AurenzaTrustPro

GDPR Compliance Statement

Effective Date: January 1, 2026

AurenzaTrustPro is committed to protecting the privacy and personal data of all individuals, including those in the European Economic Area (EEA), United Kingdom, and Switzerland. While we primarily operate in Australia, we recognize the importance of complying with the General Data Protection Regulation (GDPR) when we process personal data of individuals located in the EEA.

1. Application of GDPR

The GDPR applies to our processing of personal data when:

  • We offer services to individuals in the EEA
  • We monitor the behavior of individuals in the EEA
  • We process personal data of EEA residents in connection with our business activities

This statement outlines how we comply with GDPR principles alongside our adherence to Australian privacy law.

2. Data Controller Information

Data Controller: AurenzaTrustPro
Address: Level 18, Gateway Tower, 1 Macquarie Place, Sydney NSW 2000, Australia
Contact: [email protected]

3. Legal Bases for Processing Personal Data

Under the GDPR, we process your personal data based on the following legal grounds:

Consent (Article 6(1)(a))

You have given clear, informed consent for us to process your personal data for specific purposes, such as receiving marketing communications or newsletters.

Contract Performance (Article 6(1)(b))

Processing is necessary to perform a contract with you or to take steps at your request before entering into a contract. This includes providing trust management, estate planning, and advisory services you have engaged us to deliver.

Legal Obligation (Article 6(1)(c))

Processing is necessary for compliance with legal obligations to which we are subject, including Australian financial services regulations, anti-money laundering requirements, and professional standards.

Legitimate Interests (Article 6(1)(f))

Processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms. Legitimate interests include:

  • Improving and securing our services
  • Conducting business analytics and internal operations
  • Preventing fraud and ensuring network security
  • Communicating with you about services relevant to your needs

4. Your Rights Under GDPR

If you are located in the EEA, you have the following rights under the GDPR:

Right of Access (Article 15)

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data along with information about how it is being processed.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

Right to Erasure / Right to be Forgotten (Article 17)

You have the right to request deletion of your personal data in certain circumstances, such as when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: This right may be limited by legal or professional obligations to retain records.

Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not engage in automated decision-making that has legal or similarly significant effects.

Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

5. How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

Email: [email protected]
Subject line: "GDPR Rights Request"

We will respond to your request within one month of receipt. In complex cases, we may extend this period by up to two additional months and will inform you of any such extension.

6. Data Processing Activities

Categories of Personal Data We Process

  • Identity data (name, title, date of birth)
  • Contact data (email address, postal address)
  • Financial data (assets, liabilities, trust structures)
  • Professional data (business interests, corporate structures)
  • Communication data (correspondence, consultation notes)
  • Technical data (IP address, browser type, device information)

Purposes of Processing

  • Providing trust management and advisory services
  • Responding to inquiries and communications
  • Fulfilling legal and regulatory obligations
  • Improving our services and website functionality
  • Sending relevant updates about regulatory changes
  • Preventing fraud and ensuring security

7. Data Sharing and International Transfers

Data Recipients

We may share your personal data with:

  • Professional advisors (accountants, solicitors) as necessary for service delivery
  • IT service providers who support our operations
  • Regulatory bodies and law enforcement agencies when legally required

International Transfers

Your personal data is primarily stored and processed in Australia. If we transfer your data outside the EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Transfers to countries recognized by the European Commission as providing adequate protection
  • Other legally recognized transfer mechanisms under GDPR

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, regulatory, and professional obligations. Typical retention periods include:

  • Client service records: minimum 7 years after service completion (as required by Australian law)
  • Marketing communications: until you unsubscribe or withdraw consent
  • Website analytics: aggregated and anonymized after 24 months

9. Data Security

We implement technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Employee training on data protection and confidentiality
  • Incident response and breach notification procedures

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.

11. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with a supervisory authority in the EEA, particularly in the member state of your habitual residence, place of work, or place of the alleged infringement.

You may also contact the Office of the Australian Information Commissioner (OAIC) if you are in Australia.

12. Updates to This Statement

We may update this GDPR Compliance Statement from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated effective date.

13. Contact Information

For any questions or concerns about our GDPR compliance or to exercise your rights, please contact:

Data Protection Contact
AurenzaTrustPro
Email: [email protected]
Address: Level 18, Gateway Tower, 1 Macquarie Place, Sydney NSW 2000, Australia

© 2026 AurenzaTrustPro. All rights reserved. Professional services regulated by Australian financial services legislation.