GDPR Compliance

Overview

Although Bright HandIn is based in Australia, we are committed to protecting the privacy rights of individuals in the European Union and comply with the General Data Protection Regulation (GDPR) when processing personal data of EU residents.

Legal Basis for Processing

We process personal data only when we have a legal basis to do so. Our legal bases include:

• Consent: You have given clear consent for us to process your personal data for specific purposes
• Contract: Processing is necessary to fulfill our contractual obligations to provide services to you
• Legal Obligation: Processing is necessary to comply with legal requirements
• Legitimate Interests: Processing is necessary for our legitimate business interests, provided these do not override your fundamental rights

Your Rights Under GDPR

If you are an EU resident, you have the following rights regarding your personal data:

Right to Access

You have the right to request copies of your personal data. We may charge a reasonable fee for additional copies beyond the first request.

Right to Rectification

You have the right to request correction of any information you believe is inaccurate or completion of information you believe is incomplete.

Right to Erasure

You have the right to request deletion of your personal data under certain conditions, such as when:

• The data is no longer necessary for the purposes it was collected
• You withdraw consent and there is no other legal basis for processing
• The data has been unlawfully processed
• The data must be erased to comply with a legal obligation

Right to Restrict Processing

You have the right to request restriction of processing of your personal data under certain conditions, such as when:

• You contest the accuracy of the data
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data, but you need it for legal claims
• You have objected to processing pending verification of legitimate grounds

Right to Data Portability

You have the right to request transfer of your data to another organization or directly to you in a structured, commonly used, machine-readable format.

Right to Object

You have the right to object to our processing of your personal data under certain circumstances, particularly:

• Processing based on legitimate interests
• Processing for direct marketing purposes
• Processing for scientific or historical research

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your EU member state if you believe our processing of your personal data violates GDPR.

How We Protect Your Data

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Staff training on data protection and security
• Incident response procedures
• Regular backups and disaster recovery planning

Data Retention

We retain personal data only for as long as necessary to:

• Provide the services you requested
• Comply with legal, accounting, or reporting requirements
• Resolve disputes and enforce agreements

Specific retention periods vary depending on the type of data and purpose of processing. Upon expiry of the retention period, personal data is securely deleted or anonymized.

International Data Transfers

When we transfer personal data from the EU to countries outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions recognizing equivalent data protection
• Binding Corporate Rules where applicable

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
• Notify affected individuals without undue delay if the breach poses a high risk
• Document all breaches and our response measures

Children's Data

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental consent, we will take steps to delete that information.

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Data Protection Officer

For questions about our GDPR compliance or to exercise your rights, you may contact our data protection representative:

Email: [email protected]
Address: Level 12, 345 Collins Street, Melbourne VIC 3000, Australia

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with:

• Sufficient information to identify you
• A description of the right you wish to exercise
• Any supporting information relevant to your request

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of the extension.

Updates to This Notice

We may update this GDPR notice from time to time. We will notify you of significant changes by posting the updated notice on our website and updating the "Last updated" date.

Last updated: May 11, 2026