
GDPR Compliance

Last Updated: April 2026

Our Commitment to GDPR

Clear Fluff is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements and explains your rights as a data subject.

Data Controller Information

Clear Fluff is the data controller responsible for your personal information. You can contact our Data Protection Officer at:

Email: [email protected]
Address: Level 12, 45 Collins Street, Melbourne VIC 3000, Australia

Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our language courses and services
  • Consent: For marketing communications and optional features (you can withdraw consent at any time)
  • Legitimate Interests: To improve our services, prevent fraud, and ensure security
  • Legal Obligations: To comply with applicable laws and regulations

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information within one month of your request.

Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to request correction or completion.

Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data in certain circumstances, such as when it's no longer necessary for the purposes for which it was collected.

Right to Restriction of Processing

You can request that we limit how we use your personal data in certain situations, such as while we verify data accuracy.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object

You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or significantly affects you.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected]. We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by two months, in which case we will inform you.

We may need to verify your identity before processing your request to ensure we're protecting your data appropriately.

Data Processing Activities

Categories of Personal Data We Process

  • Identity data (name, username)
  • Contact data (email address, physical address)
  • Financial data (payment information)
  • Transaction data (course enrollments, payments)
  • Technical data (IP address, browser type, device information)
  • Usage data (how you use our website and services)
  • Learning data (course progress, quiz results, assignments)

Third-Party Data Processors

We work with trusted third-party processors who assist in providing our services. All processors are bound by data processing agreements that comply with GDPR requirements.

Data Transfers

When we transfer your data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions for countries with equivalent data protection standards
  • Binding Corporate Rules where applicable

Data Security Measures

We implement appropriate technical and organisational measures to ensure data security:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach poses a high risk, we will also notify affected individuals without undue delay.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Our standard retention periods are:

  • Active student data: Duration of enrollment plus 7 years
  • Marketing communications data: Until consent is withdrawn
  • Website analytics: 26 months
  • Financial records: 7 years (legal requirement)

Children's Data

We do not knowingly process personal data of children under 16 without parental consent. If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly.

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. In Australia, you can contact the Office of the Australian Information Commissioner (OAIC).

However, we encourage you to contact us first so we can address your concerns directly.

Updates to This Information

We may update this GDPR information periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes through our website or by email.

Contact Us

For any questions about GDPR compliance or to exercise your rights:

Data Protection Officer: [email protected]
General Inquiries: [email protected]
Address: Level 12, 45 Collins Street, Melbourne VIC 3000, Australia

© 2026 Clear Fluff. All rights reserved.