Legal status and applicable regulation
Vegazone acts as a data controller and independently determines the purposes for processing personal data. The legal basis is formed in accordance with the lawful basis framework established by the Australian Privacy Act 1988. The APPs (Australian Privacy Principles — mandatory personal data processing principles in Australia) apply. Compliance is monitored by the Office of the Australian Information Commissioner. The supervisory function is vested in the OAIC.
Processing is carried out within the scope of statutory obligations, including mandatory data retention for at least 5 years. Registration of an account confirms acceptance of the terms and conditions. The policy may be updated up to 2 times within a 12-month period. The date of the last update is recorded to an accuracy of 1 calendar day.
Categories of data collected and sources
Vegazone processes personal information, including name, date of birth, phone number and email address. In certain cases, sensitive information is requested as part of the KYC procedure (Know Your Customer identification process). Identity verification checks are carried out within 24–72 hours.
IP address logging is recorded with an accuracy of 1 session. GeoIP tracking is used to determine the country of access. Device fingerprinting is used to analyse the device. All actions are recorded in an audit trail with a retention period of 5 years. A financial transaction record is stored for each transaction without any limit on the number of records. Due diligence procedures are initiated where a transaction exceeds 1,000 AUD.
Purposes and legal bases for data processing
Data is processed for the purposes of AML compliance and meeting anti-money laundering requirements. AML (anti-money laundering) measures are applied. Each transaction is subject to transaction monitoring on a 24/7 basis. The automatic review threshold is set from 1,000 AUD per transaction.
Data is used for fraud prevention using risk assessment models. The legal basis is determined through lawful basis and contractual necessity. All payments are processed through payment processing providers with logging of 100% of operations. Fulfilment of statutory obligations is confirmed through reporting to the regulatory authority at least once every 12 months.
Data sharing with third parties and cross-border processing
Vegazone carries out cross-border transfer when server infrastructure is hosted outside Australia. Cross-border transfer (transfer of personal data outside the jurisdiction) is permitted where contractual safeguards are in place and a compliance audit is performed at least once every 12 months. Transfers are only made to third-party processors on the basis of a written agreement.
Each supervisory authority request is complied with within 30 calendar days. A consent mechanism is used for specific categories of disclosure. Storage and transfer comply with record keeping requirements for a period of at least 5 years. Processing is carried out in accordance with the Australian Privacy Act 1988 and under the supervision of the Office of the Australian Information Commissioner.
Retention periods and data deletion policy
Vegazone applies a defined data retention period in line with regulatory requirements. The data retention period (legally established data storage period) is at least 5 years from the date of the last financial transaction. Upon account closure, data is not deleted immediately where AML compliance obligations remain.
Each financial transaction record is stored in an immutable form. An access request is reviewed within 30 days. Data portability is available in PDF or CSV format within 14 days. All procedures comply with the APPs (Australian Privacy Principles) and statutory obligations. Deletion is possible after the expiry of 60 months of storage.
Security measures and technical protection
Vegazone uses encryption standards that are no lower than TLS 1.2 with a 256-bit key length. All data is stored in a secure storage system with access controlled through two-factor authentication. Logs are kept in an audit trail for at least 5 years.
Fraud prevention mechanisms operate 24/7 and analyse up to 100% of sessions. Device fingerprinting is used to detect device inconsistencies. IP address logging is implemented with time stamps accurate to 1 second. A compliance audit is carried out annually, at least once every 12 months. Each procedure undergoes risk assessment and is documented under a due diligence protocol.
Marketing, consent and communication management
Vegazone uses personal information for marketing communications only where marketing opt-in (prior consent to receive promotional materials) is active. Consent is recorded via a consent mechanism with date and time accuracy to 1 minute. Without opt-in, messages are not sent.
Each unsubscribe request is processed within 48 hours. Technical delivery is carried out through third-party processors under a data processing agreement. Cookies may be used in mailouts for click-through analytics. A session identifier is used to track activity. Compliance is monitored with regard to OAIC guidance. Information about promotional offers does not affect payment processing conditions.
Use of cookies and tracking technologies
Vegazone uses cookies to ensure stable website operation and for analytics. Each session identifier (a unique user session identifier) is created automatically upon login and is valid for up to 30 days or until the end of the session. The legal basis for processing is determined through lawful basis related to technical necessity.