Last updated: June 17, 2026
While bold-leaf operates primarily in Australia, we recognize that our website may be accessed by individuals in the European Economic Area. This statement outlines how we comply with the General Data Protection Regulation (GDPR) when processing personal data of EU residents.
We process personal data under the following legal bases:
If you are an EU resident, you have the following rights:
For inquiries related to GDPR compliance or to exercise your rights, contact our data protection representative at [email protected]. Please include "GDPR Request" in your subject line.
We collect and process the following categories of personal data:
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law. Inquiry submissions are typically retained for 24 months. After this period, data is securely deleted unless you have requested ongoing service communications.
Personal data collected from EU residents may be transferred to and processed in Australia. We ensure that such transfers comply with GDPR requirements through appropriate safeguards. Australia has been recognized as providing adequate data protection under EU standards for certain sectors.
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit, secure server infrastructure, access controls limiting who can view personal data, and regular security assessments.
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal. To withdraw consent, contact us at [email protected].
In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR.
When we engage third-party service providers to process personal data on our behalf, we ensure they provide sufficient guarantees of GDPR compliance through contractual agreements that specify their data processing obligations.
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete such information.
You have the right to lodge a complaint with a supervisory authority in your jurisdiction if you believe our processing of your personal data violates GDPR. However, we encourage you to contact us first so we can address your concerns directly.
We will respond to requests to exercise your GDPR rights within one month of receiving your request. This period may be extended by two additional months where necessary, taking into account the complexity of the request. We will inform you of any such extension within the initial one-month period.