
steady-breeze

GDPR Compliance Statement

Last Updated: May 10, 2026

Introduction

Although steady-breeze primarily operates within Australia and is governed by the Australian Privacy Act 1988, we recognize that some of our clients may be European Union residents or citizens. This statement outlines how we comply with the General Data Protection Regulation (GDPR) when processing personal data of EU individuals.

Legal Basis for Processing

We process your personal data under one or more of the following legal bases:

  • Contractual necessity: Processing is necessary to perform our advisory services contract with you
  • Legitimate interests: Processing is necessary for our legitimate business operations
  • Legal obligation: Processing is required to comply with Australian and international legal requirements
  • Consent: You have given explicit consent for specific processing activities

Your GDPR Rights

If you are an EU resident, you have the following rights under GDPR:

  • Right to access: Request copies of your personal data
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Right to restrict processing: Request limitation of how we use your data
  • Right to data portability: Request transfer of your data to another service provider
  • Right to object: Object to certain types of processing, including direct marketing
  • Rights related to automated decision-making: Not be subject to decisions based solely on automated processing

Data Controller Information

For the purposes of GDPR, the data controller is:

steady-breeze
Level 14, 287 Collins Street
Melbourne VIC 3000
Australia
Email: [email protected]

International Data Transfers

Your personal data is primarily stored and processed in Australia. If we transfer your data to countries outside the EU, we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses approved by the European Commission
  • Data processing agreements with third-party service providers
  • Compliance with Australian privacy laws, which provide substantially similar protections

Data Protection Officer

While not legally required to appoint a Data Protection Officer (DPO), we have designated a privacy coordinator who can be reached at [email protected] for all GDPR-related inquiries.

Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy. Specific retention periods include:

  • Client service records: 7 years after service completion
  • Financial records: 7 years as required by Australian tax law
  • Marketing consent records: Until consent is withdrawn
  • Website analytics: 26 months

Security Measures

We implement technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Regular security audits and penetration testing
  • Staff training on data protection principles
  • Access controls and authentication procedures
  • Incident response and breach notification procedures

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects EU individuals.

Children's Privacy

Our services are not directed at children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of the alleged infringement. For Australian matters, you may also contact the Office of the Australian Information Commissioner (OAIC).

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at [email protected]. We will respond to your request within one month, or inform you if we require an extension.

Updates to This Statement

We may update this GDPR Compliance Statement to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or website notice.

© 2026 steady-breeze. All rights reserved.