GDPR Compliance

Last updated: May 22, 2026

Our Commitment to GDPR

Sparkling Academy is committed to complying with the General Data Protection Regulation (GDPR) and respecting the data protection rights of individuals in the European Union and European Economic Area.

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. Our lawful bases include:

• Consent: You have given clear consent for us to process your personal data for specific purposes
• Contract: Processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract
• Legal obligation: Processing is necessary for us to comply with the law
• Legitimate interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests

Your Rights Under GDPR

As a data subject, you have the following rights:

Right to Access

You have the right to request copies of your personal data. We may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

Right to Rectification

You have the right to request that we correct information you believe is inaccurate or complete information you believe is incomplete.

Right to Erasure

You have the right to request that we erase your personal data, under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data, under certain conditions.

Right to Object to Processing

You have the right to object to our processing of your personal data, under certain conditions.

Right to Data Portability

You have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.

Right to Withdraw Consent

Where we rely on consent to process your personal data, you have the right to withdraw that consent at any time.

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer:

Email: [email protected]
Subject: GDPR Data Subject Request

We will respond to your request within one month. In some cases, such as complex requests, we may extend this period by two additional months, and we will inform you of this extension.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and implementation. You can contact our DPO at [email protected].

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit and at rest
• Regular security assessments and audits
• Access controls and authentication procedures
• Staff training on data protection
• Incident response procedures

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

International Data Transfers

When we transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Transfers to countries deemed to provide adequate protection by the European Commission
• Binding Corporate Rules where applicable

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Our retention periods are based on:

• The nature of the data and the purposes for which it was collected
• Legal and regulatory requirements
• The need to defend or bring legal claims

Children's Data

Our services are not directed at children under 16 years of age. Where we process personal data of children, we obtain parental consent where required by law.

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. In Australia, you may contact the Office of the Australian Information Commissioner (OAIC). If you are in the EU/EEA, you may contact your local data protection authority.

Updates to This Statement

We may update this GDPR compliance statement from time to time. We will notify you of any material changes by posting the updated statement on our website.

Contact Us

For questions about our GDPR compliance or to exercise your rights, please contact:

Data Protection Officer
Sparkling Academy
127 Ecology Drive
Byron Bay, NSW 2481, Australia
Email: [email protected]