GDPR Compliance Statement

Last updated: June 16, 2026

Our Commitment to Data Protection

While ember-puffin operates primarily in Australia, we recognize that some of our website visitors and clients may be located in the European Union. We are committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR) principles, regardless of where our users are located.

Data Controller Information

Entity Name: ember-puffin
Address: 127 Brunswick Street, Fitzroy, VIC 3065, Australia
Contact Email: [email protected]

Legal Basis for Processing Personal Data

We process personal data under the following legal grounds:

  • Consent: You have given clear consent for us to process your personal data for specific purposes (such as marketing communications)
  • Contract: Processing is necessary to fulfill a contract with you or to take steps at your request before entering into a contract
  • Legal Obligation: Processing is necessary to comply with the law
  • Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights

Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

Right to Access

You have the right to request copies of your personal data. We may charge a reasonable fee for additional copies beyond the first request.

Right to Rectification

You have the right to request correction of any information you believe is inaccurate or to request completion of information you believe is incomplete.

Right to Erasure

You have the right to request deletion of your personal data under certain conditions, including when the data is no longer necessary for the purposes for which it was collected.

Right to Restrict Processing

You have the right to request restriction of processing your personal data under certain conditions.

Right to Object to Processing

You have the right to object to our processing of your personal data under certain conditions, particularly for direct marketing purposes.

Right to Data Portability

You have the right to request transfer of your data to another organization or directly to you, in a structured, commonly used, and machine-readable format, under certain conditions.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected] with the subject line "GDPR Data Request." We will respond to your request within one month, though this period may be extended by two additional months in complex cases. We will inform you of any such extension.

We may need to verify your identity before processing your request to ensure the security of your personal data.

Data We Collect and Process

Categories of Personal Data

  • Identity data: name, title
  • Contact data: email address, physical address
  • Service data: dietary preferences, service selections, booking history
  • Technical data: IP address, browser type, device information
  • Usage data: how you interact with our website
  • Marketing data: your preferences for receiving communications

Purpose and Legal Basis

For detailed information about why we collect this data and the legal basis for processing, please refer to our Privacy Policy.

International Data Transfers

Your personal data may be transferred to and processed in Australia, which is not subject to an adequacy decision by the European Commission. When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by the European Commission
  • Ensuring the recipient is certified under an approved certification mechanism
  • Obtaining your explicit consent for the transfer

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements.

When determining retention periods, we consider:

  • The amount, nature, and sensitivity of the data
  • The potential risk from unauthorized use or disclosure
  • The purposes for processing and whether we can achieve those purposes through other means
  • Applicable legal requirements

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Data Security

We have implemented appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication requirements
  • Staff training on data protection and security
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. If the breach poses a high risk, we will notify you directly. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.

Third-Party Data Processors

We work with carefully selected third-party service providers who process personal data on our behalf. These processors are bound by data processing agreements that ensure they:

  • Process data only on our documented instructions
  • Maintain appropriate security measures
  • Assist us in responding to data subject requests
  • Delete or return data at the end of the service relationship
  • Demonstrate compliance with GDPR requirements

Children's Privacy

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided personal data to us, please contact us so we can delete it.

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our data processing practices or legal requirements. We will notify you of significant changes by posting a notice on our website or sending you an email.

Complaints and Supervisory Authority

If you believe we have not processed your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, work, or where an alleged infringement occurred.

You can find your local supervisory authority through the European Data Protection Board's website.

Contact Us

For questions about this GDPR compliance statement or to exercise your rights, please contact us:

Email: [email protected]
Address: 127 Brunswick Street, Fitzroy, VIC 3065, Australia