Last updated: June 16, 2026
While vivid-blossom operates primarily in Australia, we recognize the importance of data protection principles established by the General Data Protection Regulation. This statement outlines how we comply with GDPR principles when processing data of individuals in the European Economic Area.
Legal basis for processing
We process personal data under the following legal bases:
- Contract performance: Processing necessary to fulfill orders and provide requested services
- Consent: Marketing communications and non-essential cookies
- Legitimate interests: Fraud prevention, website security, and business analytics
- Legal obligation: Compliance with accounting, tax, and consumer protection laws
Your rights under GDPR
Right to access
You have the right to obtain confirmation whether we process your personal data and to receive a copy of that data.
Right to rectification
You can request correction of inaccurate or incomplete personal data.
Right to erasure
You may request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if you withdraw consent.
Right to restrict processing
You can request that we limit how we use your data in certain circumstances.
Right to data portability
You have the right to receive your personal data in a structured, commonly used format and to transmit it to another controller.
Right to object
You may object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent
Where processing is based on consent, you can withdraw that consent at any time.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority in your jurisdiction.
Data transfers
Personal data collected from individuals in the EEA may be transferred to and processed in Australia. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses where applicable.
Data protection officer
For questions regarding GDPR compliance or to exercise your rights, please contact:
Automated decision-making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.
Data breach notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities within 72 hours of becoming aware of the breach.
Children's data
We do not knowingly process data of individuals under 16 years of age. If we become aware that we have collected such data, we will delete it promptly.
Exercising your rights
To exercise any of your GDPR rights, please submit a request to [email protected]. We will respond within one month of receiving your request. In complex cases, this period may be extended by up to two additional months.
We may require verification of your identity before processing requests to protect your personal information.