GDPR Compliance

Last Updated: June 1, 2026

1. Overview

While lumen-quasar is primarily an Australian-based company, we recognize that the General Data Protection Regulation (GDPR) may apply to some of our clients and website visitors who are located in the European Economic Area (EEA) or the United Kingdom. This page explains how we comply with GDPR requirements when processing personal data of EEA and UK residents.

2. Legal Basis for Processing

When we process personal data of EEA or UK residents, we do so under one or more of the following legal bases:

  • Consent: You have given clear consent for us to process your personal data for specific purposes.
  • Contract: Processing is necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract.
  • Legal Obligation: Processing is necessary to comply with applicable laws and regulations.
  • Legitimate Interests: Processing is necessary for our legitimate business interests, provided these interests do not override your rights and freedoms.

3. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights regarding your personal data:

3.1 Right of Access

You have the right to request copies of your personal data. We may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

3.2 Right to Rectification

You have the right to request correction of any information you believe is inaccurate or incomplete.

3.3 Right to Erasure

You have the right to request deletion of your personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected.

3.4 Right to Restrict Processing

You have the right to request that we restrict processing of your personal data under certain circumstances.

3.5 Right to Data Portability

You have the right to request transfer of your personal data to another organization or directly to you, where technically feasible.

3.6 Right to Object

You have the right to object to our processing of your personal data where we are relying on legitimate interests, direct marketing, or processing for research or statistical purposes.

3.7 Right to Withdraw Consent

Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before withdrawal.

3.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your country of residence or place of work if you believe our processing of your personal data violates GDPR.

4. Data Controller

For the purposes of GDPR, lumen-quasar is the data controller responsible for your personal data. Our contact details are:

lumen-quasar
Email: [email protected]
Address: Level 7, 142 Creek Street, Brisbane City QLD 4000, Australia

5. Data Protection Officer

If you have any questions about our GDPR compliance or wish to exercise your rights, you may contact our Data Protection Officer at [email protected].

6. Data Transfers

Your personal data is primarily stored and processed in Australia. When we transfer personal data from the EEA or UK to Australia or other countries outside the EEA/UK, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions recognizing that the destination country ensures an adequate level of data protection
  • Your explicit consent to the transfer

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. Retention periods vary depending on the type of data and the nature of our relationship with you.

When determining retention periods, we consider:

  • The amount, nature, and sensitivity of the personal data
  • The purposes for which we process the data
  • Legal and regulatory requirements
  • Whether the purpose can be achieved through other means

8. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.

9. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication requirements
  • Staff training on data protection principles
  • Incident response procedures

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

11. Third-Party Processors

We may engage third-party service providers to process personal data on our behalf. When we do so, we:

  • Ensure they provide sufficient guarantees of GDPR compliance
  • Enter into written contracts that meet GDPR requirements
  • Monitor their compliance with data protection obligations

12. Cookies and Tracking

Our use of cookies and similar tracking technologies is described in our Cookies Policy. We obtain your consent before placing non-essential cookies on your device.

13. Marketing Communications

We will only send you marketing communications if:

  • You have given us explicit consent, or
  • We are contacting you about similar services you have previously used (soft opt-in), and you have not opted out

You can opt out of marketing communications at any time by clicking the unsubscribe link in our emails or contacting us directly.

14. Children's Data

We do not knowingly collect or process personal data from individuals under 16 years of age without parental consent. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information.

15. Exercising Your Rights

To exercise any of your GDPR rights, please contact us using the details provided above. We will respond to your request within one month, though this may be extended by two additional months in complex cases. We will inform you of any such extension and the reasons for the delay.

16. Updates to This Policy

We may update this GDPR compliance statement from time to time. We will notify you of any material changes by posting the updated statement on our website with a revised date.