GDPR Compliance
Last updated: April 11, 2026
Our Commitment to GDPR
While zenith-course operates primarily in Australia, we recognize our obligations under the General Data Protection Regulation (GDPR) when processing personal data of individuals located in the European Union or European Economic Area.
This document outlines how we comply with GDPR requirements and explains the rights available to EU/EEA residents regarding their personal data.
Data Controller Information
For purposes of GDPR, zenith-course acts as the data controller for personal information we collect:
Data Controller: zenith-course
Address: 247 Collins Street, Melbourne VIC 3000, Australia
Email: [email protected]
Legal Basis for Processing
We process personal data only when we have a valid legal basis under GDPR. Our processing activities rely on the following legal grounds:
Contractual Necessity
Processing is necessary to perform our contract with you or to take steps at your request before entering into a contract. This includes:
- Providing consultation services you request
- Delivering design and renovation services
- Managing project timelines and communications
- Processing payments for services rendered
Legitimate Interests
Processing is necessary for our legitimate business interests, provided these interests do not override your fundamental rights. This includes:
- Responding to inquiries about our services
- Improving our website and service offerings
- Analyzing business performance and customer needs
- Maintaining records for quality assurance
Legal Obligation
Processing is necessary to comply with legal requirements, such as:
- Maintaining financial records for tax purposes
- Retaining project documentation as required by building regulations
- Complying with court orders or regulatory requests
Consent
For processing not covered by the above bases, we obtain your explicit consent. This includes:
- Sending marketing communications
- Using analytics cookies beyond essential functionality
- Sharing project images for promotional purposes
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Your Rights Under GDPR
As an EU/EEA resident, you have the following rights regarding your personal data:
Right to Access
You may request confirmation of whether we process your personal data and obtain a copy of that data. We will provide this information in a commonly used electronic format.
Right to Rectification
You may request correction of inaccurate personal data or completion of incomplete data we hold about you.
Right to Erasure
You may request deletion of your personal data in certain circumstances, including when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and no other legal basis exists
- You object to processing and no overriding legitimate grounds exist
- The data has been unlawfully processed
Note that legal obligations may prevent immediate deletion in some cases, such as required retention periods for financial or building regulation compliance.
Right to Restriction of Processing
You may request that we limit how we use your personal data in certain situations, such as when you contest data accuracy or object to processing.
Right to Data Portability
You may request your personal data in a structured, machine-readable format and have it transmitted to another controller when technically feasible.
Right to Object
You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority if you believe our processing violates GDPR. However, we encourage you to contact us first so we can address your concerns directly.
Exercising Your Rights
To exercise any of the rights described above, please contact us at [email protected] with:
- A clear description of which right you wish to exercise
- Sufficient information to verify your identity
- Any relevant details about the specific data or processing involved
We will respond to your request within one month. In complex cases, we may extend this period by two additional months, in which case we will inform you of the extension and the reasons for it.
We do not charge a fee for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request.
International Data Transfers
As we are based in Australia, personal data collected from EU/EEA residents is transferred outside the European Economic Area. We ensure such transfers comply with GDPR through:
- Standard Contractual Clauses approved by the European Commission
- Ensuring adequate data protection measures are in place
- Limiting data transfers to what is necessary for service provision
Australia's privacy framework provides substantial protections similar to GDPR, though it is not currently recognized as providing adequate protection under GDPR. We implement additional safeguards to bridge any gaps.
Data Protection Measures
We implement appropriate technical and organizational measures to ensure data security, including:
- Encryption of data in transit and at rest
- Access controls limiting who can view personal data
- Regular security assessments and updates
- Staff training on GDPR compliance and data protection
- Contracts with processors requiring GDPR compliance
- Data breach response procedures
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Inform affected individuals without undue delay if the breach poses a high risk
- Provide clear information about the nature of the breach and steps being taken
- Offer guidance on measures you can take to protect yourself
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. All significant decisions involving your data are made by human review.
Third-Party Processors
We engage certain third parties to process data on our behalf. All processors are carefully selected and bound by contracts requiring GDPR compliance, including:
- Processing data only according to our documented instructions
- Maintaining appropriate security measures
- Assisting with our GDPR obligations
- Deleting or returning data upon contract termination
We do not permit processors to use your data for their own purposes.
Children's Data
Our services are not directed to children under 16 years of age. We do not knowingly collect or process personal data from children. If you are a parent or guardian and believe we have collected data from your child, please contact us immediately for deletion.
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected or as required by law. Specific retention periods include:
- Project documentation: 7 years following project completion (building regulation requirement)
- Financial records: As required by tax law
- Marketing consent records: Until consent is withdrawn
- Website analytics: 26 months
When retention periods expire, we securely delete or anonymize personal data.
Updates to This Policy
We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Updates will be posted on this page with a revised date. We encourage regular review of this document.
Contact and Questions
If you have questions about our GDPR compliance or wish to exercise your rights, please contact:
zenith-course
Email: [email protected]
Address: 247 Collins Street, Melbourne VIC 3000, Australia
We are committed to addressing your concerns and ensuring your data protection rights are respected.