GDPR Compliance
Last updated: May 11, 2026
Our Commitment to Data Protection
While calm-bastion operates primarily in Australia, we recognize that some of our students may be located in the European Union or other regions with strict data protection requirements. We comply with GDPR principles for all users, regardless of location.
Legal Basis for Processing
We process personal data based on:
- Contractual necessity: To deliver courses and services you've enrolled in
- Legitimate interests: To improve our educational content and communicate about relevant offerings
- Consent: For marketing communications, which you can withdraw at any time
- Legal obligation: To comply with tax, accounting, and other regulatory requirements
Your GDPR Rights
Under GDPR, you have the following rights:
- Right to access: Request a copy of all personal data we hold about you
- Right to rectification: Correct inaccurate or incomplete personal information
- Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to restriction: Limit how we process your information in certain circumstances
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Opt out of certain types of data processing, including marketing
- Right to withdraw consent: Revoke consent for processing at any time
Data Protection Officer
For GDPR-related inquiries, contact our data protection team at [email protected] with "GDPR Request" in the subject line. We will respond within 30 days of receiving your request.
Data Transfers
Your data is primarily stored on servers located in Australia. When we use third-party services that may transfer data internationally, we ensure appropriate safeguards are in place through standard contractual clauses or equivalent mechanisms.
Data Retention Periods
We retain personal data only as long as necessary for the purposes it was collected or as required by law:
- Course enrollment data: Duration of course access plus 2 years
- Financial records: 7 years (Australian tax requirement)
- Marketing communications data: Until you unsubscribe or request deletion
- Website analytics: 26 months
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals.
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals within 72 hours of becoming aware of the breach, as required by GDPR.
Complaints
If you believe we have not handled your data properly, you have the right to lodge a complaint with your local data protection authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC).
Contact Us
For any GDPR-related questions or to exercise your rights, email [email protected] or write to Level 7, 142 Collins Street, Melbourne VIC 3000, Australia.