GDPR Compliance
Information for visitors from the European Economic Area about your data protection rights.
Last updated: 16 June 2026
The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy. Although fern-point is based in Australia, we are committed to protecting the privacy of all our website visitors and service users, including those from the European Economic Area (EEA).
This page provides additional information about how we comply with GDPR requirements for EEA residents.
Data Controller
fern-point is the data controller for personal information collected through our website and services. Our contact details are:
fern-point
42 Harbour Street
Sydney NSW 2000
Australia
[email protected]
Legal Basis for Processing
We process personal data under the following legal bases as defined by GDPR:
Consent
Where you have given clear consent for us to process your personal data for specific purposes, such as receiving marketing communications or allowing certain cookies.
Contract Performance
Where processing is necessary to perform a contract with you (for example, to deliver services you have booked) or to take steps at your request before entering a contract.
Legitimate Interests
Where processing is necessary for our legitimate interests or those of a third party, provided those interests do not override your fundamental rights and freedoms. Our legitimate interests include:
- Operating and improving our website and services
- Understanding how visitors use our website
- Ensuring the security of our systems
- Communicating with clients about their bookings
Legal Obligation
Where processing is necessary to comply with a legal obligation, such as maintaining financial records.
Your Rights Under GDPR
If you are located in the EEA, you have the following rights regarding your personal data:
Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this information within one month of your request, free of charge in most circumstances.
Right to Rectification
You have the right to request that we correct any inaccurate personal data or complete any incomplete data we hold about you.
Right to Erasure
You have the right to request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected, or when you withdraw consent.
Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller without hindrance.
Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently use automated decision-making in our services.
Exercising Your Rights
To exercise any of these rights, please contact us at [email protected] with your request. We may need to verify your identity before processing your request.
We will respond to your request within one month. If your request is complex or you have made multiple requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and reasons for the delay.
International Data Transfers
As we are based in Australia, personal data collected from EEA residents may be transferred to and processed in Australia. Australia is not subject to an adequacy decision by the European Commission, which means data protection standards may differ from those in the EEA.
When transferring data outside the EEA, we implement appropriate safeguards to protect your personal data, including:
- Contractual clauses approved by the European Commission
- Ensuring appropriate technical and organisational security measures
Data Retention
We retain personal data only for as long as necessary for the purposes set out in our Privacy Policy. When determining retention periods, we consider:
- The nature and sensitivity of the data
- The purposes for which we process the data
- Legal requirements and obligations
- Whether the purpose can be achieved through other means
Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit
- Regular security assessments
- Access controls limiting who can access personal data
- Staff training on data protection practices
Complaints
If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority. For EEA residents, this would be the data protection authority in your country of residence.
We would appreciate the opportunity to address your concerns directly before you approach a supervisory authority. Please contact us first at [email protected].
Changes to This Information
We may update this GDPR compliance information from time to time. Changes will be posted on this page with an updated revision date.