ACE Electric Vehicles Terms & Conditions for Reserving a vehicle

(Revised Edition, Effective December 2025)

This amended policy incorporates updates to further align with Australian Privacy Principles (APPs), Australian Consumer Law (ACL), and recent privacy reforms (effective from December 2024 onwards, including the Privacy and Other Legislation Amendment Act 2024).

ACE EV Group commits to compliance, emphasising privacy by design, data minimisation, and fair practices to reduce risks while maintaining transparency.

Amendments focus on enhanced user controls, security measures, and balanced terms to mitigate potential litigation from data breaches, unfair contracts, or non-compliance.

1. Definitions

In this document, unless the context requires otherwise:

• ACL – Australian Consumer Law under the Competition and Consumer Act 2010 (Cth).
• APP – Australian Privacy Principles under the Privacy Act 1988 (Cth).
• Connected Vehicle Data – data generated by your ACE EV vehicle, comprised of Core Telematics Data and Sensitive Vehicle Data. We minimise collection to only what is reasonably necessary for defined purposes.
• Core Telematics Data – data necessary for the basic operation, maintenance, and safety of your vehicle, including odometer reading, battery state of charge and health, charging session history (date, duration, energy consumed), software version numbers, and diagnostic fault codes related to core systems (e.g., powertrain, brakes). This data is pseudonymised where practicable (e.g., where it does not impair the data’s utility for safety and maintenance purposes) to reduce identifiability.
• Personal Information has the meaning given in the Privacy Act 1988 (Cth), and we interpret it broadly to include any data that could reasonably identify an individual, including inferred data from vehicle patterns.
• Sensitive Information has the meaning given in the Privacy Act 1988 (Cth) and, for clarity regarding our products, includes precise geolocation history, continuous speed data, images or video from in-vehicle cameras, contact lists synced to the vehicle, and any biometric data (e.g., voice recognition). We do not collect sensitive information unless strictly necessary and with express consent.
• Sensitive Vehicle Data means Connected Vehicle Data that is also Sensitive Information.
• Privacy by Design means incorporating privacy considerations into product development from the outset, including data minimisation, default privacy settings, and security safeguards.
• Data Breach means unauthorised access, disclosure, or loss of Personal Information that is likely to result in serious harm, as defined under the Notifiable Data Breaches scheme.

2. Introduction & Scope

This document outlines the terms and conditions for using the ACE EV Group website and our privacy practices. It applies to all users. By accessing the website, you agree to these terms. Specific consents for data handling (e.g., collection of Sensitive Information, overseas transfers, direct marketing) are obtained separately via clear, stand-alone opt-in mechanisms to ensure they are voluntary, informed, current, and specific. Consents are unbundled, and you can withdraw them at any time without penalty or loss of core vehicle functions, though some optional features may be affected (we will clearly explain this at the time of consent).

Company Information

3. Key Points

• Focused Data Collection: We collect only the minimum data points reasonably necessary for defined purposes, using privacy by design principles. Express, separate consent is required for Sensitive Information, with defaults set to “off” for non-essential features.
• Clear Service Guarantees: The website facilitates transactions covered by ACL consumer guarantees. We commit to reasonable steps for compliance.
• Granular Control: Consents for collection, sharing, overseas transfers, and marketing are unbundled and obtained via separate opt-ins. You have easy access to review and withdraw consents via app or email.
• Fair and Compliant: We avoid unfair practices and design our terms to comply with evolving standards, including those for connected vehicles, children’s privacy, and cyber security. We prioritise proportionality to reduce overcollection risks.
• Children’s Privacy: For vehicles used by families, we provide additional controls for data involving minors (e.g., default opt-out for location tracking), in line with OAIC guidance and the developing Children’s Online Privacy Code. We implement age verification mechanisms, such as requiring parental email confirmation or other age gates, for features that may involve minors’ data.

4. Privacy Practices

We handle Personal Information openly and transparently (APP 1), incorporating privacy by design. You can interact anonymously where practical (APP 2). We collect only solicited information that is reasonably necessary for our specific business functions (APP 3), minimising data streams and conducting PIAs for high-risk activities. We notify you at or before collection (APP 5), including clear statements on purposes, risks, and your rights.

4.1 Information We collect limited types of information, minimising data where possible and de-identifying or aggregating it by default.

From You Directly: This includes:

• Contact & Transaction Details: Name, delivery address, phone number, email address, payment information for order processing (tokenised for security).
• Identity Verification Details: Driver’s license number or date of birth only when expressly required and with your separate, express consent for purposes such as financing applications or government rebate processing. We do not retain full copies beyond the time required for the specific purpose, after which they are securely deleted.
• Sources: Website forms, purchases, registrations, offline events, test drives.

Automatically from Website Use: Browser type, device operating system, IP address (anonymised where possible), and site usage data via cookies. Non-essential analytics/advertising cookies require separate consent and are defaulted to off.

From Other Sources: We may receive limited information, such as your contact details from an installation partner, solely to schedule your service or complete your order. We verify and minimise this data.

From Your ACE EV Vehicle:

• Core Telematics Data: As defined above, collected for vehicle operation, maintenance, and safety recall management. We pseudonymise this where feasible. You will be provided with clear notice about this collection at the point of vehicle sale or activation, in accordance with APP 5.
• Sensitive Vehicle Data: Such as continuous location, trip history, or camera footage, is collected only with your separate, express, informed consent for specific features you enable (e.g., stolen vehicle tracking, dashcam functionality). Anonymisation is applied by default for aggregated traffic data. We do not use analytics to deduce Sensitive Information (e.g., health conditions) from driving patterns and prohibit secondary inferences.

From Your ACE EV Energy Products: Installation date, product serial numbers, system configuration details (e.g., inverter model, number of batteries / panels), and performance data (e.g., energy generation, system alerts) for monitoring and warranty service. Data is minimised to essential metrics.

Table of Collected Data Types and Purposes

This structure reduces overcollection risks by defaulting to minimal data and using techniques like anonymisation.

4.2 How We Use Your Information We use information for its primary purpose or directly related secondary purposes with consent (APP 6), limiting to what is fair and reasonable.

• Service Fulfillment: Processing orders, delivering products, providing servicing, software updates, and warranty support.
• Communication: Responding to inquiries, sending safety notices (e.g., recall information), and administrative updates. Marketing communications require a separate opt-in and are not based on Sensitive Information.
• Improvement & Security: Using anonymised and aggregated data for product improvement, fraud prevention, and system security. We do not use data for profiling or secondary marketing without consent.
• Legal & Compliance: Meeting regulatory obligations, including data breach notifications.

For direct marketing (APP 7), we require express opt-in, promptly honour opt-outs, and do not use Sensitive Information. We conduct fairness assessments to ensure uses do not cause detriment.

4.3 Sharing Your Information We share information only as necessary with robust protections, using contracts to enforce compliance.

• Service Providers: With entities bound by contracts to handle data only for our specified purposes (e.g., cloud hosting, payment processing, delivery logistics). Contracts include data destruction clauses.
• With Your Consent: With finance providers, insurers, or utilities only when you elect a specific service that requires this sharing.
• For Legal Reasons: As required by law, subpoena, or to protect rights and safety.
• Business Transfers: In connection with a sale, with appropriate data safeguards and notification to you.

We do not share Personal Information for third-party marketing without your explicit, separate opt-in. Sharing is minimised, and we remain accountable under APP 8.

4.4 Overseas Transfers Data may be transferred overseas (e.g., to the US for cloud infrastructure) only with your separate, informed consent. The consent request will specify the country, associated risks (e.g., access under foreign laws like the U.S. CLOUD Act), and alternatives (e.g., local storage options where feasible for non-real-time data, or delayed processing to avoid transfers). We ensure equivalent safeguards via binding contractual clauses, standard data protection clauses, or other mechanisms aligned with APP 8, and conduct risk assessments.

Details on these safeguards are readily accessible in our dedicated Overseas Data Transfer Policy at www.aceelectricvehicles.com.au/overseas-transfers or upon request.

Withdrawal of Consent Information

4.5 Your Rights and Choices Your rights under the Privacy Act, ACL, and recent reforms include:

Access and Correction: Request access to or correction of your Personal Information via your ACE EV Account or by contacting us. We provide this free of charge where reasonable.

Opt-Outs: Separate mechanisms for:

• Direct marketing communications.
• Non-essential cookies.
• Collection of non-essential Sensitive Vehicle Data (e.g., disable location for “journey insights” while retaining for emergency assistance).

Deletion: Request deletion of your Personal Information, subject to legal retention requirements (e.g., warranty periods). We respond promptly and delete securely.

Complaints: Complain to us first, then to the Office of the Australian Information Commissioner (OAIC) or the Australian Competition and Consumer Commission (ACCC) for ACL issues. We aim to resolve internally within 14 days.

Automated Decisions: If Connected Vehicle Data or other Personal Information is used for automated decisions that have a significant legal or similarly substantial effect on you (e.g., denying a warranty claim based on diagnostic data), we will, upon your request, disclose the logic, the data involved, and the likely consequences. You have the right to request a meaningful human review of such a decision. We will complete this review and provide you with an explanation of the outcome within 30 days of receiving your request.

Requests: Email privacy@aceelectricvehicles.com.au. We verify identity and respond within 30 days (or sooner for small requests).

4.6 Security and Retention We implement reasonable security measures (APP 11) tailored to risks, including:

Technical Measures: Encryption for Connected Vehicle Data in transit and at rest, firewalls, multi-factor authentication, access controls, and regular software updates, aligned with industry standards such as ISO 27001, NIST Cybersecurity Framework, and OAIC’s Guide to Securing Personal Information.

Organisational Measures: Staff training on privacy, access limited to need-to-know, and regular security audits conducted by independent third-party experts. We maintain a robust security framework informed by these audits.

Breach Response: In case of a Data Breach, we notify affected individuals and the OAIC if serious harm is likely, per the Notifiable Data Breaches scheme. We maintain an incident response plan. Data is retained only as long as reasonably necessary:

• Transaction data: 7 years for tax/warranty.
• Vehicle data: Duration of ownership, or up to 2 years post-ownership only where strictly necessary for an active safety recall investigation, a specific legal obligation, or a communicated legal hold. We conduct periodic reviews to ensure this retention is proportionate and justified under APP 11.

After retention, data is securely deleted or de-identified. We take privacy by design steps to prevent misuse, considering vulnerabilities in connected vehicles.

5. Website Terms of Use

5.1 Access and Use
The site is for information and transactions. You must be 18+ or have guardian consent. We reserve the right to suspend access for violations without liability.

5.2 Intellectual Property
Content is protected. Personal, non-commercial use only. To the extent permitted by law, you agree to indemnify ACE EV Group against any loss, liability, or damage arising from your wilful infringement of our intellectual property rights.

5.3 Disclaimer and Liability

• Informational Content: While we endeavour to keep general website content accurate, it is provided for informational purposes only and should not be relied upon as specific advice. We disclaim liability for any inaccuracy in such general content to the fullest extent permitted by law, noting that this does not affect your rights under the ACL in relation to services we provide to you.
• Transactional Services: Our obligations to you are governed by non-excludable statutory guarantees under the ACL (e.g., due care, fitness for purpose). Our liability for breach of these consumer guarantees is not limited, and your remedies may include repair, replacement, or refund. For all other claims (to the extent permitted by law), our liability is limited, at our option, to the resupply of the services or the payment of the cost of resupply. This limitation does not apply to any claim arising from a breach of a consumer guarantee under the ACL. You indemnify us against claims arising from your wilful misuse or prohibited conduct. These limits and indemnities apply only to the extent lawful and do not affect your statutory rights.

5.4 External Links
Provided for convenience; we do not endorse them and disclaim liability for their content.

5.5 Prohibited Conduct
No unauthorised access, viruses, spam, or illegal activity. You are liable for, and agree to indemnify us against, all losses we suffer arising out of your breach of this clause or your unlawful use of the website.

6. Online Orders and Services

6.1 Pricing: In AUD, includes GST, subject to confirmation. No auto-renewals without separate consent.
6.2 Orders: Subject to availability. Refusals/cancellations come with ACL-compliant refunds, processed within 14 days.
6.3 Charging/Services: Fair use policies detailed at point of use, with clear limits to prevent disputes.

7. General

7.1 Changes to These Terms
We may update these terms with at least 30 days’ prior notice via email or a prominent site alert. Changes will be made only for valid reasons such as compliance with new laws, security enhancements, technological improvements, or to address material operational necessities (e.g., a critical change to our underlying service infrastructure or a significant increase in the cost of providing a service). If a change materially disadvantages you, you may terminate your agreement without penalty within the notice period. We will not make changes that unfairly imbalance the contract.

7.2 Ethical Commitments
Compliance with modern slavery, conflict minerals, ethical sourcing laws, and privacy by design principles.

7.3 Governing Law
Queensland, Australia; disputes in Queensland courts or via alternative resolution where appropriate for small claims.

8. Connected Vehicles Privacy Addendum

For ACE EV vehicles, we implement the following concrete practices to ensure fair and controlled data handling:

• Granular In-Vehicle Consent: Consents for Sensitive Vehicle Data are presented individually within the vehicle’s touchscreen interface and owner’s app, not bundled. Defaults are opt-out for non-essential data.
• Meaningful Choice: You can withhold consent for specific data types (e.g., location history) without losing access to core vehicle functions like driving, charging, and basic remote status checks. We provide alternatives where possible.
• Easy Ongoing Control: You can review, modify, or withdraw your data choices at any time via the in-vehicle menu or owner’s app, with changes taking effect promptly (within 24 hours).
• Transparent Automated Decisions: If Connected Vehicle Data is used for automated decisions that significantly affect you (e.g., denying a warranty claim based on diagnostic data, prioritizing service requests, or influencing insurance premium recommendations), we will disclose the logic, data sources, and potential impacts in plain language, and provide a simple path to request human review (e.g., via app button).
• Children’s Privacy Protections: For data involving minors (e.g., passenger location), we require parental consent and default to minimal collection, aligning with OAIC guidance and the Children’s Online Privacy Code. We use age verification methods like parental email confirmation.
• Data Breach and Security: We maintain a response plan for incidents, notifying you promptly if your data is affected.

Table of User Controls for Connected Vehicles