moonlit-hill

GDPR Compliance Statement

Last Updated: May 11, 2026

Our Commitment to GDPR

While moonlit-hill is based in Australia and primarily serves Australian residents, we recognize that some of our website visitors may be located in the European Union. We are committed to complying with the General Data Protection Regulation (GDPR) for all EU residents who interact with our services.

Legal Basis for Processing

We process personal data under the following legal bases:

  • Consent: When you provide explicit consent for us to process your information for specific purposes
  • Contractual Necessity: When processing is necessary to fulfill our service obligations to you
  • Legal Obligation: When we must process data to comply with applicable laws
  • Legitimate Interests: When processing is necessary for our legitimate business interests, provided your rights are not overridden

Your Rights Under GDPR

If you are an EU resident, you have the following rights:

Right to Access

You have the right to request a copy of the personal data we hold about you.

Right to Rectification

You can request correction of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data under certain circumstances, such as when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Right to Restriction of Processing

You can request that we limit how we use your personal data under certain circumstances.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to Object

You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

Data Protection Measures

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Access controls and authentication mechanisms
  • Staff training on data protection principles
  • Data minimization practices
  • Pseudonymization where appropriate

Data Transfers

Your personal data is primarily stored and processed in Australia. If we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally approved transfer mechanisms

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Specific retention periods include:

  • Client files: 7 years after case completion
  • Website analytics: 26 months
  • Marketing consent records: Until consent is withdrawn plus 3 years
  • Financial records: As required by applicable tax and accounting laws

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Document all data breaches, including facts, effects, and remedial actions taken

Third-Party Processors

We work with carefully selected third-party service providers who process data on our behalf. All processors are:

  • Bound by written data processing agreements
  • Required to implement appropriate security measures
  • Prohibited from using your data for their own purposes
  • Subject to our oversight and auditing

Children's Data

We do not knowingly collect or process personal data from children under 16 without verifiable parental consent. If we become aware of such collection, we will delete the data promptly.

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at:

Email: [email protected]
Subject Line: GDPR Request
Address: Level 12, 147 Collins Street, Melbourne VIC 3000, Australia

We will respond to your request within one month. In complex cases, we may extend this period by two additional months, and we will inform you of any such extension.

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with:

  • Your local EU supervisory authority
  • The Office of the Australian Information Commissioner (OAIC)

Contact Our Data Protection Officer

For questions about our GDPR compliance or data protection practices, you can contact our Data Protection Officer at:

Email: [email protected]

Updates to This Statement

We may update this GDPR Compliance Statement to reflect changes in our practices or legal requirements. We will notify you of significant changes through our website or by email.
