GDPR Compliance Statement

Last Updated: May 29, 2026

1. Introduction

While Penny Forecast is an Australian-based company, we recognize the importance of the General Data Protection Regulation (GDPR) for individuals in the European Economic Area (EEA). This statement outlines our commitment to GDPR principles.

2. Legal Basis for Processing

We process personal data on the following legal bases:

• Consent: When you provide explicit consent for specific processing activities
• Contract: When processing is necessary to fulfill our service obligations
• Legitimate Interests: For business operations that do not override your rights
• Legal Obligation: When required by applicable law

3. Your GDPR Rights

If you are an EEA resident, you have the following rights:

3.1 Right to Access

You can request copies of your personal data we hold.

3.2 Right to Rectification

You can request correction of inaccurate or incomplete data.

3.3 Right to Erasure

You can request deletion of your personal data under certain circumstances.

3.4 Right to Restrict Processing

You can request limitation on how we use your data.

3.5 Right to Data Portability

You can request transfer of your data to another service provider.

3.6 Right to Object

You can object to processing based on legitimate interests or direct marketing.

3.7 Right to Withdraw Consent

You can withdraw consent at any time where processing is based on consent.

4. Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at:

Email: [email protected]

5. Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy or as required by law. Retention periods vary based on:

• The nature of the data
• The purpose of collection
• Legal and regulatory requirements

6. International Data Transfers

As an Australian company, your data is primarily processed in Australia. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions where applicable
• Explicit consent when required

7. Security Measures

We implement technical and organizational measures to ensure data security, including:

• Encryption of data in transit and at rest
• Access controls and authentication systems
• Regular security assessments
• Employee training on data protection

8. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Inform affected individuals without undue delay
• Document all breaches and remedial actions

9. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

10. Children's Data

We do not knowingly collect or process data from individuals under 16 years of age without parental consent.

11. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

12. Exercising Your Rights

To exercise any of your GDPR rights, contact us at:

Email: [email protected]
Subject: GDPR Rights Request

We will respond to verified requests within one month, with possible extension to two months for complex requests.

13. Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. The "Last Updated" date indicates the most recent revision.