Privacy Policy

1. Who We Are

WilliamThomas&Co. is an Australian AML/CTF compliance consultancy providing advisory, program development, training, and review services to businesses navigating AUSTRAC's Tranche II reforms and broader AML/CTF obligations. We operate across Australia on a consulting basis.

2. What Personal Information We Collect

We collect personal information that is reasonably necessary to provide our services and communicate with you. The types of personal information we may collect include:

Information You Provide Directly

• Your name, title, and contact details (email address, phone number)
• Your business name, role, and industry
• Information you provide in enquiry or contact forms on our website
• Information shared during consultation calls, discovery sessions, or the engagement process
• Information contained in documents, reports, or materials you share with us as part of a compliance engagement

Information We Collect Automatically

• Website analytics data, including pages visited, time on site, and referring URLs (collected via analytics tools such as Google Analytics)
• Device and browser information, IP address, and general location data
• Cookie and tracking data — see Section 9 (Cookies) below

Sensitive Information

We do not intentionally collect sensitive information (as defined by the Privacy Act, including health information, criminal record information, or financial information beyond what is reasonably necessary for our compliance advisory services). If you share sensitive information with us in the course of an engagement, we will handle it with heightened care and in accordance with this Policy.

3. How and Why We Collect Personal Information

We collect personal information by lawful and fair means, and only where it is reasonably necessary for one or more of the following purposes:

• Responding to your enquiries and providing information about our services
• Providing AML/CTF compliance consulting, advisory, training, and review services
• Preparing proposals, engagement letters, and reports
• Managing our ongoing client relationships and service delivery
• Sending relevant regulatory updates, insights, and communications where you have opted in or where we have a legitimate interest in doing so
• Improving our website and understanding how visitors use it
• Complying with our own legal and regulatory obligations

Where we collect personal information from you indirectly (for example, where a business provides us with contact details for a key personnel member), we will take reasonable steps to notify that individual of the collection as soon as practicable.

4. How We Use and Disclose Personal Information

We use personal information only for the primary purpose for which it was collected, or for a directly related secondary purpose that you would reasonably expect, or where you have consented to another use.

We may disclose your personal information to:

• Service providers and contractors who assist us in delivering our services, such as IT and cloud service providers, document management platforms, and communication tools — where these providers are bound by confidentiality obligations
• Professional advisors such as our own legal or accounting advisors, subject to professional privilege and confidentiality obligations
• Regulatory bodies or law enforcement agencies where we are required or authorised to do so by Australian law

We do not sell, rent, or trade your personal information to third parties for marketing or commercial purposes.

5. Overseas Disclosure

Some of the third-party platforms and tools we use to operate our business (including cloud storage, email, and website analytics) may store or process data on servers located outside Australia. Where this occurs, we take reasonable steps to ensure those providers maintain privacy and security standards consistent with the Australian Privacy Principles.

By providing us with your personal information, you acknowledge that your information may be transferred to and stored in countries outside Australia. We will not disclose your personal information to an overseas recipient unless we have taken reasonable steps to ensure the recipient handles your information in accordance with the APPs, or you have consented to the disclosure.

6. Security of Personal Information

We take reasonable steps to protect the personal information we hold from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

• Storing electronic information on password-protected and encrypted systems
• Limiting access to personal information to those who need it to perform their functions
• Using secure communication channels for the transmission of sensitive information
• Regularly reviewing our security practices

If we no longer need your personal information and are not required by law to retain it, we will take reasonable steps to destroy or de-identify it securely.

While we take these precautions, no data transmission over the internet is entirely secure. We cannot guarantee the absolute security of information transmitted to us via our website or email.

7. Your Rights — Accessing and Correcting Your Information

Under the Australian Privacy Principles, you have the right to:

• Request access to the personal information we hold about you (APP 12)
• Request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
• Opt out of receiving direct marketing communications from us at any time

To make an access or correction request, please contact us using the details in Section 10 below. We will respond to your request within a reasonable time, generally within 30 days. We may ask you to verify your identity before processing your request. We will not charge a fee for making a request, but we may charge a reasonable fee to cover the cost of providing access where permitted by law.

We may decline an access or correction request in limited circumstances permitted by the Privacy Act — for example, where providing access would have an unreasonable impact on the privacy of another individual. Where we decline, we will give you written reasons.

8. Complaints

If you believe we have handled your personal information in a manner that does not comply with the Privacy Act or the Australian Privacy Principles, we encourage you to contact us in the first instance so we can attempt to resolve your concern.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Post: GPO Box 5218, Sydney NSW 2001

9. Cookies and Website Analytics

Our website uses cookies and similar tracking technologies to improve your browsing experience and understand how visitors use our site. Cookies are small text files stored on your device by your browser.

We use the following types of cookies:

• Essential cookies: Necessary for the website to function correctly. These cannot be disabled.
• Analytics cookies: We use Google Analytics to collect aggregated, anonymised data about website traffic and usage patterns. This data does not identify you personally. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

You can control or delete cookies through your browser settings. Disabling certain cookies may affect the functionality of our website.

10. Contact Us

For any privacy-related enquiries, access or correction requests, or complaints, please contact:

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. The current version will always be published on this page with the effective date noted at the top. We encourage you to review this Policy periodically.

Material changes to this Policy will be notified to active clients via email where reasonably practicable.