GDPR Compliance Statement

Last updated: May 13, 2026

Introduction

flickering bloom is committed to protecting the privacy and personal data of all individuals, including those in the European Union (EU) and European Economic Area (EEA). While we are an Australian-based company, we recognize the importance of the General Data Protection Regulation (GDPR) and have implemented measures to comply with its requirements when processing personal data of EU/EEA residents.

Legal Basis for Processing

We process personal data only when we have a legal basis to do so under GDPR Article 6. Our legal bases include:

Consent: You have given clear consent for us to process your personal data for specific purposes
Contract: Processing is necessary for the performance of a contract with you or to take steps prior to entering into a contract
Legal Obligation: Processing is necessary to comply with legal obligations
Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided these interests do not override your fundamental rights

Your GDPR Rights

Under GDPR, EU/EEA residents have the following rights regarding their personal data:

Right to Access (Article 15)

You have the right to request confirmation of whether we process your personal data and, if so, to access that data along with information about how it is processed.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you have the right to request deletion of your personal data in certain circumstances, such as:

The data is no longer necessary for the purposes for which it was collected
You withdraw consent and there is no other legal ground for processing
You object to processing and there are no overriding legitimate grounds
The data has been unlawfully processed

Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, including when you contest the accuracy of the data or object to processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not engage in automated decision-making or profiling.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at:

Email: [email protected]

We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months, and we will inform you of any such extension.

Data Protection Officer

For GDPR-related inquiries, you may contact our designated privacy contact:

Email: [email protected]
Address: 348 Industrial Drive, Port Melbourne VIC 3207, Australia

International Data Transfers

When we transfer personal data from the EU/EEA to Australia or other countries, we ensure appropriate safeguards are in place, such as:

Standard Contractual Clauses approved by the European Commission
Adequacy decisions where applicable
Other legally approved mechanisms

Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of personal data in transit and at rest
Regular security assessments and audits
Access controls and authentication mechanisms
Staff training on data protection and security
Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

Contract performance and warranty obligations (typically 7-25 years depending on service)
Legal and regulatory compliance requirements
Legitimate business interests such as fraud prevention

Third-Party Processors

When we engage third-party processors, we ensure they:

Provide sufficient guarantees regarding data protection
Process data only on our documented instructions
Are bound by appropriate data processing agreements
Implement appropriate security measures

Children's Data

We do not knowingly process personal data of individuals under 16 years of age without parental consent, in accordance with GDPR Article 8.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or where an alleged infringement occurred. A list of EU supervisory authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en

Updates to This Statement

We may update this GDPR compliance statement from time to time. Material changes will be communicated through our website, and the "Last updated" date will be revised accordingly.

Contact Information

For any questions or concerns about our GDPR compliance or data protection practices:

flickering bloom
348 Industrial Drive
Port Melbourne VIC 3207
Australia
Email: [email protected]