Privacy Policy

Last updated: June 2025

Welcome to . We are committed to protecting your personal data and respecting your privacy in full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all applicable data protection legislation. This Privacy Policy explains who we are, what personal data we collect, why we collect it, how we use it, with whom we share it, how long we retain it, and what rights you have regarding your personal data.

Please read this Privacy Policy carefully before using our website at goldenmeadowstudio.com or any of our services. By accessing or using our website and services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy.

1. Data Controller

The entity responsible for the processing of your personal data (the "Data Controller") is:

Legal Entity
Legal Address
Registration Country European Union (EU)
Website goldenmeadowstudio.com
Privacy Contact Email privacy@goldenmeadowstudio.com

1.1 Data Protection Officer (DPO)

In accordance with Article 37 of the GDPR, we have appointed a Data Protection Officer who is responsible for overseeing our data protection strategy and ensuring compliance with data protection laws. You may contact our DPO directly at any time:

Name / Title The Data Protection Officer
Organisation
Address
Email privacy@goldenmeadowstudio.com

2. Personal Data We Collect

We collect personal data directly from you (Article 13 GDPR) and, in some cases, from third-party sources such as booking platforms, payment processors, or publicly available sources (Article 14 GDPR). The categories of personal data we collect include, but are not limited to, the following:

2.1 Identification and Contact Data

  • Full name, title, and date of birth
  • Email address, telephone number, and postal address
  • Nationality and passport or national identity card details (required for hotel registration)
  • Signature (where required for check-in or contractual purposes)

2.2 Reservation and Stay Data

  • Booking reference number and reservation details
  • Check-in and check-out dates, room type, and special requests
  • Number of guests and accompanying persons
  • Records of services used during your stay (dining, spa, entertainment, casino, etc.)
  • Guest preferences and loyalty programme information

2.3 Financial and Payment Data

  • Credit or debit card details (processed securely through compliant payment processors)
  • Billing address and invoicing information
  • Transaction history and payment records
  • Bank account details (where direct debit is used)

2.4 Casino and Gaming Data

  • Gaming activity records, including bets placed, wins, and losses
  • Responsible gambling self-exclusion requests and related records
  • Age verification and identity verification data required by gaming regulations
  • Anti-money laundering (AML) and Know Your Customer (KYC) documentation

2.5 Technical and Usage Data

  • IP address, browser type and version, operating system
  • Device identifiers and hardware information
  • Pages visited on our website, time spent on each page, and navigation paths
  • Referring URLs and exit pages
  • Cookie identifiers and similar tracking technologies (see our Cookie Policy)
  • Log files and access records

2.6 Communication and Marketing Data

  • Records of correspondence with us (emails, letters, live chat transcripts, phone call records)
  • Marketing preferences and subscription status
  • Survey responses and feedback submitted voluntarily
  • Social media usernames or profile information where you interact with us via social platforms

2.7 Security and Surveillance Data

  • CCTV footage recorded on our premises (hotel and casino areas)
  • Access control records and visitor logs
  • Incident and security reports

2.8 Special Categories of Personal Data

In limited circumstances, we may process special categories of personal data as defined under Article 9 of the GDPR. This may include:

  • Health information (e.g., dietary requirements, disability-related accommodations, or medical emergencies)
  • Information revealing religious beliefs (e.g., dietary restrictions based on religion)

We only process such special category data where we have obtained your explicit consent, or where processing is necessary to protect your vital interests or to comply with legal obligations. We handle all special category data with the highest degree of care and apply appropriate technical and organisational safeguards.

4. How We Use Your Personal Data

We use your personal data for the following specific purposes, always ensuring that such use is compatible with the original purpose of collection:

4.1 Hotel and Accommodation Services

  • Processing, confirming, and managing your room reservations
  • Facilitating check-in, check-out, and room management
  • Fulfilling special requests and accessibility requirements
  • Managing billing, invoicing, and payment processing
  • Providing concierge and guest services

4.2 Casino and Gaming Operations

  • Verifying your identity and age in compliance with gaming regulations
  • Providing casino floor services and online gaming where applicable
  • Conducting AML and fraud prevention checks
  • Administering responsible gambling programmes, including self-exclusion requests
  • Maintaining gaming transaction records as required by applicable regulations

4.3 Customer Service and Communications

  • Responding to enquiries, complaints, and feedback
  • Sending booking confirmations, pre-arrival information, and post-stay surveys
  • Notifying you of changes to our services, terms, or this Privacy Policy
  • Managing loyalty programme communications and benefits

4.4 Marketing and Personalisation

  • Sending you promotional offers, newsletters, and event information based on your preferences (where you have consented or where we have a legitimate interest)
  • Personalising your experience on our website and during your stay
  • Conducting market research and customer satisfaction surveys
  • Delivering targeted advertising through digital channels (subject to your cookie preferences)

4.5 Security and Safety

  • Monitoring our premises via CCTV to ensure the safety of guests, staff, and property
  • Preventing, investigating, and reporting fraud, theft, and other criminal activity
  • Managing access to restricted areas of the hotel and casino
  • Responding to emergency situations and ensuring guest welfare

4.6 Legal and Regulatory Compliance

  • Meeting our obligations under applicable laws and regulations
  • Responding to lawful requests from public authorities and law enforcement agencies
  • Establishing, exercising, or defending legal claims
  • Maintaining records for audit and compliance purposes

4.7 Business Operations and Improvement

  • Analysing website usage and service performance
  • Improving our products, services, and website functionality
  • Internal training, quality assurance, and staff management purposes
  • Business planning, financial reporting, and corporate governance

5. Data Sharing and Disclosure

We do not sell your personal data to third parties. We may, however, share your personal data with the following categories of recipients where necessary and in accordance with this Privacy Policy:

5.1 Service Providers and Data Processors

We engage trusted third-party service providers who process personal data on our behalf and under our instructions, strictly in accordance with Article 28 of the GDPR. These include:

  • Payment processing and fraud prevention providers
  • IT infrastructure, cloud hosting, and cybersecurity providers
  • Online booking platforms and reservation management systems
  • Email and marketing automation platforms
  • Customer relationship management (CRM) software providers
  • Accounting, legal, and professional advisory firms
  • Casino gaming technology providers and regulators
  • CCTV and physical security service providers

All service providers are required to implement appropriate technical and organisational security measures and may only process personal data for the specific purposes we have authorised.

5.2 Business Partners

In certain circumstances, we may share personal data with business partners such as:

  • Travel agencies and tour operators involved in your booking
  • Partner hotels or venues forming part of a loyalty or referral programme
  • Restaurants, entertainment venues, or other on-site partner operators

5.3 Regulatory and Law Enforcement Authorities

We may disclose personal data to competent public authorities, regulators, and law enforcement agencies where we are legally required or permitted to do so, including:

  • Gaming and gambling regulatory bodies
  • Tax authorities and financial intelligence units
  • Police, courts, and other judicial bodies
  • Data protection supervisory authorities

5.4 Corporate Transactions

In the event of a merger, acquisition, reorganisation, sale of assets, or similar corporate transaction, your personal data may be transferred to the relevant third party as part of that transaction. We will notify you of any such change and ensure appropriate safeguards are in place.

5.5 International Data Transfers

As is registered in the EU but operates from Australia, and as some of our service providers may be located outside the European Economic Area (EEA), your personal data may be transferred to and processed in countries outside the EEA that may not provide the same level of data protection as your home country.

Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Adequacy decisions issued by the European Commission (Article 45 GDPR)
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) GDPR)
  • Binding Corporate Rules (BCRs) where applicable (Article 47 GDPR)
  • Your explicit consent for specific transfers (Article 49(1)(a) GDPR)

You may request a copy of the relevant safeguards by contacting us at privacy@goldenmeadowstudio.com.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The criteria used to determine our retention periods include:

  • The nature and sensitivity of the personal data
  • The purposes for which we collected the data and whether those purposes can be achieved through other means
  • Applicable statutory limitation periods and legal obligations to retain certain records
  • Relevant industry standards and regulatory guidance
  • Whether we have a legitimate interest in retaining the data (e.g., for ongoing litigation)

6.1 Standard Retention Periods

Category of Data Retention Period Legal Basis for Retention
Guest reservation and stay records 7 years from the end of your last stay Legal obligation (tax, audit)
Financial and payment records 7 years from the transaction date Legal obligation (tax and accounting law)
Casino gaming records and AML/KYC documentation 5–10 years as required by applicable gaming and AML regulations Legal obligation (gaming and financial regulations)
CCTV footage (general areas) 30 days unless needed for investigation Legitimate interests (security)
CCTV footage (casino floor) Up to 7 years as required by gaming regulations Legal obligation (gaming regulations)
Marketing preferences and communications Until withdrawal of consent or objection, plus 3 years for record-keeping Consent / Legitimate interests
Customer service correspondence 3 years from the date of last communication Legitimate interests / Legal claims
Website usage and cookie data Up to 13 months (as per cookie consent settings) Consent / Legitimate interests
Responsible gambling self-exclusion records Duration of self-exclusion plus 5 years Legal obligation / Vital interests

Upon expiry of the applicable retention period, personal data will be securely deleted, anonymised, or archived in accordance with our internal data retention and disposal procedures. Anonymised data that can no longer identify you may be retained for analytical purposes indefinitely.

7. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR. We are committed to facilitating the exercise of these rights in a timely and transparent manner. You may exercise any of the rights listed below by contacting us at privacy@goldenmeadowstudio.com.

7.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about how it is processed. This is commonly referred to as a Subject Access Request (SAR). We will respond to your SAR within one month of receipt, extendable by a further two months in complex cases.

7.2 Right to Rectification (Article 16 GDPR)

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you without undue delay. If you believe any information we hold is incorrect, please contact us and we will investigate and update the data as appropriate.

7.3 Right to Erasure ("Right to be Forgotten") (Article 17 GDPR)

You have the right to request the deletion of your personal data in certain circumstances, including where:

  • The data is no longer necessary for the purpose for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

Please note that this right is not absolute and may be limited by legal obligations requiring us to retain certain data (e.g., AML records, tax records, gaming records).

7.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of the data, consider your objection to processing, or where processing is unlawful but you prefer restriction over erasure.

7.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This right applies to data you have provided to us directly.

7.6 Right to Object (Article 21 GDPR)

You have the right to object at any time to the processing of your personal data where such processing is based on our legitimate interests (Article 6(1)(f)) or for direct marketing purposes. Where you object to direct marketing, we will cease processing your data for that purpose immediately. Where you object to other legitimate interest-based processing, we will assess whether our legitimate interests override your rights and freedoms.

7.7 Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you. If we use automated decision-making that significantly affects you, we will inform you and provide you with the opportunity to request human review, express your point of view, and contest the decision.

7.8 Right to Withdraw Consent (Article 7(3) GDPR)

Where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to the withdrawal. You can withdraw your consent by contacting us at privacy@goldenmeadowstudio.com or by using the opt-out mechanism provided in any marketing communications.

7.9 Right to Lodge a Complaint

If you believe that we have infringed your rights or failed to comply with our data protection obligations, you have the right to lodge a complaint with a competent data protection supervisory authority. As is registered in the EU, you may contact the relevant EU supervisory authority in your Member State of habitual residence, place of work, or the place of the alleged infringement. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

We encourage you to contact us first so that we can address your concerns directly before escalating to a supervisory authority.

7.10 How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to:

We may need to verify your identity before processing your request. We will respond to all legitimate requests within one month. Where requests are complex or numerous, we may extend this period by a further two months and will notify you accordingly. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

8. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies (such as web beacons, pixels, and local storage) to enhance your browsing experience, analyse website performance, and deliver personalised content and advertising.

We use the following categories of cookies:

  • Strictly Necessary Cookies: Essential for the website to function and cannot be disabled. These do not require your consent.
  • Performance and Analytics Cookies: Help us understand how visitors interact with our website by collecting anonymous information. These require your consent.
  • Functional Cookies: Enable enhanced functionality and personalisation, such as remembering your preferences. These require your consent.
  • Targeting and Advertising Cookies: Used to deliver relevant advertisements and track the effectiveness of marketing campaigns. These require your consent.

When you first visit our website, you will be presented with a Cookie Consent Banner allowing you to accept or decline non-essential cookies. You may change your cookie preferences at any time by accessing the Cookie Settings link in the footer of our website. For more detailed information about the specific cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy available on our website.

9. Data Security

We take the security of your personal data very seriously and have implemented appropriate technical and organisational measures in accordance with Article 32 of the GDPR to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security measures include, but are not limited to:

  • Encryption of personal data in transit (TLS/SSL) and at rest
  • Access controls and role-based permissions to limit data access to authorised personnel only
  • Regular security assessments, penetration testing, and vulnerability scans
  • Staff training on data protection and cybersecurity best practices
  • Incident response and data breach management procedures
  • Physical security measures at our premises
  • Data minimisation and pseudonymisation practices where appropriate