Privacy Policy
Last updated: June 2025
Welcome to . We are committed to protecting your personal data and respecting your privacy in full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all applicable data protection legislation. This Privacy Policy explains who we are, what personal data we collect, why we collect it, how we use it, with whom we share it, how long we retain it, and what rights you have regarding your personal data.
Please read this Privacy Policy carefully before using our website at goldenmeadowstudio.com or any of our services. By accessing or using our website and services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy.
1. Data Controller
The entity responsible for the processing of your personal data (the "Data Controller") is:
| Legal Entity | |
|---|---|
| Legal Address | |
| Registration Country | European Union (EU) |
| Website | goldenmeadowstudio.com |
| Privacy Contact Email | privacy@goldenmeadowstudio.com |
1.1 Data Protection Officer (DPO)
In accordance with Article 37 of the GDPR, we have appointed a Data Protection Officer who is responsible for overseeing our data protection strategy and ensuring compliance with data protection laws. You may contact our DPO directly at any time:
| Name / Title | The Data Protection Officer |
|---|---|
| Organisation | |
| Address | |
| privacy@goldenmeadowstudio.com |
2. Personal Data We Collect
We collect personal data directly from you (Article 13 GDPR) and, in some cases, from third-party sources such as booking platforms, payment processors, or publicly available sources (Article 14 GDPR). The categories of personal data we collect include, but are not limited to, the following:
2.1 Identification and Contact Data
- Full name, title, and date of birth
- Email address, telephone number, and postal address
- Nationality and passport or national identity card details (required for hotel registration)
- Signature (where required for check-in or contractual purposes)
2.2 Reservation and Stay Data
- Booking reference number and reservation details
- Check-in and check-out dates, room type, and special requests
- Number of guests and accompanying persons
- Records of services used during your stay (dining, spa, entertainment, casino, etc.)
- Guest preferences and loyalty programme information
2.3 Financial and Payment Data
- Credit or debit card details (processed securely through compliant payment processors)
- Billing address and invoicing information
- Transaction history and payment records
- Bank account details (where direct debit is used)
2.4 Casino and Gaming Data
- Gaming activity records, including bets placed, wins, and losses
- Responsible gambling self-exclusion requests and related records
- Age verification and identity verification data required by gaming regulations
- Anti-money laundering (AML) and Know Your Customer (KYC) documentation
2.5 Technical and Usage Data
- IP address, browser type and version, operating system
- Device identifiers and hardware information
- Pages visited on our website, time spent on each page, and navigation paths
- Referring URLs and exit pages
- Cookie identifiers and similar tracking technologies (see our Cookie Policy)
- Log files and access records
2.6 Communication and Marketing Data
- Records of correspondence with us (emails, letters, live chat transcripts, phone call records)
- Marketing preferences and subscription status
- Survey responses and feedback submitted voluntarily
- Social media usernames or profile information where you interact with us via social platforms
2.7 Security and Surveillance Data
- CCTV footage recorded on our premises (hotel and casino areas)
- Access control records and visitor logs
- Incident and security reports
2.8 Special Categories of Personal Data
In limited circumstances, we may process special categories of personal data as defined under Article 9 of the GDPR. This may include:
- Health information (e.g., dietary requirements, disability-related accommodations, or medical emergencies)
- Information revealing religious beliefs (e.g., dietary restrictions based on religion)
We only process such special category data where we have obtained your explicit consent, or where processing is necessary to protect your vital interests or to comply with legal obligations. We handle all special category data with the highest degree of care and apply appropriate technical and organisational safeguards.
3. Legal Basis for Processing
In accordance with Article 6 of the GDPR, we process your personal data only where a valid legal basis exists. The applicable legal bases are as follows:
3.1 Performance of a Contract (Article 6(1)(b))
Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. This includes:
- Processing your hotel reservation and managing your stay
- Providing casino and gaming services
- Processing payments and issuing invoices
- Managing loyalty programme memberships
- Responding to service requests made during your visit
3.2 Compliance with Legal Obligations (Article 6(1)(c))
Processing is necessary for compliance with a legal obligation to which we are subject. This includes:
- Guest registration requirements under hotel and tourism regulations
- Anti-money laundering (AML), counter-terrorism financing (CTF), and Know Your Customer (KYC) obligations under applicable gaming and financial regulations
- Age verification obligations under gambling legislation
- Tax and accounting obligations
- Compliance with court orders, regulatory requests, or law enforcement obligations
- Data breach notification obligations
3.3 Legitimate Interests (Article 6(1)(f))
Processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:
- Ensuring the security of our premises, staff, and guests (including CCTV surveillance)
- Preventing fraud, theft, and other criminal activity
- Improving and personalising our services and website
- Managing and developing our business operations
- Sending direct marketing communications to existing customers (where permitted and subject to your right to object)
- Conducting internal analytics and reporting
- Enforcing our terms and conditions
3.4 Consent (Article 6(1)(a))
Where required, we will ask for your explicit consent before processing your personal data. This applies to:
- Sending you marketing communications if you are a new customer or if applicable law requires consent
- Placing non-essential cookies and similar tracking technologies on your device
- Processing special categories of personal data (Article 9(2)(a))
- Any other processing activities where consent is required
Where we rely on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal. You may withdraw consent by contacting us at privacy@goldenmeadowstudio.com.
3.5 Vital Interests (Article 6(1)(d))
In exceptional circumstances, we may process personal data where processing is necessary in order to protect the vital interests of you or of another natural person, such as in a medical emergency during your stay.
3.6 Public Task (Article 6(1)(e))
Where applicable, processing may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for example when cooperating with regulatory authorities or public bodies in the exercise of their official functions.
4. How We Use Your Personal Data
We use your personal data for the following specific purposes, always ensuring that such use is compatible with the original purpose of collection:
4.1 Hotel and Accommodation Services
- Processing, confirming, and managing your room reservations
- Facilitating check-in, check-out, and room management
- Fulfilling special requests and accessibility requirements
- Managing billing, invoicing, and payment processing
- Providing concierge and guest services
4.2 Casino and Gaming Operations
- Verifying your identity and age in compliance with gaming regulations
- Providing casino floor services and online gaming where applicable
- Conducting AML and fraud prevention checks
- Administering responsible gambling programmes, including self-exclusion requests
- Maintaining gaming transaction records as required by applicable regulations
4.3 Customer Service and Communications
- Responding to enquiries, complaints, and feedback
- Sending booking confirmations, pre-arrival information, and post-stay surveys
- Notifying you of changes to our services, terms, or this Privacy Policy
- Managing loyalty programme communications and benefits
4.4 Marketing and Personalisation
- Sending you promotional offers, newsletters, and event information based on your preferences (where you have consented or where we have a legitimate interest)
- Personalising your experience on our website and during your stay
- Conducting market research and customer satisfaction surveys
- Delivering targeted advertising through digital channels (subject to your cookie preferences)
4.5 Security and Safety
- Monitoring our premises via CCTV to ensure the safety of guests, staff, and property
- Preventing, investigating, and reporting fraud, theft, and other criminal activity
- Managing access to restricted areas of the hotel and casino
- Responding to emergency situations and ensuring guest welfare
4.6 Legal and Regulatory Compliance
- Meeting our obligations under applicable laws and regulations
- Responding to lawful requests from public authorities and law enforcement agencies
- Establishing, exercising, or defending legal claims
- Maintaining records for audit and compliance purposes
4.7 Business Operations and Improvement
- Analysing website usage and service performance
- Improving our products, services, and website functionality
- Internal training, quality assurance, and staff management purposes
- Business planning, financial reporting, and corporate governance
5. Data Sharing and Disclosure
We do not sell your personal data to third parties. We may, however, share your personal data with the following categories of recipients where necessary and in accordance with this Privacy Policy:
5.1 Service Providers and Data Processors
We engage trusted third-party service providers who process personal data on our behalf and under our instructions, strictly in accordance with Article 28 of the GDPR. These include:
- Payment processing and fraud prevention providers
- IT infrastructure, cloud hosting, and cybersecurity providers
- Online booking platforms and reservation management systems
- Email and marketing automation platforms
- Customer relationship management (CRM) software providers
- Accounting, legal, and professional advisory firms
- Casino gaming technology providers and regulators
- CCTV and physical security service providers
All service providers are required to implement appropriate technical and organisational security measures and may only process personal data for the specific purposes we have authorised.
5.2 Business Partners
In certain circumstances, we may share personal data with business partners such as:
- Travel agencies and tour operators involved in your booking
- Partner hotels or venues forming part of a loyalty or referral programme
- Restaurants, entertainment venues, or other on-site partner operators
5.3 Regulatory and Law Enforcement Authorities
We may disclose personal data to competent public authorities, regulators, and law enforcement agencies where we are legally required or permitted to do so, including:
- Gaming and gambling regulatory bodies
- Tax authorities and financial intelligence units
- Police, courts, and other judicial bodies
- Data protection supervisory authorities
5.4 Corporate Transactions
In the event of a merger, acquisition, reorganisation, sale of assets, or similar corporate transaction, your personal data may be transferred to the relevant third party as part of that transaction. We will notify you of any such change and ensure appropriate safeguards are in place.
5.5 International Data Transfers
As is registered in the EU but operates from Australia, and as some of our service providers may be located outside the European Economic Area (EEA), your personal data may be transferred to and processed in countries outside the EEA that may not provide the same level of data protection as your home country.
Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Adequacy decisions issued by the European Commission (Article 45 GDPR)
- Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) GDPR)
- Binding Corporate Rules (BCRs) where applicable (Article 47 GDPR)
- Your explicit consent for specific transfers (Article 49(1)(a) GDPR)
You may request a copy of the relevant safeguards by contacting us at privacy@goldenmeadowstudio.com.
6. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The criteria used to determine our retention periods include:
- The nature and sensitivity of the personal data
- The purposes for which we collected the data and whether those purposes can be achieved through other means
- Applicable statutory limitation periods and legal obligations to retain certain records
- Relevant industry standards and regulatory guidance
- Whether we have a legitimate interest in retaining the data (e.g., for ongoing litigation)
6.1 Standard Retention Periods
| Category of Data | Retention Period | Legal Basis for Retention |
|---|---|---|
| Guest reservation and stay records | 7 years from the end of your last stay | Legal obligation (tax, audit) |
| Financial and payment records | 7 years from the transaction date | Legal obligation (tax and accounting law) |
| Casino gaming records and AML/KYC documentation | 5–10 years as required by applicable gaming and AML regulations | Legal obligation (gaming and financial regulations) |
| CCTV footage (general areas) | 30 days unless needed for investigation | Legitimate interests (security) |
| CCTV footage (casino floor) | Up to 7 years as required by gaming regulations | Legal obligation (gaming regulations) |
| Marketing preferences and communications | Until withdrawal of consent or objection, plus 3 years for record-keeping | Consent / Legitimate interests |
| Customer service correspondence | 3 years from the date of last communication | Legitimate interests / Legal claims |
| Website usage and cookie data | Up to 13 months (as per cookie consent settings) | Consent / Legitimate interests |
| Responsible gambling self-exclusion records | Duration of self-exclusion plus 5 years | Legal obligation / Vital interests |
Upon expiry of the applicable retention period, personal data will be securely deleted, anonymised, or archived in accordance with our internal data retention and disposal procedures. Anonymised data that can no longer identify you may be retained for analytical purposes indefinitely.
7. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR. We are committed to facilitating the exercise of these rights in a timely and transparent manner. You may exercise any of the rights listed below by contacting us at privacy@goldenmeadowstudio.com.
7.1 Right of Access (Article 15 GDPR)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about how it is processed. This is commonly referred to as a Subject Access Request (SAR). We will respond to your SAR within one month of receipt, extendable by a further two months in complex cases.
7.2 Right to Rectification (Article 16 GDPR)
You have the right to request that we correct any inaccurate or incomplete personal data we hold about you without undue delay. If you believe any information we hold is incorrect, please contact us and we will investigate and update the data as appropriate.
7.3 Right to Erasure ("Right to be Forgotten") (Article 17 GDPR)
You have the right to request the deletion of your personal data in certain circumstances, including where:
- The data is no longer necessary for the purpose for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
Please note that this right is not absolute and may be limited by legal obligations requiring us to retain certain data (e.g., AML records, tax records, gaming records).
7.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of the data, consider your objection to processing, or where processing is unlawful but you prefer restriction over erasure.
7.5 Right to Data Portability (Article 20 GDPR)
Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This right applies to data you have provided to us directly.
7.6 Right to Object (Article 21 GDPR)
You have the right to object at any time to the processing of your personal data where such processing is based on our legitimate interests (Article 6(1)(f)) or for direct marketing purposes. Where you object to direct marketing, we will cease processing your data for that purpose immediately. Where you object to other legitimate interest-based processing, we will assess whether our legitimate interests override your rights and freedoms.
7.7 Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you. If we use automated decision-making that significantly affects you, we will inform you and provide you with the opportunity to request human review, express your point of view, and contest the decision.
7.8 Right to Withdraw Consent (Article 7(3) GDPR)
Where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to the withdrawal. You can withdraw your consent by contacting us at privacy@goldenmeadowstudio.com or by using the opt-out mechanism provided in any marketing communications.
7.9 Right to Lodge a Complaint
If you believe that we have infringed your rights or failed to comply with our data protection obligations, you have the right to lodge a complaint with a competent data protection supervisory authority. As is registered in the EU, you may contact the relevant EU supervisory authority in your Member State of habitual residence, place of work, or the place of the alleged infringement. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
We encourage you to contact us first so that we can address your concerns directly before escalating to a supervisory authority.
7.10 How to Exercise Your Rights
To exercise any of the above rights, please submit a written request to:
- Email: privacy@goldenmeadowstudio.com
- Post: The Data Protection Officer, , 21 Binara Street, Canberra ACT 2601, Australia
We may need to verify your identity before processing your request. We will respond to all legitimate requests within one month. Where requests are complex or numerous, we may extend this period by a further two months and will notify you accordingly. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
9. Data Security
We take the security of your personal data very seriously and have implemented appropriate technical and organisational measures in accordance with Article 32 of the GDPR to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security measures include, but are not limited to:
- Encryption of personal data in transit (TLS/SSL) and at rest
- Access controls and role-based permissions to limit data access to authorised personnel only
- Regular security assessments, penetration testing, and vulnerability scans
- Staff training on data protection and cybersecurity best practices
- Incident response and data breach management procedures
- Physical security measures at our premises
- Data minimisation and pseudonymisation practices where appropriate