GDPR Compliance Statement

Last Updated: May 22, 2026

1. Introduction

While OakshireTrustAI is based in Australia, we recognise the importance of the General Data Protection Regulation (GDPR) for individuals in the European Economic Area (EEA) and United Kingdom.

This statement outlines our commitment to GDPR compliance when processing personal data of individuals in these regions.

2. Legal Basis for Processing

We process personal data under the following legal bases:

• Consent: When you provide explicit consent for specific processing activities
• Contractual Necessity: When processing is necessary to perform our services
• Legitimate Interests: When processing serves our legitimate business interests while respecting your rights
• Legal Obligation: When required to comply with legal requirements

3. Your GDPR Rights

If you are located in the EEA or UK, you have the following rights:

• Right to Access: Request copies of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data in certain circumstances
• Right to Restrict Processing: Request limitation of how we use your data
• Right to Data Portability: Receive your data in a structured, commonly used format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
• Right to Lodge a Complaint: File a complaint with your local supervisory authority

4. Data Protection Officer

For GDPR-related enquiries, you can contact our data protection representative at:

Email: [email protected]

5. Data Transfers

When we transfer personal data from the EEA or UK to Australia or other jurisdictions, we ensure appropriate safeguards through:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions where applicable
• Other legally recognised transfer mechanisms

6. Data Retention

We retain personal data only as long as necessary for the purposes stated in our Privacy Policy, or as required by law. Retention periods vary depending on:

• The nature of the data
• The purpose for which it was collected
• Legal or regulatory requirements
• Legitimate business needs

7. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.

8. Data Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security testing and assessments
• Access controls and authentication mechanisms
• Incident response procedures
• Employee training on data protection

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware
• Notify affected individuals without undue delay if there is a high risk to their rights
• Document all data breaches, including facts, effects, and remedial action

10. Third-Party Processors

We only engage third-party processors that provide sufficient guarantees to implement appropriate technical and organisational measures. All processors are bound by written contracts that comply with GDPR requirements.

11. Children's Data

We do not knowingly process personal data of children under 16 years of age without parental consent, in compliance with GDPR requirements.

12. Exercising Your Rights

To exercise any of your GDPR rights, contact us at:

Email: [email protected]
Address: Level 14, 283 George Street, Sydney NSW 2000, Australia

We will respond to your request within one month, with possible extensions for complex requests.

13. Supervisory Authority

If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates GDPR.

14. Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website.