BlueSky Creations

Privacy Policy

Introduction

Blue Sky Creations Pty Ltd (ABN 68 612 240 990) ("we", "us", or "our") is committed to protecting your privacy and handling personal information responsibly.

This Privacy Policy explains what personal information we collect, how and why we use it, who we share it with, how we protect it, how long we keep it, and the rights you may have under applicable privacy and data‑protection laws.

We are not required to appoint a Data Protection Officer. Any enquiries about our use of personal information should be sent by email to info@blueskycreations.com.au or by writing to PO Box 688, Mooloolaba, Queensland 4557, Australia.

We may revise this Policy from time to time by updating it. The revised Policy will take effect when it is posted on our website or otherwise made available to you.

Laws we comply with

We comply with applicable privacy and data‑protection laws, including:

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) (including relevant amendments in force from time to time);
  • New Zealand Privacy Act 2020;
  • EU General Data Protection Regulation (GDPR) 2016/679 (where it applies);
  • UK GDPR (as incorporated into UK law by the Data Protection Act 2018) (where it applies);
  • UK Data (Use and Access) Act 2025 (where it applies, including any rights relating to transparency of access to personal data and access‑record disclosure); and
  • where applicable, the EU Digital Services Act.

Depending on the context, we may act as a data controller, a data processor, or both.

Who this policy applies to

This policy applies to:

  • visitors to our websites;
  • customers and users of our products and services;
  • employees, contractors, and job applicants; and
  • suppliers, business partners, and other contacts.

What is personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Examples include your name, contact details, account details, payment details, IP address, device identifiers, and information we infer or derive about you from other data.

Sensitive information is a special category of personal information (for example, health information, biometric information, racial or ethnic origin, political opinions, religious beliefs, trade‑union membership, sexual orientation, or criminal history).

We only collect sensitive information where it is necessary for a lawful purpose, permitted or required by law, and where explicit consent has been obtained where required.

Types of information we collect

Depending on your relationship with us and the services you use, we may collect:

  • contact and identification details (for example, name, email address, phone number);
  • account and authentication information (for example, usernames, hashed passwords, MFA settings);
  • billing, payment, and transaction information;
  • documents, files, or other content you upload or submit through our platforms;
  • usage data, analytics, and interaction information (for example, pages viewed, features used, timestamps, diagnostic logs);
  • information from third‑party services or integrations you link to our services (where you enable those connections); and
  • system‑generated metadata, including audit logs and access records where required for security, compliance, or legal purposes.

How we collect information

We collect personal information in the following ways:

  • Directly from you (for example, when you create an account, contact support, complete forms, or use our services).
  • Automatically (for example, through cookies, session identifiers, device metadata, server logs, and similar technologies).
  • From third parties (for example, payment processors, cloud providers, and integration partners), where permitted by law and where relevant to providing our services.
  • Through our website and social networking services such as Facebook, Instagram, LinkedIn and X (formerly Twitter), where you interact with our pages or content.

Purposes for collection and use

We collect and use personal information to:

  • provide, operate, and maintain our products and services;
  • authenticate users and administer accounts;
  • process payments and transactions and issue invoices/receipts (note: we do not store credit card or debit card numbers on our websites or in our systems);
  • deliver customer support, service notices, and operational communications;
  • improve performance, reliability, and user experience (including analytics);
  • detect, prevent, and investigate security incidents, fraud, and misuse;
  • meet legal, regulatory, taxation, audit, and compliance obligations; and
  • manage recruitment, employment, contractor engagement, and workforce administration (where relevant).

Legal bases for processing (where applicable)

Where required by EU/UK law (and in other contexts as a matter of good practice), we process personal information on one or more of the following bases:

  • Consent (for example, certain marketing communications or optional cookies where required).
  • Performance of a contract (for example, providing services you have requested).
  • Legal obligations (for example, taxation, employment, or regulatory requirements).
  • Vital interests (rarely, where necessary to protect life).
  • Legitimate interests (for example, improving our services and protecting our systems), provided those interests are not overridden by your rights.

Transparency and notices at collection

When we collect personal information, we take reasonable steps to inform you about:

  • our identity and contact details;
  • the purpose(s) of collection and how we will use the information;
  • whether collection is required or optional and the consequences of not providing it;
  • the types of third parties we may disclose information to;
  • whether we are likely to disclose information overseas (and, where practical, to which countries); and
  • how you can access, correct, or complain about our handling of personal information.

We may provide these notices through this policy, in‑product notices, “just‑in‑time” prompts, web forms, onboarding screens, or contractual documentation.

Where practicable and lawful, you may have the option to engage with us on an anonymous basis or using a pseudonym.

Cookies and online activity

We use cookies and similar technologies to help our websites and services work properly and to improve them. Cookies may be used to:

  • keep you signed in and manage sessions;
  • protect against fraud and improve security;
  • analyse traffic and performance;
  • remember preferences; and
  • deliver advertising or retargeting where permitted and where you have provided consent (if required).

You can control or disable cookies in your browser settings. If you disable cookies, some features may not function properly.

Where required by law, we maintain records of access to analytics and tracking data, including logs of system or personnel access to such information.

Direct marketing

We may send you updates about our products and services, events, or opportunities where permitted by law.

For Australian recipients, we comply with the Spam Act 2003 (Cth). For UK and EU individuals, we rely on consent or legitimate interests where permitted by law.

You can opt out at any time by using the unsubscribe function in our messages or by contacting us.

Automated decision‑making and profiling

We may use automated tools to support activities such as fraud detection, security monitoring, service personalisation, or eligibility assessments.

Where an automated decision produces legal or similarly significant effects and applicable law requires it, you may request:

  • meaningful information about the logic involved and the significance and envisaged consequences; and
  • human review of the decision and an opportunity to contest the outcome.

We maintain secure and auditable records of system access and processing activities associated with automated processing, in accordance with applicable requirements.

Disclosure of personal information

We may disclose personal information to:

  • service providers and contractors who help us deliver our services (for example, hosting providers, payment processors, and customer support tooling);
  • professional advisers (for example, auditors, insurers, legal advisers, accountants) where necessary;
  • regulators, courts, law enforcement, or other authorities where required or authorised by law;
  • a buyer or successor entity in connection with a merger, acquisition, restructure, or asset sale; and
  • other parties with your consent or at your direction (for example, enabled integrations).

We require relevant third parties to implement appropriate confidentiality, privacy, and security safeguards, and we only disclose what is reasonably necessary for the relevant purpose.

We do not sell or rent personal information to third parties.

Third‑party agreements and due diligence

Before engaging service providers who may handle personal information on our behalf, we take risk‑based steps such as:

  • assessing privacy and security posture (including certifications where relevant);
  • requiring written agreements that address confidentiality, security controls, and permitted processing;
  • limiting access to personnel with a legitimate need; and
  • reviewing third‑party performance and security where appropriate.

Overseas disclosure and international transfers

We may store or process personal information with service providers located outside your country of residence (including outside Australia).

Before transferring personal information overseas, we take reasonable steps to ensure the recipient handles personal information consistently with applicable privacy and data‑protection laws. Depending on the circumstances, this may include:

  • assessing the recipient’s privacy and information‑security controls;
  • contractual safeguards (including Standard Contractual Clauses and UK addenda where applicable);
  • reliance on adequacy or equivalent recognition mechanisms under applicable law; and
  • limiting transfers to what is necessary for the relevant purpose.

Where required, we remain accountable for overseas disclosures under Australian law.

Data retention

We retain personal information only for as long as necessary for the purpose it was collected and to meet legal, regulatory, and business requirements.

Indicative retention periods may include:

  • customer and financial records: up to 7 years (for taxation and audit requirements);
  • job applicant records: 6–12 months if an application is unsuccessful (unless required longer by law or with consent); and
  • marketing preferences and opt‑in/opt‑out records: for as long as necessary to respect your choices and demonstrate compliance.

If we hold hard‑copy records, they are stored in secure premises with access controls. Hard‑copy records are retained and securely destroyed in line with our retention schedule and applicable legal requirements.

When information is no longer required, we securely destroy it or de‑identify it (where appropriate and practicable).

Data security

We use technical and organisational measures to protect personal information, which may include:

  • encryption in transit and at rest (where appropriate);
  • multi‑factor authentication and strong access controls;
  • network and system monitoring, logging, and alerting;
  • regular vulnerability management and system maintenance;
  • staff training and awareness; and
  • incident response procedures.

Data breaches

We investigate and respond promptly to suspected data breaches.

Where required, we notify affected individuals and regulators in accordance with applicable law, including the Australian Notifiable Data Breaches scheme and EU/UK breach notification rules.

We document response actions taken and improvements implemented following incidents.

Privacy impact assessments

We conduct Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) for processing activities that are likely to present higher privacy risks, such as large‑scale profiling, sensitive information processing, or significant cross‑border transfers.

Your rights

Subject to applicable law and certain exceptions, you may have rights to:

  • request access to the personal information we hold about you;
  • request correction of inaccurate or out‑of‑date information;
  • request deletion in certain circumstances;
  • object to or restrict certain processing (including certain profiling);
  • withdraw consent where processing is based on consent; and
  • receive a portable copy of your personal information (in certain circumstances).

Right to access records (UK individuals)

Where the UK Data (Use and Access) Act 2025 applies, you may request information about access to your personal data. This may include (where required and subject to lawful exemptions) whether your personal data has been accessed, the categories of persons or systems that accessed it, the date and time of access, and the lawful purpose for which it was accessed.

We maintain secure and auditable access logs and will respond within applicable legal timeframes.

Where required under EU/UK law, we will also maintain records of processing activities and support the exercise of data subject rights.

How to exercise your rights

To request access, correction, deletion, or other rights, contact us using the details in section 27. We may require identity verification to protect your information, particularly for access‑record requests.

We will respond within the timeframes required under applicable law. If we cannot fulfil a request, we will explain why (for example, where a lawful exemption applies).

Children and young persons

We obtain parental or guardian consent before collecting personal information from anyone under the age of 16, or such higher age threshold as required by applicable local law.

Accountability and governance

We maintain governance measures to support privacy compliance, including:

  • appointment of a Privacy Officer (or equivalent accountable role), where appropriate;
  • privacy training and awareness for staff and contractors;
  • internal reviews and audits;
  • risk‑based due diligence for suppliers; and
  • a data governance and security framework aligned with ISO/IEC 27001:2022.

Complaints and dispute resolution

If you have a complaint about how we handle personal information, please contact us first so we can try to resolve it.

If unresolved, you may lodge a complaint with the relevant regulator, including:

  • Office of the Australian Information Commissioner (OAIC);
  • New Zealand Privacy Commissioner;
  • an EU supervisory authority (for EU individuals, where EU law applies); or
  • the UK Information Commissioner’s Office (ICO) (for UK individuals, where UK law applies).

Digital Services Act – privacy‑related disclosures (where applicable)

Where our services fall within scope of the EU Digital Services Act, we maintain processes for notices about illegal content, transparency of moderation actions, and user appeals. These processes may be described in additional terms and product notices.

Contact details

Email: info@blueskycreations.com.au

Post: PO Box 688, Mooloolaba QLD 4557, Australia

Phone: +61 7 3040 2098