GDPR Compliance

Our Commitment to Data Protection

winding-glow is committed to protecting the personal data of all individuals, including those located in the European Economic Area (EEA). While we are based in Australia, we recognise and respect the rights granted under the General Data Protection Regulation (GDPR) for European residents who interact with our services.

Legal Basis for Processing

We process personal data based on the following legal grounds:

• Contractual necessity: To fulfil our obligations when you book our services
• Legitimate interests: To improve our services and communicate relevant information
• Consent: For marketing communications and non-essential cookies
• Legal obligation: To comply with applicable laws and regulations

Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information within 30 days of your request, free of charge.

Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data. We aim to process such requests within 30 days.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, including:

• The data is no longer necessary for its original purpose
• You withdraw consent on which processing was based
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Right to Restrict Processing

You have the right to request restriction of processing your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where processing is based on consent or contract.

Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. We do not currently use automated decision-making for significant decisions about individuals.

Data Transfers

As an Australian business, your data may be transferred to and processed in Australia. Australia has been recognised by the European Commission as providing an adequate level of data protection. Where we transfer data to third parties outside of adequate jurisdictions, we ensure appropriate safeguards are in place.

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Specific retention periods include:

• Booking records: 7 years (legal and tax requirements)
• Marketing preferences: Until withdrawn
• Website analytics: 26 months
• Email correspondence: 3 years after last interaction

Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit and at rest
• Access controls and authentication measures
• Regular security assessments
• Staff training on data protection
• Incident response procedures

Data Protection Officer

While we are not required to appoint a Data Protection Officer under Australian law, we have designated a privacy contact to handle data protection matters:

Email: [email protected]

Exercising Your Rights

To exercise any of your rights under GDPR, please contact us with:

• A clear description of the right you wish to exercise
• Sufficient information to identify you
• Any additional information relevant to your request

We will respond within 30 days. If we require an extension, we will inform you within the initial period.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For EEA residents, this would be the data protection authority in your country of residence.

Updates to This Information

We may update this GDPR compliance information from time to time. Significant changes will be communicated through our website or direct notification where appropriate.

Contact Us

For any questions regarding GDPR or your data protection rights:

Email: [email protected]
Address: Level 3, 127 Collins Street, Melbourne VIC 3000, Australia