GDPR Compliance Statement

Effective Date: May 11, 2026

Fresh Level is committed to protecting the privacy and personal data of all individuals, including residents of the European Economic Area (EEA), United Kingdom, and Switzerland. This page outlines our compliance with the General Data Protection Regulation (GDPR).

Legal Basis for Processing

We process personal data only when we have a legal basis to do so. Our legal bases include:

• Consent: When you have given clear consent for us to process your personal data for specific purposes
• Contract: When processing is necessary to fulfill a contract with you or take steps at your request before entering into a contract
• Legal Obligation: When we must process your data to comply with legal or regulatory requirements
• Legitimate Interests: When processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms

Your Rights Under GDPR

If you are a resident of the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you, along with information about how we use it.

Right to Rectification

You can request that we correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, such as when:

• The data is no longer necessary for the purposes it was collected
• You withdraw your consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Right to Restriction of Processing

You can request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object

You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: [email protected]

We will respond to your request within one month of receipt. In complex cases, we may extend this period by up to two additional months and will inform you of any such extension.

Data Protection Officer

For questions about our GDPR compliance or to exercise your rights, you may contact our Data Protection Officer at [email protected]

International Data Transfers

As we are based in Australia, your personal data may be transferred to and processed in Australia. We ensure that appropriate safeguards are in place for such transfers, including:

• Ensuring the recipient country has adequate data protection laws
• Using standard contractual clauses approved by the European Commission
• Obtaining your explicit consent for the transfer

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Specific retention periods depend on:

• The nature of the services provided
• Legal and regulatory obligations
• The need to defend or establish legal claims

Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data
• Regular security assessments and audits
• Access controls and authentication
• Staff training on data protection
• Incident response procedures

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, where required, within 72 hours of becoming aware of the breach. We will also notify the relevant supervisory authority.

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. For EEA residents, you can find your local supervisory authority at: https://edpb.europa.eu/about-edpb/board/members_en

For UK residents, the supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk

Children's Data

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will take steps to delete it.

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated effective date.

Contact Information

Fresh Level
Level 3, 142 Edward Street
Brisbane QLD 4000
Australia
Email: [email protected]