GDPR Compliance Statement

Last Updated: June 1, 2026

Our Commitment to GDPR

Kestrel Marsh is committed to complying with the General Data Protection Regulation (GDPR) and ensuring the protection of personal data for all individuals in the European Union and European Economic Area. This page outlines our approach to GDPR compliance and your rights under the regulation.

Data Controller

Kestrel Marsh acts as the data controller for personal information collected through our website and services. Our contact details are:

Kestrel Marsh
127 Bourke Street
Melbourne VIC 3000
Australia
Email: [email protected]

Legal Basis for Processing

We process personal data under the following lawful bases:

  • Contract Performance: To fulfill our contractual obligations when you book a tour with us
  • Legitimate Interests: To operate our business, improve our services, and communicate with customers
  • Consent: For marketing communications and non-essential cookies, where you have provided explicit consent
  • Legal Obligation: To comply with applicable laws and regulations, including tax and accounting requirements

Your Rights Under GDPR

As a data subject, you have the following rights:

Right to Access

You have the right to request access to the personal data we hold about you and receive a copy of this data.

Right to Rectification

You can request correction of inaccurate or incomplete personal data.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.

Right to Restriction of Processing

You can request that we restrict processing of your personal data in specific situations.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller.

Right to Object

You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at [email protected]. We will respond to your request within one month, as required by GDPR.

When submitting a request, please include:

  • Your full name
  • Email address associated with your booking or account
  • Specific details of your request
  • Proof of identity (if required for verification)

Data Protection Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Staff training on data protection
  • Data backup and recovery procedures
  • Incident response protocols

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Our retention periods are:

  • Booking Information: 7 years (accounting and legal requirements)
  • Marketing Communications: Until consent is withdrawn or 2 years of inactivity
  • Website Analytics: 26 months
  • Customer Correspondence: 3 years from last interaction

International Data Transfers

As we are based in Australia, personal data from EU/EEA residents may be transferred outside the European Economic Area. We ensure such transfers are protected by appropriate safeguards, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Processing agreements with third-party service providers that include GDPR-compliant terms
  • Regular assessment of data protection adequacy

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.

Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.

Third-Party Processors

We work with third-party service providers who process personal data on our behalf. These processors are contractually bound to process data only according to our instructions and to maintain appropriate security measures. Our key processors include:

  • Payment processing services
  • Email communication platforms
  • Website hosting providers
  • Analytics services

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated through our website and, where appropriate, via email.

Contact and Questions

If you have questions about our GDPR compliance or data protection practices, please contact us:

Email: [email protected]
Address: 127 Bourke Street, Melbourne VIC 3000, Australia