Legal

Privacy Policy

Version 2.0 · Last updated: 25 February 2026

This policy applies to all users of the Utilitarian platform, including end-customers and business users.

This Privacy Policy explains how Utilitarian collects, uses, stores, and protects personal data when you use our platform — whether you are an end-customer participating in a take-back or recycling programme, or a business user managing programmes on the platform.

We are committed to protecting your personal information and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Australian Privacy Act 1988 (Cth). This policy should be read alongside our Terms of Service and Data Processing Agreement.

Who we are

Utilitarian is a product lifecycle and take-back technology platform. We provide tools for product recognition, customer engagement, reporting, and programme management for take-back, recycling, and brand activation programmes operated by retailers and brands.

Depending on your location, the Utilitarian entity responsible for your data is:

· Utilitarian B.V., registered in the Netherlands (KVK 97343927), Schiedamse Vest 154, 3011 BH Rotterdam — for users in the European Economic Area, the United Kingdom, and Switzerland.

· Utilitarian Pty Ltd (ABN 89 655 178 402) — for users in Australia and New Zealand.

For all other locations, Utilitarian B.V. is the responsible entity unless otherwise specified. Throughout this policy, "Utilitarian", "we", "us", and "our" refers to the applicable entity.

Personal data we collect

The personal data we collect depends on how you interact with the platform.

If you are an end-customer participating in a programme

— Email address — if the programme includes email capture (used to send your discount or confirmation).

— Photo submissions — images you upload (typically of products such as shoes). These are screened automatically; see Section 5.

— Product and brand information — data identified or confirmed from your upload.

— Technical data — IP address, browser type, device information, and approximate location derived from normal web use. This is not used for profiling.

If you are a business user (retailer staff, administrator)

— Account data — name, business email address, role, and permissions.

— Store and programme details — information linked to your organisation's programmes.

— Technical and usage data — login activity, actions taken on the platform, and technical signals.

Data we do not collect

— We do not collect biometric data, financial or payment details, or government-issued identity numbers.

— We do not intentionally collect special category data (as defined in GDPR Article 9). If such data is included in a photo upload, it is handled through our screening and quarantine workflow (see Section 5).

How we collect personal data

· Directly from you — when you participate in a programme (uploading a photo, entering your email) or when you create a business account.

· From retailers — our clients provide programme and store details that may include information about their staff.

· Automatically — through cookies and similar technologies when you access the platform or open emails sent through it. See Section 8 for details.

How and why we use your data

We use personal data for the following purposes:

— Operating the platform — enabling retailers to run take-back, recycling, and brand activation programmes, and enabling you to participate in them.

— Image screening — automatically screening photo uploads to detect prohibited content and ensure only product images enter the operational workflow. See Section 5.

— Communications — sending confirmation emails, discount codes, or follow-up messages on behalf of the retailer operating the programme.

— Reporting and analytics — generating programme reports for retailers (using aggregated or de-identified data where possible).

— Service improvement — maintaining, securing, and improving the platform.

— Legal compliance — meeting our regulatory, contractual, or legal obligations.

We do not sell personal data to third parties. We do not use personal data for profiling or automated decision-making that produces legal or similarly significant effects, other than the image screening described in Section 5.

Image screening and quarantine

When you upload a photo through the platform, it is automatically screened using AI-based tools for two purposes:

(a) Product recognition — identifying the product type, brand, and category.

(b) Prohibited content detection — checking for the presence of people, faces, identity documents, or other personal or sensitive content that should not be in a product photo.

If the screening identifies your upload as a product-only image, it is classified as an Approved Image and enters the programme workflow.

If the screening detects potentially prohibited content, your upload is classified as a Quarantined Image and held for review by Utilitarian staff. Quarantined images are not visible to the retailer or any programme partner. After review, the image is either approved, deleted (with a prompt to re-upload), or escalated for further review.

This screening is automated but is not used to make decisions that produce legal or similarly significant effects on you. Its purpose is to protect your privacy by preventing personal or sensitive content from entering an operational workflow where it does not belong. You may request human review of any screening decision by contacting privacy@utilitarian.world.

Legal basis for processing (GDPR)

When processing personal data of users in the EU/EEA or UK, we rely on the following legal bases:

— Performance of contract — processing personal data as necessary to operate the platform on instruction from the retailer (our client), who is the data controller.

— Legitimate interests — maintaining and improving our platform, ensuring security, preventing misuse, and generating aggregated insights. We balance these interests against your rights and do not use this basis for direct marketing.

— Consent — where required, such as for marketing communications. Consent for marketing is managed by the retailer operating the programme, not by Utilitarian directly. You can withdraw consent at any time by following the unsubscribe instructions in the communication or by contacting the retailer.

— Legal obligation — where processing is necessary to comply with applicable law.

Controller and processor roles

Retailers (our clients) are the data controllers for end-customer data collected through their programmes. They decide what data is collected, why, and how it is used.

Utilitarian is the data processor. We process personal data on behalf of retailers, following their instructions and in accordance with our Data Processing Agreement.

For a limited set of data — such as billing contacts, security logs, and aggregated analytics — Utilitarian acts as an independent data controller. This processing is described in this policy and is necessary to operate and secure the platform.

Cookies and similar technologies

We use cookies and similar technologies for the following purposes:

Strictly necessary

These are required for the platform to function — for example, maintaining your session during a programme flow, or authenticating business users. These cannot be disabled.

Analytics and performance

We use analytics tools to understand how the platform is used, identify issues, and improve performance. These collect data in aggregated form and do not identify individual users. Where these cookies are non-essential, we obtain consent before setting them.

Email tracking

Emails sent through the platform on behalf of retailers may include tracking pixels to measure open rates and engagement. This tracking is managed by the retailer (as data controller) and is subject to the retailer's own privacy practices.

We do not use advertising cookies or third-party tracking for ad targeting. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent the platform from functioning correctly.

Who we share data with

We may share personal data with the following categories of recipients:

— Retailers — end-customer data is shared with the retailer operating the programme you participated in. The retailer is the data controller and their own privacy policy applies to their use of your data.

— Programme Partners — where a programme involves an operational partner (such as a recycler or logistics provider), that partner may see approved product images in view-only mode within the platform, to the extent necessary for programme operations. Programme Partners cannot access your email address or any other personal identifier, and cannot download or export images. These restrictions are enforced through technical access controls.

— Sub-processors — we use trusted service providers for hosting, email delivery, analytics, and IT security. These providers act as data processors under strict contractual obligations. A current list is maintained at utilitarian.world/legal/sub-processors.

— Utilitarian group companies — our Australian and Dutch entities share data for operational purposes under appropriate safeguards.

— Legal authorities — where required by law, regulation, or binding request from a competent authority.

We do not authorise the onward sale of personal data by retailers or their partners.

Data storage and international transfers

Personal data of EU/EEA users is hosted and processed in the European Union (Netherlands), unless otherwise agreed with the retailer.

Personal data of Australian users is hosted and processed in Australia and/or the EU.

Where personal data is transferred outside the EEA, we use appropriate safeguards including the EU Standard Contractual Clauses (Commission Decision 2021/914). For Australian data, we comply with Australian Privacy Principle 8 (cross-border disclosure).

For EU/EEA programmes, we use EU/EEA-based sub-processors only, unless otherwise agreed in writing with the retailer and subject to appropriate transfer safeguards.

Data retention

We retain personal data only for as long as necessary. Specific retention periods:

— Approved images and programme data: retained for the term of the programme plus 6 months, then deleted or de-identified.

— Quarantined images: retained for 14 days after the screening decision (standard), or until closure of any related request plus 30 days, then deleted.

— Email addresses and customer data: retained for the term of the programme plus 6 months, unless the retailer instructs earlier deletion or you request erasure.

— Audit and security logs: retained for 24 months, then deleted.

— Business user account data: retained for as long as the account is active, plus a reasonable period after deactivation.

At the end of the retention period, data is deleted or de-identified. You may request deletion at any time (see Section 12).

Your rights

Under the GDPR (EU/EEA and UK users)

You have the right to:

— access the personal data we hold about you;

— request rectification of inaccurate data;

— request erasure ("right to be forgotten");

— request restriction of processing;

— request data portability;

— object to processing based on legitimate interests;

— request human review of automated screening decisions (see Section 5); and

— lodge a complaint with a supervisory authority.

Under Australian law

You have the right to:

— access and correct your personal information;

— complain to us and, if unresolved, to the Office of the Australian Information Commissioner (OAIC).

How to make a request

Contact us at privacy@utilitarian.world. We will respond within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

Because the retailer is the data controller for end-customer data, we may redirect your request to the relevant retailer where appropriate. We will tell you if we do this.

Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit and at rest, role-based access controls, multi-factor authentication, regular vulnerability scanning, and audit logging. A detailed description of our security measures is included in our Data Processing Agreement (Section 4).

Updates to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of the page and publish the revised version on our website.

If changes are significant (for example, changes to how we use personal data, who we share it with, or your rights), we will notify business users directly and, where possible, take steps to inform end-customers through the platform or through the retailer.

Contact us

If you have questions about this policy or how we handle your data:

Europe

Utilitarian B.V.

Schiedamse Vest 154, 3011 BH Rotterdam

privacy@utilitarian.world

Australia

Utilitarian Pty Ltd

ABN 89 655 178 402

privacy@utilitarian.world

Utilitarian B.V. — Schiedamse Vest 154, 3011 BH Rotterdam (KVK 97343927)

Utilitarian Pty Ltd — ABN 89 655 178 402

Questions about privacy: privacy@utilitarian.world