Privacy Policy

Effective and last updated date: January 29, 2026

At Orora, we are committed to protecting your privacy and using your data carefully. This privacy policy (“Privacy Policy”) describes the privacy practices of Orora Limited and its affiliates, subsidiaries, international and associated entities. (“Orora”, “our”, “we”) for our websites (“Websites”) or any website or mobile application that we own, operate or control that links to this Privacy Policy.

This Privacy Policy outlines how we collect, use, share, store and manage your personal data, including when you create an Orora account, interact with our customer support specialists and visit www.ororagroup.com or other Orora Websites that link to this Privacy Policy.

In certain jurisdictions, including Australia, there are exemptions which apply to particular “employee records.” In such circumstances, Orora may operate within certain exceptions to the restrictions in those relevant privacy laws in relation to such employee records. While Orora makes every effort to treat your personal data in accordance with this Privacy Policy, Orora is entitled to rely on any “employee records” exemption or other exemptions available under applicable local laws.

This privacy policy covers the following topics:

1. What is Orora?
2. What personal data do we collect?
3. Why do we collect and process personal data?
4. How do we share personal data about you?
5. How do we protect your personal data?
6. Do we transfer your personal data internationally?
7. How long do we retain your personal data?
8. What about third party links?
9. What are your rights?
10. Do we collect children’s data?
11. Notice to Australian Residents
12. Notice to California residents
13. Notice to European Economic Area and United Kingdom residents
14. Notice regarding Mexico’s data protection laws
15. Accessibility
16. How to contact us
17. Privacy Policy updates

1. What is Orora?

Orora, along with its associated entities, is a global beverage packaging manufacturer with more than 4,000 team members located across seven countries. Orora’s global operations span Australasia, the United Arab Emirates, Mexico, North America and Europe.

Orora Limited, or its relevant subsidiary, is the data controller of all personal data collected from residents of Australia, the United States, the European Economic Area and the United Kingdom

2. What personal data do we collect?

The personal data we collect about you depends on who you are and how we interact with you. Personal data means any information relating to an identified or identifiable natural person.  It includes data that could be used to identify, locate, track or contact you.

If you are a customer, business partner, or express interest in our solutions:

• Learning about our company and our solutions: If you request or indicate an interest in information about our solutions or partnership opportunities, we process your name, email address, phone number, job title, information about the organisation where you work, including its website address, and any comments you provide. We append business information related to the organisation where you work from third party sources, such as business intelligence providers, information from publicly available sources, such as LinkedIn, as well as information about the number and frequency of your interactions with us online and offline, such as at events, webinars, via email and our website. We may also process personal data about you that we collect either directly, through forms or data entry fields on our website, or through passive collection by cookies and other data collection technologies as described in this Privacy Policy. We maintain and update this information as we continue to engage with you and use it under the legitimate interests processing purposes described below.
• Using the Orora Customer Portals: If you are an authorised user of our portal, we process your name, email address, username, password, IP address, job title, phone number, information about the organisation where you work, and actions you have taken in the applications on the portal, such as record creation, changes, input, responses, analysis, and approvals, and tickets filed on your behalf related to our portal.
• Receiving marketing, sales-related and business development communications from us: If our marketing team or a member of our sales or business development teams sends communications to you, we process your name, phone number, email address, postal address, job title, job function, company name, company size, company financial information, IP address, device type, email view information including IP address and associated city, birthday (if provided), and information about which of our solutions you use or which may be of interest to you. Orora will only send you marketing, sales-related and business development communications if you subscribe to receive such communications. You can unsubscribe from receiving these communications at any time.
• Market research and surveys: If you consent to participate in our market research and surveys, we process your email address, job title, phone number, survey responses, company name, job function, state, country, and any comments you provide.

If you visit the websites and online properties we provide:

We process personal data about you that we collect either directly, through forms or data entry fields on our Websites, or through passive collection by cookies and other data collection technologies. The types of personal data we collect and process in each of these contexts is further explained in the following categories:

• Contact us and registration forms: We process your name, email address, company where you work, phone number, job function, job title, country of residence, and any comments you provide.
• Consumer opinion surveys: We process your survey responses.
• Cookies and other data collection technologies: We use browser session cookies, which are temporary cookies that are erased from your device’s memory when you close your Internet browser or turn your computer off, and persistent cookies, which are stored on your device until they expire, unless you delete them before that time. We group browser cookies on our Websites into three categories, which you can manage through our “Cookie Preferences” manager:
  • Required cookies: These cookies are necessary to enable the basic features of this site to function, such as allowing images to load or allowing you to select your cookie preferences.
  • Functional cookies: These cookies allow us to analyse your use of the site to evaluate and improve our performance. They may also be used to provide a better customer experience on this site. For example, this may include remembering your log-in details or providing us with information about how our site is used.
  • Advertising cookies: These cookies may be used to share data with advertisers so that the ads you see are more relevant to you, allow you to share certain pages with social networks, or allow you to post comments on our site. Depending on the advertiser, the data in the cookies may be shared with other companies so they may provide you with ads that are relevant to you.
  • If you wish to restrict or limit the use of cookies and other data collection technologies, you can configure your browser to reject or delete cookies. If you do so, be aware that this may limit the functionality of our Websites.

If you are an employee, contractor, job applicant, temporary hire or former employee:

• Applying to work at Orora: If you apply to work at Orora, we collect personal data about you and your professional experience, education and training such as your application, your name (and any former names), postal address, email address, phone number, universities attended, academic degrees obtained, grades, professional certifications and licenses, employment history, and curriculum vitae or resume. If you are offered employment, we will collect additional personal data about you, including possibly through background and professional reference checks in accordance with applicable laws of the country in which you reside and the laws applicable to Orora and its employees in the countries where Orora operates.
• Employment-Related Background checks: Prior to commencement of your employment with us, we conduct and may engage third parties to conduct, background checks that involve the necessary personal data processing as permitted by the laws in the location in which you reside and/or work. More details are provided to you in the context of our request to you to complete these checks.
• Offer of employment, temporary hire or contractor position: If we extend an offer of employment, temporary hire or a contractor position at Orora to you, we will process personal data about the position to which you have been appointed, your job title at Orora, the compensation or project-based contractor rate we offer to you, whether you or your employment agency accepts the offer, your signature, your starting compensation, agency agreed compensation or project-based contractor rate, and your start date at Orora.
• As an employee or contractor or temporary hire of Orora: We may collect and process personal data about your benefits, nationality, residency status, personal or email address, office or other workplace location, work phone number, mobile phone number, photographs, passport, visas, marital status, beneficiaries, profile, emergency contact details, financial account information, disability status, race, gender, age, social security number or other government-issued identification number, holiday and paid time off days, salary, incentive compensation, Orora stock options granted, Orora stock ownership, assigned projects, performance against your assigned goals, training completed, any performance improvement plans, any disciplinary actions taken, system accounts, technology and physical assets provided to you, and your role and actions taken in connection with Orora projects and processes. These types of personal data are also handled by mobile applications owned and operated by Orora.
• Device and application specific data: If, as part of your employment with Orora, you use a mobile application on your personal device or on a device given to you by Orora, the mobile applications you use collect the following data: device identifiers, operating system details, analytics about the application’s usage, location data, push notifications, etc. If a mobile application uses location services, push notifications, your camera or microphone as part of the application’s operation, the employee has the right to change settings according to their personal preferences. If there are options that cannot be changed or privacy concerns relating to the use of personal data, employees can contact the Privacy Officer at Orora who can assist with the resolution of their query.
• Orora managed mobile devices: we collect only what’s necessary to secure company systems, meet compliance obligations, and run the business effectively. Depending on device configuration we may collect:
  • Device and system information
    • Device model, OS version, serial number/IMEI, compliance status, security posture (encryption, passcode enabled), corporate certificate status.
  • Application inventory (work profile)
    • List of installed managed (work) apps, versions, and configuration.
  • Network and security telemetry
    • Connection metadata (time, destination domain/IP), VPN status, threat detections, and security alerts (e.g., malware, jailbreak/root).
  • Location data
    • Approximate device location only when required for critical functions (e.g., lost device recovery, emergency response for lone workers, protecting high risk shipments).
  • Usage logs (work profile)
    • Timestamps of corporate application access, policy compliance events, and authentication logs.
  • Corporate data on the device
    • Emails, calendars, contacts, documents, and data created or stored in managed work applications.

If your employment with Orora ends, we process personal data necessary to off-board you from Orora, including deactivation of your access to our systems, fulfilling our financial and related benefits obligations, and other related obligations with respect to the end of your employment with Orora.

• In certain countries, supplemental privacy notices will be provided to Orora employees and contractors and, where applicable, consent will be obtained to ensure compliance with local laws and requirements.
• California Residents: If you are a California resident, please refer to our California Privacy Notice attached at the end of this Policy.

We will not collect, use, or disclose sensitive personal data about you unless it is necessary to operate our business, we have your informed consent, or we are legally required or permitted to collect, use or disclose that data, or as otherwise allowed by law. Sensitive personal data includes any personal information about a person's race, ethnic origin, political opinions, religious or philosophical beliefs or affiliations, membership of a professional, trade or political association or union, sexual preferences or practices, criminal record, health information, or genetic information about an individual that is not otherwise health information.

We also operate video surveillance devices on our premises and may monitor and record your communications with us (including by email and telephone) for legitimate business and security purposes.

3. Why do we collect and process personal data?

The reasons that we collect and process personal data about you depends on who you are and how we interact with you.

If you are a customer, business partner, or express interest in our solutions:

If you have a contract or other agreement in place with us, we collect and process personal data about you to fulfil the following obligations to you under that contract or agreement:

• Provision your account on our business systems, customer portal and other systems to provide the requested goods or services.
• Authenticate you to enable you to access your account and conduct business with us.
• Provide customer service and support and investigate issues that you raise.
• If you apply for a credit account with an Orora business, we may request credit information from you or a credit reporting body and disclose the information we receive to one or more credit reporting bodies and use this information to assess your credit worthiness for a trading account.
  • If you are a customer with our Australian companies, and apply for a credit account, we may request credit information from you or a credit reporting body and disclose the information we receive to one or more credit reporting bodies, in accordance with the Privacy Act. The data we collect and hold includes identification information such as your name and address, the type and amount of credit applied for, the fact that information was requested from a credit reporting body (and the information received following such a request), any court judgments relating to credit provided to you in the past, and information relating to your solvency from the National Personal Insolvency Index. We use this information to assess your credit worthiness for a trading account and (where applicable) to register interests on the Personal Property Securities Register. If you nominate Orora as a commercial reference to a third party, we may provide limited credit information to that third party.
• Communicate with you, including via email, about your use of our customer portals and business, obtain your input on new features, functionality, and content, and to provide information about our solutions.
• De-provision your account on our business systems, customer portal and other systems, where required. To the extent required by law, if you have provided your consent, we process personal data about you to send direct email marketing communications about our solutions. You may unsubscribe from our emails at any time by clicking the “unsubscribe” link in the email communications we send to you or by exercising Your Rights as described below.

Our legitimate interests: We process personal data about you based on our legitimate business interests, including for the following purposes:

• To renew your account or service you have requested, based on our legitimate business interest in retaining you as a customer or partner.
• To provide additional solutions you request based on our legitimate business interest to respond to your reasonable requests and to retain you as a customer or partner.
• To determine whether, when, and the IP address and associated city of, a marketing, sales, or business development email communication we sent was viewed based on our legitimate interest to effectively manage and improve upon such communications with you.
• To understand the business that you work for and your prior experience based on our legitimate interest to tailor our communications with you to improve our engagement with you.
• To manage our legal, financial, policy and regulatory compliance responsibilities and to demonstrate our compliance upon request.
• To defend our legal rights and the rights of others.
• To maintain, improve, and protect the security and integrity of our websites and mobile applications.
• To investigate, prevent, or act on illegal activities, suspected fraud, and situations involving potential threats to the physical safety of a person.
• To undertake or engage in certain business transactions where some, or all our assets are purchased by or merged with another party or in preparation for these events.

Statistical and research purposes: We may further analyse use of our solutions, and characteristics of the companies that use our solutions (e.g., by size and industry sector) to help us understand and make decisions about customer and market needs, to improve our solutions, to design new solutions, and to inform partnership and business development decisions.

If you visit the websites and online properties we provide:

Consent: If you have provided your consent, we process personal data about you to:

• Respond to your requests regarding your individual rights.
• Manage your consent preferences.
• Ads Interests: If required by law, to apply your device-specific interests for both mobile apps and mobile websites, to create a non-permanent unique ID within our portal for the purpose of storing and communicating interests within our internal portal, to communicate and share your interests to service providers, including whether you want to receive interest-based ads, and to enable us to honour your interests according to the preferences you have set.
• Deliver the resources and information you have requested online.
• If required by law, use cookies and other data collection technologies to help you navigate our Websites or technical solutions, personalise and provide a more convenient experience to you, analyse which pages you visit, which features you use, provide features such as social sharing widgets and videos, measure advertising and promotional effectiveness, assess which areas of our Websites you visit to remarket to you after you visit our Websites, and to provide content to you from our third party content partners (only to the extent that you have provided informed consent to be provided such content).

Our legitimate interests: We process personal data about you based on our legitimate business interests, including for the following purposes:

• To investigate complaints or concerns based on our legitimate interest to ensure that such complaints or concerns are addressed appropriately.
• To evaluate the characteristics and needs of our customers based on our legitimate interest in improving the solutions we offer and provide.
• To communicate with you about Orora events, industry or related news based on our legitimate interest in engaging with you as a customer.
• To administer our Websites and to understand how our Website visitors navigate through our Websites.
• To engage in certain marketing activities.

Statistical and research purposes: We may further analyse information we gather online to improve the online experience and resources we provide to our users.

If you are an employee, contractor, job applicant, temporary hire or former employee:

If you have a contract or other agreement with us, we process personal data about you to fulfil the specific obligations we have to you under the applicable contract or agreement such as:

• Payment of project fees to contractors and temporary hires.
• Managing performance obligations under employment contracts, where applicable.
• Management of Orora stock options pursuant to stock option agreements.
• Management of stock ownership pursuant to stock purchase and related agreements.

Our legitimate interests: We process personal data about you based on our legitimate interests, including to establish and manage our relationship with and responsibilities to you and for effective operation of our business, such as to:

• Recruit new talent to join Orora.
• On-board employees, contractors and new hires to Orora.
• Grant and ensure appropriate access to Orora systems and facilities.
• Ensure the security, safety, and health of the workplace and the tangible and intangible assets for which we are responsible.
• Assign roles and responsibilities.
• Manage team and cross-functional communications and collaboration.
• Promote a positive workplace culture.
• Administer payroll.
• Benefits administration.
• Award and pay incentive compensation.
• Invoice payments.
• Managing Orora projects and processes.
• Maintaining corporate, financial and other essential business records and reporting.
• Evaluating financial and operational performance.
• Managing compliance, including, but not limited to our privacy, security, accounting, labour and employment, and other legal and regulatory obligations.

Statistical and research purposes: We may further analyse information to evaluate and understand employee engagement and to develop plans to continuously improve our workplace culture.

4. How do we share data about you?

We share your personal data in the following ways:

• Vendors. We share personal data with vendors that help us with our business activities, including advertising. They are only authorised to process that information as necessary and as directed by us.
• Advertising partners. We permit some of our advertising partners to collect and use personal data in order to provide you with relevant marketing and advertising content when you visit Orora Websites as described in this Privacy Policy. You can choose to opt out of third party collection and use of personal data through the cookie consent manager on our Websites.
• Required by law. If we are required to disclose personal data as part of a legal process, we will take commercially reasonable steps to inform you as part of that process if it is required by law. We may also be required to disclose personal data in response to lawful requests by or in accordance with our obligations to government authorities, including requests from taxation authorities, government and/or regulatory bodies, national security agencies or law enforcement.
• Legal proceedings. We may share personal data in connection with any legal proceedings and to establish, exercise or defend our or a third party’s legal rights, including providing information to others for the purposes of fraud prevention.
• Employees. For employees who use Orora’s mobile applications and Websites, any personal data collected will be used for internal business purposes and only to fulfil the legitimate business interests of Orora.
• Safety, fraud prevention, government requests and protection of our rights are all reasons where we may share personal data where we believe in good faith it is necessary.
• Mergers, acquisitions, divestitures, bankruptcies, asset sales, or similar proceedings, or in preparation for these events, but only if the acquiring organisation agrees to this Privacy Policy’s protections.
• With any other person or entity where you consent to the disclosure.
• For any other purpose disclosed by us when you provide the personal data or for any other purpose we deem necessary, including to protect the health and safety of others.

5. How do we protect your personal data?

We maintain commercially reasonable security measures to protect the personal data we collect from you, like enforcing multifactor authentication, encryption at rest and role-based access controls. However, we cannot guarantee absolute security.

6. Do we transfer your data internationally?

We may transfer, access, or store personal data about you outside of your country of residence. This may include but is not limited to, transferring, accessing, or storing personal data about you outside the European Economic Area, United Kingdom, United States, Switzerland, Australia, New Zealand or Mexico. When we do, and to the extent required by applicable law, we will ensure that an adequate level of protection is provided for the information by using one or more of the following approaches:

• Transferring personal data to countries that have privacy laws that have been recognised by the country from which the personal data is transferred as providing similar protections for the personal data.
• Entering into written agreements with recipients that require them to provide the same level of protection for the transfer and processing of your personal data.
• Relying on other transfer mechanisms approved by authorities in the countries from which, and to which, the personal data is transferred.
• With your informed consent.

7. How long do we retain your personal data?

We will keep your personal data for as long as we provide solutions to you, as long as you work for or with us, or as long as we are addressing a concern, question, complaint, or request you have made to us, as applicable to our interactions with you. If we have a contract or other agreement with you, we will follow the retention obligations of that agreement.

We may keep personal data longer if we have a legal obligation to keep it or to maintain necessary records for legal, financial, compliance, or other reporting obligations, and to enforce our rights and agreements. We may also keep personal data about you for statistical analysis or research purposes.

8. What about third party links?

Our Websites may contain links that will let you leave the Websites and access another website. Linked websites are not under our control. We accept no responsibility or liability for these other websites.

9. What are your rights?

Depending on the jurisdiction in which you reside, you may have certain privacy rights such as:

• Right to be informed: right to be provided with clear, transparent and easily understandable information about how we use your personal data, and your rights associated with the collection, use, storage and management of that data. This information is covered through the contents of this Privacy Policy.
• Right to access and rectification: right to access, change or correct your personal data. Note that your rights to access may be limited if such access would compromise the privacy rights of another person.
• Right to data portability: personal data you provide us can be moved, copied or transmitted electronically in certain circumstances. Note that your rights to portability may be limited if such access and portability would compromise the privacy rights of another person.
• Right to be forgotten: right to request the deletion of your personal data, in some circumstances. If we no longer need the personal data we collect for any purpose and we are not permitted by law to keep it, we will do what we can to delete, destroy or permanently remove any personal data that could be used to personally identify you.
• Right to restrict processing: right to restrict the processing of your personal data, in certain circumstances.
• Right to object: right to object to certain types of processing, including the collection of certain types of cookies when visiting our Websites, and processing for direct marketing (i.e., receiving emails from us notifying you or being contacted with varying potential opportunities), in certain circumstances.
• Right to lodge a complaint: right to lodge a complaint with a supervisory authority if you object to the way we process your personal data.
• Right to withdraw consent: where we rely on consent as the legal basis for processing, you have the right to withdraw your consent to the use of your personal data at any time, even if you have provided consent to the use of your personal data in the past. To withdraw consent, please email Orora’s Privacy Officer at [email protected].
• Rights related to automated decision-making: the right to human intervention, to express your point of view, to obtain an explanation of a decision reached after an assessment, and to challenge a decision based solely on automated processing and which produces legal or other significant effects on you.

We will honour the requests you make related to your rights as the relevant regional laws allow, which means in some cases there may be legal or other official reasons that we may not be able to address the specific request you make related to your rights. To exercise your privacy rights, please contact Orora’s Privacy Officer as described in the “How to contact us” section below.

10. Do we collect children’s data?

Orora is committed to protecting the privacy of children. Our Websites are intended for use by adults. We do not knowingly collect personal data about children or sell products to children. If you are a child, we kindly ask that you do not use our Websites. If we discover that we have collected personal data from a child, we will delete that data as soon as we are able.

11. Notice to Australian Residents

The Privacy Act 1988 (Cth) governs the handling of personal information in Australia and was introduced to promote and protect the privacy of individuals. It also includes thirteen Australian Privacy Principles (“APPs”) that outline the standards, rights and obligations in respect of the collection, use and disclosure of personal information, the rights of individuals to access and correct their personal information, and regulates an organisation’s governance and accountability obligations in respect of the personal information. The Privacy Act and the APPs can be accessed on the Australian Federal Register of Legislation at https://www.legislation.gov.au/.

12. Notice to California residents

The California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”), requires that we provide California residents with a privacy policy that contains a comprehensive description of our online and offline practices regarding the collection, use, disclosure, sale, sharing, management and retention of personal information and of the rights of California residents regarding their personal information. For more information, please see our California Privacy Notice. 

13. Notice to European Economic Area and United Kingdom residents

The General Data Protection Regulation (“GDPR”) provides residents within the European Economic Area with a high level of protection with respect to the processing of their personal data by organisations anywhere in the world who have a presence in the European Economic Area, so long as specific criteria are satisfied. Personal data of individuals collected within the European Economic Area are governed by the GDPR which gives individuals rights to transparency, access to their data, rectification of their data, erasure of their data, restrictions on processing their data, rights to receiving personal data concerning them, and rights to object to the processing of their personal data under certain circumstances.
The GDPR can be accessed on the official website of European Union at https://european-union.europa.eu/index_en.

The United Kingdom General Data Protection regulation (“UK GDPR”) preserves the GDPR under the UK’s domestic laws and retains the UK’s right to regularly review the GDPR. The UK GDPR may apply to Orora’s processing activities if the personal data collected is for the purposes of offering goods or services to individuals in the UK or monitoring the conduct of individuals in the UK. The UK Addendum to the GDPR can be found on the Information Commissioner’s Office website at https://ico.org.uk.

If you have any questions or concerns about how your personal data may be processed by Orora, contact the Privacy Officer at [email protected].

14. Notice regarding Mexico’s data protection laws

The Federal Law on the Protection of Personal Data Held By Private Parties enacted on 20 March 2025 updates and expands the legal framework that applies to the collection, use and storage of personal data in Mexico. It broadly applies to private entities, like Orora, who collect, use and store personal data for commercial and professional interests. Individuals in Mexico whose personal data is processed by Orora are entitled to exercise fundamental rights of access, rectification, cancellation and opposition to the processing of their personal information.

If you have any questions or would like to exercise your rights regarding how your personal data may be processed by Orora, contact the Privacy Officer at [email protected] or the Data Protection Officer for Saverglass at [email protected].

15. Accessibility

We are committed to ensuring this Privacy Policy is accessible to individuals with disabilities. If you wish to access this Privacy Policy in an alternative format, please contact us as described below.

16. How to contact us

Australia and New Zealand

Please contact us at +61 3 9811 7111 or at [email protected] if you have any questions or would like to exercise your privacy rights. You can also submit written inquiries to:

Privacy Officer
Orora Limited
109 Burwood Road
Hawthorn, Victoria 3122, Australia

If you are not satisfied with how Orora has dealt with your enquiry, you may contact the Office of the Australian Information Commissioner at [email protected] or by calling 1300 363 992 (for Australia), or the Office of Privacy Commissioner at [email protected] or by calling 0800 803 909 (for New Zealand).

European Economic Area, United States, Mexico and other regions

Please contact the Data Protection Officer of Saverglass, a fully owned subsidiary of Orora, at [email protected] if you have any questions or would like to exercise your privacy rights regarding your personal information with Saverglass. You can also submit written inquiries to:

Attention: Data Protection Officer
Saverglass
3 Pl. de la Gare
60960 Feuquières, France

If you are not satisfied with how Saverglass has dealt with your enquiry, you may contact the French supervisory authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”) at https://www.cnil.fr/fr/plaintes or the European Union supervisory authority, the European Data Protection Supervisor at https://www.edps.europa.eu/data-protection/our-role-supervisor/complaints_en.

For all enquiries relating to Orora, please refer to the above contact details for Australia and New Zealand.

17. Privacy Policy Updates

We may update this Privacy Policy from time to time. We will provide notice of any material changes to our Privacy Policy as required by law. We will also post an updated copy on our Websites. Please check our Websites periodically for updates.