Website Privacy Policy
This Privacy Policy applies to all personal information collected by Bloom Business Advisory and Tax Services Pty Ltd (we, us or our) via the website located at bloombusinessadvisory.com.au (Website).
1. What information do we collect?
The kind of Personal Information that we collect from you will depend on how you use the Website. The Personal Information which we collect and hold about you may include: name, email address, phone number, IP address, browser type and version, device information, cookies and tracking data, and any other information voluntarily provided through contact forms. This information is collected to contact you, send marketing communications (with consent), and comply with legal obligations.
2. Types of information
The Privacy Act 1988 (Cth) (Privacy Act) defines types of information, including Personal Information and Sensitive Information.
Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
If the information does not disclose your identity or enable your identity to be ascertained, it will in most cases not be classified as “Personal Information” and will not be subject to this privacy policy.
Sensitive Information is defined in the Privacy Act as including information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.
Sensitive Information will be used by us only:
(a) for the primary purpose for which it was obtained;
(b) for a secondary purpose that is directly related to the primary purpose;
(c) with your consent or where required or authorised by law.
3. How we collect your Personal Information
(a) We may collect Personal Information from you whenever you input such information into the Website, related app or provide it to Us in any other way.
(b) We may also collect cookies from your computer which enable us to tell when you use the Website and also to help customise your Website experience. As a general rule, however, it is not possible to identify you personally from our use of cookies.
(c) We generally don’t collect Sensitive Information, but when we do, we will comply with the preceding paragraph.
(d) Before collecting cookies, we will obtain your informed consent through a cookie consent mechanism that allows you to accept, reject, or customise cookie preferences, distinguishing between essential and non-essential cookies.
(e) We use a cookie consent banner that appears on first visit, allowing users to accept all cookies, reject non-essential cookies, or customise preferences. Cookie categories include: (1) Essential cookies (required for website functionality, always enabled), (2) Analytics cookies (track user behaviour to improve website performance), (3) Marketing cookies (enable targeted advertising and retargeting). Users can modify preferences at any time through a cookie preference centre accessible via a link in the website footer. We store user consent preferences in a persistent cookie and honour opt-out requests for 12 months. We do not use cookies to track users across third-party websites without explicit consent.
(f) Where reasonable and practicable we collect your Personal Information from you only. However, sometimes we may be given information by a third party. In cases like this we will take steps to make you aware of the information that was provided by the third party.
4. Purpose of collection
(a) We collect Personal Information to provide you with the best service experience possible on the Website and keep in touch with you about developments in our business. All information provided in forms on our website is input at your own risk and we accept no liability if there is a security breach of this website.
(b) We customarily only disclose Personal Information to our service providers who assist us in operating the Website. Your Personal Information may also be exposed from time to time to maintenance and support personnel acting in the normal course of their duties.
(c) We require all service providers and third parties who access Personal Information to enter into written Data Processing Agreements that mandate compliance with the Australian Privacy Principles, implement security measures equivalent to our own standards, and acknowledge that we remain accountable for their handling of your Personal Information. We maintain audit rights to verify compliance and will notify you promptly if any third party experiences a data breach affecting your information.
(d) If a service provider experiences a data breach affecting your Personal Information, we will: (1) assess the breach within 7 business days to determine if serious harm is likely; (2) notify you without unreasonable delay if serious harm is likely, providing details of the breach, affected data types, and recommended protective steps; (3) notify the Office of the Australian Information Commissioner if required; (4) document the incident in our breach register with remedial actions taken. You may request details of our service provider's security measures and breach response procedures by contacting us.
(e) We assess whether a data breach is likely to result in serious harm by considering: (1) the type of Personal Information affected, including financial data, tax information, and health information; (2) the number of individuals affected; (3) the sensitivity of the information and potential for misuse; (4) whether the information has been accessed or is at risk of access; (5) the likelihood and severity of potential harm, including identity theft, financial loss, and reputational damage. Breaches involving financial records, tax file numbers, or health information are presumed likely to cause serious harm. All breach assessments are documented in our breach register with reasoning and are reviewed by our Privacy Officer within 7 business days.
(f) We will not disclose your Personal Information to overseas recipients unless we have obtained your express consent or are satisfied that the overseas recipient is subject to a law or binding scheme that provides substantially similar protections to the Australian Privacy Principles. Before any overseas disclosure, we will notify you of the recipient's country and the safeguards in place to protect your information.
(g) By using our Website, you consent to the receipt of direct marketing material. We will only use your Personal Information for this purpose if we have collected such information directly from you, and if it is material of a type which you would reasonably expect to receive from us. We do not use sensitive Personal Information in direct marketing activity. Our direct marketing material will include a simple means by which you can request not to receive further communications of this nature, such as an unsubscribe link.
(h) We will obtain your express consent before sending marketing communications, allowing you to select preferences for different communication channels (email, SMS, push notifications) and marketing types. You may withdraw consent or update preferences at any time through your account settings or by contacting us directly, and we will process all opt-out requests within 7 business days.
5. Security, access and correction
(a) We store your Personal Information in a way that reasonably protects it from unauthorised access, misuse, modification or disclosure. When we no longer require your Personal Information for the purpose for which we obtained it, we will take reasonable steps to destroy, anonymise or de-identify it. Most of the Personal Information that is stored in our client files and records will be kept for a maximum of 5 years to fulfil our record-keeping obligations.
(b) The Australian Privacy Principles:
(i) permit you to obtain access to the Personal Information we hold about you in certain circumstances (Australian Privacy Principle 12); and
(ii) allow you to correct inaccurate Personal Information subject to certain exceptions (Australian Privacy Principle 13).
(c) Where you would like to obtain such access, please contact us in writing on the contact details set out at the bottom of this privacy policy.
(d) We determine retention periods based on the nature of the Personal Information, legal and regulatory requirements, and our legitimate business needs. Different categories of Personal Information may be retained for varying periods, and we will provide specific retention timeframes upon request for particular data types you have provided to us.
(e) We retain Personal Information according to the following schedule: (1) Client advisory files and tax records: 5 years after final service delivery to fulfil tax law compliance obligations; (2) Marketing contact lists and engagement data: 2 years from last interaction or until consent is withdrawn; (3) Website analytics and cookie data: 12 months from collection; (4) Complaint and dispute records: 7 years to meet legal obligations; (5) Access and correction request records: 2 years from resolution. Upon expiration of these periods, data will be securely destroyed or anonymised within 30 days in accordance with clause 5.g.
(f) We will respond to your access request within 30 calendar days of receipt. If we require additional time to locate or compile your information, we will notify you within the initial 30 day period and provide a revised timeframe not exceeding 90 days total.
(g) We implement the following security measures to protect your Personal Information: encryption of data in transit and at rest using industry-standard protocols (TLS 1.2 or higher), access controls limiting employee access to authorised personnel only, regular security audits and vulnerability assessments, multi-factor authentication for administrative access, secure backup procedures with encrypted storage, and staff training on data handling and privacy obligations.
(h) Upon expiration of the applicable retention period, we will securely destroy or anonymise your Personal Information within 30 days using one of the following methods: secure deletion using industry-standard data wiping software (DOD 5220.22-M standard or equivalent), physical destruction of storage media, or anonymisation through removal of all identifying information. We maintain a data destruction register documenting the date, method, and categories of Personal Information destroyed. If destruction is not possible due to legal obligations, we will securely store the information and restrict access until destruction becomes possible.
(i) We maintain a data destruction register documenting the date, method, categories of Personal Information destroyed, and verification that destruction was completed. This register is reviewed quarterly to ensure compliance with our retention schedules and is available for audit by the Office of the Australian Information Commissioner upon request.
(j) In the event of a data breach affecting your Personal Information, we will assess the breach within 7 business days, notify affected individuals and the Office of the Australian Information Commissioner without unreasonable delay if the breach is likely to result in serious harm, and provide details of the breach, affected data types, and recommended protective steps. We will maintain a breach register documenting all incidents and remedial actions taken.
(k) To request correction of inaccurate Personal Information, please contact us in writing with details of the information you believe is inaccurate and the correction you seek. We will acknowledge your correction request within 7 business days and investigate within 30 calendar days. If we agree the information is inaccurate, we will correct it and notify you of the change. If we disagree, we will provide reasons and information about complaint procedures. If you dispute our decision, you may request we add a statement to your file noting your disagreement, which we will include in any future disclosures of that information.
6. Complaint procedure
If you have a complaint concerning the manner in which we maintain the privacy of your Personal Information, please contact us on the contact details set out at the bottom of this policy. All complaints will be acknowledged within 7 business days of receipt and will be considered by the director; we may seek further information from you to clarify your concerns. We will investigate your complaint and provide a substantive response within 30 calendar days. If we agree that your complaint is well founded, we will, in consultation with you, take appropriate steps to rectify the problem. If you remain dissatisfied with our response, you may refer the matter to the Office of the Australian Information Commissioner, and we will provide you with their contact details and information about their complaint process.
7. Overseas transfer
Your Personal Information will not be disclosed to recipients outside Australia unless you expressly request us to do so. If you request us to transfer your Personal Information to an overseas recipient, the overseas recipient will not be required to comply with the Australian Privacy Principles and we will not be liable for any mishandling of your information in such circumstances.
If you request overseas transfer of your Personal Information, we will only transfer to recipients in countries with substantially similar privacy protections or where you provide explicit consent. We will enter into written agreements with overseas recipients requiring equivalent security standards and Privacy Act compliance. We remain accountable for overseas recipients' handling of your information and will notify you of any breaches. You acknowledge the risks of overseas transfer and consent to such transfer only where you have explicitly requested it.
You may withdraw your consent for overseas transfer at any time by providing written notice to us, and we will cease all further transfers within 7 business days. Upon withdrawal, we will take reasonable steps to notify overseas recipients and request return or destruction of your Personal Information, though we cannot guarantee compliance by overseas recipients with such requests.
8. How to contact us about privacy
If you have any queries, if you seek access to your Personal Information, or if you have a complaint about our privacy practices, you can contact us regarding privacy matters through: Email: bloombusiness@outlook.com.au; Postal Address: Bloom Business Advisory, WOTSO, Level 2 Westfield Chermside, Chermside, QLD, 4032. For urgent privacy matters, or if you do not receive a response within 7 business days, you may escalate your inquiry to Kathleen Flower at bloombusiness@outlook.com.au. All inquiries will be acknowledged within 7 business days. If you remain unsatisfied with our response, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au or 1300 363 992.
