OakshireTrustAI
GDPR Compliance Statement

Last Updated: May 22, 2026

Our Commitment to GDPR

OakshireTrustAI is committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) when processing personal data of individuals located in the European Economic Area (EEA), United Kingdom, and Switzerland.

This document outlines how we meet GDPR requirements and protect your data rights.

Data Controller Information

Data Controller: OakshireTrustAI
Address: Level 12, 485 La Trobe Street, Melbourne VIC 3000, Australia
Contact: [email protected]

Legal Basis for Processing

We process your personal data only when we have a valid legal basis under GDPR Article 6:

1. Consent (Article 6(1)(a))

When you provide explicit consent for specific processing activities such as marketing communications or cookie usage beyond essential cookies.

2. Contract Performance (Article 6(1)(b))

When processing is necessary to deliver our AI verification and certification services that you have contracted.

3. Legal Obligation (Article 6(1)(c))

When we must process data to comply with legal requirements including tax laws, anti-money laundering regulations, or court orders.

4. Legitimate Interests (Article 6(1)(f))

When processing serves our legitimate business interests while not overriding your fundamental rights, such as:

  • Website analytics for service improvement
  • Fraud prevention and security
  • Internal record keeping

Your Rights Under GDPR

As an individual in the EEA, UK, or Switzerland, you have the following rights:

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to access that data along with supplementary information.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you can request deletion of your personal data when:

  • Data is no longer necessary for original purposes
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and no overriding legitimate grounds exist
  • Data has been unlawfully processed
  • Erasure is required for legal compliance

Note: This right is not absolute. We may retain data when legal obligations require it.

Right to Restriction of Processing (Article 18)

You can request that we limit processing of your personal data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing pending verification

Right to Data Portability (Article 20)

You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller when processing is based on consent or contract and carried out by automated means.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Article 7)

Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, place of work, or place of alleged infringement.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: [email protected]

We will respond to your request within one month. In complex cases, we may extend this by two additional months and will inform you of such extension.

Data Protection Principles

We adhere to GDPR's core data protection principles (Article 5):

  • Lawfulness, Fairness, Transparency: We process data lawfully, fairly, and transparently
  • Purpose Limitation: We collect data for specified, explicit, legitimate purposes only
  • Data Minimization: We collect only data that is adequate, relevant, and necessary
  • Accuracy: We maintain accurate data and correct inaccuracies promptly
  • Storage Limitation: We retain data only as long as necessary
  • Integrity and Confidentiality: We protect data with appropriate security measures
  • Accountability: We demonstrate compliance with these principles

International Data Transfers

As an Australian-based organization, when we transfer your personal data from the EEA to Australia, we ensure appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules where relevant

We conduct transfer impact assessments to ensure protection levels are not undermined.

Data Security Measures

We implement technical and organizational measures to ensure a level of security appropriate to risk (Article 32):

  • Pseudonymization and encryption of personal data
  • Ongoing confidentiality, integrity, availability, and resilience of systems
  • Ability to restore data availability after incidents
  • Regular testing and evaluation of security effectiveness
  • Staff training on data protection
  • Access controls and authentication

Data Breach Notification

In the event of a personal data breach that risks your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware
  • Notify affected individuals without undue delay when high risk exists
  • Document all breaches including facts, effects, and remedial action

Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals (Article 22).

Data Protection by Design and Default

We implement data protection principles into our processing operations from the design stage (Article 25), including:

  • Privacy-enhancing technologies
  • Default settings that process only necessary data
  • Regular privacy impact assessments

Third-Party Processors

When we engage third-party processors, we ensure:

  • Written contracts meeting Article 28 requirements
  • Processors provide sufficient guarantees of GDPR compliance
  • Processing occurs only on our documented instructions
  • Appropriate security measures are implemented

Children's Data

We do not knowingly process personal data of individuals under 16 years of age. Our services are directed at business professionals and organizations.

Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy. Retention periods are determined based on:

  • Legal and regulatory requirements
  • Contractual obligations
  • Legitimate business purposes

Upon expiry of retention periods, data is securely deleted or anonymized.

Updates to This Statement

We may update this GDPR Compliance Statement to reflect changes in our practices or legal requirements. Material changes will be communicated via email or prominent website notice.

Supervisory Authority

Our lead supervisory authority for GDPR matters is determined by the location of our main establishment in Australia. However, you have the right to lodge complaints with your local EU supervisory authority.

Find your supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en

Contact Our Data Protection Officer

For GDPR-related inquiries or to exercise your rights:

Email: [email protected]
Subject: GDPR Inquiry

OakshireTrustAI

Independent AI verification and trust certification services for Australian organizations.

© 2026 OakshireTrustAI. All rights reserved. Australian Business Number pending.