanian privacy laws. Further information regarding these rights can be obtained from the Tanzanian Personal Data Protection Commission (PDPC), which is also the body to contact should you wish to make a complaint regarding the handling of your personal data.
11. How to make a complaint
Individuals have the right to make a complaint about how we handle their personal data, and we encourage affected individuals to contact us first, using the contact details set out below, so we can address their concerns promptly. We will investigate complaints and respond in accordance with our internal procedures. Individuals may also lodge a complaint with the relevant regulator in their home jurisdiction (for example, in Australia, the Office of the Australian Information Commissioner (OAIC)).
12. Contact details
If you have any questions about this Policy or our privacy practices, please contact our data privacy manager in the following ways:
Chrysos Corporation Limited ACN 613 131 141
2A Venture Road, Tonsley SA 5042, Australia
Data Privacy Manager
Phone: +61 8 7092 7979
Email: compliance.officer@chrysoscorp.com
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in applicable laws, regulatory guidance, technology and our operations. The current version will be published on our website and the “last updated” date will be revised accordingly. Where changes are significant or materially affect an individual’s rights, we will provide additional notice, including via our website or direct communication where appropriate.
Last updated: 16 April 2026