GDPR Compliance
Last updated: 22 May 2026
Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organisations processing personal data of individuals within the European Union (EU) and European Economic Area (EEA). Although riches-shadow is based in Australia, we are committed to extending GDPR-level protections to all our customers, regardless of their location.
Data Controller
For the purposes of GDPR, riches-shadow acts as the data controller for personal information collected through our website and services. As the data controller, we determine the purposes and means of processing your personal data.
Contact Details:
riches-shadow
Level 3, 142 Brunswick Street
Fitzroy VIC 3065
Australia
Email: [email protected]
Legal Basis for Processing
Under GDPR, we must have a valid legal basis to process your personal data. We rely on the following legal bases:
Consent
Where you have given clear consent for us to process your personal data for specific purposes, such as:
- Receiving marketing communications
- Placing non-essential cookies on your device
Contract Performance
Processing necessary for the performance of a contract with you, including:
- Managing your booking requests
- Providing culinary services you have purchased
- Processing payments
Legitimate Interests
Processing necessary for our legitimate interests, provided these interests do not override your fundamental rights, including:
- Improving our website and services
- Analysing website usage patterns
- Preventing fraud and maintaining security
Legal Obligation
Processing necessary to comply with legal obligations, such as:
- Tax and accounting requirements
- Responding to lawful requests from authorities
Your Rights Under GDPR
If you are located in the EU/EEA, you have the following rights regarding your personal data:
Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this information within one month of receiving your request.
Right to Rectification
You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure
You have the right to request deletion of your personal data in certain circumstances, including when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Right to Restrict Processing
You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing pending verification of legitimate grounds.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller, where technically feasible.
Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently engage in such automated decision-making.
Exercising Your Rights
To exercise any of your GDPR rights, please contact us at [email protected]. We will respond to your request within one month. If your request is complex or we receive numerous requests, we may extend this period by a further two months, in which case we will inform you of the extension and reasons for it.
We may need to verify your identity before processing your request. There is no fee for exercising your rights unless your request is manifestly unfounded or excessive.
International Data Transfers
As we are based in Australia, personal data collected from EU/EEA residents may be transferred to and processed in Australia. Australia has not received an adequacy decision from the European Commission. However, we implement appropriate safeguards to protect your data, including:
- Standard contractual clauses approved by the European Commission
- Technical and organisational security measures
- Limiting access to personal data to authorised personnel only
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. When determining retention periods, we consider:
- The nature and sensitivity of the data
- The potential risk of harm from unauthorised use or disclosure
- The purposes for which we process the data
- Whether we can achieve those purposes through other means
- Applicable legal requirements
Data Protection Officer
While we are not legally required to appoint a Data Protection Officer under GDPR, we take data protection seriously. For any questions or concerns about our data protection practices, please contact us at [email protected].
Complaints
If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority. For EU/EEA residents, this would be the data protection authority in your country of residence. In Australia, complaints can be made to the Office of the Australian Information Commissioner (OAIC).
Updates to This Notice
We may update this GDPR notice from time to time to reflect changes in our practices or legal requirements. We will post the updated notice on this page with a revised "Last updated" date.