GDPR Compliance Statement

Last updated: June 2, 2026

Introduction

Although Valley Prism operates primarily in Australia, we recognize that some website visitors and clients may be located in the European Union or European Economic Area. This page outlines our commitment to GDPR compliance for individuals whose data is subject to the General Data Protection Regulation.

Legal Basis for Processing

When processing personal data of EU/EEA residents, we rely on the following legal bases:

• Consent: Where you have explicitly agreed to our processing of your data
• Contractual necessity: Where processing is necessary to fulfill service agreements
• Legitimate interests: Where we have legitimate business reasons to process data, balanced against your rights
• Legal obligation: Where we must process data to comply with legal requirements

Your Rights Under GDPR

If you are an EU/EEA resident, you have the following rights regarding your personal data:

Right to Access

You can request confirmation of whether we process your data and obtain a copy of that data.

Right to Rectification

You can request correction of inaccurate personal data we hold about you.

Right to Erasure

You can request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purposes it was collected.

Right to Restriction of Processing

You can request that we limit how we use your data in specific situations.

Right to Data Portability

You can request to receive your data in a structured, commonly used format or have it transferred to another controller.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Valley Prism does not engage in automated decision-making of this nature.

Data Controller

Valley Prism acts as the data controller for personal information collected through our website and business operations. Our contact details are:

Valley Prism
127 Eucalyptus Lane
Mullumbimby NSW 2482
Australia
Email: [email protected]

Data Processing and Storage

Personal data collected from EU/EEA residents may be transferred to and processed in Australia. We ensure appropriate safeguards are in place for such transfers, including:

• Implementing appropriate technical and organizational security measures
• Limiting data access to authorized personnel only
• Using service providers who commit to GDPR-compliant practices
• Maintaining data processing agreements where applicable

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods vary based on data type and purpose:

• Inquiry and contact information: Retained while communications are active plus three years
• Client project data: Retained for duration of client relationship plus seven years
• Marketing communications: Retained until consent is withdrawn
• Website analytics: Typically aggregated and anonymized within 26 months

Cookies and Tracking

Our website uses cookies and similar technologies. You can control cookie preferences through your browser settings and our cookie banner. For detailed information, see our Cookies Policy.

Third-Party Data Sharing

We do not sell personal data to third parties. We may share data with:

• Service providers who assist with website hosting, email communications, and business operations under data processing agreements
• Professional advisors bound by confidentiality obligations
• Regulatory authorities when legally required

Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Access controls and authentication requirements
• Regular security assessments
• Staff training on data protection
• Incident response procedures

Data Breach Notification

In the event of a data breach that poses risk to individuals' rights and freedoms, we will notify affected individuals and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR.

Exercising Your Rights

To exercise any of your GDPR rights, contact us at [email protected]. Please include sufficient information to verify your identity and specify which right you wish to exercise.

We will respond to requests within one month, though this may be extended by two additional months for complex requests. We will inform you of any extension and the reasons for delay.

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, work, or where the alleged infringement occurred.

Changes to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Updated versions will be posted on this page with a revised date.

Contact

For questions about GDPR compliance or data protection practices, contact us at [email protected].