
Our Commitment to GDPR

Harbor Puffin is committed to protecting the privacy and rights of individuals in the European Economic Area (EEA) in accordance with the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements when processing personal data of EEA residents.

Data Controller

Harbor Puffin acts as the data controller for personal information collected through our website and services. Our contact details are:

Harbor Puffin Pty Ltd
Level 12, 345 George Street
Sydney NSW 2000, Australia
Email: [email protected]

Legal Basis for Processing

We process personal data of EEA residents under the following legal bases:

  • Consent: Where you have given explicit consent for specific processing activities, such as receiving marketing communications.
  • Contract: Where processing is necessary to perform a contract with you or take pre-contractual steps at your request.
  • Legitimate Interests: Where processing is necessary for our legitimate business interests, provided these do not override your rights and freedoms.
  • Legal Obligation: Where processing is necessary to comply with legal requirements.

Your Rights Under GDPR

If you are an EEA resident, you have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you, along with information about how we process it.

Right to Rectification

You have the right to request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose.

Right to Restrict Processing

You have the right to request that we limit how we use your personal data in certain situations.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used format and to transmit it to another controller.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time.

International Data Transfers

Because we are an Australian company, transferring data from the EEA to Australia constitutes an international transfer. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Technical and organisational security measures
  • Data processing agreements with third-party processors

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods depend on the type of data and the purpose of processing. When data is no longer needed, we securely delete or anonymise it.

Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Staff training on data protection

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay.

Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals.

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at:

Email: [email protected]

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

Complaints

If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with a supervisory authority in the EEA member state of your residence or where the alleged infringement occurred.

Changes to This Notice

We may update this GDPR notice from time to time. We will notify you of material changes through our website or by direct communication where appropriate.