GDPR Compliance Statement

Last Updated: May 10, 2026

Mystic Breeze respects the privacy rights of individuals in the European Economic Area (EEA) and is committed to complying with the General Data Protection Regulation (GDPR) when processing personal data of EEA residents.

1. Legal Basis for Processing

We process your personal data under the following legal bases:

• Consent: When you provide explicit consent for us to process your data for specific purposes
• Contract Performance: When processing is necessary to fulfill our service agreement with you
• Legal Obligation: When we must process your data to comply with legal requirements
• Legitimate Interest: When processing is necessary for our legitimate business interests, provided these do not override your rights

2. Your GDPR Rights

If you are an EEA resident, you have the following rights under GDPR:

• Right to Access: You can request a copy of the personal data we hold about you
• Right to Rectification: You can request correction of inaccurate or incomplete data
• Right to Erasure: You can request deletion of your personal data in certain circumstances
• Right to Restrict Processing: You can request that we limit how we use your data
• Right to Data Portability: You can request a copy of your data in a machine-readable format
• Right to Object: You can object to certain types of processing
• Right to Withdraw Consent: You can withdraw previously given consent at any time
• Right to Lodge a Complaint: You can file a complaint with your local data protection authority

3. Data Collection and Processing

We collect and process the following categories of personal data:

• Identity data: name, date of birth
• Contact data: email address, postal address
• Financial data: retirement accounts, pension information
• Technical data: IP address, browser type, device information
• Usage data: how you interact with our website and services

4. International Data Transfers

Your personal data may be transferred to and processed in Australia. While Australia is not in the EEA, we ensure adequate safeguards are in place to protect your data in accordance with GDPR requirements.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Specific retention periods depend on the nature of the data and the purpose of processing.

6. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you without human intervention.

7. Third-Party Processing

When we engage third-party service providers to process personal data on our behalf, we ensure they provide appropriate safeguards and comply with GDPR requirements through data processing agreements.

8. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls and authentication
• Staff training on data protection

9. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.

10. Contact Information

To exercise any of your GDPR rights or if you have questions about our data processing practices, please contact us:

Email: [email protected]
Address: Level 12, 385 George Street, Sydney NSW 2000, Australia

11. Supervisory Authority

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority in the EEA.