Bright Mingle

GDPR Compliance Statement

Last Updated: May 11, 2026

1. Introduction

While Bright Mingle is an Australian company primarily serving Australian residents, we recognize that some of our clients and website visitors may be located in the European Union or United Kingdom. This GDPR Compliance Statement explains how we comply with the General Data Protection Regulation (GDPR) when processing personal data of individuals in the EU/UK.

This statement should be read in conjunction with our Privacy Policy, which covers our compliance with Australian privacy law.

2. Data Controller

For the purposes of GDPR, the data controller is:

Bright Mingle
Level 14, 127 Creek Street
Brisbane QLD 4000
Australia
Email: [email protected]

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Consent: When you provide explicit consent for us to process your personal data for specific purposes
  • Contract: When processing is necessary to perform our services under a contract with you
  • Legal Obligation: When we must process data to comply with legal requirements (e.g., tax obligations, reporting to government agencies)
  • Legitimate Interests: When processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms

4. Your GDPR Rights

If you are an EU/UK resident, you have the following rights under GDPR:

Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this within one month of your request, free of charge for the first request.

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: This right is subject to exceptions, including where we must retain data to comply with legal obligations (e.g., tax record-keeping requirements).

Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU/UK if you believe we have violated your data protection rights.

5. Exercising Your Rights

To exercise any of your GDPR rights, please contact us at:

Email: [email protected]

We will respond to your request within one month. In complex cases, we may extend this period by two additional months, and we will inform you if this is necessary.

6. Data Processing Activities

Categories of Personal Data We Collect

  • Identity data (name, date of birth, identification numbers)
  • Contact data (email, postal address)
  • Financial data (income, assets, bank details)
  • Health data (where relevant to benefit claims)
  • Technical data (IP address, browser type, device information)
  • Usage data (how you interact with our website)

Purposes of Processing

  • Providing social benefits advisory and support services
  • Managing client relationships
  • Processing payments
  • Complying with legal obligations
  • Improving our services and website
  • Communicating with clients

7. International Data Transfers

As we are based in Australia, any personal data we collect from EU/UK residents will be transferred to and processed in Australia. Australia is not subject to an adequacy decision by the European Commission.

To ensure adequate protection for international data transfers, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Technical and organizational security measures equivalent to GDPR standards
  • Data Processing Agreements with third-party processors

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Generally, we retain client records for seven years after service completion. After this period, we securely delete or anonymize the data.

Specific retention periods:

  • Client service records: 7 years
  • Financial transaction records: 7 years
  • Marketing consent records: Until consent is withdrawn
  • Website analytics data: 26 months

9. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Pseudonymization where appropriate
  • Regular security assessments and penetration testing
  • Access controls and authentication measures
  • Staff training on data protection and security
  • Incident response and breach notification procedures

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. Where the breach poses a high risk, we will notify you directly within 72 hours of becoming aware of the breach.

11. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.

12. Third-Party Data Processors

We may engage third-party service providers to process personal data on our behalf. These processors are contractually bound to:

  • Process data only on our documented instructions
  • Implement appropriate security measures
  • Maintain confidentiality
  • Assist with GDPR compliance obligations
  • Delete or return data upon contract termination

13. Children's Data

We do not knowingly process personal data of children under 16 years of age without parental consent. If we become aware of such processing, we will delete the data unless we have obtained verifiable parental consent.

14. Changes to This Statement

We may update this GDPR Compliance Statement from time to time. We will notify you of material changes by posting an updated version on our website with a new "Last Updated" date.

15. Contact and Complaints

For any questions, concerns, or to exercise your GDPR rights, contact us at:

Email: [email protected]
Address: Level 14, 127 Creek Street, Brisbane QLD 4000, Australia

If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. Contact details for EU supervisory authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en.

© 2026 Bright Mingle. All rights reserved.