Whistleblower Policy

Cohabit Technology Group Pty Ltd — Insurance Brokerage, Data & Reporting Products

1. Purpose

Cohabit Technology Group Pty Ltd ("Company", "we", "our") is committed to lawful, ethical, and responsible conduct across:

  • Our insurance brokerage operations
  • Our data collection, analytics, and data services business
  • Our reporting platforms and technology products

This policy establishes a safe, confidential, and legally compliant process for reporting misconduct or improper conduct without fear of retaliation.

We encourage the reporting of concerns to ensure:

  • Compliance with AFSL and Corporations Act obligations
  • Integrity in client dealings
  • Protection of confidential and personal information
  • Accuracy and reliability of reporting products
  • Maintenance of public trust in our services

2. Scope

This policy applies to:

  • Employees (permanent, part-time, casual)
  • Directors and officers
  • Contractors and consultants
  • Brokers and authorised representatives
  • Suppliers and service providers
  • Former employees and associates
  • Relatives and dependants of eligible whistleblowers

This policy applies across all business units including:

  • Insurance broking and placement
  • Claims handling and advice services
  • Data aggregation and analytics
  • Reporting tools, dashboards, and products
  • Technology development and platform operations

3. What Can Be Reported?

A disclosure may be made if a person has reasonable grounds to suspect misconduct or improper conduct.

Examples include, but are not limited to:

3.1 Insurance Brokerage Conduct

  • Breaches of AFSL obligations
  • Conflicted remuneration or undisclosed commissions
  • Misleading or deceptive conduct
  • Failure to act in client best interests
  • Improper claims handling practices
  • Fraudulent placement or premium misrepresentation

3.2 Data & Reporting Misconduct

  • Manipulation of reporting data
  • Falsification of analytics outputs
  • Intentional misrepresentation of reporting results
  • Improper suppression of negative findings
  • Data integrity breaches

3.3 Privacy & Data Protection

  • Unauthorised access to personal or client data
  • Breach of the Privacy Act or APPs
  • Improper data sharing
  • Security vulnerabilities knowingly ignored
  • Failure to notify eligible data breaches

3.4 Corporate & Financial Misconduct

  • Fraud, theft, or corruption
  • Accounting irregularities
  • False financial reporting
  • Insider trading or misuse of confidential information

3.5 Regulatory or Legal Breaches

  • Breaches of Corporations Act
  • ASIC reporting failures
  • AML/CTF non-compliance
  • Modern slavery violations
  • Tax evasion

3.6 Retaliation

  • Victimisation of a whistleblower
  • Threats, harassment, or intimidation

4. What Is Not Covered?

This policy does not cover:

  • Personal work-related grievances (unless they relate to victimisation or systemic misconduct)
  • Performance disputes
  • Interpersonal conflicts unrelated to misconduct

Such matters should be addressed under HR grievance procedures.

5. Who Can Receive a Disclosure?

Disclosures may be made to:

  • A Director
  • The Responsible Manager (AFSL)
  • Head of Compliance / Risk
  • Company Secretary
  • External legal counsel
  • An ASIC-authorised auditor

Alternatively, disclosures may be made directly to:

  • ASIC
  • APRA (if applicable)
  • A legal practitioner for advice

6. How to Make a Disclosure

Reports may be made:

  • In writing (email or secure form)
  • Verbally (phone or in person)
  • Anonymously

Company Contact:

compliance@cohabit.com.au

Anonymous disclosures are permitted and will be treated seriously.

7. Confidentiality & Anonymity

The Company will:

  • Keep the whistleblower's identity confidential
  • Not disclose identifying information without consent
  • Remove identifying details where practical
  • Store records securely

Identity may only be disclosed where required by law.

Unauthorised disclosure of a whistleblower's identity is a serious offence.

8. Protection Against Detriment

The Company strictly prohibits retaliation, including:

  • Dismissal
  • Demotion
  • Harassment
  • Discrimination
  • Injury or damage
  • Threats or intimidation

Anyone found engaging in retaliation will face disciplinary action, including termination.

Whistleblowers are protected under the Corporations Act 2001 (Cth).

9. Investigation Process

Upon receiving a disclosure:

  1. The matter is acknowledged (where possible).
  2. A preliminary risk assessment is conducted.
  3. An independent investigator may be appointed.
  4. Relevant documents and systems may be reviewed.
  5. Findings are reported to the Board or appropriate authority.
  6. Corrective action is implemented where required.

Investigations will be:

  • Fair
  • Impartial
  • Conducted confidentially
  • Completed within a reasonable timeframe

Where appropriate, the whistleblower will be informed of progress.

10. Fair Treatment of Individuals Mentioned

The Company will:

  • Treat all individuals fairly
  • Maintain confidentiality
  • Provide opportunity to respond to allegations
  • Avoid reputational harm unless findings support action

11. Handling of Data & Technology Investigations

Given our operation of data and reporting products:

  • Access logs may be reviewed
  • System audit trails may be examined
  • Data integrity testing may be conducted
  • Independent technical audits may be commissioned

All investigations involving personal information will comply with privacy obligations.

12. Record Keeping

All disclosures will be:

  • Logged in a secure register
  • Assigned a unique case reference
  • Documented in accordance with compliance obligations
  • Reported to the Board (de-identified where appropriate)

13. Regulatory Reporting

Where required, the Company will report matters to:

  • ASIC
  • APRA (if relevant)
  • OAIC (for privacy breaches)
  • AUSTRAC (if AML/CTF issue)

14. False or Malicious Reports

Making a report that is knowingly false or malicious may result in disciplinary action.

However, a report made in good faith will not result in consequences, even if unsubstantiated.

15. Policy Review

This policy will be reviewed:

  • Annually
  • Upon regulatory change
  • Following any material whistleblower event

16. Availability

This policy will be:

  • Published on the Company intranet
  • Available to all staff
  • Provided to contractors and authorised representatives
  • Available upon request