Revised and effective December 13, 2023
Scope of This Policy
- Our “Offline Services” – Services you use when you visit properties or travel with companies operated by Xanterra;
- Our “Digital Services” – Our websites, mobile applications, and other online services, including data collected when you interact with or reference our products/services or advertisements online.
Who We Are
How to Contact Us/Controller
Xanterra Leisure Holding, LLC
6312 S. Fiddlers Green Cir. Ste. 600N
Greenwood Village, CO 80111
Xanterra Leisure Holding, LLC
6312 S. Fiddlers Green Cir., Ste. 600 North
Greenwood Village, CO 80111
General Inquiries and Data Updates: firstname.lastname@example.org
Marketing Choices: If you would like to make changes to your communications preferences with regard to any Xanterra entity, click the link in any email from the applicable Xanterra entity to change your preferences with regard to that entity, or send us an email at email@example.com and let us know to which Xanterra entity your request is related.
Direct Marketing Disclosure Requests: please email firstname.lastname@example.org.
Categories and Sources of Personal Data
The following describes how we process data relating to identified or identifiable individuals and households (“Personal Data”).
Categories of Personal Data We Process
The categories of Personal Data we process may include:
Audio/Visual Data– Recordings and images collected from our surveillance cameras when you visit our properties and locations and areas adjacent to them, as well as audio files and records, such as voice mails, call recordings, and the like.
Biographical Data-Data relating to professional and employment history, qualifications, and similar biographic information.
Transaction Data-Information about the Services we provide to you and about reservations and transactions you make with Xanterra or other companies operating through us or on our behalf (including travel agents), information relating to operations or services at our properties and locations you visit, information about purchases and the method of payment you have used for purchases (including gift card purchase and use), what has been provided to you, when and where and, if applicable, how much you paid, and similar information.
Contact Data-Identity Data that relates to information about how we can communicate with you, such as email, phone numbers, physical addresses, social media handles, and information you provide to us when you contact us by email or when you communicate with us via social media.
Device / Network Data– Browsing history, search history, and information regarding your interaction with a web site, mobile application, or advertisement (e.g., IP Address, MAC Address, SSIDs or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, browsing data, first party cookies, third party cookies, web beacons, clear gifs and pixel tags, as well as similar information collected when you use Wi-Fi at our properties or on our ships.
Identity Data-Information such as your name; address; email address; telephone number; date of birth, account login details, including your user name and password, license plate number, or other account-related information; your identity, public profile, and similar information from social networks; and information such as unique IDs and similar data collected or derived from the use of RFID enabled products such as keycards.
Inference Data-Personal Data used to create a profile about you reflecting your preferences, characteristics, behavior, and market segments, likes, favorites and other data or analytics provided about you or your account by social media companies or data aggregators, including household data such as income, number of children, occupation, home ownership status, the products and services you use or intend to use or purchase, and your interests.
General Location Data– Non-precise location data, such as dates and times of your visit, which properties or locations you visited, and location specified by social media tags/posts.
Sensitive Personal Data– Personal Data deemed “sensitive” under various privacy laws, such as social security, driver’s license, state identification card, or passport number; account log-in and password, financial account, debit card, or credit card number; precise location data; racial or ethnic origin, religious or philosophical beliefs, etc. We may collect (either directly or through third parties who may provide the data to us) the following categories of Sensitive Personal Data:
- “Government ID Data” relates to official government identification, such as driver’s license or passport numbers, including similar Identity Data protected as Sensitive Data under applicable law.
- “Health Data” includes information about your health, temperature, or vaccinations, or other information health-related information you may provide in connection with your bookings.
- “Payment Data” includes information such as bank account details, payment card information, and information from credit reference agencies, including similar data as defined in applicable law, and relevant information in connection with a financial transaction.
- “Precise Location Data” relates to data from GPS, Wi-Fi triangulation, certain localized Bluetooth beacons, mobile devices, or technologies used to locate you at a precise location and time.
User Content-Unstructured/free-form data that may include any category of Personal Data, e.g., data that you give us in free text fields such as comment boxes, answers you provide when you participate in sweepstakes, contests, votes and surveys, including any other Personal Data which you may provide through or in connection with our Services.
Sources of Personal Data We Process
We collect Personal Data from various sources, which include:
Data you provide us-We receive your Personal Data when you provide them to us, when you purchase our products or services, or complete a transaction via our Services, when you purchase or use one of our gift cards, or when you otherwise use our Services.
Data we collect automatically-We collect Personal Data about or generated by any device you have used to access our Services, the websites of any service provider used to purchase accommodations at properties or travel with companies operated by Xanterra, or when you use Wi-Fi at any of our properties or while traveling with companies operated by us.
Service Providers & Agents-We receive Personal Data from on-line travel agents such as Expedia or booking.com or brick and mortar travel agents who transfer Personal Data to us when you purchase accommodations or services from them in connection with Services that we provide, and other service providers performing services on our behalf.
Aggregators and advertisers-We receive Personal Data from ad networks, behavioral advertising vendors, market research companies, data brokers, and social media companies or similar companies that provide us with additional Personal Data such as Inference Data.
Social media companies-We receive Personal Data from Meta (e.g. Facebook and Instagram) and other social media companies who may transfer Personal Data to us when you register for one of our Services or interact with that social media company on or in connection with our services, properties or locations.
Data we create or infer-We, certain partners, social media companies, and third parties operating on our behalf create and infer Personal Data such as Inference Data or Aggregate Data based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you. We may combine any Personal Data about you that we receive from you, from other companies within our family of companies, and from third parties.
Data Processing Contexts/Notice at Collection
Purchases and Transactions
We process Identity Data, Transaction Data, Payment Data, Inference Data, Device/Network Data, and Contact Data when you engage in a purchase and sale transaction, whether through our Digital Services or in person, and whether for our products, our services, our gift cards, or otherwise. If provided, we also process Health Data (such as your requests for health-related accommodations, or as otherwise necessary in connection with your visit – please see “Health Data” below) and Government ID Data.
We process this Personal Data as necessary to perform or initiate a contract with you, process your order and payment, carry out fulfillment and delivery, track the use and balance of gift cards, and for our Business Purposes. We may process Identity Data, Transaction Data, Preference Data, Contact Data, and Device/Network Data for Commercial Purposes (which may include data sales/sharing). We do not sell or “share” (for behavioral advertising purposes) Payment Data, Government ID Data, or Health Data or use it for Business Purposes not permitted under applicable law.
Third party businesses/controllers may receive your information. Third Party data controllers/businesses (such as service providers) provide many products and services you purchase through our Services. We may disclose Identity Data, Transaction Data, Contact Data, and Device/Network Data to those third parties. You may also direct us to disclose this data to or interact with these third parties as part of visiting our properties or making a purchase (which does not involve a data sale by us).
We process Device/Network Data, Contact Data, Identity Data, and Inference Data in connection with marketing communications, push notifications, telemarketing, or similar communications, and when you open or interact with those communications. You may receive marketing communications if you consent and, in some jurisdictions, as a result of account registration or a purchase.
We process this Personal Data to contact you about relevant products or services and for our Business Purposes. We may use this data for our Commercial Purposes (which may include data sales/sharing). Marketing communications may also be personalized as permitted by applicable law, but will not involve Targeted Advertising where users have opted out or not provided necessary consents. See your Rights & Choices to limit or opt out of this processing.
Visiting Our Properties or Traveling with Companies Operated by Xanterra
We process Identity Data, Transaction Data, and Contact Data when you visit our properties or travel with Xanterra. Additionally, if you use electronic or RFID technologies, or use on-premise Digital Services, we will collect Device/Network Data (see below for additional information regarding our Digital Services). In some cases, we will collect Health Data as may be needed in connection with your travel and activities (please also see “Health Data” below) and Government ID Data for identification purposes and in connection with regional requirements. In some situations, when you travel with a Xanterra entity, we may recommend that you use certain mobile applications. Certain mobile applications may feature the branding of a Xanterra entity but are operated for us by third parties, or in other cases the mobile applications may be entirely those of third parties.
We may process Identity Data, Transaction Data, Contact Data, Inference Data, and General Location Data as necessary to operate our properties and provide our services to you, for our Business Purposes, and our other legitimate interests, including:
- verifying your identity for authentication and security purposes;
- helping us to ensure our customers are genuine and to prevent fraud;
- notifying you via email or SMS regarding changes in circumstances impacting your visit; and
- to help us to return lost property to its rightful owner
We may also use Identity Data, Commercial Data, Contact Data, and Race or Ethnic Origin Data collected in this context for Commercial Purposes. We do not sell or “share” Payment Data, Government ID Data, Health Data, Race or Ethnic Origin Data, or use this data for Business Purposes not permitted under applicable law.
Third parties operating mobile applications on our behalf may collect or process Precise Location Data if you have permitted the collection of such data from your mobile device.
In certain cases, we process Health Data. Health Data, such as your vaccinations, temperature, data on health screening questionnaires, and/or your COVID-19 testing status, may be required (by us or by various laws, regulations, or local authorities) in order to book or embark on some of our offerings, visit certain properties we manage, or visit certain locations at which our cruise ships or tours may stop. Health Data is also used so that we can provide certain services to you such as to provide you with tailored services (for example, a wheelchair accessible space or a sign language interpreter) or in connection with our response to health-related incidents that may have taken place at properties or while traveling with companies operated by Xanterra. Health Data may also be required in connection with certain activities.
Where we collect Health Data, we will use it only as necessary to fulfill or ensure compliance with relevant booking contracts, to protect the health, safety, and vital interests of our personnel, guests and the public, to provide healthcare services you may request (where available), and as otherwise necessary for authorized Business Purposes. In each case, where consent is required by law, we will process this information only with appropriate consent. We do not sell or “share” (for behavioral advertising purposes) Health Data or use it for Business Purposes not permitted under applicable law.
We may process Audio/Visual Data in connection with CCTV or security cameras on and adjacent to properties and facilities managed by Xanterra. We process this data as necessary to operate our CCTV systems, for our Business Purposes, and our other legitimate business interests, such as:
- preventing and detecting crime and to keep people who visit and work at our company locations safe and secure;
- recording and investigating health and safety and other incidents which have happened or may have happened at properties or while traveling with companies operated by Xanterra;
- counting the numbers of people who visit our properties and to analyze flows of people around the properties and facilities for safety and commercial purposes using software which analyzes CCTV camera images; and
- creating aggregate data.
We do not sell or “share” Audio/Visual Data collected in this context.
We process Device/Network Data, Contact Data, Identity Data, General Location Data, and Inference Data when you use our Digital Services. You may also be able to complete purchases, sign up as a travel advisor, or enroll in marketing communications through our Digital Services. We may process Precise Location Data through certain Digital Services if you consent. Location Data may be required in order for you to use certain features of our Digital Services. Please note: in some situations, Precise Location Data may be collected by a third party mobile application recommended by Xanterra, and in some circumstances, the data may be owned and controlled by that third party rather than Xanterra.
We use this Personal Data as necessary to operate our Digital Services, such as keeping you logged in, delivering pages, etc., for our Business Purposes, and our other legitimate interests, such as:
- enhancing the security of our websites, mobile applications and other technology systems;
- analyzing the use of our Services, including navigation patterns, clicks, etc. to help understand and make improvements to the Services, to provide directions and contextual information to you, and other features that require the use of location. This may include the use of “session capture” or “session replay” software, which we use to understand how users are interacting with our websites, and to help us make decisions regarding design and functionality. Third party service providers operating this software may capture this data on our behalf.
- creating aggregate information about users’ location and patterns, which we use to help improve our Services.
We may process this Personal Data for our Commercial Purposes (which may include data sales/sharing). You have the right to limit our use of Precise Location Data by withdrawing consent to or disabling the collection of Precise Location Data.
Cookies, Pixels, Similar Technologies, and Targeted Advertising
You may opt out or withdraw your consent to Targeted Advertising by visiting our Privacy Choices Portal. In some cases, you may be able to opt-out by submitting requests to third party partners, including for the vendors listed below:
- Google Ads
- Facebook Custom Audience Pixel
- X (also known as “Twitter”) Audience Pixel
- Digital Advertising Alliance’s opt-out
- Network Advertising Initiative opt-out
Global Privacy Control (GPC)
Our Digital Services may support certain automated opt-out controls, such as the Global Privacy Control (“GPC”). GPC is a specification designed to allow Internet users to notify businesses of their privacy preferences, such as opting-out of the sale/sharing of Personal Data. To activate GPC, users must enable a setting or use an extension in the user’s browser or mobile device. Please review your browser or device settings for more information regarding how to enable GPC.
Please note: We may not be able to link GPC requests to your Personal Data in our systems, and as a result, some sales/sharing of your Personal Data may occur even if GPC is active. See the “Regional Supplements” section below for more information regarding other opt-out rights.
Do-Not-Track – Our Services do not respond to your browser’s do-not-track request.
- for “essential” purposes necessary for our Digital Services to operate (such as maintaining user sessions, CDNs, and the like);
- for “functional” purposes, such as to enable certain features of our Digital Services (for example, to allow a customer to maintain a basket when they are shopping at an online store);
- for “analytics” purposes and to improve our Digital Services, such as to analyze the traffic to and on our Digital Services (for example, we can count how many people have looked at a specific page, or see how visitors move around the websites when they use them, to distinguish unique visits/visitors to our Digital Services, and what website they visited prior to visiting our websites, and use this information to understand user behaviors and improve the design and functionality of the websites);
- for “retargeting,” Targeted Advertising, or other advertising and marketing purposes, including technologies that process Inference Data or other data so that we can deliver, buy, or target advertisements which are more likely to be of interest to you; and
- for “social media” e.g. via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or you link your account or engage with our content on or through a social networking website such as Facebook or X (also known as “Twitter”).
Third parties may view, edit, or set their own cookies or place web beacons on our websites. We, or third-party providers, may be able to use these technologies to identify you across platforms, devices, sites, and services. Third parties may engage in Targeted Advertising using this data. Third parties have their own privacy policies and their processing is not subject to this Policy.
We implement and maintain commercially reasonable security measures to secure your Personal Data from unauthorized processing. While we endeavor to protect our Services and your Personal Data unauthorized access, use, modification and disclosure, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.
Our Services are neither directed at nor intended for use by persons under the age of 13 in the US, or under the age of 13 to 16 in the EEA, UK, Switzerland, Cayman Islands, or 15/16 in Australia. Further, we do not knowingly collect Personal Data from minors. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.
- Retention periods established under applicable law;
- Industry best practices;
- Whether the purpose of processing is reasonably likely to justify further processing;
- Risks to individual privacy in continued processing;
- Applicable data protection impact assessments;
- IT systems design considerations/limitations; and
- The costs associated continued processing, retention, and deletion.
We typically retain Government ID Data and Health Data for so long as you are receiving relevant Services from us (e.g. the duration of your stay or travels). However, we may need to retain such data for longer periods based on legal requirements, other business needs related to your travel, or in connection with incidents during your travel.
We will review retention periods periodically and may pseudonymize or anonymize data held for longer periods.
Third Party Websites and Mobile Applications
Changes to Our Policy
We may change this Policy from time to time. We will post changes on this page. We will notify you of any material changes, if required, via email or notices on our Digital Services. Your continued use of our Services constitutes your acknowledgement of any revised Policy.
US States/California & Others
US State & California Privacy Rights & Choices
Under the California Consumer Privacy Act (“CCPA”) and other state privacy laws, residents of certain US states may have the following rights, subject to regional requirements, exceptions, and limitations.
Confirm-Right to confirm whether we process your Personal Data.
Access/Know-Right to request any of following: (1) the categories of Personal Data we have collected, sold/shared, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the purposes for which we collected or sold/shared your Personal Data; (4) the categories of third parties to whom we have sold/shared your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.
Portability-Right to request that we provide certain Personal Data in a common, portable format.
Deletion- Right to delete certain Personal Data that we hold about you.
Correction-Right to correct certain Personal Data that we hold about you.
Opt-Out (Sales, Sharing, Targeted Advertising, Profiling)– Right to opt-out of the following:
- If we engage in sales of data (as defined by applicable law), you may direct us to stop selling Personal Data.
- If we engage in Targeted Advertising (aka “sharing” of personal data or cross-context behavioral advertising,) you may opt-out of such processing.
- If we engage in certain forms of “profiling” (e.g. profiling that has legal or similarly significant effects), you may opt-out of such processing.
Revoke Consent for Use of Sensitive Personal Data-If we are collecting, using or otherwise processing your Sensitive Personal Data solely based on consent you have provided, you may revoke that consent at any time. Please note that we only use Sensitive Personal Data where necessary and in accordance with the specific purposes authorized by applicable law, subject to your consent where required. For California residents, because we do not process Sensitive Personal Data for purposes other than those listed in CCPA section 7027(m), the right to limit use of Sensitive Personal Data is not applicable.
Opt-in/Opt-out of Sale/Sharing of Minors’ Personal Data-To the extent we have actual knowledge that we collect or maintain personal information of a minor under age 16 in California, those minors must opt in to any sales/sharing of personal information (as defined under CCPA), and minors under the age of 13 must have a parent consent to sales/sharing of personal information. All minors have the right to opt-out later at any time.
Non-Discrimination-California residents have the right to not to receive discriminatory treatment as a result of your exercise of rights conferred by the CCPA.
List of Direct Marketers-California residents may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year.
Remove Minors’ User Content-Residents of California under the age of 18 can delete or remove posts using the same deletion or removal procedures described above, or otherwise made available through the Services. If you have questions about how to remove your posts or if you would like additional assistance with deletion you can contact us. We will work to delete your information, but we cannot guarantee comprehensive removal of that content or information posted through the Services.
Submission of Requests
You may submit requests to a specific Xanterra entity, as follows (please our review verification requirements section). If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at email@example.com. We will respond to any request to appeal within the period required by law.
|Access/Know, Confirm Processing, Portability, Deletion, and Correction
|Opt-Out or Opt-In: Sales, Sharing, Targeted Advertising or Profiling, Opt-in/Opt-out of Sale/Sharing of Minors’ Personal Data
|Revoke Consent for Sensitive Personal Data; List of Direct Marketers; Remove Minors’ User Consent
Categories of Personal Data Disclosed for Business Purposes
For purposes of the CCPA, we have disclosed to Service Providers for “business purposes” in the preceding 12 months the following categories of Personal Data, to the following categories of recipients:
Category of Personal Data
Category of Recipients
|Audio Visual Data
General Location Data
|Xanterra Companies; Service Providers; Partners, Excursions & Local Providers; Successors; Lawful Recipients
|Xanterra Companies; Service Providers; Partners, Excursions & Local Providers; Data Aggregators; Successors; Lawful Recipients
|Xanterra Companies; Service Providers; Partners, Excursions & Local Providers; Public Disclosure; Data Aggregators; Successors; Lawful Recipients
|Gov. ID Data
|Xanterra Companies; Service Providers; Partners, Excursions & Local Providers; Successors; Lawful Recipients; Contact Us/Support
|Sensitive Personal Data
|Xanterra Companies; Service Providers; Successors; Lawful Recipients
Categories of Personal Data Sold, Shared, or Disclosed for Commercial Purposes
For purposes of the CCPA, we have “sold” or “shared” in the preceding 12 months the following categories of Personal Data to the following categories of recipients:
Category of Personal Data
Category of Recipients
General Location Data
|Advertisers and Social Media Platforms; Data Aggregators
Categories of Sensitive Personal Data Used or Disclosed
For purposes of CCPA, we use, and may disclose as described above, the following categories of Sensitive Personal Data: Government ID Data; Health Data; Payment Data; Precise Location Data. However, we do not sell or “share” (for behavioral advertising purposes) Sensitive Personal Data. We do not use these categories of Sensitive Personal Data for purposes other than those listed in CCPA section 7027(m).
The controller of Personal Data relating to residents of the UK/EEA/Switzerland/Cayman Islands is: Xanterra Leisure Holding, LLC, 6312 S. Fiddlers Green Cir., Ste. 600N, Greenwood Village, CO 80111.
Rights & Choices
Residents of the EEA, UK, Switzerland, and the Cayman Islands have the following rights. Please our review verification requirements. Applicable law may provide exceptions and limitations to all rights.
Access-You may have a right to access the Personal Data we process.
Rectification-You may correct any Personal Data that you believe is inaccurate.
Deletion-You may request that we delete your Personal Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.
Data Export-You may request that we send you a copy of your Personal Data in a common portable format of our choice.
Restriction-You may request that we restrict the processing of personal data to what is necessary for a lawful basis.
Objection-You may have the right under applicable law to object to any processing of Personal Data based on our legitimate interests. We may not cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing:
- for Profiling purposes;
- for direct marketing purposes (we will cease processing upon your objection); and
- involving automated decision-making with legal or similarly significant effects (if any).
Regulator Contact-You have the right to file a complaint with regulators about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.
Submission of Requests
- Access, Rectification, Data Export, Deletion, Restriction, or Correction: please visit our Data Request Portal (applicable to the specific Xanterra entity listed on the portal page).
- Restriction; Do Not Sell:please visit our Privacy Choices Portal (applicable to the specific Xanterra entity listed on the portal page).
- For other questions or requests, please contact us via email to our privacy team at firstname.lastname@example.org
Lawful Basis for Processing
Description of Basis & Relevant Purposes
|Performance of a contract
|The processing of your Personal Data is strictly necessary in the context in which it was provided, e.g. to perform the agreement you have with us, to provide products and services to you, to open and maintain your user accounts, to deliver ticket(s) you have purchased, or process requests.
|This processing is based on our legitimate interests. For example, we rely on our legitimate interest to administer, analyze and improve our Services and related content, to operate our business including through the use of service providers and subcontractors, to send you notifications about our Services or products you have purchased, for archiving, recordkeeping, statistical and analytical purposes, and to use your Personal Data for administrative, fraud detection, audit, training, security, or legal purposes. See the Business Purposes of Processing section above for more information regarding the nature of processing performed on the basis of our legitimate interests.
|This processing is based on your consent. You are free to withdraw any consent you may have provided, at any time, subject to your rights/choices, and any right to continue processing on alternative or additional legal bases. Withdrawal of consent does not affect the lawfulness of processing undertaken prior to withdrawal.
|Compliance with legal obligations
|This processing is based on our need to comply with legal obligations. We may use your Personal Data to comply with legal obligations to which we are subject, including to comply with legal process. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for compliance purposes.
|Performance of a task carried out in the public interest
|This processing is based on our need to protect recognized public interests. We may use your Personal Data to perform a task in the public interest or that is in the vital interests of an individual. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for such purposes.
Rights and Choices
Residents of Australia have the right under the Privacy Act to request access or correct Personal Data we hold about you, the right to erasure, and the right to withdraw any consent you may have provided with regard to processing your Personal Data. If you make a request, we will require you to verify your identity before we provide you with any access, as described in the verification requirements section.
Submission of Australian Data Requests
- Access, Deletion or Correction: please visit our Data Request Portal (applicable to the specific Xanterra entity listed on the portal page).
- Withdraw Consent (including Restriction or Do Not Sell): please visit our Privacy Choices Portal (applicable to the specific Xanterra entity listed on the portal page).
- For other questions or requests, please Contact us via email to our privacy team at email@example.com.
Purposes of Processing
In certain cases, we may not automatically process your Personal Data for certain purposes. We rely on your consent to process Personal Data as follows:
- Cookies and Other Tracking Technologies for Targeted Advertising
- Any context where we process certain categories of Sensitive Personal Data (including Health Data, Government ID Data, Payment Data and Precise Location Data)
- Marketing communications
- Targeted Advertising
- Data Sales
- Advertisers and Social Media Platforms
You may contact the Office of the Australian Information Commissioner (OAIC) or you may contact us with any complaints regarding our privacy practices. We will respond to complaints we receive in a timely manner and process your data in accordance with your rights and our legal obligations.