Data Protection & Privacy Rights
Last Updated: May 11, 2026
Overview
smooth-timber is committed to protecting your personal data in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This page outlines your data protection rights and how we uphold them.
Legal Basis for Processing
We process your personal information on the following legal bases:
- Consent: You provide explicit consent when engaging our services and submitting personal information
- Contract performance: Processing is necessary to deliver the services you've requested
- Legal obligation: We must retain certain records to comply with Australian taxation and business laws
- Legitimate interests: Processing for business administration, fraud prevention, and service improvement, balanced against your privacy rights
Your Data Protection Rights
Right to Access
You have the right to request access to the personal information we hold about you. We will provide this within 30 days of your request, subject to identity verification. You may request:
- Confirmation of what personal data we hold
- A copy of your personal data in a commonly used format
- Information about how we use and share your data
Right to Correction
If you believe any personal information we hold is inaccurate, incomplete, or out of date, you may request correction. We will update your information within 30 days and notify any third parties to whom we disclosed the incorrect information.
Right to Erasure
You may request deletion of your personal information in certain circumstances:
- The information is no longer necessary for the purpose collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
This right is subject to legal retention requirements. For example, we must retain financial records for 7 years under Australian taxation law.
Right to Restrict Processing
You can request that we limit how we use your personal information if:
- You contest the accuracy of the data while we verify it
- Processing is unlawful but you don't want the data deleted
- We no longer need the data but you need it for legal claims
- You've objected to processing while we verify our legitimate grounds
Right to Data Portability
You can request that we transfer your personal information to another service provider in a structured, commonly used format. This applies to information you've provided to us with consent or for contract performance.
Right to Object
You may object to our processing of your personal information based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.
Right to Withdraw Consent
Where we process your data based on consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.
How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: [email protected]
Subject line: "Data Protection Request"
Please include:
- Your full name and contact details
- Description of the information or right you're requesting
- Proof of identity (copy of driver's license or passport)
We will respond within 30 days. There is no fee for exercising these rights unless requests are manifestly unfounded or excessive.
Data Security Measures
We implement comprehensive security measures to protect your personal information:
Technical Safeguards
- TLS encryption for data transmission
- AES-256 encryption for data storage
- Multi-factor authentication for staff access
- Regular security audits and penetration testing
- Automated backup systems with encrypted storage
Organizational Safeguards
- Staff confidentiality agreements and privacy training
- Role-based access controls limiting data exposure
- Incident response procedures for data breaches
- Vendor management ensuring third-party compliance
- Regular privacy impact assessments
Data Breach Notification
In the event of a data breach likely to result in serious harm, we will:
- Notify affected individuals as soon as practicable
- Report the breach to the Office of the Australian Information Commissioner
- Provide information about the breach and steps you can take to mitigate harm
- Implement remedial actions to prevent future breaches
International Data Transfers
We primarily store and process data within Australia. If we transfer data overseas, we ensure:
- The recipient country has substantially similar privacy protections to Australia, or
- We have contractual arrangements requiring equivalent protections, or
- You have provided informed consent to the transfer
Currently, we use cloud storage providers with Australian data centers to minimize overseas transfers.
Children's Data
When we collect information about children (under 18) for benefit applications such as NDIS or Family Tax Benefit, we:
- Obtain consent from a parent or legal guardian
- Collect only information necessary for the application
- Implement additional security measures for sensitive child data
- Allow parents to access, correct, or delete their child's information
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals. All eligibility assessments and service recommendations involve human review.
Data Protection Officer
For data protection inquiries, contact our Privacy Officer:
Email: [email protected]
Address: Level 8, 142 Victoria Street, Melbourne VIC 3000, Australia
Complaints and Escalation
If you believe we have not handled your data appropriately:
- Contact us first: Email [email protected] with details of your concern. We will investigate and respond within 30 days.
- Escalate to the regulator: If unsatisfied with our response, lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Updates to This Policy
We review this data protection information annually and update it as necessary to reflect changes in law or our practices. Significant updates will be communicated to active clients via email.